aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/dispatch/cookies_test.rb
diff options
context:
space:
mode:
authorVipul A M <vipulnsward@gmail.com>2016-07-09 04:03:43 -0700
committerVipul A M <vipulnsward@gmail.com>2016-09-01 02:53:48 +0530
commitae32b69ab9647f4072d6852c4d4d1f2a939360c1 (patch)
tree16e711ce8df8e449a5281fd75a5d73abfc56a305 /actionpack/test/dispatch/cookies_test.rb
parentfd2446cd8156f288598cdb47172cfe31ec24c1ee (diff)
downloadrails-ae32b69ab9647f4072d6852c4d4d1f2a939360c1.tar.gz
rails-ae32b69ab9647f4072d6852c4d4d1f2a939360c1.tar.bz2
rails-ae32b69ab9647f4072d6852c4d4d1f2a939360c1.zip
Follow up of #25602
Since keys are truncated, ruby 2.4 doesn't accept keys greater than their lenghts. keys of same value but different lenght and greater than key size of cipher, produce the same results as reproduced at https://gist.github.com/rhenium/b81355fe816dcfae459cc5eadfc4f6f9 Since our default cipher is 'aes-256-cbc', key length for which is 32 bytes, limit the length of key being passed to Encryptor to 32 bytes. This continues to support backwards compat with any existing signed data, already encrupted and signed with 32+ byte keys. Also fixes the passing of this value in multiple tests.
Diffstat (limited to 'actionpack/test/dispatch/cookies_test.rb')
-rw-r--r--actionpack/test/dispatch/cookies_test.rb36
1 files changed, 25 insertions, 11 deletions
diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
index 4d3d83f45a..2bee6c75bb 100644
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -603,7 +603,7 @@ class CookiesTest < ActionController::TestCase
secret = key_generator.generate_key(encrypted_cookie_salt)
sign_secret = key_generator.generate_key(encrypted_signed_cookie_salt)
- marshal_value = ActiveSupport::MessageEncryptor.new(secret, sign_secret, serializer: Marshal).encrypt_and_sign("bar")
+ marshal_value = ActiveSupport::MessageEncryptor.new(secret[0..31], sign_secret, serializer: Marshal).encrypt_and_sign("bar")
@request.headers["Cookie"] = "foo=#{marshal_value}"
get :get_encrypted_cookie
@@ -612,7 +612,7 @@ class CookiesTest < ActionController::TestCase
assert_not_equal "bar", cookies[:foo]
assert_equal "bar", cookies.encrypted[:foo]
- encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, serializer: JSON)
+ encryptor = ActiveSupport::MessageEncryptor.new(secret[0..31], sign_secret, serializer: JSON)
assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
end
@@ -624,7 +624,7 @@ class CookiesTest < ActionController::TestCase
encrypted_signed_cookie_salt = @request.env["action_dispatch.encrypted_signed_cookie_salt"]
secret = key_generator.generate_key(encrypted_cookie_salt)
sign_secret = key_generator.generate_key(encrypted_signed_cookie_salt)
- json_value = ActiveSupport::MessageEncryptor.new(secret, sign_secret, serializer: JSON).encrypt_and_sign("bar")
+ json_value = ActiveSupport::MessageEncryptor.new(secret[0..31], sign_secret, serializer: JSON).encrypt_and_sign("bar")
@request.headers["Cookie"] = "foo=#{json_value}"
get :get_encrypted_cookie
@@ -636,6 +636,20 @@ class CookiesTest < ActionController::TestCase
assert_nil @response.cookies["foo"]
end
+
+ def test_compat_encrypted_cookie_using_64_byte_key
+ # Cookie generated with 64 bytes secret
+ message = ["566d4e75536d686e633246564e6b493062557079626c566d51574d30515430394c53315665564a694e4563786555744f57537454576b396a5a31566a626e52525054303d2d2d34663234333330623130623261306163363562316266323335396164666364613564643134623131"].pack('H*')
+ @request.headers["Cookie"] = "foo=#{message}"
+
+ get :get_encrypted_cookie
+
+ cookies = @controller.send :cookies
+ assert_not_equal "bar", cookies[:foo]
+ assert_equal "bar", cookies.encrypted[:foo]
+ assert_nil @response.cookies["foo"]
+ end
+
def test_accessing_nonexistent_encrypted_cookie_should_not_raise_invalid_message
get :set_encrypted_cookie
assert_nil @controller.send(:cookies).encrypted[:non_existent_attribute]
@@ -799,8 +813,8 @@ class CookiesTest < ActionController::TestCase
key_generator = @request.env["action_dispatch.key_generator"]
secret = key_generator.generate_key(@request.env["action_dispatch.encrypted_cookie_salt"])
sign_secret = key_generator.generate_key(@request.env["action_dispatch.encrypted_signed_cookie_salt"])
- encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)
- assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
+ encryptor = ActiveSupport::MessageEncryptor.new(secret[0..31], sign_secret)
+ assert_equal 'bar', encryptor.decrypt_and_verify(@response.cookies["foo"])
end
def test_legacy_json_signed_cookie_is_read_and_transparently_upgraded_by_signed_json_cookie_jar_if_both_secret_token_and_secret_key_base_are_set
@@ -838,8 +852,8 @@ class CookiesTest < ActionController::TestCase
key_generator = @request.env["action_dispatch.key_generator"]
secret = key_generator.generate_key(@request.env["action_dispatch.encrypted_cookie_salt"])
sign_secret = key_generator.generate_key(@request.env["action_dispatch.encrypted_signed_cookie_salt"])
- encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, serializer: JSON)
- assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
+ encryptor = ActiveSupport::MessageEncryptor.new(secret[0..31], sign_secret, serializer: JSON)
+ assert_equal 'bar', encryptor.decrypt_and_verify(@response.cookies["foo"])
end
def test_legacy_json_signed_cookie_is_read_and_transparently_upgraded_by_signed_json_hybrid_jar_if_both_secret_token_and_secret_key_base_are_set
@@ -877,8 +891,8 @@ class CookiesTest < ActionController::TestCase
key_generator = @request.env["action_dispatch.key_generator"]
secret = key_generator.generate_key(@request.env["action_dispatch.encrypted_cookie_salt"])
sign_secret = key_generator.generate_key(@request.env["action_dispatch.encrypted_signed_cookie_salt"])
- encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, serializer: JSON)
- assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
+ encryptor = ActiveSupport::MessageEncryptor.new(secret[0..31], sign_secret, serializer: JSON)
+ assert_equal 'bar', encryptor.decrypt_and_verify(@response.cookies["foo"])
end
def test_legacy_marshal_signed_cookie_is_read_and_transparently_upgraded_by_signed_json_hybrid_jar_if_both_secret_token_and_secret_key_base_are_set
@@ -916,8 +930,8 @@ class CookiesTest < ActionController::TestCase
key_generator = @request.env["action_dispatch.key_generator"]
secret = key_generator.generate_key(@request.env["action_dispatch.encrypted_cookie_salt"])
sign_secret = key_generator.generate_key(@request.env["action_dispatch.encrypted_signed_cookie_salt"])
- encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, serializer: JSON)
- assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
+ encryptor = ActiveSupport::MessageEncryptor.new(secret[0..31], sign_secret, serializer: JSON)
+ assert_equal 'bar', encryptor.decrypt_and_verify(@response.cookies["foo"])
end
def test_legacy_signed_cookie_is_treated_as_nil_by_signed_cookie_jar_if_tampered