| field | value | date |
|---|---|---|
| author | Aaron Patterson <aaron.patterson@gmail.com> | 2019-03-10 16:37:46 -0700 |
| committer | John Hawthorn <john@hawthorn.email> | 2019-03-10 21:30:03 -0700 |
| commit | 4c743587ad6a31908503ab317e37d70361d49e66 (patch) | |
| tree | dea618c58eb9c761555d60d20030372c1ecc3131 /railties/test/isolation | |
| parent | f4c70c2222180b8d9d924f00af0c7fd632e26715 (diff) | |
| download | rails-4c743587ad6a31908503ab317e37d70361d49e66.tar.gz, rails-4c743587ad6a31908503ab317e37d70361d49e66.tar.bz2, rails-4c743587ad6a31908503ab317e37d70361d49e66.zip | |
Fix possible dev mode RCE
If the secret_key_base is nil in dev or test, generate a key from random
bytes and store it in a tmp file. This prevents app developers from
having to share / check in the secret key for dev / test, but also
maintains a key between app restarts in dev/test.
[CVE-2019-5420]
Co-Authored-By: eileencodes <eileencodes@gmail.com>
Co-Authored-By: John Hawthorn <john@hawthorn.email>
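The commit message describes the approach (fall back to a random key persisted under tmp/ when no secret_key_base is configured in development or test) but the diff shown here only touches a test helper. The following is an added illustration of that approach, written for this page; it is not Rails' own implementation. The module name `DevSecret`, the file name `development_secret.txt`, the `env:`/`tmp_dir:` parameters, the refusal to auto-generate outside development/test, and the 0600 file mode are all assumptions made for the example.

```ruby
# Added illustration (not Rails' own code) of the approach described in the
# commit message: when secret_key_base is nil in development/test, derive a key
# from random bytes once and persist it under tmp/ so it survives restarts
# without ever being checked in or shared.
require "securerandom"
require "fileutils"

module DevSecret
  SECRET_FILE = "development_secret.txt" # assumed file name

  # Returns the configured key when one is set. Otherwise, in development or
  # test only, returns a per-checkout random key stored in
  # <tmp_dir>/development_secret.txt, creating it on first use.
  def self.secret_key_base(configured, env:, tmp_dir:)
    return configured unless configured.nil? || configured.empty?
    unless %w[development test].include?(env)
      # Assumed policy: never silently generate a key for a real deployment.
      raise ArgumentError, "secret_key_base must be set explicitly in #{env}"
    end
    generate_development_secret(tmp_dir)
  end

  # Reads the persisted key if present and non-empty; otherwise generates
  # 64 random bytes (128 hex chars) and writes them to the tmp file.
  def self.generate_development_secret(tmp_dir)
    path = File.join(tmp_dir, SECRET_FILE)
    if File.exist?(path)
      key = File.read(path).strip
      return key unless key.empty?
    end
    FileUtils.mkdir_p(tmp_dir)
    key = SecureRandom.hex(64)
    # 0600 keeps other local users from reading the key (assumed hardening,
    # not something the commit message states).
    File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
      f.write(key)
    end
    key
  end
end

if $PROGRAM_NAME == __FILE__
  require "tmpdir"
  Dir.mktmpdir do |dir|
    first  = DevSecret.secret_key_base(nil, env: "development", tmp_dir: dir)
    second = DevSecret.secret_key_base(nil, env: "development", tmp_dir: dir)
    puts "generated key length: #{first.length}, stable across restarts: #{first == second}"
  end
end
```

The important property is the one the commit message calls out: the key is random per checkout rather than a value everyone shares, so a cookie or message signed with one developer's key is not verifiable by an attacker who has only read the repository. The tmp directory should already be in `.gitignore` so the generated file is never committed.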
Diffstat (limited to 'railties/test/isolation')
-rw-r--r-- | railties/test/isolation/abstract_unit.rb | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/railties/test/isolation/abstract_unit.rb b/railties/test/isolation/abstract_unit.rb index 3f1638a516..b10701aa55 100644 --- a/railties/test/isolation/abstract_unit.rb +++ b/railties/test/isolation/abstract_unit.rb @@ -226,6 +226,7 @@ module TestHelpers @app.config.session_store :cookie_store, key: "_myapp_session" @app.config.active_support.deprecation = :log @app.config.log_level = :info + @app.secrets.secret_key_base = "b3c631c314c0bbca50c1b2843150fe33" yield @app if block_given? @app.initialize! |
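Review bot: the added `@app.secrets.secret_key_base = "b3c631c314c0bbca50c1b2843150fe33"` line in abstract_unit.rb has no comment saying why the isolation tests need a fixed key, which matters here because the commit message says a nil secret_key_base in dev/test now triggers generation of a random key written to a tmp file; a one-line comment such as `# Test-only fixture: keeps isolation tests off the nil-key path that writes a tmp file` would make the intent clear and mark the value as not for reuse. A style point: the surrounding lines configure the app through `@app.config.*` while this line goes through `@app.secrets`, so the comment should also say why `secrets` is the right place for it.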