
enable filtering of sensitive Rack vars by default

see #185 for more details
1 parent 6544885 commit c9098b13342de17b252b373c7af94e9f2f30b383 @shime shime committed Nov 12, 2013
@@ -150,6 +150,20 @@ Feature: Install the Gem in a Rails application
And the Airbrake notification should not contain "blue42"
And the Airbrake notification should contain "FILTERED"
+ Scenario: Filtering sensitive Rack variables
+ When I configure the Airbrake shim
+ And I run `rails generate airbrake -k myapikey -t`
+ When I configure the notifier to use the following configuration lines:
+ """
+ config.logger = Logger.new STDOUT
+ """
+ And I define a response for "TestController#index":
+ """
+ raise RuntimeError
+ """
+ Then I should receive a Airbrake notification
+ And the Airbrake notification should not contain any of the sensitive Rack variables
+
Scenario: Notify airbrake within the controller
When I configure the Airbrake shim
And I run `rails generate airbrake -k myapikey -t`
@@ -253,6 +253,13 @@ def #{current_user}
step %{the last notice sent should contain "<id>1</id>"}
end
+Then /^the Airbrake notification should not contain any of the sensitive Rack variables$/ do
+ sensitive_rack_data_regex = FILTERED_RACK_VARS.map do |var|
+ Regexp.quote(var)
+ end.join("|")
+ step %{the last notice sent should not contain "#{sensitive_rack_data_regex}"}
+end
+
Then /^the last notice sent should contain "([^\"]*)"$/ do |data|
last_notice = File.read(LAST_NOTICE)
last_notice.should match(%r{#{data}})
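Review bot: The new step `the Airbrake notification should not contain any of the sensitive Rack variables` only asserts that the variable names are absent from the notice, so a sensitive value copied under a different key would still pass; a stronger check would also assert that a known cookie or session value set up in the scenario does not appear anywhere in the notice. The map/join can be replaced by `Regexp.union(FILTERED_RACK_VARS).source`, which escapes each name and builds the alternation in one call. Note that `FILTERED_RACK_VARS` is referenced unqualified here, which works only because the env helper strips the `module Airbrake` wrapper and defines the constants at top level; a short comment on the step saying so would save the next reader a search.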
@@ -263,7 +270,6 @@ def #{current_user}
last_notice.should_not match(%r{#{data}})
end
-
Then /^the Airbrake notification should contain the framework information$/ do
step %{the last notice sent should contain "Rails: #{ENV["RAILS_VERSION"]}"}
end
@@ -1,16 +1,20 @@
require 'active_support'
require 'nokogiri'
require 'rspec'
-require "aruba/cucumber"
+require 'aruba/cucumber'
+require 'pry'
-PROJECT_ROOT = File.expand_path(File.join(File.dirname(__FILE__), '..', '..')).freeze
-TEMP_DIR = File.join(PROJECT_ROOT, 'tmp').freeze
-LOCAL_RAILS_ROOT = File.join(TEMP_DIR, 'rails_root').freeze
-RACK_FILE = File.join(TEMP_DIR, 'rack_app.rb').freeze
-LAST_NOTICE = File.join(PROJECT_ROOT, 'resources', 'notice.xml')
+PROJECT_ROOT = File.expand_path(File.join(File.dirname(__FILE__), '..', '..')).freeze
+TEMP_DIR = File.join(PROJECT_ROOT, 'tmp').freeze
+LOCAL_RAILS_ROOT = File.join(TEMP_DIR, 'rails_root').freeze
+RACK_FILE = File.join(TEMP_DIR, 'rack_app.rb').freeze
+LAST_NOTICE = File.join(PROJECT_ROOT, 'resources', 'notice.xml')
+ORIGINAL_RACK_FILTERS = File.join(PROJECT_ROOT, 'lib', 'airbrake', 'utils', 'rack_filters.rb')
Before do
FileUtils.rm_rf(LOCAL_RAILS_ROOT)
+
+ reload_rack_filters
end
When /^I reset Bundler environment variable$/ do
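Review bot: `require 'pry'` at the top of the env file looks like a leftover debugging aid; nothing in this hunk uses it, and it makes every cucumber run depend on the pry gem being available, so it should be dropped or guarded. The new `ORIGINAL_RACK_FILTERS` constant is, apart from `LAST_NOTICE`, the only path constant in this block without `.freeze`; for consistency with the lines above it: `ORIGINAL_RACK_FILTERS = File.join(PROJECT_ROOT, 'lib', 'airbrake', 'utils', 'rack_filters.rb').freeze`.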
@@ -23,3 +27,11 @@ def prepend_path(path)
ENV['PATH'] = path + ":" + ENV['PATH']
end
+def reload_rack_filters
+ original_filters = File.read(ORIGINAL_RACK_FILTERS)
+
+ File.write(File.join(TEMP_DIR, "rack_filters.rb"),
+ original_filters.lines[1..-2].join("\n"))
+
+ require File.join(TEMP_DIR, "rack_filters.rb")
+end
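Review bot: `reload_rack_filters` does not reload anything after the first scenario, because `require` evaluates a file only once per process; the call added to the `Before` hook is therefore a no-op from the second scenario on. If the intent is to re-evaluate the filter list before each scenario, use `load File.join(TEMP_DIR, "rack_filters.rb")` (and expect constant-redefinition warnings); if a single load is enough, a plain top-level require is clearer than a hook. `original_filters.lines` already keeps each line's trailing newline, so `join("\n")` doubles every line break — `.join` with no separator is sufficient. Slicing `lines[1..-2]` silently assumes the source file's first line is `module Airbrake` and its last is `end`; a one-line comment stating that assumption, e.g. `# strip the "module Airbrake" / "end" wrapper so the constants load at top level`, would protect against a later reformat of rack_filters.rb breaking the suite.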
@@ -9,6 +9,7 @@
require 'logger'
require 'airbrake/version'
+require 'airbrake/utils/rack_filters'
require 'airbrake/utils/params_cleaner'
require 'airbrake/configuration'
require 'airbrake/notice'
@@ -55,8 +55,9 @@ def clean_session_data
def clean_rack_request_data
if @cgi_data
- @cgi_data.delete("rack.request.form_vars")
- @cgi_data.delete("action_dispatch.secret_token")
+ Airbrake::FILTERED_RACK_VARS.each do |var|
+ @cgi_data.delete var
+ end
end
end
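Review bot: The filter now matches env keys exactly and only, so any key not enumerated in `Airbrake::FILTERED_RACK_VARS` (present or future) is reported verbatim; a comment on this method saying that the list is the single place to extend, e.g. `# Removes env keys listed in Airbrake::FILTERED_RACK_VARS (exact match only)`, would make that contract explicit. Style-wise the nesting can go: `return unless @cgi_data` followed by `Airbrake::FILTERED_RACK_VARS.each { |var| @cgi_data.delete(var) }` reads better than the `if` wrapping a `do` block, and keeps the parentheses on `delete` that the rest of the file appears to use.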
@@ -0,0 +1,39 @@
+module Airbrake
+ SENSITIVE_RACK_VARS = %w(
+ HTTP_X_CSRF_TOKEN
+ HTTP_COOKIE
+
+ action_dispatch.request.unsigned_session_cookie
+ action_dispatch.cookies
+ action_dispatch.unsigned_session_cookie
+ action_dispatch.secret_key_base
+ action_dispatch.signed_cookie_salt
+ action_dispatch.encrypted_cookie_salt
+ action_dispatch.encrypted_signed_cookie_salt
+ action_dispatch.http_auth_salt
+ action_dispatch.secret_token
+
+ rack.request.cookie_hash
+ rack.request.cookie_string
+ rack.request.form_vars
+
+ rack.session
+ rack.session.options
+ )
+
+ RACK_VARS_CONTAINING_INSTANCES = %w(
+ action_controller.instance
+
+ action_dispatch.backtrace_cleaner
+ action_dispatch.routes
+ action_dispatch.logger
+ action_dispatch.key_generator
+
+ rack-cache.storage
+
+ rack.errors
+ rack.input
+ )
+
+ FILTERED_RACK_VARS = SENSITIVE_RACK_VARS + RACK_VARS_CONTAINING_INSTANCES
+end
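Review bot: All three constants are mutable arrays that `clean_rack_request_data` consults on every notice, so an accidental `<<` anywhere in the process would change what is filtered globally; add `.freeze` after each `%w( ... )` literal and after the `SENSITIVE_RACK_VARS + RACK_VARS_CONTAINING_INSTANCES` concatenation. The module carries no comment explaining the two groups; a header such as `# SENSITIVE_RACK_VARS: env keys that carry credentials or session material` / `# RACK_VARS_CONTAINING_INSTANCES: env keys holding live objects that should not be serialized into a notice` would make the split self-explanatory to whoever extends it next. `HTTP_AUTHORIZATION` is absent from `SENSITIVE_RACK_VARS` although it carries the request's credentials in the same way `HTTP_COOKIE` does; worth confirming whether that omission is deliberate, since the new exact-key filter in params_cleaner will pass it through.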
