Rails Code Audit Tips - Filtered Parameter Logging
44 comments Latest by jewelry-magic01@hotmail.com Thu, 02 Sep 2010 02:30:08 GMT
It’s been a month since I posted Audit Your Rails Development Team, and now I find myself sitting in a hotel room in Mankato, Minnesota with Graeme after a long day of walking through the documents that we delivered to our client after conducting a Rails Code Audit and Review. Our client felt that it would be a great idea to have us visit with six of their employees and walk through the various topics that we brought up in our process. We’ve been doing several of these audits recently and thought that it would be a good idea to begin sharing some problems that we’ve discovered across projects.
As much as we like to find lots of things that we’d recommend improving in Rails applications, we also want to make sure that as many projects as possible avoid some of these common oversights. So, expect to see more posts related to things that we find through our Code Audit and Review process.
Today, I’d like to point out a potential security problem that is often overlooked by developers and system administrators.
Log files.
Does your application request any of the following information from your users?
- Social security number
- Credit card data (number, expiration date, etc.)
- Passwords
BY DEFAULT, every one of those values is written to your production log file. Even if you encrypt the data in your database, Rails logs the request parameters (GET and POST) of every request in plain text, so the log holds an unencrypted copy. Log files are also notorious for loose file permissions: on a shared host, other accounts on the server may well be able to read them, and they are routinely copied into backups and handed to developers for debugging. However secure you believe your server is, this isn’t data that you want sitting around.
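To find out whether this has already happened on a running site, here is an added example (not code from the original post) that scans a log for values that look like card numbers. It applies a Luhn check so that ordinary ids, phone numbers and timestamps stay out of the results, and it reports only masked numbers, so the audit output does not itself become a second copy of the leak. The log excerpt is constructed in the Rails 2.x format and uses the standard test card number, not a real one.

```ruby
# Added example, not part of the original post: audit a production.log for
# card numbers that the default parameter logging may already have leaked.

# Luhn check keeps ordinary ids, timestamps and phone numbers out of the hits.
def luhn_valid?(digits)
  sum = digits.reverse.each_char.each_with_index.sum do |ch, i|
    d = ch.to_i
    if i.odd?
      d *= 2
      d -= 9 if d > 9
    end
    d
  end
  sum % 10 == 0
end

# Returns [line_number, masked_number] pairs for every run of 13 to 19 digits
# (optionally separated by spaces or dashes) that passes the Luhn check.
# Only the first six and last four digits are kept, so the report can be
# shared without re-leaking the data.
def find_card_numbers(log_text)
  hits = []
  log_text.each_line.with_index(1) do |line, no|
    line.scan(/\b(?:\d[ -]?){12,18}\d\b/) do |match|
      digits = match.gsub(/[ -]/, '')
      next unless luhn_valid?(digits)
      masked = "#{digits[0, 6]}#{'*' * (digits.size - 10)}#{digits[-4, 4]}"
      hits << [no, masked]
    end
  end
  hits
end

# Constructed log excerpt in Rails 2.x format. The first request was logged
# before filter_parameter_logging was added, the second one after; the third
# carries long numbers that are not card numbers and must not be reported.
SAMPLE_LOG = <<~LOG
  Processing OrdersController#create (for 10.0.0.5 at 2010-06-01 14:02:11) [POST]
    Parameters: {"order"=>{"credit_card_number"=>"4111111111111111", "expiration"=>"12/12"}, "action"=>"create", "controller"=>"orders"}
  Completed in 120ms (View: 40, DB: 12) | 302 Found [http://example.test/orders]
  Processing OrdersController#create (for 10.0.0.5 at 2010-06-01 14:03:58) [POST]
    Parameters: {"order"=>{"credit_card_number"=>"[FILTERED]", "expiration"=>"[FILTERED]"}, "action"=>"create", "controller"=>"orders"}
  Processing SessionsController#create (for 10.0.0.7 at 2010-06-01 14:05:00) [POST]
    Parameters: {"user"=>{"phone"=>"5551234567890", "tracking_id"=>"1234567890123456"}}
LOG

if __FILE__ == $0
  # On a real box: find_card_numbers(File.read("log/production.log"))
  find_card_numbers(SAMPLE_LOG).each { |no, masked| puts "line #{no}: #{masked}" }
end
```

Run it against each rotated log as well as the live one; a hit means the old files need to be purged, not just the filter deployed.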
Lucky for you, Ruby on Rails has an easy solution to this problem! All that you need to do is use the filter_parameter_logging method in your controller(s). We generally add something like the following to our application controller.
filter_parameter_logging :social_security_number, :password, :credit_card_number, 'some-other-param'
This replaces the value of any parameter whose name contains one of those words with [FILTERED] in the Parameters: line that Rails logs for each request. The match is a case-insensitive substring match on the parameter name, so :password also covers password_confirmation, and a matched key loses its whole value even when that value is a nested hash. Be aware of what it does not cover: anything you log yourself (a stray logger.info(params.inspect)), the SQL that ActiveRecord logs at debug level, and the logs already sitting on disk, which still have to be purged. Rails 3 deprecates filter_parameter_logging in favour of config.filter_parameters in config/application.rb, which takes the same list of names.
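As an added example (not Rails’ own implementation), here is a stand-alone Ruby version of what filter_parameter_logging does to the Parameters: line, so the before and after can be seen without booting an application. It follows the Rails 2.x behaviour: one case-insensitive regexp is built from the filter words, a match on the parameter name masks the whole value (nested hashes included), and because it is a substring match, :password also covers password_confirmation. Descending into arrays and escaping the words before building the regexp are small additions of my own. The sample request is constructed.

```ruby
# Added example, not Rails' own code: a stand-alone mirror of the Rails 2.x
# filter_parameter_logging behaviour, with a before/after log comparison.
require 'logger'
require 'stringio'

# Build one case-insensitive regexp from the filter words and mask every
# parameter whose *name* matches it. A matching key loses its whole value,
# even when that value is a nested hash. Array handling and Regexp.escape
# are additions over the Rails 2.x code.
def filter_parameters(params, filter_words, mask = '[FILTERED]')
  return params if filter_words.empty? # Rails: no words, no filtering
  pattern = Regexp.new(filter_words.map { |w| Regexp.escape(w.to_s) }.join('|'),
                       Regexp::IGNORECASE)
  walk = lambda do |value|
    case value
    when Hash
      value.each_with_object({}) do |(key, v), out|
        out[key] = key.to_s =~ pattern ? mask : walk.call(v)
      end
    when Array
      value.map { |v| walk.call(v) }
    else
      value
    end
  end
  walk.call(params)
end

# Emits the same "Parameters:" line Rails writes for every request and
# returns what was logged so callers can inspect it.
def log_request(logger, params, filter_words = [])
  shown = filter_parameters(params, filter_words)
  logger.info("  Parameters: #{shown.inspect}")
  shown
end

# Constructed sample request: a checkout form carrying all three kinds of
# data the post warns about (test card number, not a real one).
SAMPLE_PARAMS = {
  'controller' => 'orders',
  'action'     => 'create',
  'order' => {
    'name' => 'Jane Example',
    'social_security_number' => '123-45-6789',
    'credit_card' => { 'number' => '4111111111111111', 'expiration' => '12/12' },
  },
  'user' => { 'password' => 'hunter2', 'password_confirmation' => 'hunter2' },
}.freeze

# The same kind of list the post recommends adding to ApplicationController.
FILTER_WORDS = [:social_security_number, :password, :credit_card].freeze

if __FILE__ == $0
  out = StringIO.new
  logger = Logger.new(out)
  log_request(logger, SAMPLE_PARAMS)               # default Rails behaviour
  log_request(logger, SAMPLE_PARAMS, FILTER_WORDS) # with the filter in place
  puts out.string
end
```

The first logged line shows the card number, SSN and password in the clear; the second shows [FILTERED] in their place, including for password_confirmation, which was never named explicitly.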
So it is our recommendation that, if your application handles any sensitive data, you take advantage of this simple solution. Be sure to read the filter_parameter_logging documentation before you implement it for further usage examples; it also accepts a block if you need custom filtering beyond matching on parameter names.
Stay tuned for more tips and tricks. If you’re interested in contracting us for our Rails Code Audit and Review service, give us a call.
Tomorrow, Graeme and I will be meeting for another day with our clients and then we fly home to Portland, Oregon in the evening. We survived our first tornado warnings, which was exciting as we don’t get those on the west coast. ;-)
Enjoying the content? Be sure to subscribe to my RSS feed.
Thanks for embarrassing me! I just looked at the production.log on a project that was recently launched for a client. Just as you said, there was user credit card data. I’m cleaning up the old logs and deploying this fix immediately! Thanks for the great tip, because I didn’t even think about this as something to look at.
Great tip!
Any idea how to filter ActiveRecord logging too?
You can’t filter your ActiveRecord log messages, but you can limit it to only write to the log in the event of a warning or error using code such as this in your environment.rb or production.rb file:
ActiveRecordLogger = Logger.new("#{RAILS_ROOT}/log/#{RAILS_ENV}.log")
ActiveRecordLogger.level = Logger::WARN
ActiveRecord::Base.logger = ActiveRecordLogger