auth-sanitizer is vulnerable to Information Disclosure
32
Low Risk
Auth::Sanitizer::FilteredAttributes#inspect redacts sensitive values so host objects can be printed to logs, exceptions, and consoles safely. Before the fix, the method rebuilt inspect output and only redacted configured names when they were top-level instance variables, so configured names stored inside hash-valued instance variables (for example an adapter model holding attributes in an internal hash) were printed in cleartext. This exposes secrets such as tokens and password digests in standard Ruby hash inspect fragments, including nested hashes. The fix delegates to super.inspect and applies constrained pattern redaction that also covers configured names appearing as symbol or string hash keys.
You are affected if you are using a version that falls within the vulnerable range and you rely on FilteredAttributes to redact configured attribute names that can appear inside hash inspect output.
auth-sanitizer is vulnerable to Information Disclosure in versions 0.1.0 - 0.1.5.
Upgrade the auth-sanitizer library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant