Don't show secrets for MessageEncryptor#inspect
If a message encryptor is inspected in the console (or printed to a log), the output includes the encryptor's secret. By overriding the `inspect` method to only show the class name we can avoid accidentally outputting sensitive information. Before: ```ruby ActiveSupport::MessageEncryptor.new(secret, cipher: "aes-256-gcm").inspect "#<ActiveSupport::MessageEncryptor:0x0000000104888038 ... @secret=\"\\xAF\\bFh]LV}q\\nl\\xB2U\\xB3 ... >" ``` After: ```ruby ActiveSupport::MessageEncryptor.new(secret, cipher: "aes-256-gcm").inspect "#<ActiveSupport::MessageEncryptor:0x0000000104888038>" ```
This commit is contained in:
parent
5f4f9166c1
commit
3f1526ae76
@ -1,3 +1,21 @@
|
||||
* Don't show secrets for `MessageEncryptor#inspect`.
|
||||
|
||||
Before:
|
||||
|
||||
```ruby
|
||||
ActiveSupport::MessageEncryptor.new(secret, cipher: "aes-256-gcm").inspect
|
||||
"#<ActiveSupport::MessageEncryptor:0x0000000104888038 ... @secret=\"\\xAF\\bFh]LV}q\\nl\\xB2U\\xB3 ... >"
|
||||
```
|
||||
|
||||
After:
|
||||
|
||||
```ruby
|
||||
ActiveSupport::MessageEncryptor.new(secret, cipher: "aes-256-gcm").inspect
|
||||
"#<ActiveSupport::MessageEncryptor:0x0000000104888038>"
|
||||
```
|
||||
|
||||
*Petrik de Heus*
|
||||
|
||||
* Don't show contents for `EncryptedConfiguration#inspect`.
|
||||
|
||||
Before:
|
||||
@ -10,7 +28,6 @@
|
||||
```ruby
|
||||
Rails.application.credentials.inspect
|
||||
"#<ActiveSupport::EncryptedConfiguration:0x000000010d2b38e8>"
|
||||
```
|
||||
|
||||
*Petrik de Heus*
|
||||
|
||||
|
@ -261,6 +261,10 @@ def read_message(message, **options) # :nodoc:
|
||||
deserialize_with_metadata(decrypt(verify(message)), **options)
|
||||
end
|
||||
|
||||
def inspect # :nodoc:
|
||||
"#<#{self.class.name}:#{'%#016x' % (object_id << 1)}>"
|
||||
end
|
||||
|
||||
private
|
||||
def sign(data)
|
||||
@verifier ? @verifier.create_message(data) : data
|
||||
|
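Review bot: The new `inspect` method carries only `# :nodoc:` and no comment saying why it exists, although the reason is security-relevant enough to record for the next maintainer who might be tempted to restore the default: without it `Object#inspect` dumps `@secret` (and the `@verifier` referenced in `sign` below) into consoles, logs and error reports. Suggest adding `# Deliberately omit instance variables: the default inspect would leak @secret into console output, logs and exception reports.` above `def inspect`, and a short note that `'%#016x' % (object_id << 1)` is there to keep the familiar `#<Class:0x…>` shape. One edge worth a comment or a fallback is that `self.class.name` is nil for an anonymous subclass, so the result would read `#<:0x…>`; harmless, but surprising. `pp` uses a user-defined `inspect` when one is present, so that path should be covered too; whether `MessageVerifier` needs the same treatment for its own secret is not visible in this hunk. The enclosing class continues outside the hunk.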
@ -152,6 +152,11 @@ def test_backwards_compatibility_decrypt_previously_encrypted_messages_without_m
|
||||
assert_equal "Ruby on Rails", encryptor.decrypt_and_verify(encrypted_message)
|
||||
end
|
||||
|
||||
def test_inspect_does_not_show_secrets
|
||||
encryptor = ActiveSupport::MessageEncryptor.new(@secret, cipher: "aes-256-gcm")
|
||||
assert_match(/\A#<ActiveSupport::MessageEncryptor:0x[0-9a-f]+>\z/, encryptor.inspect)
|
||||
end
|
||||
|
||||
private
|
||||
def make_codec(**options)
|
||||
ActiveSupport::MessageEncryptor.new(@secret, **options)
|
||||
|