UpdatesController::LogSubscriber should obfuscate sensitive information #239
Comments
|
Could you share your patch? It can be tricky to have some generic solution: somebody may want to log messages with commands ( |
|
Sure: module Telegram
module Bot
class UpdatesController
class LogSubscriber
FILTERED_PARAMS = %i[text].freeze
def start_processing(event)
info do
payload = event.payload
update = sanitize_sensitive_data(payload[:update])
"Processing by #{payload[:controller]}##{payload[:action]}\n " \
"Update: #{update.to_json}"
end
end
private
def sanitize_sensitive_data(update)
parameter_filter.filter(update)
end
def parameter_filter
@parameter_filter ||= ActiveSupport::ParameterFilter.new(FILTERED_PARAMS)
end
end
end
end
endMaybe we could also leave the default as it is but provide a config option to enable filtering in logs? |
|
Let me know if that makes sense to you / if you have any preferences regarding implementation and I'd be glad to work on this one some time during the week @printercu. |
|
@florianfelsing Thanks for the patch! I altered your Also added a conditional so it won't filter anything in local dev environments. def start_processing(event)
info do
payload = event.payload
update = payload[:update].to_h
update = sanitize_sensitive_data(update) unless Rails.env.local?
"Processing by #{payload[:controller]}##{payload[:action]}\n " \
"Update: #{update.to_json}"
end
end |
|
Thanks for following up with this! |
Right now the gem is basically logging the complete payload:
I think that especially in production settings it would be a good practice to at least obfuscate the text parts. As a default or via configuration.
For now I've monkey patched this in my app, but I think this would be a good thing to implement on the gem level? I'd be happy to help implement this.
The text was updated successfully, but these errors were encountered: