Add parameter filter capability for redirect locations

It uses the `config.filter_parameters` to match what needs to be
filtered. The result would be like this:

```
Redirected to http://secret.foo.bar?username=roque&password=[FILTERED]
```

Author: repinel

actionpack/CHANGELOG.md

@@ -90,4 +90,15 @@
 
     *Rafael Mendonça França*
 
+*   Add parameter filter capability for redirect locations.
+
+    It uses the `config.filter_parameters` to match what needs to be filtered.
+    The result would be like this:
+
+        Redirected to http://secret.foo.bar?username=roque&password=[FILTERED]
+
+    Fixes #14055.
+
+    *Roque Pinel*, *Trevor Turk*, *tonytonyjan*
+
 Please check [7-1-stable](https://github.com/rails/rails/blob/7-1-stable/actionpack/CHANGELOG.md) for previous changes.

actionpack/lib/action_dispatch/http/filter_redirect.rb

@@ -11,7 +11,7 @@ def filtered_location # :nodoc:
         if location_filter_match?
           FILTERED
         else
-          location
+          parameter_filtered_location
         end
       end
 
@@ -33,6 +33,16 @@ def location_filter_match?
           end
         end
       end
+
+      def parameter_filtered_location
+        uri = URI.parse(location)
+        unless uri.query.nil? || uri.query.empty?
+          uri.query.gsub!(FilterParameters::PAIR_RE) do
+            request.parameter_filter.filter($1 => $2).first.join("=")
+          end
+        end
+        uri.to_s
+      end
     end
   end
 end

actionpack/test/controller/log_subscriber_test.rb

@@ -32,6 +32,10 @@ def filterable_redirector
       redirect_to "http://secret.foo.bar/"
     end
 
+    def filterable_redirector_with_params
+      redirect_to "http://secret.foo.bar?username=repinel&password=1234"
+    end
+
     def data_sender
       send_data "cool data", filename: "file.txt"
     end
@@ -266,6 +270,32 @@ def test_filter_redirect_url_by_regexp
     assert_equal "Redirected to [FILTERED]", logs[1]
   end
 
+  def test_does_not_filter_redirect_params_by_default
+    get :filterable_redirector_with_params
+    wait
+
+    assert_equal 3, logs.size
+    assert_equal "Redirected to http://secret.foo.bar?username=repinel&password=1234", logs[1]
+  end
+
+  def test_filter_redirect_params_by_string
+    @request.env["action_dispatch.parameter_filter"] = ["password"]
+    get :filterable_redirector_with_params
+    wait
+
+    assert_equal 3, logs.size
+    assert_equal "Redirected to http://secret.foo.bar?username=repinel&password=[FILTERED]", logs[1]
+  end
+
+  def test_filter_redirect_params_by_regexp
+    @request.env["action_dispatch.parameter_filter"] = [/pass.+/]
+    get :filterable_redirector_with_params
+    wait
+
+    assert_equal 3, logs.size
+    assert_equal "Redirected to http://secret.foo.bar?username=repinel&password=[FILTERED]", logs[1]
+  end
+
   def test_send_data
     get :data_sender
     wait

guides/source/action_controller_overview.md

@@ -1210,7 +1210,8 @@ You can set it to a String, a Regexp, or an array of both.
 config.filter_redirect.concat ['s3.amazonaws.com', /private_path/]
 ```
 
-Matching URLs will be marked as '[FILTERED]'.
+Matching URLs will be replaced with '[FILTERED]'. However, if you only wish to filter the parameters, not the whole URLs,
+please take a look at [Parameters Filtering](#parameters-filtering).
 
 Rescue
 ------