From 8b5d687b7a97b21b9e5577ef4ec85b461f092cd3 Mon Sep 17 00:00:00 2001
From: evazion
Date: Sun, 6 Feb 2022 15:14:01 -0600
Subject: [PATCH] rails: add more attributes to filtered params list.

Add more sensitive attributes to the filtered parameters list so that they aren't shown in exception messages, and aren't logged in log files or to NewRelic. Only do this in production so that in testing and development, you can still see these things when inspecting objects on the console.
---
 config/application.rb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/config/application.rb b/config/application.rb
index ddb5e1b87..34fabadbb 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -48,7 +48,14 @@ module Danbooru
 config.load_defaults 6.1
 config.active_record.schema_format = :sql
 config.encoding = "utf-8"
- config.filter_parameters += [:password, :password_confirmation, :password_hash, :api_key]
+
+ # Hide sensitive model attributes and request params in exception messages,
+ # log files, and in NewRelic. These are substring matches, so they match
+ # any attribute or request param containing the word 'password' etc.
+ #
+ # https://guides.rubyonrails.org/configuring.html#config-filter-parameters
+ config.filter_parameters += [:password, :api_key, :secret, :ip_addr, :address, :email_verification_key, :signed_user_id] if Rails.env.production?
+
 # config.assets.enabled = true
 # config.assets.version = '1.0'
 config.autoload_paths += %W(#{config.root}/app/presenters #{config.root}/app/logical/concerns #{config.root}/app/logical #{config.root}/app/mailers)
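Review bot: The `if Rails.env.production?` guard on the new `config.filter_parameters` line removes every filter outside production, including the `:password` and `:api_key` entries the deleted line applied unconditionally, so any environment that is not production (a staging deployment, or any custom RAILS_ENV) now writes those values to logs and exception messages unfiltered. Keeping the baseline unconditional and gating only the new broad substrings preserves the console convenience the commit message asks for: `config.filter_parameters += [:password, :api_key]` followed by `config.filter_parameters += [:secret, :ip_addr, :address, :email_verification_key, :signed_user_id] if Rails.env.production?`. Since these are substring matches, `:address` and `:secret` will also filter unrelated params containing those words, which is presumably intended but worth a sentence in the added comment. The enclosing `Danbooru` application class starts outside the hunk.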