aboutsummaryrefslogtreecommitdiffstats
path: root/activesupport/lib/active_support/security_utils.rb
Commit message (Collapse)AuthorAgeFilesLines
* Compare the actual string after comparing the HMAC proccessed stringsRafael Mendonça França2017-11-251-1/+1
| | | | | | | | Even that collisions are unlikely we need to make sure the two strings are equal. Timing is not important in this case because this only runs after the comparison between the SHA256 digested strings returns true.
* Merge pull request #24510 from ↵Rafael Mendonça França2017-11-251-10/+12
|\ | | | | | | | | | | vipulnsward/make-variable_size_secure_compare-public Make variable_size_secure_compare public
| * Changed default behaviour of `ActiveSupport::SecurityUtils.secure_compare`,Vipul A M2017-06-071-10/+12
| | | | | | | | | | | | | | to make it not leak length information even for variable length string. Renamed old `ActiveSupport::SecurityUtils.secure_compare` to `fixed_length_secure_compare`, and started raising `ArgumentError` in case of length mismatch of passed strings.
* | Preload digest/sha2 to avoid thread safe error.Francesco Rodriguez2017-09-251-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I got this error in production using Puma in multi-threaded mode: ``` RuntimeError: Digest::Base cannot be directly inherited in Ruby from active_support/security_utils.rb:23:in `variable_size_secure_compare' from active_support/security_utils.rb:23:in `hexdigest' from active_support/security_utils.rb:23:in `digest' ``` Looks like Digest uses const_missing to load Digest::SHA256 (https://github.com/ruby/ruby/blob/trunk/ext/digest/lib/digest.rb#L8) - https://bugs.ruby-lang.org/issues/9494 - https://github.com/ruby/ruby/commit/c02fa39463a0c6bf698b01bc610135604aca2ff4
* | [Active Support] `rubocop -a --only Layout/EmptyLineAfterMagicComment`Koichi ITO2017-07-111-0/+1
| |
* | Use frozen-string-literal in ActiveSupportKir Shatrov2017-07-091-0/+1
| |
* | Revert "Merge pull request #29540 from kirs/rubocop-frozen-string"Matthew Draper2017-07-021-1/+0
| | | | | | | | | | This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.
* | Enforce frozen string in RubocopKir Shatrov2017-07-011-0/+1
|/
* applies new string literal convention in activesupport/libXavier Noria2016-08-061-1/+1
| | | | | The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* use secure string comparisons for basic auth username / passwordAaron Patterson2016-01-221-0/+7
| | | | | | this will avoid timing attacks against applications that use basic auth. CVE-2015-7576
* Add AS::SecurityUtils.secure_compare for constant time string comparisonGuillermo Iguaran2014-10-231-0/+20