Rails automatically masks the parameters listed in `config.filter_parameters` when it writes request parameters to its own log. However, nothing prevents those same parameters from ending up in a URL's query string, which that log filtering cannot protect.
Imagine the case where a login form's method is accidentally set to `get` instead of `post`. The password would then be submitted in the query string.
The values in the query string would then be available in the browser's history, in the access logs of any web server or proxy in front of the application, in `Referer` headers sent to third parties, and potentially in any analytics software that records page URLs.
One solution could be to raise an error in ActionView::Helpers::FormHelper#form_with under the following conditions:
- The form's method is set to `get`.
- The form contains an input whose `name` matches any of the configured filtered parameters.
However, there could be valid cases for building a form containing sensitive parameters (a search form that takes a one-time token, for instance), so there should probably be a way to opt out of this. Either by using a different configuration to store the parameters we want to guard against, or by passing allowed values to the form helper:

```erb
<%= form_with(method: :get, permit_sensitive_params: [:token]) do |form| %>
  <%= form.text_field :token %>
<% end %>
```
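To make the proposed conditions concrete, the following is an added stand-alone Ruby sketch of the check and the opt-out; it is example code, not Rails code and not part of the proposal above. The module and method names, the `SensitiveGetFormError` class, the sample filter list, and the exact-name semantics of the permit list are all assumptions. Strings and symbols are matched as case-insensitive substrings and regexps as-is, mirroring how ActiveSupport::ParameterFilter treats `config.filter_parameters`; nothing here depends on Rails being installed.

```ruby
require "uri"

# Added example, not Rails code. Models the proposed form_with guard:
# a GET form must not carry a field whose name would be masked in the logs,
# unless the caller explicitly permitted that field name.
module SensitiveGetFormGuard
  # Hypothetical error class (assumption, not a Rails constant).
  class SensitiveGetFormError < StandardError; end

  # Constructed sample resembling an app's config.filter_parameters:
  # strings/symbols match as case-insensitive substrings ("passw" hits
  # "password" and "user[password]"), regexps are applied as written.
  FILTERS = [:passw, :secret, :token, /\Aotp\z/].freeze

  # True if this field name would be masked in the Rails log by the filters.
  def self.filtered?(name, filters = FILTERS)
    name = name.to_s
    filters.any? do |f|
      f.is_a?(Regexp) ? name.match?(f) : name.downcase.include?(f.to_s.downcase)
    end
  end

  # What a GET form actually produces: every field lands in the query string
  # of the request URL. Nothing masks it here, in the browser history, or in
  # an upstream access log.
  def self.leaked_url(action, params)
    "#{action}?#{URI.encode_www_form(params)}"
  end

  # Field names that would trip the proposed guard. `method` is the form's
  # HTTP method (form_with defaults to post when nil); `permit` is the
  # hypothetical opt-out list, compared by exact field name (assumption).
  def self.offending_fields(method:, field_names:, filters: FILTERS, permit: [])
    return [] unless (method || :post).to_s.casecmp?("get")

    permitted = permit.map(&:to_s)
    field_names.map(&:to_s).select do |name|
      filtered?(name, filters) && !permitted.include?(name)
    end
  end

  # The proposed behaviour: raise when a GET form exposes a filtered field.
  # Returns true when the form is acceptable.
  def self.check!(method:, field_names:, filters: FILTERS, permit: [])
    bad = offending_fields(method: method, field_names: field_names,
                           filters: filters, permit: permit)
    unless bad.empty?
      raise SensitiveGetFormError,
            "GET form would put filtered parameter(s) #{bad.join(', ')} " \
            "in the query string; use method: :post or permit them explicitly"
    end
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values for a mis-configured login form.
  puts SensitiveGetFormGuard.leaked_url("/login", "email" => "a@b.example",
                                                  "password" => "hunter2")
  begin
    SensitiveGetFormGuard.check!(method: :get, field_names: %w[email password])
  rescue SensitiveGetFormGuard::SensitiveGetFormError => e
    puts "refused: #{e.message}"
  end
  # Opted-out search form with a token, as in the ERB snippet above.
  SensitiveGetFormGuard.check!(method: :get, field_names: %w[token q],
                               permit: [:token])
end
```

Running the file prints the full login URL with the password in the query string, then the refusal the guard would raise; the final call succeeds because `token` is explicitly permitted. In a real implementation the field names are only known after the form block has been captured, so the check would have to run on the rendered output rather than on the `form_with` arguments alone.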