From f4f3ef77813977d0067635a6c82efbd7936df09a Mon Sep 17 00:00:00 2001
From: Roque Pinel
Date: Mon, 27 Jul 2015 23:59:31 -0400
Subject: [PATCH] Add parameter filter capability for redirect locations

It uses the `config.filter_parameters` to match what needs to be filtered. The result would be like this:

```
Redirected to http://secret.foo.bar?username=roque&password=[FILTERED]
```
---
 actionpack/CHANGELOG.md | 11 +++++++
 .../action_dispatch/http/filter_redirect.rb | 12 +++++++-
 .../test/controller/log_subscriber_test.rb | 30 +++++++++++++++++++
 guides/source/action_controller_overview.md | 3 +-
 4 files changed, 54 insertions(+), 2 deletions(-)

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 96367652f4e..d7be6de5f58 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -90,4 +90,15 @@ *Rafael Mendonça França*
+* Add parameter filter capability for redirect locations.
+
+ It uses the `config.filter_parameters` to match what needs to be filtered.
+ The result would be like this:
+
+ Redirected to http://secret.foo.bar?username=roque&password=[FILTERED]
+
+ Fixes #14055.
+
+ *Roque Pinel*, *Trevor Turk*, *tonytonyjan*
+
 Please check [7-1-stable](https://github.com/rails/rails/blob/7-1-stable/actionpack/CHANGELOG.md) for previous changes.
diff --git a/actionpack/lib/action_dispatch/http/filter_redirect.rb b/actionpack/lib/action_dispatch/http/filter_redirect.rb
index a6645275158..e15ed1feac1 100644
--- a/actionpack/lib/action_dispatch/http/filter_redirect.rb
+++ b/actionpack/lib/action_dispatch/http/filter_redirect.rb
@@ -11,7 +11,7 @@ module ActionDispatch
 if location_filter_match?
 FILTERED
 else
- location
+ parameter_filtered_location
 end
 end
@@ -33,6 +33,16 @@ module ActionDispatch
 end
 end
 end
+
+ def parameter_filtered_location
+ uri = URI.parse(location)
+ unless uri.query.nil? || uri.query.empty?
+ uri.query.gsub!(FilterParameters::PAIR_RE) do
+ request.parameter_filter.filter($1 => $2).first.join("=")
+ end
+ end
+ uri.to_s
+ end
 end
 end
 end
diff --git a/actionpack/test/controller/log_subscriber_test.rb b/actionpack/test/controller/log_subscriber_test.rb
index 5763cde8cef..ff5ad2c8991 100644
--- a/actionpack/test/controller/log_subscriber_test.rb
+++ b/actionpack/test/controller/log_subscriber_test.rb
@@ -32,6 +32,10 @@ module Another
 redirect_to "http://secret.foo.bar/"
 end
+ def filterable_redirector_with_params
+ redirect_to "http://secret.foo.bar?username=repinel&password=1234"
+ end
+
 def data_sender
 send_data "cool data", filename: "file.txt"
 end
@@ -266,6 +270,32 @@ class ACLogSubscriberTest < ActionController::TestCase
 assert_equal "Redirected to [FILTERED]", logs[1]
 end
+ def test_does_not_filter_redirect_params_by_default
+ get :filterable_redirector_with_params
+ wait
+
+ assert_equal 3, logs.size
+ assert_equal "Redirected to http://secret.foo.bar?username=repinel&password=1234", logs[1]
+ end
+
+ def test_filter_redirect_params_by_string
+ @request.env["action_dispatch.parameter_filter"] = ["password"]
+ get :filterable_redirector_with_params
+ wait
+
+ assert_equal 3, logs.size
+ assert_equal "Redirected to http://secret.foo.bar?username=repinel&password=[FILTERED]", logs[1]
+ end
+
+ def test_filter_redirect_params_by_regexp
+ @request.env["action_dispatch.parameter_filter"] = [/pass.+/]
+ get :filterable_redirector_with_params
+ wait
+
+ assert_equal 3, logs.size
+ assert_equal "Redirected to http://secret.foo.bar?username=repinel&password=[FILTERED]", logs[1]
+ end
+
 def test_send_data
 get :data_sender
 wait
diff --git a/guides/source/action_controller_overview.md b/guides/source/action_controller_overview.md
index a7b9ee42445..dffcbfc91bb 100644
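Review bot: `URI.parse(location)` in the new `parameter_filtered_location` raises `URI::InvalidURIError` for a malformed Location header, and because the previous hunk routes every redirect that does not match the location filter through this method, a bad header now turns the log line into an exception. Since the purpose of the method is to keep secrets out of the log, the safe failure is to emit the placeholder rather than propagate or fall back to the raw value: close the method with `rescue URI::Error` / `  FILTERED` just before its final `end`. The in-place `gsub!` only reaches `uri.to_s` if `uri.query` hands back the URI's own string rather than a copy; `uri.query = uri.query.gsub(FilterParameters::PAIR_RE) { ... }` states the intent without depending on that. The block also assumes `PAIR_RE` captures the key in `$1` and the value in `$2`, which is not visible from this hunk, so a one-line comment naming that dependency would help the next reader. The enclosing module body starts and ends outside the hunk.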
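Review bot: All three new tests in `ACLogSubscriberTest` put the sensitive pair last in the query, so they cannot show that the `&` separator and the neighbouring pair survive the substitution when the filtered key comes first or sits in the middle; one case along the lines of a redirect to `"http://secret.foo.bar?password=1234&username=repinel"` with the `["password"]` filter, asserting `"Redirected to http://secret.foo.bar?password=[FILTERED]&username=repinel"`, would pin that. A case with a filter configured but no query string in the Location (the existing `filterable_redirector` action) would also confirm the new code path leaves such locations untouched.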
--- a/guides/source/action_controller_overview.md
+++ b/guides/source/action_controller_overview.md
@@ -1210,7 +1210,8 @@ You can set it to a String, a Regexp, or an array of both.
 config.filter_redirect.concat ['s3.amazonaws.com', /private_path/]
 ```
-Matching URLs will be marked as '[FILTERED]'.
+Matching URLs will be replaced with '[FILTERED]'. However, if you only wish to filter the parameters, not the whole URLs,
+please take a look at [Parameters Filtering](#parameters-filtering).
 Rescue
 ------