1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00

Include the model name when filtering encrypted attributes.

For example, when encrypting `Person#name` it will add `person.name` as a filter
parameter, instead of just `name`. This prevents unintended filtering of parameters
with a matching name in other models.

Closes https://github.com/rails/rails/issues/44330
This commit is contained in:
Jorge Manrubia 2022-02-08 18:06:01 +01:00
parent c21c4139e1
commit 67d6183694
4 changed files with 31 additions and 3 deletions

View file

@ -1,3 +1,11 @@
* Use the model name as a prefix when filtering encrypted attributes from logs.
For example, when encrypting `Person#name` it will add `person.name` as a filter
parameter, instead of just `name`. This prevents unintended filtering of parameters
with a matching name in other models.
*Jorge Manrubia*
* Fix `config.active_record.destroy_association_async_job` configuration * Fix `config.active_record.destroy_association_async_job` configuration
`config.active_record.destroy_association_async_job` should allow `config.active_record.destroy_association_async_job` should allow

View file

@ -52,9 +52,15 @@ module ActiveRecord
def install_auto_filtered_parameters_hook(application) # :nodoc: def install_auto_filtered_parameters_hook(application) # :nodoc:
ActiveRecord::Encryption.on_encrypted_attribute_declared do |klass, encrypted_attribute_name| ActiveRecord::Encryption.on_encrypted_attribute_declared do |klass, encrypted_attribute_name|
application.config.filter_parameters << encrypted_attribute_name unless ActiveRecord::Encryption.config.excluded_from_filter_parameters.include?(encrypted_attribute_name) filter_parameter = [("#{klass.model_name.element}" if klass.name), encrypted_attribute_name.to_s].compact.join(".")
application.config.filter_parameters << filter_parameter unless excluded_from_filter_parameters?(filter_parameter)
end end
end end
private
def excluded_from_filter_parameters?(filter_parameter)
ActiveRecord::Encryption.config.excluded_from_filter_parameters.find { |excluded_filter| excluded_filter.to_s == filter_parameter }
end
end end
end end
end end

View file

@ -41,7 +41,19 @@ class ActiveRecord::Encryption::ConfigurableTest < ActiveRecord::EncryptionTestC
assert_equal :isbn, @attribute_name assert_equal :isbn, @attribute_name
end end
test "install autofiltered params" do test "installing autofiltered parameters will add the encrypted attribute as a filter parameter using the dot notation" do
application = OpenStruct.new(config: OpenStruct.new(filter_parameters: []))
ActiveRecord::Encryption.install_auto_filtered_parameters_hook(application)
NamedPirate = Class.new(Pirate) do
self.table_name = "pirates"
end
NamedPirate.encrypts :catchphrase
assert_includes application.config.filter_parameters, "named_pirate.catchphrase"
end
test "installing autofiltered parameters will work with unnamed classes" do
application = OpenStruct.new(config: OpenStruct.new(filter_parameters: [])) application = OpenStruct.new(config: OpenStruct.new(filter_parameters: []))
ActiveRecord::Encryption.install_auto_filtered_parameters_hook(application) ActiveRecord::Encryption.install_auto_filtered_parameters_hook(application)
@ -50,7 +62,7 @@ class ActiveRecord::Encryption::ConfigurableTest < ActiveRecord::EncryptionTestC
encrypts :catchphrase encrypts :catchphrase
end end
assert_includes application.config.filter_parameters, :catchphrase assert_includes application.config.filter_parameters, "catchphrase"
end end
test "exclude the installation of autofiltered params" do test "exclude the installation of autofiltered params" do

View file

@ -241,6 +241,8 @@ end
By default, encrypted columns are configured to be [automatically filtered in Rails logs](https://guides.rubyonrails.org/action_controller_overview.html#parameters-filtering). You can disable this behavior by adding the following to your `application.rb`: By default, encrypted columns are configured to be [automatically filtered in Rails logs](https://guides.rubyonrails.org/action_controller_overview.html#parameters-filtering). You can disable this behavior by adding the following to your `application.rb`:
When generating the filter parameter, it will use the model name as a prefix. E.g: For `Person#name` the filter parameter will be `person.name`.
```ruby ```ruby
config.active_record.encryption.add_to_filter_parameters = false config.active_record.encryption.add_to_filter_parameters = false
``` ```