How to filter parameters in rails?
Ruby on-RailsRubyFilteringRuby on-Rails Problem Overview
Rails has built in log filtering so you don't log passwords and credit cards. Works great for that but when you want to trigger a custom log (like to email) and send your own params or other data along with it, the parameters are obviously not auto-filtered. I have been digging and trying to find this in the rails source but have had no luck so far.
I have configured rails to filter parameters as follows and it works properly for keeping the data out of rails logs:
config.filter_parameters += [:password, :password_confirmation, :credit_card]
How would you filter sensitive data from the params hash before dumping it into an email, api call or custom (non-rails) log?
Ruby on-Rails Solutions
Solution 1 - Ruby on-Rails
Rails 4+
Sidenote for filtering the log in Rails 4+: The config.filter_parameters
has been moved from application.rb to it's own initializer.
config/initializers/filter_parameter_logging.rb
Rails.application.config.filter_parameters += [:password]
Solution 2 - Ruby on-Rails
tadman answered correctly but here is some additional info:
In application.rb
config.filter_parameters += [:password, :password_confirmation, :credit_card]
Wherever you are doing custom logging:
f = ActionDispatch::Http::ParameterFilter.new(Rails.application.config.filter_parameters)
f.filter :order => {:credit_card => "4111111111111111"}
=> {:order=>{:credit_card=>"[FILTERED]"}}
Solution 3 - Ruby on-Rails
You can always use the except
method:
params.except(:password, :password_confirmation, :credit_card)
That will exclude them from the listing. To "filter" them you could try this approach.
Solution 4 - Ruby on-Rails
If you are inside a rails controller method, why not just call request.filtered_parameters
?
It is always a good choice to use what is already provided. Cheers!
Solution 5 - Ruby on-Rails
Just to add on @tadman answer:
When using except
, beware that it will remove only top-level keys of your parameters, eg:
params = {
search_query: 'foobar',
secret_key1: 'SENSITIVE_KEY_1',
auth_info: {secret_key_2: 'SENSITIVE_KEY2'}
}
params.except(:secret_key1, :secret_key2)
=> {:search_query=>"foobar", :auth_info=>{:secret_key_2=>"SENSITIVE_KEY2"}}
Using request.filtered_parameters
will filter both of those keys if they are in config/application.rb
config.filter_parameters += [:password]