diff options
| author | Assain <assainjaleel20@gmail.com> | 2018-05-19 13:31:57 +0530 |
|---|---|---|
| committer | Assain <assainjaleel20@gmail.com> | 2018-08-12 21:50:35 +0530 |
| commit | 1cda4fb5df519080032c9c0a16d3c4f8cf1f3d2c (patch) | |
| tree | 5e3b2acdd55627088a99e91494481645e365c35e /railties | |
| parent | ba1dab1e3b32a7c81cb9b8bdc22429f6620a3833 (diff) | |
| download | rails-1cda4fb5df519080032c9c0a16d3c4f8cf1f3d2c.tar.gz rails-1cda4fb5df519080032c9c0a16d3c4f8cf1f3d2c.tar.bz2 rails-1cda4fb5df519080032c9c0a16d3c4f8cf1f3d2c.zip | |
Purpose Metadata For Signed And Encrypted Cookies
Purpose metadata prevents cookie values from being
copy-pasted and ensures that the cookie is used only
for its originally intended purpose.
The Purpose and Expiry metadata are embedded inside signed/encrypted
cookies and will not be readable on previous versions of Rails.
We can switch off purpose and expiry metadata embedded in
signed and encrypted cookies using
config.action_dispatch.use_cookies_with_metadata = false
if you want your cookies to be readable on older versions of Rails.
Diffstat (limited to 'railties')
5 files changed, 22 insertions, 10 deletions
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb index 31d0d65a30..99e42ebefb 100644 --- a/railties/lib/rails/application.rb +++ b/railties/lib/rails/application.rb @@ -267,6 +267,7 @@ module Rails "action_dispatch.cookies_serializer" => config.action_dispatch.cookies_serializer, "action_dispatch.cookies_digest" => config.action_dispatch.cookies_digest, "action_dispatch.cookies_rotations" => config.action_dispatch.cookies_rotations, + "action_dispatch.use_cookies_with_metadata" => config.action_dispatch.use_cookies_with_metadata, "action_dispatch.content_security_policy" => config.content_security_policy, "action_dispatch.content_security_policy_report_only" => config.content_security_policy_report_only, "action_dispatch.content_security_policy_nonce_generator" => config.content_security_policy_nonce_generator diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb index 9c54cc1f37..9eb07219e0 100644 --- a/railties/lib/rails/application/configuration.rb +++ b/railties/lib/rails/application/configuration.rb @@ -120,6 +120,10 @@ module Rails if respond_to?(:action_view) action_view.default_enforce_utf8 = false end + + if respond_to?(:action_dispatch) + action_dispatch.use_cookies_with_metadata = true + end else raise "Unknown version #{target_version.to_s.inspect}" end diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_6_0.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_6_0.rb.tt index 179b97de4a..54eb0cb1d2 100644 --- a/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_6_0.rb.tt +++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_6_0.rb.tt @@ -8,3 +8,10 @@ # Don't force requests from old versions of IE to be UTF-8 encoded # Rails.application.config.action_view.default_enforce_utf8 = false + +# Embed purpose and expiry metadata inside signed and encrypted +# cookies for increased security. +# +# This option is not backwards compatible with earlier Rails versions. +# It's best enabled when your entire app is migrated and stable on 6.0. +# Rails.application.config.action_dispatch.use_cookies_with_metadata = true diff --git a/railties/test/application/middleware/cookies_test.rb b/railties/test/application/middleware/cookies_test.rb index ecb4ee3446..fe48ef3f03 100644 --- a/railties/test/application/middleware/cookies_test.rb +++ b/railties/test/application/middleware/cookies_test.rb @@ -110,14 +110,14 @@ module ApplicationTests assert_equal "signed cookie".inspect, last_response.body get "/foo/read_raw_cookie" - assert_equal "signed cookie", verifier_sha512.verify(last_response.body) + assert_equal "signed cookie", verifier_sha512.verify(last_response.body, purpose: "cookie.signed_cookie") get "/foo/write_raw_cookie_sha256" get "/foo/read_signed" assert_equal "signed cookie".inspect, last_response.body get "/foo/read_raw_cookie" - assert_equal "signed cookie", verifier_sha512.verify(last_response.body) + assert_equal "signed cookie", verifier_sha512.verify(last_response.body, purpose: "cookie.signed_cookie") end test "encrypted cookies rotating multiple encryption keys" do @@ -180,14 +180,14 @@ module ApplicationTests assert_equal "encrypted cookie".inspect, last_response.body get "/foo/read_raw_cookie" - assert_equal "encrypted cookie", encryptor.decrypt_and_verify(last_response.body) + assert_equal "encrypted cookie", encryptor.decrypt_and_verify(last_response.body, purpose: "cookie.encrypted_cookie") - get "/foo/write_raw_cookie_sha256" + get "/foo/write_raw_cookie_two" get "/foo/read_encrypted" assert_equal "encrypted cookie".inspect, last_response.body get "/foo/read_raw_cookie" - assert_equal "encrypted cookie", encryptor.decrypt_and_verify(last_response.body) + assert_equal "encrypted cookie", encryptor.decrypt_and_verify(last_response.body, purpose: "cookie.encrypted_cookie") end end end diff --git a/railties/test/application/middleware/session_test.rb b/railties/test/application/middleware/session_test.rb index 9182a63ab7..b25e56b625 100644 --- a/railties/test/application/middleware/session_test.rb +++ b/railties/test/application/middleware/session_test.rb @@ -183,7 +183,7 @@ module ApplicationTests encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len(cipher)], cipher: cipher) get "/foo/read_raw_cookie" - assert_equal 1, encryptor.decrypt_and_verify(last_response.body)["foo"] + assert_equal 1, encryptor.decrypt_and_verify(last_response.body, purpose: "cookie._myapp_session")["foo"] end test "session upgrading signature to encryption cookie store works the same way as encrypted cookie store" do @@ -235,7 +235,7 @@ module ApplicationTests encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len(cipher)], cipher: cipher) get "/foo/read_raw_cookie" - assert_equal 1, encryptor.decrypt_and_verify(last_response.body)["foo"] + assert_equal 1, encryptor.decrypt_and_verify(last_response.body, purpose: "cookie._myapp_session")["foo"] end test "session upgrading signature to encryption cookie store upgrades session to encrypted mode" do @@ -297,7 +297,7 @@ module ApplicationTests encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len(cipher)], cipher: cipher) get "/foo/read_raw_cookie" - assert_equal 2, encryptor.decrypt_and_verify(last_response.body)["foo"] + assert_equal 2, encryptor.decrypt_and_verify(last_response.body, purpose: "cookie._myapp_session")["foo"] end test "session upgrading from AES-CBC-HMAC encryption to AES-GCM encryption" do @@ -364,7 +364,7 @@ module ApplicationTests encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len(cipher)], cipher: cipher) get "/foo/read_raw_cookie" - assert_equal 2, encryptor.decrypt_and_verify(last_response.body)["foo"] + assert_equal 2, encryptor.decrypt_and_verify(last_response.body, purpose: "cookie._myapp_session")["foo"] ensure ENV["RAILS_ENV"] = old_rails_env end @@ -428,7 +428,7 @@ module ApplicationTests verifier = ActiveSupport::MessageVerifier.new(app.secrets.secret_token) get "/foo/read_raw_cookie" - assert_equal 2, verifier.verify(last_response.body)["foo"] + assert_equal 2, verifier.verify(last_response.body, purpose: "cookie._myapp_session")["foo"] ensure ENV["RAILS_ENV"] = old_rails_env end |