
Passwords show in Rails logs when lograge is enabled and custom options are provided #28

Closed
ghiculescu opened this issue Feb 12, 2013 · 6 comments

Comments

@ghiculescu
Contributor

When using standard Rails logging, fields named password are filtered out before being logged. So they show up as :password=>"[FILTERED]"

When using lograge, this filtering doesn't happen - the param shows up as "password"=>"hunter2" in the logs.

Note: this doesn't happen by default, it only happens if you are passing parameters through using append_info_to_payload.

@ghiculescu
Contributor Author

pull request: #29

@BRMatt
Contributor

BRMatt commented Feb 12, 2013

What version of rails are you using? Passwords are being filtered out of our logs without any intervention

@ghiculescu
Contributor Author

Rails 3.2.11

@BRMatt
Contributor

BRMatt commented Feb 12, 2013

It looks like rails filters parameters before it sends them to instrumentation, not sure why passwords are showing up for you.

@larron

larron commented Nov 29, 2013

Had the same issue... (Rails 4.0.1)
In append_info_to_payload I just used:

```
payload[:params] = request.filtered_parameters
```

@ghiculescu
Contributor Author

Yep, I'm not sure what ten-months-ago-me was on about.

danielpowell4 added a commit to danielpowell4/lograge that referenced this issue Jun 3, 2019
Good for this to be top of mind so no one traverses as such:

```
config.lograge.custom_payload do |controller|
  exceptions = %w(controller action format authenticity_token)
  {
    params: controller.request.params.except(*exceptions), # request.params is DANGEROUS
  }
end
```

request.filtered_params is at least a bit safer as noted in roidrage#28
danielpowell4 added a commit to danielpowell4/lograge that referenced this issue Jun 3, 2019
Good for this to be top of mind so no one traverses as such:

```
config.lograge.custom_payload do |controller|
  exceptions = %w(controller action format authenticity_token)
  {
    params: controller.request.params.except(*exceptions), # request.params is DANGEROUS
  }
end
```

request.filtered_parameters is at least a bit safer as noted in roidrage#28
iloveitaly pushed a commit that referenced this issue Jan 20, 2022
Good for this to be top of mind so no one traverses as such:

```
config.lograge.custom_payload do |controller|
  exceptions = %w(controller action format authenticity_token)
  {
    params: controller.request.params.except(*exceptions), # request.params is DANGEROUS
  }
end
```

request.filtered_parameters is at least a bit safer as noted in #28
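
The point larron's comment and the commit messages above make is that a custom payload built from `request.params` bypasses Rails' `config.filter_parameters`, while `request.filtered_parameters` has the filter applied. The following is an added example, not code from lograge or Rails: it runs outside Rails with a small stand-in for Rails' parameter filter (substring, case-insensitive key matching, recursing into nested hashes and arrays, which is the behaviour of the default `:password` filter) over a constructed login request, and builds both the unsafe and the safer payload so the difference can be asserted rather than eyeballed in a log. `SAMPLE_PARAMS`, `unsafe_payload`, `safe_payload` and `leaks_secret?` are names chosen here for the example.

```ruby
# Added example, not lograge's or Rails' code. The filter below is a
# stand-in for what Rails does via config.filter_parameters and
# request.filtered_parameters; it mirrors the Rails default of filtering
# any key whose name contains "password".
FILTERED_TEXT = "[FILTERED]"

# Keys are matched case-insensitively by substring, as Rails does for
# string/symbol filters (so :password also covers "password_confirmation").
def filter_parameters(params, filters = [:password])
  patterns = filters.map { |f| Regexp.new(Regexp.escape(f.to_s), Regexp::IGNORECASE) }
  filter_value(params, patterns)
end

# Walk hashes and arrays; replace the value of any matching key.
def filter_value(value, patterns)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = if patterns.any? { |p| p.match?(k.to_s) }
                 FILTERED_TEXT
               else
                 filter_value(v, patterns)
               end
    end
  when Array
    value.map { |v| filter_value(v, patterns) }
  else
    value
  end
end

# Constructed sample request parameters, as a login controller would see them.
SAMPLE_PARAMS = {
  "controller" => "sessions",
  "action" => "create",
  "authenticity_token" => "tok-example",
  "user" => {
    "email" => "alice@example.com",
    "password" => "hunter2",
    "password_confirmation" => "hunter2",
  },
}.freeze

# Routing keys the commit message strips from the payload.
EXCEPTIONS = %w(controller action format authenticity_token).freeze

# The pattern from the commit message: raw params minus routing keys.
# Equivalent to controller.request.params.except(*exceptions) in Rails.
def unsafe_payload(params = SAMPLE_PARAMS)
  { params: params.reject { |k, _| EXCEPTIONS.include?(k) } }
end

# The safer pattern: filter first (request.filtered_parameters in Rails),
# then drop the routing keys.
def safe_payload(params = SAMPLE_PARAMS)
  { params: filter_parameters(params).reject { |k, _| EXCEPTIONS.include?(k) } }
end

# A check a reviewer can run over the rendered payload: does the secret
# value appear verbatim in what would be written to the log?
def leaks_secret?(payload, secret = "hunter2")
  payload.inspect.include?(secret)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{unsafe_payload.inspect}"
  puts "safe:   #{safe_payload.inspect}"
end
```

Run the file directly to see the two payloads side by side; the unsafe one prints the password in clear, the safe one prints `[FILTERED]` for both password keys while leaving the email intact. In a real app the filter list comes from `config.filter_parameters`, so any custom key that should never reach the log (API tokens, secrets in nested JSON) has to be added there; the filter only protects what it has been told about.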