Comments (21)
I ran into the same issue. ActiveRecord::SessionStore::Extension::LoggerSilencer was removed in this commit.
I replaced my use of ActiveRecord::SessionStore::Extension::LoggerSilencer with the following.
Rails.logger.class.include ActiveSupport::LoggerSilence
from activerecord-session_store.
@jeremyburks-sikich Thanks for the pointer, that was the problem in my case! ❤️
from activerecord-session_store.
If anyone else is having this issue, I forked the project and added ActiveRecord::SessionStore::Extension::LoggerSilencer back in to version 2.0.0 with the CVE fix.
That fork is located here: https://github.com/egallup02360/activerecord-session_store
Can confirm my logging works through GELF/Lograge->Graylog and the session IDs are properly secured with this fork. Obviously we would want to continue with the official repo at some point if a workaround or solution is found for this particular issue.
from activerecord-session_store.
Thanks! That seemed to resolve things for me as well. I'm curious if this should be pulled into this gem directly? Feels weird to require changes to logging in consuming applications.
from activerecord-session_store.
Hi, I'm having the same issue after 2.0.0 upgrade. Where should I put the following code?
Rails.logger.class.include ActiveSupport::LoggerSilence
I don't see any ActiveRecord::SessionStore::Extension::LoggerSilencer in my repo.
You could put it in your initializer: config/initializers/session_store.rb
from activerecord-session_store.
@powerwlsl Maybe compare staging.rb to production.rb and see if you can isolate any differences. Not sure though, I only was having trouble in my test environment.
Not sure it helps but I have these logging related lines in my staging and production environment configs:
# Use the lowest log level to ensure availability of diagnostic information
# when problems arise.
config.log_level = :debug
# Prepend all log lines with the following tags.
config.log_tags = [ :request_id ]
# Use default logging formatter so that PID and timestamp are not suppressed.
config.log_formatter = ::Logger::Formatter.new
# Use a different logger for distributed setups.
# require 'syslog/logger'
# config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name')
if ENV["RAILS_LOG_TO_STDOUT"].present?
  logger = ActiveSupport::Logger.new(STDOUT)
  logger.formatter = config.log_formatter
  config.logger = ActiveSupport::TaggedLogging.new(logger)
end
In my case, I removed the config.logger = Logger.new(nil) setting in my test environment and that solved the issue without adding Rails.logger.class.include ActiveSupport::LoggerSilence.
from activerecord-session_store.
I just stop receiving my application logs.
It's either misconfigured (LoggerSilence makes the level a per thread variable, which might impact your configuration) or GELF::Logger is incompatible with LoggerSilence. Is GELF open source? Can you repo in isolation?
Should I open a separate issue for this?
No, this isn't a problem with activerecord-session_store, it expects a contract from ActiveRecord::Base.logger, and the logger in your app doesn't fulfil that contract. That's on you to figure it out.
Alternatively if you just want an easy way out, you can vendor the old ActiveRecord::SessionStore::Extension::LoggerSilencer in your app and just use that (you'll have to rename the method though).
That's fair, and I'm going to find my own way around this, I do appreciate your responses and suggestions. I'd just like to point out that prior to upgrading this gem, and only this gem, that logging worked perfectly for my use case.
This is just my opinion, but ripping an extension out that is documented in your README without a prior release that includes a deprecation warning is bad practice. Rails, in general, is really good about doing this, why is activerecord-session_store any different?
I understand patching the CVE was urgent, but that could have been fixed in a minor release rather than introducing almost two years' worth of undocumented changes, since your last release, all at once. Again, just my opinion.
Thank you for your continued work on this project and I hope my opinions don't offend you or come off as rude, that's not my intention at all. We're on GitHub for collaboration and sharing our opinions, after all.
from activerecord-session_store.
@swanson Does your app use a logger other than the default? For example, mine does which is why I need to include ActiveSupport::LoggerSilence.
It looks like the default logger includes ActiveSupport::LoggerSilence.
from activerecord-session_store.
@swanson Does your app use a logger other than the default? For example, mine does which is why I need to include ActiveSupport::LoggerSilence.
It looks like the default logger includes ActiveSupport::LoggerSilence.
Hmm, I didn't think I was using anything fancy, but I did notice that in my test environment I am setting config.logger = Logger.new(nil) which may be the problem.
from activerecord-session_store.
Hi, I'm having the same issue after 2.0.0 upgrade. Where should I put the following code?
Rails.logger.class.include ActiveSupport::LoggerSilence
I don't see any ActiveRecord::SessionStore::Extension::LoggerSilencer in my repo.
from activerecord-session_store.
Hey @swanson, thanks for the reply. I added that in the initializer file, but I still get the error.
NoMethodError: undefined method `silence' for #<Logger:0x000055de16b77330>
/usr/local/bundle/gems/activerecord-session_store-2.0.0/lib/action_dispatch/session/active_record_store.rb:119:in `get_session_model'
/usr/local/bundle/gems/activerecord-session_store-2.0.0/lib/action_dispatch/session/active_record_store.rb:147:in `find_session'
Oddly it only happens on staging, so I also added
logger = ActiveSupport::Logger.new(STDOUT)
logger.formatter = config.log_formatter
config.logger = ActiveSupport::TaggedLogging.new(logger)
into config/environments/stage.rb, but the error didn't go away.
Ruby 2.5.3
Rails 6.0.3.5
from activerecord-session_store.
This causes issues with GELF and Lograge, previously we used
GELF::Logger.send :include, ActiveRecord::SessionStore::Extension::LoggerSilencer
config.logger = GELF::Logger.new(ENV['LOGGING_SERVER'], ENV['LOGGING_PORT'], "WAN", { :facility => "Testing", :protocol => GELF::Protocol::UDP })
which resulted in an error and a failed deploy, I tried changing this to
GELF::Logger.send :include, ActiveSupport::LoggerSilence
config.logger = GELF::Logger.new(ENV['LOGGING_SERVER'], ENV['LOGGING_PORT'], "WAN", { :facility => "Testing", :protocol => GELF::Protocol::UDP })
This no longer causes an error or failed deploy, but now we don't have any logs... which is obviously a huge problem.
Any ideas?
from activerecord-session_store.
@byroot Any ideas?
from activerecord-session_store.
@byroot Any ideas?
It's all explained in this issue and in my commit, ActiveRecord::Base.logger is expected to implement the logger silencer interface on its own. If it doesn't you are responsible for extending it yourself.
#<Logger:0x0000555d12a49218> is the stdlib logger, use ActiveSupport::Logger instead.
from activerecord-session_store.
It's all explained in this issue and in my commit, ActiveRecord::Base.logger is expected to implement the logger silencer interface on its own. If it doesn't you are responsible for extending it yourself.
#<Logger:0x0000555d12a49218> is the stdlib logger, use ActiveSupport::Logger instead.
Thanks for the reply, I tried changing
GELF::Logger.send :include, ActiveRecord::SessionStore::Extension::LoggerSilencer
config.logger = GELF::Logger.new(ENV['LOGGING_SERVER'], ENV['LOGGING_PORT'], "WAN", { :facility => "Testing", :protocol => GELF::Protocol::UDP })
to
GELF::Logger.send :include, ActiveSupport::Logger
config.logger = GELF::Logger.new(ENV['LOGGING_SERVER'], ENV['LOGGING_PORT'], "WAN", { :facility => "Testing", :protocol => GELF::Protocol::UDP })
And my deploy fails giving an error of (first message in traceback)
TypeError: wrong argument type Class (expected Module)
I already tried what this issue suggests with
GELF::Logger.send :include, ActiveSupport::LoggerSilence
config.logger = GELF::Logger.new(ENV['LOGGING_SERVER'], ENV['LOGGING_PORT'], "WAN", { :facility => "Testing", :protocol => GELF::Protocol::UDP })
Deploy succeeds, but nothing is transmitted to our Graylog cluster.
I confirmed this by running ngrep -W byline -d any udp and host ENV['LOGGING_SERVER'] and dst port ENV['LOGGING_PORT'] and watching the output when navigating around our rails app.
We haven't upgraded the gem to 2.0 in our production environment yet (due to these issues we're having with our logging solution), so I ran the ngrep command above there and I see messages sent. I run the same command in our staging environment with gem version 2.0 and I see no messages being sent at all.
Clearly ActiveRecord::SessionStore::Extension::LoggerSilencer implements something in a way that ActiveSupport::LoggerSilence doesn't.
I should point out that your README still reads
Please note that you will need to manually include the silencer module to your custom logger if you are using a logger other than Logger and Syslog::Logger and their subclasses:
MyLogger.send :include, ActiveRecord::SessionStore::Extension::LoggerSilencer
This silencer is being used to silence the logger and not leaking private information into the log, and it is required for security reason.
But obviously that doesn't work anymore with the official gem at version 2.0.
I understand that this upgrade was of an urgent priority due to the nature of the CVE, but people who use custom logging solutions are going to have problems with the removal of the LoggerSilencer extension.
Could you take a deeper look at another way to rectify the situation?
Edit: Also, I'm not asking you to drop everything and fix this, it's not of an urgent priority. I'm just going to continue using our fork where I manually added ActiveRecord::SessionStore::Extension::LoggerSilencer back in, but like I said we would ideally want to be using the official gem.
from activerecord-session_store.
GELF::Logger.send :include, ActiveSupport::Logger
I mentioned ActiveSupport::Logger as an answer to @swanson who pinged me not to you. Not sure what made you think AS::Logger could be included.
The AS module that can be included is https://api.rubyonrails.org/classes/ActiveSupport/LoggerSilence.html
from activerecord-session_store.
GELF::Logger.send :include, ActiveSupport::Logger
I mentioned ActiveSupport::Logger as an answer to @swanson who pinged me not to you. Not sure what made you think AS::Logger could be included.
The AS module that can be included is https://api.rubyonrails.org/classes/ActiveSupport/LoggerSilence.html
Using MyLogger.include ActiveSupport::LoggerSilence or more accurately for my use case GELF::Logger.include ActiveSupport::LoggerSilence or GELF::Logger.send :include, ActiveSupport::LoggerSilence does not work.
No errors in sight. I just stop receiving my application logs. Should I open a separate issue for this?
from activerecord-session_store.
I just stop receiving my application logs.
It's either misconfigured (LoggerSilence makes the level a per thread variable, which might impact your configuration) or GELF::Logger is incompatible with LoggerSilence. Is GELF open source? Can you repo in isolation?
Should I open a separate issue for this?
No, this isn't a problem with activerecord-session_store, it expects a contract from ActiveRecord::Base.logger, and the logger in your app doesn't fulfil that contract. That's on you to figure it out.
Alternatively if you just want an easy way out, you can vendor the old ActiveRecord::SessionStore::Extension::LoggerSilencer in your app and just use that (you'll have to rename the method though).
from activerecord-session_store.
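The logger contract described in the comment above, as an added example that is not part of the thread or of the gem's code. ExampleSilencer and AppLogger are hypothetical stand-ins (not ActiveSupport::LoggerSilence), and the session-id log line is constructed; the example shows that a stdlib Logger lacks silence and that a per-thread threshold suppresses debug output only in the silencing thread.

```ruby
require "logger"
require "stringio"

# Hypothetical stand-in silencer, written for this example only. It is NOT
# ActiveSupport::LoggerSilence and not the extension removed from the gem.
module ExampleSilencer
  # Raise the threshold for the calling thread only while the block runs.
  def silence(severity = Logger::ERROR)
    previous = Thread.current[silencer_key]
    Thread.current[silencer_key] = severity
    yield self
  ensure
    Thread.current[silencer_key] = previous
  end

  # Drop messages below the thread-local threshold, else defer to Logger#add.
  def add(severity, message = nil, progname = nil, &block)
    threshold = Thread.current[silencer_key]
    return true if threshold && (severity || Logger::UNKNOWN) < threshold
    super
  end

  private

  def silencer_key
    :"example_silencer_#{object_id}"
  end
end

# Logger subclass, so the module's #add sits in front of Logger#add.
class AppLogger < Logger
  include ExampleSilencer
end

# The contract the session store relies on: the logger responds to #silence.
def silence_contract?(logger)
  logger.respond_to?(:silence)
end

# Log a constructed session-id query inside a silence block on the calling
# thread and a debug line from a second thread; return what was written.
def captured_output
  io = StringIO.new
  logger = AppLogger.new(io)
  logger.level = Logger::DEBUG
  logger.silence do
    logger.debug("SELECT * FROM sessions WHERE session_id = 'constructed-id'")
    Thread.new { logger.debug("from other thread") }.join
  end
  io.string
end
```

A check like silence_contract? can run at boot against the configured logger, so a missing silence method fails early instead of raising NoMethodError on the first session lookup.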
Since I upgraded to Rails 6.1, I met this problem.
Finally, I fixed it by adding this line in application.rb:
ActiveRecord::Base.logger.class.include ActiveSupport::LoggerSilence
because in my project, Rails.logger uses ActiveSupport::Logger, but ActiveRecord::Base.logger uses Logger.
from activerecord-session_store.
The solution from @cnhuye works with ruby 2.7, but with ruby 3 it fails with:
class variable @@logger of ActiveRecord::Base is overtaken by Spawn (RuntimeError)
Has anyone experienced this issue?
from activerecord-session_store.
This causes issues with GELF and Lograge, previously we used
GELF::Logger.send :include, ActiveRecord::SessionStore::Extension::LoggerSilencer
config.logger = GELF::Logger.new(ENV['LOGGING_SERVER'], ENV['LOGGING_PORT'], "WAN", { :facility => "Testing", :protocol => GELF::Protocol::UDP })
which resulted in an error and a failed deploy, I tried changing this to
GELF::Logger.send :include, ActiveSupport::LoggerSilence
config.logger = GELF::Logger.new(ENV['LOGGING_SERVER'], ENV['LOGGING_PORT'], "WAN", { :facility => "Testing", :protocol => GELF::Protocol::UDP })
This no longer causes an error or failed deploy, but now we don't have any logs... which is obviously a huge problem.
Any ideas?
Hi, did you manage to solve this? I've spent a few days on this now without a solution :/
from activerecord-session_store.