Open thebravoman opened 3 years ago
I was wondering if you've had the chance to look at this. It seems to be a security issue, as the secret key base is how most of the security in Rails is handled, so I think it should not be exposed.
For me it shows up as:
* action_dispatch.secret_key_base : [FILTERED]
Did you set up your Rails.application.config.filter_parameters correctly?
No, I did not realize that exception_notification was using filter_parameters
Should it be like
Rails.application.config.filter_parameters += [:password, :secret_key_base]
Would you accept a PR that gives more information about filter_parameters?
Update: I can confirm that Rails.application.config.filter_parameters += [:password, :secret_key_base] removes the :secret_key_base
The default for a Rails 6 app is this, it is what I use:
config/initializers/filter_parameter_logging.rb :
# Be sure to restart your server when you modify this file.
# Configure sensitive parameters which will be filtered from the log file.
Rails.application.config.filter_parameters += [
:passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
]
I'm not the original author, so I cannot accept your PR if you create one.
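As an added example (not exception_notification's or Rails' own code), the block below re-implements, in simplified form, the case-insensitive substring matching that Rails' ActiveSupport::ParameterFilter applies to config.filter_parameters, and runs the three filter lists from this thread over a constructed environment hash. SimpleParameterFilter, SAMPLE_ENV and the placeholder values are assumptions made here; the point it demonstrates is why a lone :password entry leaves action_dispatch.secret_key_base in the mail while either the :secret_key_base addition or the Rails 6 defaults (:secret and :_key both match the key) filter it out.

```ruby
# Added example: a simplified stand-in for Rails' ActiveSupport::ParameterFilter.
# Rails compiles string/symbol filters into one case-insensitive regex and tests
# it against each key, so a filter matches as a substring of the key.
class SimpleParameterFilter
  FILTERED = "[FILTERED]".freeze

  # filters: symbols or strings (matched as case-insensitive substrings of the
  # key, as Rails does) or Regexps passed through unchanged.
  def initialize(filters)
    @regexps = filters.map do |f|
      f.is_a?(Regexp) ? f : Regexp.new(Regexp.escape(f.to_s), Regexp::IGNORECASE)
    end
  end

  # Returns a copy of `params` with values of matching keys replaced by
  # "[FILTERED]", recursing into nested hashes and arrays of hashes.
  def filter(params)
    params.each_with_object({}) do |(key, value), out|
      out[key] =
        if @regexps.any? { |re| re.match?(key.to_s) }
          FILTERED
        elsif value.is_a?(Hash)
          filter(value)
        elsif value.is_a?(Array)
          value.map { |v| v.is_a?(Hash) ? filter(v) : v }
        else
          value
        end
    end
  end
end

# Constructed sample of the kind of request environment an exception mail
# includes (placeholder values, not a real key or token).
SAMPLE_ENV = {
  "action_dispatch.secret_key_base" => "placeholder-secret-key-base",
  "action_dispatch.request_id" => "abc123",
  "rack.session" => { "user_id" => 42, "csrf_token" => "placeholder-token" },
}.freeze

# Single filtered param, as in an app carried forward from old Rails versions.
LEGACY_FILTERS = [:password].freeze

# The fix confirmed in this thread.
ISSUE_FILTERS = [:password, :secret_key_base].freeze

# Rails 6 generator default from config/initializers/filter_parameter_logging.rb.
RAILS6_FILTERS = [:passw, :secret, :token, :_key, :crypt, :salt,
                  :certificate, :otp, :ssn].freeze

def filtered_env(filters, env = SAMPLE_ENV)
  SimpleParameterFilter.new(filters).filter(env)
end

# True when secret_key_base would still appear in clear text after filtering.
def leaks_secret_key_base?(filters, env = SAMPLE_ENV)
  filtered_env(filters, env)["action_dispatch.secret_key_base"] !=
    SimpleParameterFilter::FILTERED
end

if __FILE__ == $PROGRAM_NAME
  { legacy: LEGACY_FILTERS, issue: ISSUE_FILTERS, rails6: RAILS6_FILTERS }.each do |name, filters|
    puts "#{name}: leaks=#{leaks_secret_key_base?(filters)} #{filtered_env(filters).inspect}"
  end
end
```

Note that the Rails 6 list also filters the nested csrf_token (via :token) while leaving non-sensitive keys such as action_dispatch.request_id readable, which is the behaviour you want in an exception mail.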
Got it.
I have been running this platform since Rails 2 and there was only one filtered param.
Will add the rest.
On Tue, Aug 17, 2021, 13:48 Frank Groeneveld @.***> wrote:
Steps to reproduce
This is the secret_key_base that is leaking through the email.
Expected behavior
Hide the secret_key_base
Actual behavior
It is in the email as action_dispatch.secret_key_base
System configuration
Rails version: 6.0
Ruby version: 2.6.5
Other configurations: