我正在我的应用程序控制器中创建一个日志记录方法。我有以下设置,但由于某种原因,我的参数过滤器没有过滤密码。什么不见了?如何确保我的应用程序是安全的并且所有密码参数都被过滤了?
配置/应用程序.rb
# Configure sensitive parameters which will be filtered from the log file.
config.filter_parameters += [:password]
应用控制器
before_filter :record_activity
def record_activity(note = nil)
@activity={}
@activity['user'] = current_user
@activity['note'] = note
@activity['browser'] = request.env['HTTP_USER_AGENT']
@activity['ip_address'] = request.env['REMOTE_ADDR']
@activity['controller'] = controller_name
@activity['action'] = action_name
@activity['params'] = log_filter(params.inspect)
p @activity
end
终端输出
15:39:38 web.1 |
{"user"=>nil,
"note"=>nil,
"browser"=>"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0) Gecko/20100101 Firefox/20.0",
"ip_address"=>"127.0.0.1",
"controller"=>"sessions",
"action"=>"create",
"params"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"dYofOQ64sTajNVn2JiJWVM+E3kz5jCGazrYBObukBAQ=\",
\"user\"=>{\"email\"=>\"user@domain.com\",
\"password\"=>\"thepasswordexposed\",
\"remember_me\"=>\"0\"},
\"commit\"=>\"Login\",
\"action\"=>\"create\",
\"controller\"=>\"sessions\"}"}
*编辑:* 我添加了以下内容,但它仍然不起作用,有什么建议吗?
def log_filter(hash)
filters = Rails.application.config.filter_parameters
f = ActionDispatch::Http::ParameterFilter.new filters
f.filter hash
end
第 36 行出错...
NoMethodError at /users/sign_in
undefined method `each' for #<String:0x007fa0280b3a68>
36 f.filter hash
回答:
我的解决方案如下,我需要删除 .inspect 并且它开始工作。
def record_activity(note = nil)
@activity={}
@activity['user'] = current_user
@activity['note'] = note
@activity['browser'] = request.env['HTTP_USER_AGENT']
@activity['ip_address'] = request.env['REMOTE_ADDR']
@activity['controller'] = controller_name
@activity['action'] = action_name
@activity['params'] = params
p @activity
end