Diffstat (limited to 'railties')
-rw-r--r-- | railties/CHANGELOG.md | 12 | ||||
-rw-r--r-- | railties/lib/rails/application.rb | 3 | ||||
-rw-r--r-- | railties/lib/rails/commands/credentials/credentials_command.rb | 13 | ||||
-rw-r--r-- | railties/test/commands/credentials_test.rb | 13 |
4 files changed, 37 insertions, 4 deletions
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
index 1fb0a94b2d..cad5ae02a8 100644
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -12,7 +12,17 @@
 ## Rails 6.0.0.beta3 (March 11, 2019) ##
 
-* No changes.
+* Generate random development secrets
+
+ A random development secret is now generated to tmp/development_secret.txt
+
+ This avoids an issue where development mode servers were vulnerable to
+ remote code execution.
+
+ Fixes CVE-2019-5420
+
+ *Eileen M. Uchitelle*, *Aaron Patterson*, *John Hawthorn*
+
 ## Rails 6.0.0.beta2 (February 25, 2019) ##
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index 6bc6c548d2..038284ebdd 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -409,7 +409,8 @@ module Rails
 # The secret_key_base is used as the input secret to the application's key generator, which in turn
 # is used to create all MessageVerifiers/MessageEncryptors, including the ones that sign and encrypt cookies.
 #
- # In test and development, this is simply derived as a MD5 hash of the application's name.
+ # In development and test, this is randomly generated and stored in a
+ # temporary file in <tt>tmp/development_secret.txt</tt>.
 #
 # In all other environments, we look for it first in ENV["SECRET_KEY_BASE"],
 # then credentials.secret_key_base, and finally secrets.secret_key_base. For most applications,
diff --git a/railties/lib/rails/commands/credentials/credentials_command.rb b/railties/lib/rails/commands/credentials/credentials_command.rb
index a22b1f3f84..e23a1b3008 100644
--- a/railties/lib/rails/commands/credentials/credentials_command.rb
+++ b/railties/lib/rails/commands/credentials/credentials_command.rb
@@ -56,7 +56,11 @@ module Rails
 end
 
 def ensure_credentials_have_been_added
- encrypted_file_generator.add_encrypted_file_silently(content_path, key_path)
+ if options[:environment]
+ encrypted_file_generator.add_encrypted_file_silently(content_path, key_path)
+ else
+ credentials_generator.add_credentials_file_silently
+ end
 end
 
 def change_credentials_in_system_editor
@@ -96,6 +100,13 @@ module Rails
 
 Rails::Generators::EncryptedFileGenerator.new
 end
+
+ def credentials_generator
+ require "rails/generators"
+ require "rails/generators/rails/credentials/credentials_generator"
+
+ Rails::Generators::CredentialsGenerator.new
+ end
 end
 end
 end
diff --git a/railties/test/commands/credentials_test.rb b/railties/test/commands/credentials_test.rb
index 3654e96aed..2f2c50de6c 100644
--- a/railties/test/commands/credentials_test.rb
+++ b/railties/test/commands/credentials_test.rb
@@ -79,6 +79,15 @@ class Rails::Command::CredentialsCommandTest < ActiveSupport::TestCase
 assert_match(/access_key_id: 123/, run_edit_command(environment: "qa"))
 end
 
+ test "edit command generate template file when the file does not exist" do
+ FileUtils.rm("#{app_path}/config/credentials.yml.enc")
+ run_edit_command
+
+ output = run_show_command
+ assert_match(/access_key_id: 123/, output)
+ assert_match(/secret_key_base/, output)
+ end
+
 test "show credentials" do
 assert_match(/access_key_id: 123/, run_show_command)
 end
@@ -106,7 +115,9 @@ class Rails::Command::CredentialsCommandTest < ActiveSupport::TestCase
 
 test "show command properly expand environment option" do
 run_edit_command(environment: "production")
- assert_match(/access_key_id: 123/, run_show_command(environment: "prod"))
+ output = run_show_command(environment: "prod")
+ assert_match(/access_key_id: 123/, output)
+ assert_no_match(/secret_key_base/, output)
 end
 
 private
|
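Review bot: The rewritten comment in the application.rb hunk names the new location of the development secret but says nothing about how that file must be handled, even though the surrounding context lines state that secret_key_base feeds every MessageVerifier/MessageEncryptor, including cookie signing and encryption. A reader who finds `tmp/development_secret.txt` in a checkout has no cue from this doc that its contents are key material. I would extend the added lines with `# That file holds the key material for the development/test key generator and must not be committed or shared.`. Whether the file is regenerated on every boot or reused across boots is not visible in this hunk; if it is reused, the comment should say so too, because that affects how long a leaked copy stays valid.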
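Review bot: `ensure_credentials_have_been_added` now produces two materially different files depending on `options[:environment]` — a bare encrypted file for per-environment credentials and a generated template for the default file — and nothing in the hunk explains why the two paths differ; the intent is only recoverable from the `assert_no_match(/secret_key_base/, output)` in the test hunk. I would add above the `if`: `# Only the default credentials file gets the generated template (with a fresh secret_key_base); environment-specific files start empty so they never shadow it.`, hedged to whatever the generator actually writes since `add_credentials_file_silently` is defined outside this diff. Note also that the branch keys on truthiness, so an empty string supplied as the environment would take the per-environment path; if that is not intended, `unless options[:environment].to_s.empty?` or a Thor-level validation would pin it down. The enclosing class opens and closes outside both hunks, and the new `credentials_generator` helper mirrors `encrypted_file_generator` line for line, which is fine but worth a one-line comment saying it is deliberately lazy-required like its sibling.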
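Review bot: The new test "edit command generate template file when the file does not exist" only checks that the token `secret_key_base` appears in the decrypted output, so a template that wrote an empty or fixed `secret_key_base:` line would still pass, which is the property this commit exists to guarantee. Tightening it to require a value, e.g. `assert_match(/secret_key_base: \S+/, output)` (constructed pattern — adjust to the generator's real output format), and ideally deleting the file again and asserting that a second run yields a different value, would actually pin the randomness the CHANGELOG entry describes. The test name should read `"edit command generates template file when the file does not exist"`. The second hunk's `assert_no_match` is the only place the per-environment behaviour is documented, so a short comment above it stating that environment-specific files intentionally do not receive a secret_key_base would help the next reader.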