| Commit message (Collapse) | Author | Age | Files | Lines |
|\
| |
| | |
CSRF token mask from breach-mitigation-rails gem
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This merges in the code from the breach-mitigation-rails gem that masks
authenticity tokens on each request by XORing them with a random set of
bytes. The masking is used to make it impossible for an attacker to
steal a CSRF token from an SSL session by using techniques like the
BREACH attack.
The patch is pretty simple - I've copied over the [relevant
code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb)
and updated the tests to pass, mostly by adjusting stubs and mocks.
|
| |
| |
| |
| | |
Related with #11795.
|
|\ \
| | |
| | | |
Update `ActionController::Parameters` to be more secure on parameters handling
|
| | |
| | |
| | |
| | | |
Ruby 1.9.3 does not implement Hash#to_h, so we can't call `super` on it.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* `each`
* `each_pair`
* `delete`
* `select!`
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This is to make sure that `permitted` status is maintained on the
resulting object.
I found these methods that needs to be redefined by looking for
`self.class.new` in the code.
* extract!
* transform_keys
* transform_values
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
`ActionController::Parameters#to_h` now returns a `Hash` with
unpermitted keys removed. This change is to reflect on a security
concern where some method performed on an `ActionController::Parameters`
may yield a `Hash` object which does not maintain `permitted?` status.
If you would like to get a `Hash` with all the keys intact, duplicate
and mark it as permitted before calling `#to_h`.
params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
params.to_h # => {}
unsafe_params = params.dup.permit!
unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
safe_params = params.permit(:name)
safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
This change is consider a stopgap as we cannot chage the code to stop
`ActionController::Parameters` to inherit from
`HashWithIndifferentAccess` in the next minor release.
Also, adding a CHANGELOG entry to mention that
`ActionController::Parameters` will not inheriting from
`HashWithIndifferentAccess` in the next major version.
|
|\ \ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Conflicts:
actionpack/lib/action_controller/metal/mime_responds.rb
actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb
activerecord/lib/active_record/type/value.rb
|
| | | |
| | | |
| | | |
| | | | |
[skip ci]
|
| | | | |
|
| | | | |
|
| | | | |
|
| |/ /
|/| | |
|
| | | |
|
|\ \ \
| | | |
| | | |
| | | | |
Use #model_name on instances instead of classes
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This allows rails code to be more confdent when asking for a model name, instead of having to ask for the class.
Rails core discussion here: https://groups.google.com/forum/#!topic/rubyonrails-core/ThSaXw9y1F8
|
|\ \ \ \
| | | | |
| | | | |
| | | | |
| | | | | |
Conflicts:
Gemfile
|
| |\ \ \ \
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Conflicts:
actionpack/CHANGELOG.md
|
| |\ \ \ \ \
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Conflicts:
actionpack/CHANGELOG.md
actionpack/test/controller/integration_test.rb
actionview/CHANGELOG.md
|
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
We can just use nokogiri
|
| |\ \ \ \ \ \
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Loofah-integration
Conflicts:
actionpack/CHANGELOG.md
actionview/CHANGELOG.md
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
assert_select can be called without specifying a root.
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Rails::Dom::Testing::Assertions there as well.
|
| | | | | | | | |
|
| | | | | | | | |
|
| | | | | | | | |
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
abstract_unit.rb.
|
| | | | | | | | |
|
| | | | | | | | |
|
| | | | | | | | |
|
| | | | | | | | |
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
<encoded> wrapper. Updated tests to reflect this.
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
tested anywhere.
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
substitution values.
|
| | | | | | | | |
|
| | | | | | | | |
|
| | | | | | | | |
|
| | | | | | | | |
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
without it.
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
via default xml namespaces didn't work.
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
users don't have to care about enclosing values in double quotes.
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
selector.message.
|
| | | | | | | | |
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
select.
|
| | | | | | | | |
|
| | | | | | | | |
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
alias of html_document.
|
| | | | | | | | |
|