From d1058a030e47438b247eb9959a494eec2884a6f8 Mon Sep 17 00:00:00 2001
From: Russell Osborne
Date: Sun, 4 Dec 2016 02:10:01 -0500
Subject: [PATCH 1/4] Remove filtered params from being stored in db

---
 app/controllers/impressionist_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/impressionist_controller.rb b/app/controllers/impressionist_controller.rb
index f23a9fc..5fbc1dd 100644
--- a/app/controllers/impressionist_controller.rb
+++ b/app/controllers/impressionist_controller.rb
@@ -59,7 +59,7 @@ module ImpressionistController
 :session_hash => session_hash,
 :ip_address => request.remote_ip,
 :referrer => request.referer,
- :params => params_hash
+ :params => params_hash.except(Rails.application.config.filter_parameters)
 )
 end

From b59f640b199576be5ba7491e59c1e881dba98ea4 Mon Sep 17 00:00:00 2001
From: Russell Osborne
Date: Sun, 4 Dec 2016 02:22:55 -0500
Subject: [PATCH 2/4] Use action dispatch filter to support nested filters and other rails 5 features.

---
 app/controllers/impressionist_controller.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/controllers/impressionist_controller.rb b/app/controllers/impressionist_controller.rb
index 5fbc1dd..9bfcb22 100644
--- a/app/controllers/impressionist_controller.rb
+++ b/app/controllers/impressionist_controller.rb
@@ -51,6 +51,7 @@ module ImpressionistController
 # creates a statment hash that contains default values for creating an impression via an AR relation.
 def associative_create_statement(query_params={})
+ filter = ActionDispatch::Http::ParameterFilter.new(Rails.application.config.filter_parameters)
 query_params.reverse_merge!(
 :controller_name => controller_name,
 :action_name => action_name,
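Review bot: `associative_create_statement` constructs a fresh `ActionDispatch::Http::ParameterFilter` from `Rails.application.config.filter_parameters` on every call (the `@@ -51,6 +51,7 @@` hunk of PATCH 2/4); the request already carries the application's filter via `request.filtered_parameters`, and if `params_hash` is kept for its own key stripping the filter should at least be memoized, e.g. `@_impressionist_param_filter ||= ActionDispatch::Http::ParameterFilter.new(Rails.application.config.filter_parameters)`. The hunk that applies it (`:params => filter.filter(params_hash)` in `@@ -59,7 +60,7 @@`) covers only this statement builder; if any other code path in the concern assembles an impression with `:params` from `params_hash`, that path still persists unredacted values — the rest of the module is outside these hunks, so I cannot confirm either way. Redaction here is by key name, so a secret submitted under a key not listed in `filter_parameters` is stored verbatim, which is worth a comment on the `:params` line such as `# only keys matching config.filter_parameters are redacted; treat the stored column as sensitive`. `ActionDispatch::Http::ParameterFilter` was later deprecated in favour of `ActiveSupport::ParameterFilter` (Rails 6.0), so a constant lookup guarded by `defined?` may be needed if the gem targets newer Rails.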
@@ -59,7 +60,7 @@ module ImpressionistController
 :session_hash => session_hash,
 :ip_address => request.remote_ip,
 :referrer => request.referer,
- :params => params_hash.except(Rails.application.config.filter_parameters)
+ :params => filter.filter(params_hash)
 )
 end

From 90815302ea2c7f798cb92e6bcf40be9277e28105 Mon Sep 17 00:00:00 2001
From: Russell Osborne
Date: Thu, 1 Jun 2017 20:54:17 -0400
Subject: [PATCH 3/4] Add basic test to verify the positive context of filtering params

---
 .../spec/controllers/articles_controller_spec.rb | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/tests/test_app/spec/controllers/articles_controller_spec.rb b/tests/test_app/spec/controllers/articles_controller_spec.rb
index ab35124..2cf6c02 100644
--- a/tests/test_app/spec/controllers/articles_controller_spec.rb
+++ b/tests/test_app/spec/controllers/articles_controller_spec.rb
@@ -71,4 +71,20 @@ describe ArticlesController do
 Impression.last.session_hash.size.should eq 32
 Impression.last.referrer.should eq nil
 end
+
+ describe "when filtering params" do
+ before do
+ @_filtered_params = Rails.application.config.filter_parameters
+ Rails.application.config.filter_parameters = [:password]
+ end
+
+ it "should FILTER params that are included in filtering {}" do
+ get "index", password: "best-password-ever"
+ Impression.last.params.should eq("password" => "[FILTERED]")
+ end
+
+ after do
+ Rails.application.config.filter_parameters = @_filtered_params
+ end
+ end
 end

From 82db214c67b2856f7d7698550bc77d456a0059c7 Mon Sep 17 00:00:00 2001
From: Russell Osborne
Date: Thu, 1 Jun 2017 20:55:26 -0400
Subject: [PATCH 4/4] Improve test name to be better english.

---
 tests/test_app/spec/controllers/articles_controller_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/test_app/spec/controllers/articles_controller_spec.rb b/tests/test_app/spec/controllers/articles_controller_spec.rb
index 2cf6c02..c41eda2 100644
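Review bot: The new example in `@@ -71,4 +71,20 @@` asserts only the redacted key, so it would pass equally if the filter blanked or dropped every parameter; send a second parameter and pin it, e.g. `get "index", password: "best-password-ever", title: "kept"` and `Impression.last.params.should eq("password" => "[FILTERED]", "title" => "kept")` (assuming `params_hash` leaves unlisted keys unchanged, which I cannot see from here). The example also depends on the controller re-reading `Rails.application.config.filter_parameters` on each request, because `before` swaps the config at runtime; if the filter is ever memoized across requests the swap will not take effect and this test fails for an unrelated reason, so a comment in the `before` block such as `# filter_parameters is swapped at runtime; the controller must not cache its filter` would save the next maintainer a detour. If the test app is on Rails 5, the positional form `get "index", password: ...` is deprecated there in favour of `get :index, params: { password: "best-password-ever" }`.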
--- a/tests/test_app/spec/controllers/articles_controller_spec.rb
+++ b/tests/test_app/spec/controllers/articles_controller_spec.rb
@@ -78,7 +78,7 @@ describe ArticlesController do
 Rails.application.config.filter_parameters = [:password]
 end
- it "should FILTER params that are included in filtering {}" do
+ it "values should not be recorded" do
 get "index", password: "best-password-ever"
 Impression.last.params.should eq("password" => "[FILTERED]")
 end