82fc62ca71
When parsing HTTP request parameters, Rails delegates to a set of parsing strategies based on the MIME type. If any of these strategies raises an error Rails rescues it and raises an instance of `ActionDispatch::Http::Parameters::ParseError` with the same message as the underlying error. However, in the presence of malformed JSON, the default parameter parser for the `application/json` MIME type raises a `JSON:ParserError` with a message containing the entire malformed JSON string (the request body in this context). By raising a new error with this same message Rails inadvertently ends up logging the full HTTP request body at the `fatal` level. This request body could contain sensitive information or could be intentionally crafted to be extremely large. This commit sets the `ActionDispatch::Http::Parameters::ParseError` message to a static message which mirrors that of the corresponding `debug` log. |
||
|---|---|---|
| .. | ||
| abstract | ||
| assertions | ||
| controller | ||
| dispatch | ||
| fixtures | ||
| journey | ||
| lib | ||
| routing | ||
| support | ||
| abstract_unit.rb | ||