Fix: #51254: Update filter_attributes to only add exact match

activerecord/CHANGELOG.md

@@ -1,3 +1,7 @@
+*   Encrypted attributes will now be filtered by exact matches by FilterParameters.
+
+    *Keshav Biswa*
+
 *   Raise an `ActiveRecord::ActiveRecordError` error when the MySQL database returns an invalid version string.
 
     *Kevin McPhillips*

activerecord/lib/active_record/encryption/auto_filtered_parameters.rb

@@ -54,7 +54,7 @@ def apply_filter(klass, attribute)
           filter = [("#{klass.model_name.element}" if klass.name), attribute.to_s].compact.join(".")
           unless excluded_from_filter_parameters?(filter)
             app.config.filter_parameters << filter unless app.config.filter_parameters.include?(filter)
-            klass.filter_attributes += [ attribute ]
+            klass.filter_attributes += [ /^#{attribute}$/ ]
           end
         end
 

railties/test/application/configuration_test.rb

@@ -3758,7 +3758,7 @@ class MyLogger < ::Logger
       assert_equal [ :password, :credit_card_number ], ActiveRecord::Base.filter_attributes
     end
 
-    test "encrypted attributes are added to record's filter_attributes by default" do
+    test "encrypted attributes are added to record's filter_attributes as exact matches by default" do
       app_file "app/models/post.rb", <<-RUBY
         class Post < ActiveRecord::Base
           encrypts :content
@@ -3772,7 +3772,7 @@ class Post < ActiveRecord::Base
 
       app "production"
 
-      assert_includes Post.filter_attributes, :content
+      assert_includes Post.filter_attributes, /^content$/
       assert_not_includes ActiveRecord::Base.filter_attributes, :content
     end