param filtering for exception notification (closes #8432, thanks for …

…the excellent patch!)

lib/exception_notifier_helper.rb

@@ -23,6 +23,7 @@
 module ExceptionNotifierHelper
   VIEW_PATH = "views/exception_notifier"
   APP_PATH = "#{RAILS_ROOT}/app/#{VIEW_PATH}"
+  PARAM_FILTER_REPLACEMENT = "[FILTERED]"
 
   def render_section(section)
     RAILS_DEFAULT_LOGGER.info("rendering section #{section.inspect}")
@@ -60,4 +61,17 @@ def inspect_value(value)
   def object_to_yaml(object)
     object.to_yaml.sub(/^---\s*/m, "")
   end
+
+  def exclude_raw_post_parameters?
+    @controller && @controller.respond_to?(:filter_parameters)
+  end
+
+  def filter_sensitive_post_data_parameters(parameters)
+    exclude_raw_post_parameters? ? @controller.filter_parameters(parameters) : parameters
+  end
+
+  def filter_sensitive_post_data_from_env(env_key, env_value)
+    return env_value unless exclude_raw_post_parameters?
+    (env_key =~ /RAW_POST_DATA/i) ? PARAM_FILTER_REPLACEMENT : env_value
+  end
 end

test/exception_notifier_helper_test.rb

@@ -0,0 +1,61 @@
+require 'test_helper'
+require 'exception_notifier_helper'
+
+class ExceptionNotifierHelperTest < Test::Unit::TestCase
+
+  class ExceptionNotifierHelperIncludeTarget
+    include ExceptionNotifierHelper
+  end
+
+  def setup
+    @helper = ExceptionNotifierHelperIncludeTarget.new
+  end
+
+  # No controller
+
+  def test_should_not_exclude_raw_post_parameters_if_no_controller
+    assert !@helper.exclude_raw_post_parameters?
+  end
+
+  # Controller, no filtering
+
+  class ControllerWithoutFilterParameters; end
+
+  def test_should_not_filter_env_values_for_raw_post_data_keys_if_controller_can_not_filter_parameters
+    stub_controller(ControllerWithoutFilterParameters.new)
+    assert @helper.filter_sensitive_post_data_from_env("RAW_POST_DATA", "secret").include?("secret")
+  end
+  def test_should_not_exclude_raw_post_parameters_if_controller_can_not_filter_parameters
+    stub_controller(ControllerWithoutFilterParameters.new)
+    assert !@helper.exclude_raw_post_parameters?    
+  end
+  def test_should_return_params_if_controller_can_not_filter_parameters
+    stub_controller(ControllerWithoutFilterParameters.new)
+    assert_equal :params, @helper.filter_sensitive_post_data_parameters(:params)
+  end
+
+  # Controller with filtering
+
+  class ControllerWithFilterParameters
+    def filter_parameters(params); :filtered end
+  end
+
+  def test_should_filter_env_values_for_raw_post_data_keys_if_controller_can_filter_parameters
+    stub_controller(ControllerWithFilterParameters.new)
+    assert !@helper.filter_sensitive_post_data_from_env("RAW_POST_DATA", "secret").include?("secret")
+    assert @helper.filter_sensitive_post_data_from_env("SOME_OTHER_KEY", "secret").include?("secret")
+  end
+  def test_should_exclude_raw_post_parameters_if_controller_can_filter_parameters
+    stub_controller(ControllerWithFilterParameters.new)
+    assert @helper.exclude_raw_post_parameters?
+  end
+  def test_should_delegate_param_filtering_to_controller_if_controller_can_filter_parameters
+    stub_controller(ControllerWithFilterParameters.new)
+    assert_equal :filtered, @helper.filter_sensitive_post_data_parameters(:params)
+  end
+
+  private
+    def stub_controller(controller)
+      @helper.instance_variable_set(:@controller, controller)
+    end
+end

test/test_helper.rb

@@ -0,0 +1,7 @@
+require 'test/unit'
+require 'rubygems'
+require 'active_support'
+
+$:.unshift File.join(File.dirname(__FILE__), '../lib')
+
+RAILS_ROOT = '.' unless defined?(RAILS_ROOT)

views/exception_notifier/_environment.rhtml

@@ -1,6 +1,6 @@
 <% max = @request.env.keys.max { |a,b| a.length <=> b.length } -%>
 <% @request.env.keys.sort.each do |key| -%>
-* <%= "%*-s: %s" % [max.length, key, @request.env[key].to_s.strip] %>
+* <%= "%*-s: %s" % [max.length, key, filter_sensitive_post_data_from_env(key, @request.env[key].to_s.strip)] %>
 <% end -%>
 
 * Process: <%= $$ %>

views/exception_notifier/_request.rhtml

@@ -1,3 +1,3 @@
 * URL: <%= @request.protocol %><%= @host %><%= @request.request_uri %>
-* Parameters: <%= @request.parameters.inspect %>
+* Parameters: <%= filter_sensitive_post_data_parameters(@request.parameters).inspect %>
 * Rails root: <%= @rails_root %>