diff options
| author | Aaron Patterson <aaron.patterson@gmail.com> | 2019-03-10 16:37:46 -0700 |
|---|---|---|
| committer | John Hawthorn <john@hawthorn.email> | 2019-03-10 21:30:03 -0700 |
| commit | 4c743587ad6a31908503ab317e37d70361d49e66 (patch) | |
| tree | dea618c58eb9c761555d60d20030372c1ecc3131 /railties/test | |
| parent | f4c70c2222180b8d9d924f00af0c7fd632e26715 (diff) | |
| download | rails-4c743587ad6a31908503ab317e37d70361d49e66.tar.gz rails-4c743587ad6a31908503ab317e37d70361d49e66.tar.bz2 rails-4c743587ad6a31908503ab317e37d70361d49e66.zip | |
Fix possible dev mode RCE
If the secret_key_base is nil in dev or test generate a key from random
bytes and store it in a tmp file. This prevents the app developers from
having to share / checkin the secret key for dev / test but also
maintains a key between app restarts in dev/test.
[CVE-2019-5420]
Co-Authored-By: eileencodes <eileencodes@gmail.com>
Co-Authored-By: John Hawthorn <john@hawthorn.email>
Diffstat (limited to 'railties/test')
| -rw-r--r-- | railties/test/application/configuration_test.rb | 22 | ||||
| -rw-r--r-- | railties/test/isolation/abstract_unit.rb | 1 |
2 files changed, 22 insertions, 1 deletions
diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb index 73773602a3..377dab1a13 100644 --- a/railties/test/application/configuration_test.rb +++ b/railties/test/application/configuration_test.rb @@ -596,6 +596,27 @@ module ApplicationTests assert_equal "some_value", verifier.verify(message) end + test "application will generate secret_key_base in tmp file if blank in development" do + app_file "config/initializers/secret_token.rb", <<-RUBY + Rails.application.credentials.secret_key_base = nil + RUBY + + app "development" + + assert_not_nil app.secrets.secret_key_base + assert File.exist?(app_path("tmp/development_secret.txt")) + end + + test "application will not generate secret_key_base in tmp file if blank in production" do + app_file "config/initializers/secret_token.rb", <<-RUBY + Rails.application.credentials.secret_key_base = nil + RUBY + + assert_raises ArgumentError do + app "production" + end + end + test "raises when secret_key_base is blank" do app_file "config/initializers/secret_token.rb", <<-RUBY Rails.application.credentials.secret_key_base = nil @@ -619,7 +640,6 @@ module ApplicationTests test "application verifier can build different verifiers" do make_basic_app do |application| - application.credentials.secret_key_base = "b3c631c314c0bbca50c1b2843150fe33" application.config.session_store :disabled end diff --git a/railties/test/isolation/abstract_unit.rb b/railties/test/isolation/abstract_unit.rb index 3f1638a516..b10701aa55 100644 --- a/railties/test/isolation/abstract_unit.rb +++ b/railties/test/isolation/abstract_unit.rb @@ -226,6 +226,7 @@ module TestHelpers @app.config.session_store :cookie_store, key: "_myapp_session" @app.config.active_support.deprecation = :log @app.config.log_level = :info + @app.secrets.secret_key_base = "b3c631c314c0bbca50c1b2843150fe33" yield @app if block_given? @app.initialize! |