ActiveSupport::ParameterFilter currently works as a deny list: you
specify the parameters that should be filtered.
For example, to filter password parameters you could do:
Rails.application.config.filter_parameters += [:password]
Some applications have stricter requirements and an allow list filter would be prefered. This is possible with a lambda. For example, only allowing "id"s:
Rails.application.config.filter_parameters += [
lambda { |key, value|
# filter all parameters that aren't :id
value.replace('[FILTERED]') unless key.in?(:id)
}
]
But this can be error prone. For example this doesn’t work if a value is
nil. This is caused because nil.to_s returns a frozen string since Ruby 2.7
and replace isn’t allowed on frozen strings.
In 2022 I’ve created a PR to support allow list filtering. For example, to only allow primary keys and foreign keys you could configure the following:
Rails.application.config.allow_parameters = [:id, /_id\z/]
I’m wondering if I’m the only one running into this issue. Are there other solutions I’m missing?