When defining a resource for the Devise User class, Active Admin by default includes sensitive data like encrypted passwords in the CSV output accessible via the download links.
While Devise itself takes precautions to exclude sensitive data from JSON and XML serializations, the default CSV builder includes all attributes.
To avoid exposing the data, one needs to add a csv block to the resource definition.
While I understand that this more or less also applies to the HTML view of the default index table, I have found the download endpoints to be far easier to miss.
Interesting. I didn't realize my application is allowing the download of sensitive data via the exports (CSV, JSON, and XML). This deserves more investigation and a clear warning/reminder about models with sensitive data.
I monkey patched the default behavior to be closed instead of open. It doesn't make an incredibly useful CSV, but the default export often isn't either:
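module ActiveAdmin
  class CSVBuilder
    # Closed default: export only the id and the display name
    # unless a resource defines its own csv block.
    def self.default_for_resource(resource)
      new resource: resource do
        column :id
        column "Name" do |res|
          display_name(res)
        end
      end
    end
  end
end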
I agree that the default behavior should be closed instead of open; Active Admin exports should be secure by default. If the default behavior is changed, configuration flags should also be provided to make it easy to revert.
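
A regression check for the exposure discussed in this thread, as an added example that is not part of the original posts or of Active Admin or Devise: it inspects the header row of an exported CSV for Devise attribute names. The `SENSITIVE` list (modelled on the attributes Devise hides from JSON and XML serialization), the function names and the sample exports are assumptions constructed for illustration.

```ruby
# Added example: audit the header row of an exported CSV for Devise columns.
# SENSITIVE is an assumption modelled on the attributes Devise hides from
# JSON/XML serialization; extend it for your own schema.
SENSITIVE = %w[
  encrypted_password password_salt
  reset_password_token reset_password_sent_at
  remember_token remember_created_at
  confirmation_token confirmed_at confirmation_sent_at unconfirmed_email
  unlock_token failed_attempts locked_at
  sign_in_count current_sign_in_at last_sign_in_at
  current_sign_in_ip last_sign_in_ip
].freeze

# Turn a header cell such as "Encrypted password" into "encrypted_password".
def normalize_header(cell)
  cell.strip.delete_prefix('"').delete_suffix('"')
      .downcase.gsub(/[^a-z0-9]+/, "_").gsub(/\A_+|_+\z/, "")
end

# Return the sensitive column names found in the first row of csv_text.
# Assumes header cells contain no embedded commas (true for attribute names).
# A leading byte order mark is stripped before the header is read.
def sensitive_csv_headers(csv_text)
  header = csv_text.sub(/\A\uFEFF/, "").lines.first.to_s.chomp
  header.split(",").map { |c| normalize_header(c) } & SENSITIVE
end

# Constructed sample exports (not real data): an open default that dumps
# every attribute, and a closed export restricted to id and name.
OPEN_EXPORT = "\uFEFF" + <<~CSV
  Id,Email,Encrypted password,Reset password token,Created at
  1,alice@example.com,constructed-hash-placeholder,,2024-01-01 00:00:00 UTC
CSV

CLOSED_EXPORT = <<~CSV
  Id,Name
  1,alice@example.com
CSV

if __FILE__ == $PROGRAM_NAME
  { "open default" => OPEN_EXPORT, "closed default" => CLOSED_EXPORT }.each do |label, csv|
    found = sensitive_csv_headers(csv)
    puts "#{label}: #{found.empty? ? 'ok' : "LEAKS #{found.join(', ')}"}"
  end
end
```

In an application test suite, the same function can be pointed at the body returned by each admin CSV download endpoint, failing the build when the result is not empty.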