I am creating a logging method in my application controller. I have the following setup, but for some reason my parameter filter is not filtering the password. What is missing? How can I make sure my application is secure and that all password parameters are filtered?
config/application.rb
# Configure sensitive parameters which will be filtered from the log file.
config.filter_parameters += [:password]
Application controller
before_filter :record_activity
def record_activity(note = nil)
  @activity = {}
  @activity['user'] = current_user
  @activity['note'] = note
  @activity['browser'] = request.env['HTTP_USER_AGENT']
  @activity['ip_address'] = request.env['REMOTE_ADDR']
  @activity['controller'] = controller_name
  @activity['action'] = action_name
  # params.inspect hands log_filter a String, not the params Hash
  @activity['params'] = log_filter(params.inspect)
  p @activity
end
Terminal output
15:39:38 web.1 |
{"user"=>nil,
"note"=>nil,
"browser"=>"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0) Gecko/20100101 Firefox/20.0",
"ip_address"=>"127.0.0.1",
"controller"=>"sessions",
"action"=>"create",
"params"=>"{"utf8"=>"✓", "authenticity_token"=>"dYofOQ64sTajNVn2JiJWVM+E3kz5jCGazrYBObukBAQ=",
"user"=>{"email"=>"user@domain.com",
"password"=>"thepasswordexposed",
"remember_me"=>"0"},
"commit"=>"Login",
"action"=>"create",
"controller"=>"sessions"}"}
*Edit:* I added the following, but it still doesn't work. Any suggestions?
def log_filter(hash)
  filters = Rails.application.config.filter_parameters
  f = ActionDispatch::Http::ParameterFilter.new filters
  # raises when `hash` is actually the String from params.inspect
  f.filter hash
end
Error on line 36
NoMethodError at /users/sign_in
undefined method `each' for #<String:0x007fa0280b3a68>
36 f.filter hash
Answer:
My solution is as follows; I needed to remove .inspect, and it started working.
def record_activity(note = nil)
  @activity = {}
  @activity['user'] = current_user
  @activity['note'] = note
  @activity['browser'] = request.env['HTTP_USER_AGENT']
  @activity['ip_address'] = request.env['REMOTE_ADDR']
  @activity['controller'] = controller_name
  @activity['action'] = action_name
  @activity['params'] = params
  p @activity
end
This is because config.filter_parameters is only used for HTTP parameters (which then end up in params). It does not work for your own objects.
If you make a request, you will get some standard information in the log file:
Started GET "/en/projects/1/edit" for 127.0.0.1 at 2013-04-28 04:13:11 +0700
Processing by ProjectsController#edit as HTML
Parameters: {"locale"=>"en", "id"=>"1"}
In the Parameters line, a password value, if present, will be filtered.
But if you use p or puts, it will not work.
Manually filter parameters
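As an added example (my code, not the question's and not Rails's own implementation): a small stand-in for ActionDispatch::Http::ParameterFilter that runs without Rails and shows why the params Hash gets filtered while the String from params.inspect does not. The function names and the sample params are constructed for this example.

```ruby
# Stand-in for ActionDispatch::Http::ParameterFilter, written for this
# example so it runs without Rails; function names are assumptions, not Rails API.
FILTERED = "[FILTERED]".freeze

# Rails compiles String/Symbol filters into one case-insensitive regex, so
# :password also matches "password_confirmation"; Regexp filters are used as-is.
def compile_filters(filters)
  regexps, names = filters.partition { |f| f.is_a?(Regexp) }
  unless names.empty?
    regexps << Regexp.new(names.map { |n| Regexp.escape(n.to_s) }.join("|"), Regexp::IGNORECASE)
  end
  regexps
end

# Walks Hash and Array values and replaces every value whose key matches.
# Anything else (including the String produced by params.inspect) is returned
# untouched: a String has no keys to match, so nothing in it gets filtered.
def filter_params(value, filters)
  patterns = compile_filters(filters)
  walk = lambda do |obj|
    case obj
    when Hash
      obj.each_with_object({}) do |(key, val), out|
        out[key] = patterns.any? { |re| key.to_s =~ re } ? FILTERED : walk.call(val)
      end
    when Array
      obj.map { |v| walk.call(v) }
    else
      obj
    end
  end
  walk.call(value)
end

# Constructed sample mirroring the params from the question.
SAMPLE_PARAMS = {
  "utf8" => "✓",
  "user" => { "email" => "user@domain.com", "password" => "thepasswordexposed", "remember_me" => "0" },
  "commit" => "Login", "controller" => "sessions", "action" => "create"
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Filter the Hash before handing it to p/puts or your own logger.
  p filter_params(SAMPLE_PARAMS, [:password])          # "password"=>"[FILTERED]"
  # The inspect String passes straight through; this is the original bug.
  p filter_params(SAMPLE_PARAMS.inspect, [:password])  # password still visible
end
```

Filter the Hash first and only then print or store it; the Rails logger's "Parameters:" line does this for you, but p and puts do not.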