From 6b0724f1289f5f2f16b00c54dc5393541507554e Mon Sep 17 00:00:00 2001
From: Keshav Biswa
Date: Sat, 6 Apr 2024 18:25:35 +0530
Subject: [PATCH] Fix: #51254: Update filter_attributes to only add exact match
---
 activerecord/CHANGELOG.md | 4 ++++
 .../lib/active_record/encryption/auto_filtered_parameters.rb | 2 +-
 railties/test/application/configuration_test.rb | 4 ++--
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md
index 75195bbc8adc9..78fca2f324e8c 100644
--- a/activerecord/CHANGELOG.md
+++ b/activerecord/CHANGELOG.md
@@ -1,3 +1,7 @@
+* Encrypted attributes will now be filtered by exact matches by FilterParameters.
+
+ *Keshav Biswa*
+
 * Raise an `ActiveRecord::ActiveRecordError` error when the MySQL database returns an invalid version string.
 *Kevin McPhillips*
diff --git a/activerecord/lib/active_record/encryption/auto_filtered_parameters.rb b/activerecord/lib/active_record/encryption/auto_filtered_parameters.rb
index 313c8f3ef68d3..0081d87817998 100644
--- a/activerecord/lib/active_record/encryption/auto_filtered_parameters.rb
+++ b/activerecord/lib/active_record/encryption/auto_filtered_parameters.rb
@@ -54,7 +54,7 @@ def apply_filter(klass, attribute)
 filter = [("#{klass.model_name.element}" if klass.name), attribute.to_s].compact.join(".")
 unless excluded_from_filter_parameters?(filter)
 app.config.filter_parameters << filter unless app.config.filter_parameters.include?(filter)
- klass.filter_attributes += [ attribute ]
+ klass.filter_attributes += [ /^#{attribute}$/ ]
 end
 end
diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
index 1fce0d209a7a2..a54807fcc584a 100644
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
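Review bot: In `apply_filter` (auto_filtered_parameters.rb), `/^#{attribute}$/` is not an exact-match pattern in Ruby: `^` and `$` anchor at line boundaries rather than at the ends of the string, and the attribute name is interpolated without escaping, so any regex metacharacter in it would be interpreted. For a filter that decides which values get masked, `klass.filter_attributes += [ /\A#{Regexp.escape(attribute.to_s)}\z/ ]` states the intent precisely; the assertion in configuration_test.rb would need the matching literal. The change also narrows masking: an attribute whose name merely contains the encrypted attribute's name was presumably covered by the old symbol filter and no longer is, which deserves an explicit sentence in the changelog entry so that such columns can be listed by hand where needed. The `def` line of `apply_filter` is visible only in the hunk header.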
@@ -3758,7 +3758,7 @@ class MyLogger < ::Logger
 assert_equal [ :password, :credit_card_number ], ActiveRecord::Base.filter_attributes
 end
- test "encrypted attributes are added to record's filter_attributes by default" do
+ test "encrypted attributes are added to record's filter_attributes as exact matches by default" do
 app_file "app/models/post.rb", <<-RUBY
 class Post < ActiveRecord::Base
 encrypts :content
@@ -3772,7 +3772,7 @@ class Post < ActiveRecord::Base
 app "production"
- assert_includes Post.filter_attributes, :content
+ assert_includes Post.filter_attributes, /^content$/
 assert_not_includes ActiveRecord::Base.filter_attributes, :content
 end
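Review bot: The updated assertion `assert_includes Post.filter_attributes, /^content$/` in the second hunk only checks that a regexp with the same source as the implementation is in the list; it does not demonstrate that filtering is now exact. A behavioural check would pin the fix: give `Post` a second attribute whose name only contains `content`, and assert that `inspect` masks `content` while still showing the other one (assuming `inspect` is where `filter_attributes` is applied). Such a test would also keep passing if the anchors in `apply_filter` are later tightened to `\A`/`\z`. The test starts in the previous hunk and the lines between the two hunks are not shown.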