nateleavitt / infusionsoft

Ruby Gem for the Infusionsoft API
MIT License

API Key in log? #59

Closed jaredjackson closed 6 years ago

jaredjackson commented 7 years ago

I noticed in my testing that the api_key and api_url are printed in plain text in the log with each call. Not sure if this is intended or not. Seems like I'd prefer that not be in the log files. Just a thought.

nateleavitt commented 7 years ago

👍 Should be able to do log filtering on it. I'm usually particular about this as well.

jaredjackson commented 7 years ago

Two problems with the logger and filtering.

First, it appears that the Rails parameter filter gets called on the http request, so it isn't being applied to any method that directly writes to a log file.

Second, it also seems from what I've been able to test that the Rails filter is applied against the actual hash of parameters. Since the gem is writing a string to the log, it broke when I added the Rails filtering manually.

I'm working on a solution that would either (preferably) use Rails built-in parameter filter or if that doesn't work a regex method of filtering based on the string. I'll work on the first method first since I think that would be the cleanest.

jaredjackson commented 7 years ago

On second thought, I don't think the Rails built-in parameter filter is going to work. That approach assumes a Rails environment. I actually use the gem both in Rails and in a stand-alone scripting environment for certain processing functions. So that method would break in a non-Rails env.
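The two constraints raised in this thread (the gem logs a pre-formatted string rather than a parameter hash, and the filter must work outside Rails) can both be met with a plain-Ruby log formatter that redacts the value after the string has been built. The following is an added example written for this discussion; it is not code from the infusionsoft gem or from the linked branch. It assumes the sensitive parameter is named `api_key` (as the issue states) and uses constructed sample log lines; the `[FILTERED]` marker and the `redact_log_line`/`filter_params`/`redacting_logger` names are this example's own. A hash-based variant is included for call sites that still hold the parameters as a hash, but the string-based path is the one that covers the case described above.

```ruby
require 'logger'
require 'stringio'
require 'time'

# Parameter names whose values must never reach a log file.
# Constructed for this example; api_key is the name used in the issue.
SENSITIVE_KEYS = %w[api_key].freeze

# Redact sensitive values inside an already-formatted log string.
# Covers the shapes a client library typically logs:
#   key=value   key: value   "key"=>"value"   key="value"   ?key=value&...
def redact_log_line(line)
  SENSITIVE_KEYS.reduce(line) do |acc, key|
    # Group 1: the key, optional quotes, separator and whitespace (kept).
    # Then either a quoted value (group 2 = quote, group 3 = value)
    # or a bare value running up to whitespace, ',', '}', ']' or '&'.
    pattern = /(["']?#{Regexp.escape(key)}["']?\s*(?:=>|=|:)\s*)(?:(["'])(.*?)\2|([^\s,}\]&]+))/
    acc.gsub(pattern) do
      prefix = Regexp.last_match(1)
      quote  = Regexp.last_match(2)
      quote ? "#{prefix}#{quote}[FILTERED]#{quote}" : "#{prefix}[FILTERED]"
    end
  end
end

# Hash-based filtering for the case where the parameters are still a Hash
# (the Rails-style approach, without depending on Rails).
def filter_params(params)
  params.each_with_object({}) do |(k, v), out|
    out[k] = SENSITIVE_KEYS.include?(k.to_s) ? '[FILTERED]' : v
  end
end

# A Logger whose formatter redacts every message, so callers that log
# pre-built strings (the situation described in the issue) are covered
# without changing each call site.
def redacting_logger(io = $stdout)
  logger = Logger.new(io)
  logger.formatter = proc do |severity, time, _progname, msg|
    "#{time.getutc.iso8601} #{severity} #{redact_log_line(msg.to_s)}\n"
  end
  logger
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample lines in the shapes a client library might emit.
  log = redacting_logger
  log.info('POST api_key=secret123 method=DataService.query')
  log.info('params={"api_key"=>"secret123", "api_url"=>"https://example.invalid"}')
  log.info('GET https://example.invalid/xmlrpc?api_key=secret123&x=1')
end
```

Redacting at the formatter is a safety net for strings that have already been assembled; the simplest and most robust control is still to never hand the secret to the logger in the first place, which is where this issue ended up.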

jaredjackson commented 7 years ago

This branch has a quick and dirty filter to get the job done. Just really a start at this point for proof of concept.

https://github.com/nateleavitt/infusionsoft/compare/master...jaredjackson:fix/filter-log?expand=1

nateleavitt commented 6 years ago

Hey.. I'm just going to remove the api_key entry from the logs. I think that will solve the security issue.

jaredjackson commented 6 years ago

Sounds good. I had been reworking how the logging would work but I think removing it is probably better.
