sensitive_data_filter 0.2.4 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a5bcd42d1f6150631ffd7b6396c6b55f3fe2d7e0
-  data.tar.gz: bdc00c28890a73bdfc0ce27dfff8cafb844f9e61
+  metadata.gz: e31778956e211080b72def2da410aa33a3f93b86
+  data.tar.gz: 8234e02dc9e1e69663cd72aa65fb854a5471f0f7
 SHA512:
-  metadata.gz: 3a45d2aa68ce255f7efd545318650c1b3007dda3aa38ec7503233678bcd79a54826188615a222703dbb548179fd341c2cc0f73c12519d174bb04f3186f271eba
-  data.tar.gz: e13bea99f41ed5a23c64643f8e75d64e11748a27bebee2575e3172fe7e022ea0aecb4da4d5c110103fc30cdfe88a1aa0e59288e7fbeef597e3f24e98a2c8a0b6
+  metadata.gz: 4317e1dcf196f132905332abd27ce1227656294edf9b721d6b577d6bab6156860ae687c1aefbbfa122da49245c64aa344841e10f61554027c7ec2a4eacdefd87
+  data.tar.gz: e1f221ad6fc0fb2bf57d36d6b0652de4f410e3ff587f5cb73069b0fa0eac85b21f8343a2e721541d5137abf2527010001bffab58c1c6cbe34f247874a9ae74cf

data/CHANGELOG.md

@@ -3,6 +3,14 @@ All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 This changelog adheres to [Keep a CHANGELOG](http://keepachangelog.com/).
 
+## [0.3.0] - 2016-12-28
+### Changed
+- Allows whitelisting hash values based on the key
+- Updates README for usage with Rails middleware stack
+
+### Added
+- Adds `original_env` and `filtered_env` properties to occurrence
+
 ## [0.2.4] - 2016-12-22
 ### Changed
 - Does not match credit cards numbers that are part of alphanumerical strings
@@ -14,7 +22,6 @@ This changelog adheres to [Keep a CHANGELOG](http://keepachangelog.com/).
 ### Changed
 - Does not match credit cards numbers that are part of longer numbers
 
-
 ## [0.2.2] - 2016-12-21
 ### Fixed
 - Implements stricter credit cards pattern matching

data/README.md

@@ -28,7 +28,7 @@ Or install it yourself as:
 
 ### Enable the middleware
 
-Insert the middleware in the stack before any parameter parsing is performed
+Insert the middleware in the stack before any parameter parsing is performed.
 
 E.g. for Rails, add the following in application.rb
 
@@ -37,6 +37,21 @@ E.g. for Rails, add the following in application.rb
 config.middleware.insert_before 'ActionDispatch::ParamsParser', SensitiveDataFilter::Middleware::Filter
 ```
 
+To ensure that no sensitive data is accessed at any level of the stack, insert the middleware at the top of the stack. 
+
+E.g.
+
+```ruby
+# --- Sensitive Data Filtering ---
+config.middleware.insert_before 0, SensitiveDataFilter::Middleware::Filter
+```
+
+#### Important note for Rails
+
+Rails logs the URI of the request in ``Rails::Rack::Logger``. At this point of the stack, Rails generally has not yet set the session in the env.
+If you insert the sensitive data filtering middleware before this middleware you will prevent sensitive data from appearing in the logs, 
+but you will not have access to the session via the occurrence or the env in the occurrence handling block.
+
 ### Configuration
 
 ```ruby
@@ -46,6 +61,7 @@ SensitiveDataFilter.config do |config|
     # Report occurrence
   end
   config.whitelist pattern1, pattern2 # Allows specifying patterns to whitelist matches
+  config.whitelist_key key_pattern1, key_pattern2 # Allows specifying patterns to whitelist hash values based on their keys
   config.register_parser('yaml', -> params { YAML.load params }, -> params { YAML.dump params })
 end
 ```
@@ -63,6 +79,8 @@ An occurrence object has the following properties:
 * session:               the session properties for the request
 * matches:               the matched sensitive data
 * matches_count:         the number of matches per data type, e.g. { 'CreditCard' => 1 }
+* original_env:          the original unfiltered Rack env
+* filtered_env:          the filtered Rack env which will be passed down the middleware stack
 
 It also exposes `to_h` and `to_s` methods for hash and string representation respectively.  
 Please note that these representations omit sensitive data, 
@@ -91,6 +109,9 @@ filtered_body_params = if @occurrence.filtered_body_params.is_a? Hash
 A list of whitelisting patterns can be passed to `config.whitelist`. 
 Any sensitive data match which also matches any of these patterns will be ignored.
 
+A list of whitelisting patterns can be passed to `config.whitelist_key`. 
+When scanning and matching hashes, any value whose key matches any of these patterns will be ignored.
+
 #### Parameter Parsing
 
 Parsers for parameters encoded for a specific content type can be defined.

data/lib/sensitive_data_filter/config.rb

@@ -20,6 +20,10 @@ module SensitiveDataFilter
     config.whitelist_patterns.any? { |pattern| value.match pattern }
   end
 
+  def self.whitelisted_key?(key)
+    config.whitelist_key_patterns.any? { |pattern| key.match pattern }
+  end
+
   class Config
     DEFAULT_TYPES = %i(credit_card).freeze
 
@@ -45,6 +49,14 @@ module SensitiveDataFilter
       @whitelist_patterns ||= []
     end
 
+    def whitelist_key(*patterns)
+      @whitelist_key_patterns = patterns
+    end
+
+    def whitelist_key_patterns
+      @whitelist_key_patterns ||= []
+    end
+
     def register_parser(content_type, parser, unparser)
       SensitiveDataFilter::Middleware::ParameterParser
         .register_parser(content_type, parser, unparser)

data/lib/sensitive_data_filter/mask.rb

@@ -12,7 +12,13 @@ module SensitiveDataFilter
     end
 
     module_function def mask_hash(hash)
-      hash.map { |key, value| [mask(key), mask(value)] }.to_h
+      hash.map { |key, value| mask_key_value(key, value) }.to_h
+    end
+
+    module_function def mask_key_value(key, value)
+      masked_key = mask(key)
+      return [masked_key, value] if SensitiveDataFilter.whitelisted_key? key
+      [masked_key, mask(value)]
     end
   end
 end

data/lib/sensitive_data_filter/middleware/occurrence.rb

@@ -35,6 +35,14 @@ module SensitiveDataFilter
         @filtered_env_parser.body_params
       end
 
+      def original_env
+        @original_env_parser.env
+      end
+
+      def filtered_env
+        @filtered_env_parser.env
+      end
+
       def_delegators :@filtered_env_parser, :request_method, :url, :content_type, :session
 
       def matches_count

data/lib/sensitive_data_filter/scan.rb

@@ -17,7 +17,13 @@ module SensitiveDataFilter
     end
 
     def self.scan_hash(hash)
-      hash.map { |key, value| scan(key).collate(scan(value)) }.inject(:collate) || {}
+      hash.map { |key, value| scan_key_value(key, value) }.inject(:collate) || {}
+    end
+
+    def self.scan_key_value(key, value)
+      key_scan = scan(key)
+      return key_scan if SensitiveDataFilter.whitelisted_key? key
+      key_scan.collate(scan(value))
     end
 
     def self.whitelist(matches)

data/lib/sensitive_data_filter/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module SensitiveDataFilter
-  VERSION = '0.2.4'
+  VERSION = '0.3.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sensitive_data_filter
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.3.0
 platform: ruby
 authors:
 - Alessandro Berardi
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-12-22 00:00:00.000000000 Z
+date: 2016-12-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack