Agile Web Development with Rails 6: Leaks credit card number to log Iteration I2 (PDF p. 232)

In Iteration H, the Book calls out that you should not store credit card information in a database or in the log and then instructs the user to filter them out (PDF page 212).

config.filter_parameters += [ :credit_card_number ]

When invoking ActiveJob in the Orders Controller on PDF page 232, the code invokes the job and then the credit card number is logged as plain text.

ChargeOrderJob.perform_later(@order,pay_type_params.to_h)

Rails 6.1 (currently on master) will have the ability to prevent logging of ActiveJob parameters.

class ChargeOrderJob < ApplicationJob
  queue_as :default
  # works on rails >= 6.1 only
  self.log_arguments = false

  def perform(order, pay_type_params)
    order.charge!(pay_type_params)
  end
end

It might be worth mentioning in the blurb on page 212 (noting that you need to be mindful of the entire chain of custody of sensitive data) or around the section on 232, that you need to beware of accidentally leaking sensitive parameters in plain text to ActiveJob.

Oh jeez…I didn’t realize that! The book’s code uses the default Active Job which is all in memory so I never noticed what it was queuing

To follow up, it looks like Prag Prog is using this forum for tracking errata. You’ve helpfully added that tag to this, so the next time the book is modified, we can address this and reference this post.