Add parameter filter capability for redirect locations

It uses the `config.filter_parameters` to match what needs to be filtered. The result would be like this: ``` Redirected to http://secret.foo.bar?username=roque&password=[FILTERED] ```
2015-07-27 23:59:31 -04:00 · 2015-07-27 23:59:31 -04:00 · f4f3ef7781
commit f4f3ef7781
parent 554e71af0b
4 changed files with 54 additions and 2 deletions
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@ -90,4 +90,15 @@

    *Rafael Mendonça França*

+*   Add parameter filter capability for redirect locations.
+
+    It uses the `config.filter_parameters` to match what needs to be filtered.
+    The result would be like this:
+
+        Redirected to http://secret.foo.bar?username=roque&password=[FILTERED]
+
+    Fixes #14055.
+
+    *Roque Pinel*, *Trevor Turk*, *tonytonyjan*
+
 Please check [7-1-stable](https://github.com/rails/rails/blob/7-1-stable/actionpack/CHANGELOG.md) for previous changes.
--- a/actionpack/lib/action_dispatch/http/filter_redirect.rb
+++ b/actionpack/lib/action_dispatch/http/filter_redirect.rb
@ -11,7 +11,7 @@ def filtered_location # :nodoc:
        if location_filter_match?
          FILTERED
        else
-          location
+          parameter_filtered_location
        end
      end

@ -33,6 +33,16 @@ def location_filter_match?
          end
        end
      end
+
+      def parameter_filtered_location
+        uri = URI.parse(location)
+        unless uri.query.nil? || uri.query.empty?
+          uri.query.gsub!(FilterParameters::PAIR_RE) do
+            request.parameter_filter.filter($1 => $2).first.join("=")
+          end
+        end
+        uri.to_s
+      end
    end
  end
 end
--- a/actionpack/test/controller/log_subscriber_test.rb
+++ b/actionpack/test/controller/log_subscriber_test.rb
@ -32,6 +32,10 @@ def filterable_redirector
      redirect_to "http://secret.foo.bar/"
    end

+    def filterable_redirector_with_params
+      redirect_to "http://secret.foo.bar?username=repinel&password=1234"
+    end
+
    def data_sender
      send_data "cool data", filename: "file.txt"
    end
@ -266,6 +270,32 @@ def test_filter_redirect_url_by_regexp
    assert_equal "Redirected to [FILTERED]", logs[1]
  end

+  def test_does_not_filter_redirect_params_by_default
+    get :filterable_redirector_with_params
+    wait
+
+    assert_equal 3, logs.size
+    assert_equal "Redirected to http://secret.foo.bar?username=repinel&password=1234", logs[1]
+  end
+
+  def test_filter_redirect_params_by_string
+    @request.env["action_dispatch.parameter_filter"] = ["password"]
+    get :filterable_redirector_with_params
+    wait
+
+    assert_equal 3, logs.size
+    assert_equal "Redirected to http://secret.foo.bar?username=repinel&password=[FILTERED]", logs[1]
+  end
+
+  def test_filter_redirect_params_by_regexp
+    @request.env["action_dispatch.parameter_filter"] = [/pass.+/]
+    get :filterable_redirector_with_params
+    wait
+
+    assert_equal 3, logs.size
+    assert_equal "Redirected to http://secret.foo.bar?username=repinel&password=[FILTERED]", logs[1]
+  end
+
  def test_send_data
    get :data_sender
    wait
--- a/guides/source/action_controller_overview.md
+++ b/guides/source/action_controller_overview.md
@ -1210,7 +1210,8 @@ You can set it to a String, a Regexp, or an array of both.
 config.filter_redirect.concat ['s3.amazonaws.com', /private_path/]
 ```

-Matching URLs will be marked as '[FILTERED]'.
+Matching URLs will be replaced with '[FILTERED]'. However, if you only wish to filter the parameters, not the whole URLs,
+please take a look at [Parameters Filtering](#parameters-filtering).

 Rescue
 ------