Patch #43986

Improve the `config.filter_parameters` setting

Added by Julian Hanzlik 21 days ago. Updated 17 days ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:

Description

While working with the application, I encountered an unexpected error that resulted in the following log entry:


[request-id] ActionView::Template::Error 
[557a2650-c33f-4f3b-8b92-6ba7b9dac904] ActionView::Template::Error (No route matches {:action=>"show", :controller=>"doorkeeper/people", :id=>#<User id: xxx, login: "xxx", hashed_password: [FILTERED],
firstname: "xxx", lastname: "xxx", admin: xxx, status: 1, last_login_on: "xxx", language: "en", auth_source_id: nil, created_on: "xxx", updated_on: "xxx", type: "User", mail_notification: "only_my_events",
salt: "xxx", must_change_passwd: false, passwd_changed_on: "xxx", twofa_scheme: "totp", twofa_totp_key: <KEY_IN_CLEARTEXT>, twofa_totp_last_used_at: xxx, twofa_required: xxx>}):

The log output includes sensitive information, specifically the twofa_totp_key, which is written in plain text. This poses a security risk, as such secrets should never be exposed in application logs.

Expected Behavior

Sensitive attributes such as twofa_totp_key (and similar authentication-related fields) should always be properly filtered or masked in logs.

Actual Behavior

The twofa_totp_key is logged in clear text as part of the serialized User object within the error message.

Impact

This could potentially expose confidential authentication data if logs are accessed by unauthorized parties or stored in insecure locations.

Proposed Fix

I have implemented a fix to filter the sensitive attribute:

diff --git a/config/application.rb b/config/application.rb
index 953fd7616..49dc5e2f7 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -66,7 +66,7 @@ module RedmineApp
     config.encoding = "utf-8" 

     # Configure sensitive parameters which will be filtered from the log file.
-    config.filter_parameters += [:password]
+    config.filter_parameters += [:password, :twofa_totp_key]

     config.action_mailer.perform_deliveries = false
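Review bot: the `salt` attribute visible in the dumped User object in the description (`salt: "xxx"`) stays unfiltered with this hunk; if it is treated as secret alongside the password hash, extend the list in the same line, e.g. `config.filter_parameters += [:password, :twofa_totp_key, :salt]`. Entries match on key substrings, which is why `:password` already covers `hashed_password` (shown as `[FILTERED]` in the log) while `twofa_totp_key` contains neither and needs its own entry, as done here.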

Additional Notes

It may be worth reviewing other sensitive fields to ensure they are consistently filtered across all logging outputs.
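The following is an added example, not code from the report, from Redmine or from Rails: a small re-implementation of the matching rules of ActiveSupport::ParameterFilter, the class behind config.filter_parameters (in Rails 6 and later ActiveRecord's filter_attributes is seeded from the same list, which is why the dumped User object shows hashed_password as [FILTERED]). Plain strings and symbols in the list match any key that contains them, case-insensitively; Regexps match the key directly; nested hashes and arrays are walked recursively. The class name SimpleParameterFilter, the helper filtered_with and the User attribute hash with fake values are all constructed for this illustration. Run against the hash, the original setting leaves twofa_totp_key in clear, and the patched setting masks it.

```ruby
# Constructed example (not Redmine's or Rails' code): mirrors how
# ActiveSupport::ParameterFilter decides which keys to mask.
FILTERED = "[FILTERED]".freeze

class SimpleParameterFilter
  # filters: mix of Symbols/Strings (substring match, case-insensitive)
  # and Regexps (matched against the key as-is).
  def initialize(filters)
    strings  = filters.reject { |f| f.is_a?(Regexp) }.map { |f| Regexp.escape(f.to_s) }
    @regexps = filters.select { |f| f.is_a?(Regexp) }
    @key_re  = strings.empty? ? nil : Regexp.new(strings.join("|"), Regexp::IGNORECASE)
  end

  # Returns a copy of obj with every sensitive key's value replaced by FILTERED.
  # Hashes are walked recursively, arrays element-wise; scalars pass through.
  def filter(obj)
    case obj
    when Hash
      obj.each_with_object({}) do |(k, v), out|
        out[k] = sensitive?(k) ? FILTERED : filter(v)
      end
    when Array
      obj.map { |v| filter(v) }
    else
      obj
    end
  end

  # A key is sensitive when it contains any configured string or matches any Regexp.
  def sensitive?(key)
    k = key.to_s
    (!@key_re.nil? && k.match?(@key_re)) || @regexps.any? { |re| k.match?(re) }
  end
end

# Constructed attributes shaped like the dumped User object in the log (fake values).
USER_ATTRS = {
  id: 42, login: "alice", hashed_password: "deadbeef", salt: "c0ffee",
  twofa_scheme: "totp", twofa_totp_key: "JBSWY3DPEHPK3PXP", status: 1,
}.freeze

BEFORE = [:password].freeze                   # the original Redmine setting
AFTER  = [:password, :twofa_totp_key].freeze  # the setting proposed in this patch

# Hypothetical helper: apply a filter list to an attribute hash.
def filtered_with(filters, attrs = USER_ATTRS)
  SimpleParameterFilter.new(filters).filter(attrs)
end

if __FILE__ == $0
  # With only :password, hashed_password is masked (substring match) but the
  # TOTP key is not; adding :twofa_totp_key masks it as well.
  puts "before: #{filtered_with(BEFORE).inspect}"
  puts "after:  #{filtered_with(AFTER).inspect}"
end
```

Because matching is by substring, a single entry such as :totp would also cover twofa_totp_key and any future *_totp_* column; the patch's literal key is the narrower choice.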


Files

43986.patch (469 Bytes), Go MAEDA, 2026-04-23 08:25
Actions #1

Updated by Go MAEDA 20 days ago

  • File 43986.patch added
  • Subject changed from "add twofa_totp_key to the config.filter_parameter" to "Improve the `config.filter_parameters` setting"
  • Target version set to 6.0.10

Thank you for the report.

I could not reproduce the exact logging scenario, but the proposed filtering change still makes sense.

Setting the target version to 6.0.10.

Actions #2

Updated by Julian Hanzlik 20 days ago

Thanks!
I'm using redmineup plugins, and they have a bug: when you have the REST API enabled and go to My Account - Authorized Applications, this log is shown.
Will it also be included in 6.1.3?

Actions #3

Updated by Go MAEDA 20 days ago

Julian Hanzlik wrote in #note-2:

Will it also be included in 6.1.3?

Yes, the change will be included in Redmine 6.1.3 and 6.0.10.

Actions #4

Updated by Go MAEDA 18 days ago

  • Status changed from New to Resolved
  • Assignee set to Go MAEDA

Committed the patch with a slight change in r24609. Thank you.

Actions #5

Updated by Go MAEDA 17 days ago

  • Status changed from Resolved to Closed

Merged the change into the stable branches in r24612 and r24613.
