
msducheminjr
Agile Web Development with Rails 6: Leaks credit card number to log Iteration I2 (PDF p. 232)
In Iteration H, the Book calls out that you should not store credit card information in a database or in the log and then instructs the user to filter them out (PDF page 212).
config.filter_parameters += [ :credit_card_number ]
When invoking ActiveJob in the Orders Controller on PDF page 232, the code invokes the job and then the credit card number is logged as plain text.
ChargeOrderJob.perform_later(@order,pay_type_params.to_h)
Rails 6.1 (currently on master) will have the ability to prevent logging of ActiveJob parameters.
class ChargeOrderJob < ApplicationJob
  queue_as :default

  # works on rails >= 6.1 only
  self.log_arguments = false

  def perform(order, pay_type_params)
    order.charge!(pay_type_params)
  end
end
It might be worth mentioning in the blurb on page 212 (noting that you need to be mindful of the entire chain of custody of sensitive data) or around the section on 232, that you need to beware of accidentally leaking sensitive parameters in plain text to ActiveJob.
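An added stand-alone Ruby example (not from the book or this post) showing why `config.filter_parameters` does not cover Active Job arguments, plus a small redaction helper to apply to job arguments before they are logged on Rails versions older than 6.1. It assumes a simulated "Enqueued ... with arguments:" log line and a constructed `pay_type_params` hash; the filter semantics (case-insensitive substring key match, recursion into nested hashes and arrays) mirror Rails' parameter filter but are reimplemented here without Rails.

```ruby
# Added example, not from the book: config.filter_parameters only scrubs the
# request log. The same hash handed to perform_later is serialized and logged
# again by Active Job, so it has to be redacted on that path too.
FILTER_VALUE = "[FILTERED]".freeze

# The filter the book configures: config.filter_parameters += [:credit_card_number]
FILTER_PARAMETERS = [:credit_card_number].freeze

# Build the matcher Rails derives from symbol/string filters: any key that
# contains the filter text, case-insensitively, is redacted.
def build_filter_regexp(filters)
  Regexp.union(filters.map { |f| Regexp.new(Regexp.escape(f.to_s), Regexp::IGNORECASE) })
end

# Recursively redact values whose key matches; structure is kept so the
# remaining job arguments stay readable in the log.
def redact(value, regexp = build_filter_regexp(FILTER_PARAMETERS))
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = k.to_s.match?(regexp) ? FILTER_VALUE : redact(v, regexp)
    end
  when Array
    value.map { |v| redact(v, regexp) }
  else
    value
  end
end

# Simulated (assumed) enqueue log line of the kind Active Job writes; this is
# where the plain-text card number ends up unless the arguments are redacted.
def enqueue_log_line(job_name, args)
  "Enqueued #{job_name} with arguments: #{args.map(&:inspect).join(', ')}"
end

# Constructed sample standing in for pay_type_params.to_h from the controller.
SAMPLE_PAY_TYPE_PARAMS = {
  "pay_type" => "Credit card",
  "credit_card_number" => "4111111111111111", # well-known test card number
  "expiration_date" => "12/25"
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Leaks: the card number is in the line verbatim.
  puts enqueue_log_line("ChargeOrderJob", ["gid://depot/Order/1", SAMPLE_PAY_TYPE_PARAMS])
  # Redacted before logging: only "[FILTERED]" appears.
  puts enqueue_log_line("ChargeOrderJob", ["gid://depot/Order/1", redact(SAMPLE_PAY_TYPE_PARAMS)])
end
```

On Rails 6.1 and later, `self.log_arguments = false` on the job class is the supported switch; the helper above is a fallback for earlier versions or for logging you do yourself.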
davetron5000
To follow up, it looks like Prag Prog is using this forum for tracking errata. You’ve helpfully added that tag to this, so the next time the book is modified, we can address this and reference this post.

davetron5000
Oh jeez…I didn’t realize that! The book’s code uses the default Active Job which is all in memory so I never noticed what it was queuing