
Don't show secrets for MessageEncryptor#inspect #48499

Merged
merged 1 commit into from
Jun 16, 2023

Conversation

p8
Member

@p8 p8 commented Jun 16, 2023

If anyone calls a message encryptor in the console it will show the secret of the encryptor.

By overriding the inspect method to only show the class name we can avoid accidentally outputting sensitive information.

Before:

```ruby
ActiveSupport::MessageEncryptor.new(secret, cipher: "aes-256-gcm").inspect
"#<ActiveSupport::MessageEncryptor:0x0000000104888038 ... @secret=\"\\xAF\\bFh]LV}q\\nl\\xB2U\\xB3 ... >"
```

After:

```ruby
ActiveSupport::MessageEncryptor.new(secret, cipher: "aes-256-gcm").inspect
"#<ActiveSupport::MessageEncryptor:0x0000000104888038>"
```

Checklist

Before submitting the PR make sure the following are checked:

  • This Pull Request is related to one change. Changes that are unrelated should be opened in separate PRs.
  • Commit message has a detailed description of what changed and why. If this PR fixes a related issue include it in the commit message. Ex: [Fix #issue-number]
  • Tests are added or updated if you fix a bug or add a feature.
  • CHANGELOG files are updated for the changed libraries if there is a behavior change or additional feature. Minor bug fixes and documentation changes should not be included.
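The leak described above comes from Ruby's default `Object#inspect`, which prints every instance variable; `p`, `pp`, the IRB/console echo and many error reporters all call it. As an added example that is not code from this PR or from Rails, two hypothetical classes (`LeakyEncryptor`, `RedactingEncryptor`) show the default output beside an `inspect` override that prints only the class name and an address-like suffix. The secret value is constructed for the example, and the address formatting is an assumption about how to mimic the `#<Class:0x...>` prefix, not the actual memory address.

```ruby
# Added example (not from the rails PR): a default #inspect leaks instance
# variables, while an override keeps key material out of console output,
# logs and exception messages that embed obj.inspect.

# Hypothetical stand-in for an encryptor that holds key material.
class LeakyEncryptor
  def initialize(secret, cipher: "aes-256-gcm")
    @secret = secret
    @cipher = cipher
  end
  # No #inspect override: Ruby's default includes every ivar, @secret included.
end

# Same data, but #inspect is overridden to show only the class name.
class RedactingEncryptor
  def initialize(secret, cipher: "aes-256-gcm")
    @secret = secret
    @cipher = cipher
  end

  # Only the class name and an address-like suffix are shown. The suffix
  # (object_id << 1, zero-padded hex) is an assumption used to mimic Ruby's
  # "#<Class:0x...>" prefix; it is not the real memory address.
  def inspect
    "#<#{self.class.name}:0x#{'%016x' % (object_id << 1)}>"
  end
end

# Returns true when the object's inspect output contains the secret.
def leaks_secret?(obj, secret)
  obj.inspect.include?(secret)
end

# Runs both classes against one constructed secret and returns
# [leaky_leaks?, redacting_leaks?] so the difference can be checked.
def redaction_check(secret)
  [
    leaks_secret?(LeakyEncryptor.new(secret), secret),
    leaks_secret?(RedactingEncryptor.new(secret), secret),
  ]
end

if __FILE__ == $PROGRAM_NAME
  secret = "constructed-secret-do-not-log" # constructed sample value
  puts LeakyEncryptor.new(secret).inspect      # shows @secret="..."
  puts RedactingEncryptor.new(secret).inspect  # shows only the class name
  p redaction_check(secret)                    # [true, false]
end
```

Note that `to_s` is unaffected: Ruby's default `Object#to_s` already omits instance variables, so the override only has to cover `inspect`. Anything that formats the object by hand (a custom `to_h`, a serializer) still needs its own review.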

@p8 p8 force-pushed the activesupport/inspect-message-encryptor branch from b5b628d to 3d3cb04 Compare June 16, 2023 13:16
@eileencodes
Member

Thanks @p8, can you fix the conflicts?

@p8 p8 force-pushed the activesupport/inspect-message-encryptor branch from 3d3cb04 to 34fc51c Compare June 16, 2023 19:14
If anyone calls a message encryptor in the console it will
show the secret of the encryptor.

By overriding the `inspect` method to only show the class name we can
avoid accidentally outputting sensitive information.

Before:

```ruby
ActiveSupport::MessageEncryptor.new(secret, cipher: "aes-256-gcm").inspect
"#<ActiveSupport::MessageEncryptor:0x0000000104888038 ... @secret=\"\\xAF\\bFh]LV}q\\nl\\xB2U\\xB3 ... >"
```

After:

```ruby
ActiveSupport::MessageEncryptor.new(secret, cipher: "aes-256-gcm").inspect
"#<ActiveSupport::MessageEncryptor:0x0000000104888038>"
```
@p8 p8 force-pushed the activesupport/inspect-message-encryptor branch from 34fc51c to 3f1526a Compare June 16, 2023 19:14
@p8
Member Author

p8 commented Jun 16, 2023

Thanks @eileencodes . I've rebased.

@eileencodes eileencodes merged commit d15aff4 into rails:main Jun 16, 2023
9 checks passed
@p8 p8 deleted the activesupport/inspect-message-encryptor branch June 16, 2023 19:57