From 4c743587ad6a31908503ab317e37d70361d49e66 Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Sun, 10 Mar 2019 16:37:46 -0700
Subject: Fix possible dev mode RCE

If the secret_key_base is nil in dev or test generate a key from random bytes and store it in a tmp file. This prevents the app developers from having to share / checkin the secret key for dev / test but also maintains a key between app restarts in dev/test.

[CVE-2019-5420]

Co-Authored-By: eileencodes
Co-Authored-By: John Hawthorn
---
railties/lib/rails/application.rb | 19 +++++++++++++++++--
railties/test/application/configuration_test.rb | 22 +++++++++++++++++++++-
railties/test/isolation/abstract_unit.rb | 1 +
3 files changed, 39 insertions(+), 3 deletions(-)
(limited to 'railties')

diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index fbad3e5db3..558a4d1f57 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -415,8 +415,8 @@ module Rails
 # then credentials.secret_key_base, and finally secrets.secret_key_base. For most applications,
 # the correct place to store it is in the encrypted credentials file.
 def secret_key_base
- if Rails.env.test? || Rails.env.development?
- secrets.secret_key_base || Digest::MD5.hexdigest(self.class.name)
+ if Rails.env.development? || Rails.env.test?
+ secrets.secret_key_base ||= generate_development_secret
 else
 validate_secret_key_base(
 ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || secrets.secret_key_base
@@ -581,6 +581,21 @@ module Rails
 private
+ def generate_development_secret
+ if secrets.secret_key_base.nil?
+ key_file = Rails.root.join("tmp/development_secret.txt")
+
+ if !File.exist?(key_file)
+ random_key = SecureRandom.hex(64)
+ File.binwrite(key_file, random_key)
+ end
+
+ secrets.secret_key_base = File.binread(key_file)
+ end
+
+ secrets.secret_key_base
+ end
+
 def build_request(env)
 req = super
 env["ORIGINAL_FULLPATH"] = req.fullpath
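Review bot: In the `+ secrets.secret_key_base ||= generate_development_secret` line, `||=` only fills in nil or false, so an empty-string secret — the case the new test names "blank" — is kept and silently used as the signing key in development and test, where `validate_secret_key_base` is never reached. Consider `secrets.secret_key_base = generate_development_secret if secrets.secret_key_base.blank?` and have the helper test `blank?` rather than `nil?`, so a blank value is treated like a missing one. The `||=` is also redundant with the assignment the helper performs itself, which obscures which side is responsible for populating the secret. The body of `secret_key_base` continues past the end of the hunk.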
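Review bot: `File.binwrite(key_file, random_key)` in `generate_development_secret` assumes `tmp/` already exists and writes the key with the process umask, so a missing `tmp` directory raises `Errno::ENOENT` at boot and on a shared machine the key file is typically readable by other local users. Create the directory and restrict the mode: `FileUtils.mkdir_p(key_file.dirname)` before the write, and `File.binwrite(key_file, random_key, perm: 0600)`. The exist?-then-write sequence is not atomic, so two processes booting at once (for example parallel test workers) can race; if that matters, write to a temporary name and rename it into place. An existing but empty or truncated file is read back as the key without complaint, so checking the read value with `blank?` before accepting it would help, and a short comment above the method — `# Development/test only: random key persisted in tmp/ so restarts keep the same secret; never commit this file.` — would record the intent for maintainers.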
diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
index 73773602a3..377dab1a13 100644
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -596,6 +596,27 @@ module ApplicationTests
 assert_equal "some_value", verifier.verify(message)
 end
+ test "application will generate secret_key_base in tmp file if blank in development" do
+ app_file "config/initializers/secret_token.rb", <<-RUBY
+ Rails.application.credentials.secret_key_base = nil
+ RUBY
+
+ app "development"
+
+ assert_not_nil app.secrets.secret_key_base
+ assert File.exist?(app_path("tmp/development_secret.txt"))
+ end
+
+ test "application will not generate secret_key_base in tmp file if blank in production" do
+ app_file "config/initializers/secret_token.rb", <<-RUBY
+ Rails.application.credentials.secret_key_base = nil
+ RUBY
+
+ assert_raises ArgumentError do
+ app "production"
+ end
+ end
+
 test "raises when secret_key_base is blank" do
 app_file "config/initializers/secret_token.rb", <<-RUBY
 Rails.application.credentials.secret_key_base = nil
@@ -619,7 +640,6 @@ module ApplicationTests
 test "application verifier can build different verifiers" do
 make_basic_app do |application|
- application.credentials.secret_key_base = "b3c631c314c0bbca50c1b2843150fe33"
 application.config.session_store :disabled
 end
diff --git a/railties/test/isolation/abstract_unit.rb b/railties/test/isolation/abstract_unit.rb
index 3f1638a516..b10701aa55 100644
--- a/railties/test/isolation/abstract_unit.rb
+++ b/railties/test/isolation/abstract_unit.rb
@@ -226,6 +226,7 @@ module TestHelpers
 @app.config.session_store :cookie_store, key: "_myapp_session"
 @app.config.active_support.deprecation = :log
 @app.config.log_level = :info
+ @app.secrets.secret_key_base = "b3c631c314c0bbca50c1b2843150fe33"
 yield @app if block_given?
 @app.initialize!
--
cgit v1.2.3
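Review bot: The new development test asserts only that `app.secrets.secret_key_base` is non-nil and that the tmp file exists, so it does not check the property the commit is for — that the key in use is the one persisted in the file and therefore survives a restart. Add `assert_equal File.binread(app_path("tmp/development_secret.txt")), app.secrets.secret_key_base` after the existence check, and if the harness allows booting the app a second time, assert the same value comes back. The production test pins `ArgumentError` but not its message, so any other `ArgumentError` raised during boot would also pass; `assert_raises` returns the error, so matching its message against `secret_key_base` would tighten it.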
From 7c87fd5635fd830905e17d3cbf1eb2a2215acedf Mon Sep 17 00:00:00 2001
From: eileencodes
Date: Mon, 11 Mar 2019 11:58:15 -0400
Subject: Prep release

* Update RAILS_VERSION
* Bundle
* rake update_versions
* rake changelog:header
---
railties/CHANGELOG.md | 5 +++++
railties/lib/rails/gem_version.rb | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
(limited to 'railties')

diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
index 9e8b38733a..907a41933b 100644
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.0.0.beta3 (March 11, 2019) ##
+
+* No changes.
+
+
 ## Rails 6.0.0.beta2 (February 25, 2019) ##
 * Fix non-symbol access to nested hashes returned from `Rails::Application.config_for`
diff --git a/railties/lib/rails/gem_version.rb b/railties/lib/rails/gem_version.rb
index 249894f9d0..fea24810f5 100644
--- a/railties/lib/rails/gem_version.rb
+++ b/railties/lib/rails/gem_version.rb
@@ -10,7 +10,7 @@ module Rails
 MAJOR = 6
 MINOR = 0
 TINY = 0
- PRE = "beta2"
+ PRE = "beta3"
 STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
 end
--
cgit v1.2.3