Marking virtual attributes in Rails 5.1 may be exposing decrypted data #353
Comments
|
Has there been any update on this? I am facing the same issue as well. Pretty much kills the whole point of using encryption in the first place. |
This is a very old issue. None of the maintainers from that time are still active, so issues like this ended up getting pretty stale. If you are still having this issue, could you please open a new issue including what version of Rails, Ruby and attry_encrypted you are on? I would also suggest trying the latest release if you can as the linked code above no longer exists. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When upgrading an application from Rails 5.0.7.2 to 5.1.7, I noticed that decrypted fields that used to be filtered out of our JSON responses are now included.
I believe this was caused by #263, if I comment out this line, the secrets stay secret.
attr_encrypted/lib/attr_encrypted/adapters/active_record.rb
Line 56 in 11df93a
My theory is that this is enabled because the field is now in
attributes, which is enumerated when ActiveRecord creates aserializable_hashof a model.https://github.com/rails/rails/blob/66cabeda2c46c582d19738e1318be8d59584cc5b/activemodel/lib/active_model/serialization.rb#L126
The text was updated successfully, but these errors were encountered: