msducheminjr

msducheminjr

Agile Web Development with Rails 6: Leaks credit card number to log Iteration I2 (PDF p. 232)

In Iteration H, the Book calls out that you should not store credit card information in a database or in the log and then instructs the user to filter them out (PDF page 212).

config.filter_parameters += [ :credit_card_number ]

When invoking ActiveJob in the Orders Controller on PDF page 232, the code invokes the job and then the credit card number is logged as plain text.

ChargeOrderJob.perform_later(@order,pay_type_params.to_h)

Rails 6.1 (currently on master) will have the ability to prevent logging of ActiveJob parameters.

class ChargeOrderJob < ApplicationJob
  queue_as :default
  # works on rails >= 6.1 only
  self.log_arguments = false

  def perform(order, pay_type_params)
    order.charge!(pay_type_params)
  end
end

It might be worth mentioning in the blurb on page 212 (noting that you need to be mindful of the entire chain of custody of sensitive data) or around the section on 232, that you need to beware of accidentally leaking sensitive parameters in plain text to ActiveJob.

Most Liked

davetron5000

davetron5000

Author of Rails, Angular, Postgres, and Bootstrap

To follow up, it looks like Prag Prog is using this forum for tracking errata. You’ve helpfully added that tag to this, so the next time the book is modified, we can address this and reference this post.

davetron5000

davetron5000

Author of Rails, Angular, Postgres, and Bootstrap

Oh jeez…I didn’t realize that! The book’s code uses the default Active Job which is all in memory so I never noticed what it was queuing :frowning:

Where Next?

Popular Pragmatic Bookshelf topics Top

jesse050717
Title: Web Development with Clojure, Third Edition, pg 116 Hi - I just started chapter 5 and I am stuck on page 116 while trying to star...
New
simonpeter
When I try the command to create a pair of migration files I get an error. user=&gt; (create-migration "guestbook") Execution error (Ill...
New
mikecargal
Title: Hands-on Rust: question about get_component (page 295) (feel free to respond. “You dug you’re own hole… good luck”) I have somet...
New
HarryDeveloper
Hi @venkats, It has been mentioned in the description of ‘Supervisory Job’ title that 2 things as mentioned below result in the same eff...
New
curtosis
Running mix deps.get in the sensor_hub directory fails with the following error: ** (Mix) No SSH public keys found in ~/.ssh. An ssh aut...
New
jskubick
I’m under the impression that when the reader gets to page 136 (“View Data with the Database Inspector”), the code SHOULD be able to buil...
New
jonmac
The allprojects block listed on page 245 produces the following error when syncing gradle: “org.gradle.api.GradleScriptException: A prob...
New
andreheijstek
After running /bin/setup, the first error was: The foreman' command exists in these Ruby versions: That was easy to fix: gem install fore...
New
redconfetti
Docker-Machine became part of the Docker Toolbox, which was deprecated in 2020, long after Docker Desktop supported Docker Engine nativel...
New
mcpierce
@mfazio23 I’ve applied the changes from Chapter 5 of the book and everything builds correctly and runs. But, when I try to start a game,...
New

Other popular topics Top

New
AstonJ
Just done a fresh install of macOS Big Sur and on installing Erlang I am getting: asdf install erlang 23.1.2 Configure failed. checking ...
New
PragmaticBookshelf
Learn different ways of writing concurrent code in Elixir and increase your application's performance, without sacrificing scalability or...
New
gagan7995
API 4 Path: /user/following/ Method: GET Description: Returns the list of all names of people whom the user follows Response [ { ...
New
AstonJ
Saw this on TikTok of all places! :lol: Anyone heard of them before? Lite:
New
PragmaticBookshelf
Build efficient applications that exploit the unique benefits of a pure functional language, learning from an engineer who uses Haskell t...
New
New
PragmaticBookshelf
Author Spotlight Jamis Buck @jamis This month, we have the pleasure of spotlighting author Jamis Buck, who has written Mazes for Prog...
New
PragmaticBookshelf
Author Spotlight: Tammy Coron @Paradox927 Gaming, and writing games in particular, is about passion, vision, experience, and immersio...
New
PragmaticBookshelf
Author Spotlight: Peter Ullrich @PJUllrich Data is at the core of every business, but it is useless if nobody can access and analyze ...
New

Latest in Agile Web Development with Rails 6

Agile Web Development with Rails 6 Portal

Sub Categories: