Strip query string from the log for Location headers

The Location URL may contain sensitive information, so just like the path we should remove the query string. Closes roidrage#229
stanhu · Mar 20, 2018 · aefae1e · aefae1e
1 parent 3b61c61
commit aefae1e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/lib/lograge/log_subscriber.rb b/lib/lograge/log_subscriber.rb
@@ -53,6 +53,10 @@ def initial_data(payload)
 
     def extract_path(payload)
       path = payload[:path]
+      strip_query_string(path)
+    end
+
+    def strip_query_string(path)
       index = path.index('?')
       index ? path[0, index] : path
     end
@@ -104,7 +108,7 @@ def extract_location
       return {} unless location
 
       RequestStore.store[:lograge_location] = nil
-      { location: location }
+      { location: strip_query_string(location) }
     end
 
     def extract_unpermitted_params

diff --git a/spec/lograge_logsubscriber_spec.rb b/spec/lograge_logsubscriber_spec.rb
@@ -167,7 +167,7 @@
 
     context 'with a redirect' do
       before do
-        RequestStore.store[:lograge_location] = 'http://www.example.com'
+        RequestStore.store[:lograge_location] = 'http://www.example.com?key=value'
       end
 
       it 'adds the location to the log line' do