Project

blouson

0.04
A long-lived project that still receives updates
Filter tools to mask sensitive data in various logs
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Development

>= 1.14
>= 0
>= 0
>= 10.0
>= 3.0

Runtime

>= 6.0.0
 Project Readme

Blouson

Gem Version Build Status

Blouson is a filter tool for Rails to conceal sensitive data from various logs.

  • HTTP Request parameters in Rails log
  • SQL query in Rails log
  • Exception messages in ActiveRecord::StatementInvalid
  • Sentry Raven parameters
  • Mail parameters in Rails log

Installation

Add this line to your application's Gemfile:

gem 'blouson'

And then execute:

$ bundle

Or install it yourself as:

$ gem install blouson

Usage

SensitiveParamsSilencer

If there is a HTTP request parameter prefixed with secure_, Blouson conceals sensitive data from logging. Blouson enables this filter automatically.

Example:

Started PUT "/employees/1" for 127.0.0.1 at Tue Jan 1 00:00:00 +0900 2013
Processing by EmployeesController#update as HTML
  Parameters: {"commit"=>"Update Employee", "id"=>"1", "employee"=>{"name"=>"", "secure_personal_information"=>"[FILTERED]"}, "utf8"=>"✓"}
  [Blouson::SensitiveParamsSilencer] SQL Log is skipped for sensitive data

SensitiveQueryFilter

If there is a table prefixed with secure_, in exception message of ActiveRecord::StatementInvalid, Blouson conceals sensitive data from exception messages. Blouson enables this filter automatically.

Example:

RuntimeError: error: SELECT  `secure_users`.* FROM `secure_users` WHERE `secure_users`.`email` = '[FILTERED]'  ORDER BY `secure_users`.`id` ASC LIMIT 1

SensitiveTableQueryLogSilencer

Blouson provides an Arproxy module to suppress query logs for secure_ prefix tables. If there is a query log for secure_ prefix table, Blouson conceals it. This proxy does not works automatically, so that you have to set Blouson::SensitiveTableQueryLogSilencer in your Arproxy initializer.

require 'blouson/sensitive_table_query_log_silencer'
# your initializers

Arproxy.configure do |config|
  config.adapter = "mysql2"
  config.use Blouson::SensitiveTableQueryLogSilencer
end
Arproxy.enable!

SentryParameterFilter

Blouson provides an sentry-ruby filter to conceal sensitive data from query string, request body, request headers and cookie values.

require 'sentry-ruby'
require 'blouson/sentry_parameter_filter'

Sentry.init do |config|
  # Enable `send_default_pii` to send the filtered sensitive information.
  config.send_default_pii = true

  filter_pattern = Rails.application.config.filter_parameters
  secure_headers = %w(secret_token)
  filter = Blouson::SentryParameterFilter.new(filter_pattern, secure_headers)

  config.before_send = lambda do |event, _hint|
    filter.process(event.to_hash)
  end
end

RavenParameterFilterProcessor

Blouson provides an Raven-Ruby processor to conceal sensitive data from query string, request body, request headers and cookie values.

require 'blouson/raven_parameter_filter_processor'

filter_pattern = Rails.application.config.filter_parameters
secure_headers = %w(secret_token)

Raven.configure do |config|
  ...
  config.processors << Blouson::RavenParameterFilterProcessor.create(filter_pattern, secure_headers)
  ...
end

SensitiveMailLogFilter

ActionMailer outputs email address, all headers, and body text to the log when sending email.

D, [2019-08-08T08:40:15.939251 #67674] DEBUG -- : UserMailer#hello: processed outbound mail in 43.0ms
I, [2019-08-08T08:40:15.946281 #67674]  INFO -- : Sent mail to xxx@example.com (6.3ms)
D, [2019-08-08T08:40:15.946432 #67674] DEBUG -- : Date: Thu, 08 Aug 2019 08:40:15 +0900
From: from@example.com
To: xxx@example.com
Message-ID: <xxx>
Subject: Hello
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Example mail.

Blouson filters such logs.

Example:

D, [2019-08-08T08:47:06.524182 #67886] DEBUG -- : UserMailer#hello: processed outbound mail in 23.2ms
I, [2019-08-08T08:47:06.530849 #67886]  INFO -- : Sent mail to [FILTERED] (6.4ms)
D, [2019-08-08T08:47:06.530953 #67886] DEBUG -- : [Blouson::SensitiveMailLogFilter] Mail data is filtered for sensitive data

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/cookpad/blouson.

License

The gem is available as open source under the terms of the MIT License.