filter_parameter_logging on "dynamic" parameters

Hi,

I'm using the negative_captcha plugin for my signup form on a website,
and I'd like to have the parameters filtered out in my logs.

My problem is: negative_captcha replaces the parameter names with some
md5 hashes in a before_filter and leaves the unencrypted parameter as a
honeypot to identify bots.
So if I use filter_parameter_logging :password, I end up with this line
in my logs:

Parameters: {... "829334b5e733bd4eefa3d2e02337a7e1"=>"PASSWORD",
"password" => "[FILTERED]" ...}

That's obviously not what I want. I thought I could add
@captcha.fields[:password] as a parameter, but filter_parameter_logging
is a class method so @captcha is nil when it's called.

I'm out of ideas for this, would anyone have a solution or some tips
about this?

If you give filter_parameter_logging a block it will yield parameter
names/values to that block and you can make the decision to filter on
a case by case basis. Is that enough for you?

Fred

Thanks for the quick reply :)

> If you give filter_parameter_logging a block it will yield parameter
> names/values to that block and you can make the decision to filter on
> a case by case basis. Is that enough for you?

I've tried this, but again the fact that filter_parameter_logging is a
class method does not help...

filter_parameter_logging(:some, :other, :parameters) { |k, v|
  v.replace "[FILTERED]" if @captcha.fields.include? k
}

raises an exception saying @captcha is nil. Which is normal, as it is
initialized in a before_filter invoked after the call to
filter_parameter_logging...

What I didn't mention, and what is the core of this problem, is that those
captcha parameters are salted, so they are different for each and every
client. That's why I need to access the initialized @captcha object...

Is it not possible to work out whether a parameter name looks like a
captcha parameter? Failing that, all filter_parameter_logging does
is define an instance method called filter_parameters - you could
define such a method without the help of filter_parameter_logging
(although you might want to take inspiration from the source for
filter_parameter_logging to understand what the filter_parameters
method should look like).

Fred

Hi Fred,

I'm sorry I took so long to answer, I was busy with other
developments...

Thanks for the filter_parameters idea, that was the solution for me.
Guessing whether a parameter name is a captcha worked well too but I
couldn't be selective enough: I had to filter all parameters looking
like an MD5 hash, whereas I'd like to keep emails appearing in my logs on
signups in case I have to trace back a problem from a user.

So I defined a filter_parameters method, which is mainly taken from
the Rails source. I defined my parameter_filter out of a constant array to
emulate the filter_parameter_logging mechanism. This array contains the
param names I was giving to filter_parameter_logging, plus the captcha
params I want to filter out.

I actually don't know how and why my own filter_parameters method gets
called. Any pointer on that?
Would you know of any way to keep a filter-like way of calling this?
(like adding my_own_filter_parameter_logging :param1, :param2)

Thanks for your help!
Olivier
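
A sketch of the approach the thread arrives at, as an added example that is not code from the posters, from Rails or from negative_captcha: a class macro that defines an instance-level filter_parameters, so the per-request mapping of hashed field names is read when parameters are filtered rather than when the class is loaded. The `captcha_field_names` hook, the `SignupController` stand-in and the salting scheme are assumptions; when the mapping is not available, the filter falls back to masking every parameter name that looks like an MD5 hash.

```ruby
require 'digest/md5'

module CaptchaParameterFiltering
  MD5_NAME = /\A[0-9a-f]{32}\z/   # shape of a hashed field name

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Class macro, called like filter_parameter_logging. It defines an
    # instance method, so the captcha mapping is read per request.
    def filter_captcha_parameter_logging(*names)
      sensitive = names.map(&:to_s)
      define_method(:filter_parameters) do |unfiltered|
        fields = captcha_field_names   # hypothetical hook; nil if not set yet
        hashed = fields && sensitive.map { |n| fields[n.to_sym] }.compact
        unfiltered.each_with_object({}) do |(key, value), out|
          name = key.to_s
          out[key] =
            if sensitive.include?(name)
              '[FILTERED]'
            elsif value.is_a?(Hash)
              filter_parameters(value)   # recurse into nested params
            elsif hashed ? hashed.include?(name) : name =~ MD5_NAME
              '[FILTERED]'               # no mapping: mask every hash-like name
            else
              value
            end
        end
      end
    end
  end
end

# Constructed stand-in for a controller (assumption, not a Rails class).
class SignupController
  include CaptchaParameterFiltering
  filter_captcha_parameter_logging :password
  attr_accessor :captcha_field_names   # { :password => "<hashed name>", ... }
end

# Constructed salting scheme, only to get per-client names for the demo;
# it is not how negative_captcha derives its field names.
def hashed_names(salt, *names)
  names.each_with_object({}) { |n, h| h[n] = Digest::MD5.hexdigest("#{salt}-#{n}") }
end
```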
