activerecord-session_store 1.1.3 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: af08a0134b3e5a615c2d9f400c30c9d0b4f5327e21c1254f49cfec775ef73732
-  data.tar.gz: f6dd6871a3df37d22cc652b54b3f76f41746d9f0c5e01920984a3bcc6d516cf6
+  metadata.gz: e3618fed7f080158309e682f1906af4d056b65fdbf687c7f562677cecaf17d05
+  data.tar.gz: 314cfae6877c80c6d73512f082765f083b733fcb5eb532b490b89033f37fd3aa
 SHA512:
-  metadata.gz: 300394f621b26e545ba842e3d8c4a78f733cd34768ede33ab07f7f4abfc168fc1fa60c4b10ea47a7046db896395206201e3a0b0aa1680418bd219998ebbd5b46
-  data.tar.gz: f4fd30af09711cc74e0a7365c6c529c99a1cd47a4aa91f8c0314deb4eb0cd552d8b3824e497e5d9af86ac110c98f3b9d5865b771af1db12993401774bdfd7422
+  metadata.gz: cd976a3e033d38632598f9ab5f47eee88c9e72fd624c470f385976361eba83b58e9b0e44241a7ce994f76b79ed3b71f142ce0d6547b10a04d5af4ed75812596d
+  data.tar.gz: 273a6fbec6eb0a9426d66963ee8008f91281a454fa8722d52a1f1179c1f39c68bf6a37e25ecd5db2c2031a8f344c5375121d52c8fc02fb3595654b1015057178

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2012-2016 David Heinemeier Hansson
+Copyright (c) 2012-2019 David Heinemeier Hansson
 
 MIT License
 

data/README.md

@@ -109,7 +109,33 @@ MyLogger.send :include, ActiveRecord::SessionStore::Extension::LoggerSilencer
 This silencer is being used to silence the logger and not leaking private
 information into the log, and it is required for security reason.
 
-## Contributing to Active Record Session Store
+CVE-2015-9284 mitigation
+--------------
+
+Sessions that were created by Active Record Session Store version 1.x are
+affected by [CVE-2019-25025]. This means an attacker can perform a timing
+attack against the session IDs stored in the database.
+
+[CVE-2019-25025]: https://github.com/advisories/GHSA-cvw2-xj8r-mjf7
+
+After upgrade to version 2.0.0, you should run [`db:sessions:upgrade`] rake task
+to upgrade all existing session records in your database to the secured version.
+
+[`db:sessions:upgrade`]: https://github.com/rails/activerecord-session_store/blob/master/lib/tasks/database.rake#L22
+
+```console
+$ rake db:sessions:upgrade
+```
+
+This rake task is idempotent and can be run multiple times, and session data of
+users will remain intact.
+
+Please see [#151] for more details.
+
+[#151]: https://github.com/rails/activerecord-session_store/pull/151
+
+Contributing to Active Record Session Store
+--------------
 
 Active Record Session Store is work of many contributors. You're encouraged to submit pull requests, propose features and discuss issues.
 

data/lib/action_dispatch/session/active_record_store.rb

@@ -52,26 +52,22 @@ module ActionDispatch
     #
     # The example SqlBypass class is a generic SQL session store. You may
     # use it as a basis for high-performance database-specific stores.
-    class ActiveRecordStore < ActionDispatch::Session::AbstractStore
+    class ActiveRecordStore < ActionDispatch::Session::AbstractSecureStore
       # The class used for session storage. Defaults to
       # ActiveRecord::SessionStore::Session
       cattr_accessor :session_class
 
       SESSION_RECORD_KEY = 'rack.session.record'
-      if Rack.const_defined?(:RACK_SESSION_OPTIONS)
-        ENV_SESSION_OPTIONS_KEY = Rack::RACK_SESSION_OPTIONS
-      else
-        ENV_SESSION_OPTIONS_KEY = Rack::Session::Abstract::ENV_SESSION_OPTIONS_KEY
-      end
+      ENV_SESSION_OPTIONS_KEY = Rack::RACK_SESSION_OPTIONS
 
     private
       def get_session(request, sid)
-        logger.silence_logger do
-          unless sid and session = @@session_class.find_by_session_id(sid)
+        logger.silence do
+          unless sid and session = get_session_with_fallback(sid)
             # If the sid was nil or if there is no pre-existing session under the sid,
             # force the generation of a new sid and associate a new session associated with the new sid
             sid = generate_sid
-            session = @@session_class.new(:session_id => sid, :data => {})
+            session = @@session_class.new(:session_id => sid.private_id, :data => {})
           end
           request.env[SESSION_RECORD_KEY] = session
           [sid, session.data]
@@ -79,8 +75,8 @@ module ActionDispatch
       end
 
       def write_session(request, sid, session_data, options)
-        logger.silence_logger do
-          record = get_session_model(request, sid)
+        logger.silence do
+          record, sid = get_session_model(request, sid)
           record.data = session_data
           return false unless record.save
 
@@ -96,9 +92,9 @@ module ActionDispatch
       end
 
       def delete_session(request, session_id, options)
-        logger.silence_logger do
+        logger.silence do
           if sid = current_session_id(request)
-            if model = @@session_class.find_by_session_id(sid)
+            if model = get_session_with_fallback(sid)
               data = model.data
               model.destroy
             end
@@ -110,7 +106,7 @@ module ActionDispatch
             new_sid = generate_sid
 
             if options[:renew]
-              new_model = @@session_class.new(:session_id => new_sid, :data => data)
+              new_model = @@session_class.new(:session_id => new_sid.private_id, :data => data)
               new_model.save
               request.env[SESSION_RECORD_KEY] = new_model
             end
@@ -120,11 +116,11 @@ module ActionDispatch
       end
 
       def get_session_model(request, id)
-        logger.silence_logger do
-          model = @@session_class.find_by_session_id(id)
-          if !model
+        logger.silence do
+          model = get_session_with_fallback(id)
+          unless model
             id = generate_sid
-            model = @@session_class.new(:session_id => id, :data => {})
+            model = @@session_class.new(:session_id => id.private_id, :data => {})
             model.save
           end
           if request.env[ENV_SESSION_OPTIONS_KEY][:id].nil?
@@ -132,23 +128,41 @@ module ActionDispatch
           else
             request.env[SESSION_RECORD_KEY] ||= model
           end
-          model
+          [model, id]
+        end
+      end
+
+      def get_session_with_fallback(sid)
+        if sid && !self.class.private_session_id?(sid.public_id)
+          if (secure_session = @@session_class.find_by_session_id(sid.private_id))
+            secure_session
+          elsif (insecure_session = @@session_class.find_by_session_id(sid.public_id))
+            insecure_session.session_id = sid.private_id # this causes the session to be secured
+            insecure_session
+          end
         end
       end
 
       def find_session(request, id)
-        model = get_session_model(request, id)
-        [model.session_id, model.data]
+        model, id = get_session_model(request, id)
+        [id, model.data]
+      end
+
+      module NilLogger
+        def self.silence
+          yield
+        end
       end
 
       def logger
-        ActiveRecord::Base.logger || ActiveRecord::SessionStore::NilLogger
+        ActiveRecord::Base.logger || NilLogger
+      end
+
+      def self.private_session_id?(session_id)
+        # user tried to retrieve a session by a private key?
+        session_id =~ /\A\d+::/
       end
+
     end
   end
 end
-
-if ActiveRecord::VERSION::MAJOR == 4
-  require 'action_dispatch/session/legacy_support'
-  ActionDispatch::Session::ActiveRecordStore.send(:include, ActionDispatch::Session::LegacySupport)
-end

data/lib/active_record/session_store.rb

@@ -1,7 +1,6 @@
 require 'active_record'
 require 'active_record/session_store/version'
 require 'action_dispatch/session/active_record_store'
-require "active_record/session_store/extension/logger_silencer"
 require 'active_support/core_ext/hash/keys'
 require 'multi_json'
 
@@ -21,20 +20,12 @@ module ActiveRecord
       end
 
       def drop_table!
-        if connection.schema_cache.respond_to?(:clear_data_source_cache!)
-          connection.schema_cache.clear_data_source_cache!(table_name)
-        else
-          connection.schema_cache.clear_table_cache!(table_name)
-        end
+        connection.schema_cache.clear_data_source_cache!(table_name)
         connection.drop_table table_name
       end
 
       def create_table!
-        if connection.schema_cache.respond_to?(:clear_data_source_cache!)
-          connection.schema_cache.clear_data_source_cache!(table_name)
-        else
-          connection.schema_cache.clear_table_cache!(table_name)
-        end
+        connection.schema_cache.clear_data_source_cache!(table_name)
         connection.create_table(table_name) do |t|
           t.string session_id_column, :limit => 255
           t.text data_column_name
@@ -117,10 +108,3 @@ end
 
 require 'active_record/session_store/sql_bypass'
 require 'active_record/session_store/railtie' if defined?(Rails)
-
-Logger.send :include, ActiveRecord::SessionStore::Extension::LoggerSilencer
-
-begin
-  require "syslog/logger"
-  Syslog::Logger.send :include, ActiveRecord::SessionStore::Extension::LoggerSilencer
-rescue LoadError; end

data/lib/active_record/session_store/session.rb

@@ -17,13 +17,6 @@ module ActiveRecord
       before_save :serialize_data!
       before_save :raise_on_session_data_overflow!
 
-      # This method is defiend in `protected_attributes` gem. We can't check for
-      # `attr_accessible` as Rails also define this and raise `RuntimeError`
-      # telling you to use the gem.
-      if respond_to?(:accessible_attributes)
-        attr_accessible :session_id, :data
-      end
-
       class << self
         def data_column_size_limit
           @data_column_size_limit ||= columns_hash[data_column_name].limit
@@ -45,8 +38,8 @@ module ActiveRecord
             # Reset column info since it may be stale.
             reset_column_information
             if columns_hash['sessid']
-              def self.find_by_session_id(*args)
-                find_by_sessid(*args)
+              def self.find_by_session_id(session_id)
+                find_by_sessid(session_id)
               end
 
               define_method(:session_id)  { sessid }
@@ -78,10 +71,30 @@ module ActiveRecord
         @data
       end
 
+      # This method was introduced when addressing CVE-2019-16782
+      # (see https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3).
+      # Sessions created on version <= 1.1.3 were guessable via a timing attack.
+      # To secure sessions created on those old versions, this method can be called
+      # on all existing sessions in the database. Users will not lose their session
+      # when this is done.
+      def secure!
+        session_id_column = if self.class.columns_hash['sessid']
+          :sessid
+        else
+          :session_id
+        end
+        raw_session_id = read_attribute(session_id_column)
+        if ActionDispatch::Session::ActiveRecordStore.private_session_id?(raw_session_id)
+          # is already private, nothing to do
+        else
+          session_id_object = Rack::Session::SessionId.new(raw_session_id)
+          update_column(session_id_column, session_id_object.private_id)
+        end
+      end
+
       private
         def serialize_data!
           unless loaded?
-            return false if Rails::VERSION::MAJOR < 5
             throw :abort
           end
           write_attribute(@@data_column_name, self.class.serialize(data))
@@ -92,7 +105,6 @@ module ActiveRecord
         # ActionController::SessionOverflowError.
         def raise_on_session_data_overflow!
           unless loaded?
-            return false if Rails::VERSION::MAJOR < 5
             throw :abort
           end
           limit = self.class.data_column_size_limit

data/lib/active_record/session_store/sql_bypass.rb

@@ -60,15 +60,16 @@ module ActiveRecord
 
         # Look up a session by id and deserialize its data if found.
         def find_by_session_id(session_id)
-          if record = connection.select_one("SELECT #{connection.quote_column_name(data_column)} AS data FROM #{@@table_name} WHERE #{connection.quote_column_name(@@session_id_column)}=#{connection.quote(session_id.to_s)}")
-            new(:session_id => session_id, :serialized_data => record['data'])
+          if record = connection.select_one("SELECT #{connection.quote_column_name(data_column)} AS data FROM #{@@table_name} WHERE #{connection.quote_column_name(@@session_id_column)}=#{connection.quote(session_id)}")
+            new(:session_id => session_id, :retrieved_by => session_id, :serialized_data => record['data'])
           end
         end
       end
 
       delegate :connection, :connection=, :connection_pool, :connection_pool=, :to => self
 
-      attr_reader :session_id, :new_record
+      attr_reader :new_record
+      attr_accessor :session_id
       alias :new_record? :new_record
 
       attr_writer :data
@@ -77,7 +78,8 @@ module ActiveRecord
       # telling us to postpone deserializing until the data is requested.
       # We need to handle a normal data attribute in case of a new record.
       def initialize(attributes)
-        @session_id     = attributes[:session_id]
+        @session_id = attributes[:session_id]
+        @retrieved_by = attributes[:retrieved_by]
         @data           = attributes[:data]
         @serialized_data = attributes[:serialized_data]
         @new_record     = @serialized_data.nil?
@@ -122,8 +124,10 @@ module ActiveRecord
         else
           connect.update <<-end_sql, 'Update session'
             UPDATE #{table_name}
-            SET #{connect.quote_column_name(data_column)}=#{connect.quote(serialized_data)}
-            WHERE #{connect.quote_column_name(session_id_column)}=#{connect.quote(session_id)}
+            SET
+              #{connect.quote_column_name(data_column)}=#{connect.quote(serialized_data)},
+              #{connect.quote_column_name(session_id_column)}=#{connect.quote(@session_id)}
+            WHERE #{connect.quote_column_name(session_id_column)}=#{connect.quote(@retrieved_by)}
           end_sql
         end
       end
@@ -134,7 +138,7 @@ module ActiveRecord
         connect = connection
         connect.delete <<-end_sql, 'Destroy session'
           DELETE FROM #{table_name}
-          WHERE #{connect.quote_column_name(session_id_column)}=#{connect.quote(session_id.to_s)}
+          WHERE #{connect.quote_column_name(session_id_column)}=#{connect.quote(session_id)}
         end_sql
       end
     end

data/lib/active_record/session_store/version.rb

@@ -1,5 +1,5 @@
 module ActiveRecord
   module SessionStore
-    VERSION = "1.1.3".freeze
+    VERSION = "2.0.0".freeze
   end
 end

data/lib/generators/active_record/session_migration_generator.rb

@@ -21,7 +21,7 @@ module ActiveRecord
         end
 
         def migration_version
-          "[#{ActiveRecord::Migration.current_version}]" if ActiveRecord::Migration.respond_to?(:current_version)
+          "[#{ActiveRecord::Migration.current_version}]"
         end
     end
   end

data/lib/tasks/database.rake

@@ -18,4 +18,9 @@ namespace 'db:sessions' do
       where("updated_at < ?", cutoff_period).
       delete_all
   end
+
+  desc "Upgrade current sessions in the database to the secure version"
+  task :upgrade => [:environment, 'db:load_config'] do
+    ActionDispatch::Session::ActiveRecordStore.session_class.find_each(&:secure!)
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activerecord-session_store
 version: !ruby/object:Gem::Version
-  version: 1.1.3
+  version: 2.0.0
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-03-23 00:00:00.000000000 Z
+date: 2021-03-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -16,49 +16,49 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: 5.2.4.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: 5.2.4.1
 - !ruby/object:Gem::Dependency
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: 5.2.4.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: 5.2.4.1
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: 5.2.4.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: 5.2.4.1
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.5.2
+        version: 2.0.8
     - - "<"
       - !ruby/object:Gem::Version
         version: '3'
@@ -68,7 +68,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.5.2
+        version: 2.0.8
     - - "<"
       - !ruby/object:Gem::Version
         version: '3'
@@ -106,7 +106,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 
+description:
 email: david@loudthinking.com
 executables: []
 extensions: []
@@ -116,9 +116,7 @@ files:
 - MIT-LICENSE
 - README.md
 - lib/action_dispatch/session/active_record_store.rb
-- lib/action_dispatch/session/legacy_support.rb
 - lib/active_record/session_store.rb
-- lib/active_record/session_store/extension/logger_silencer.rb
 - lib/active_record/session_store/railtie.rb
 - lib/active_record/session_store/session.rb
 - lib/active_record/session_store/sql_bypass.rb
@@ -131,7 +129,7 @@ homepage: https://github.com/rails/activerecord-session_store
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--main"
 - README.md
@@ -141,15 +139,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 1.9.3
+      version: 2.2.2
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: An Action Dispatch session store backed by an Active Record class.
 test_files: []

data/lib/action_dispatch/session/legacy_support.rb

@@ -1,51 +0,0 @@
-module ActionDispatch
-  module Session
-    module LegacySupport
-      EnvWrapper = Struct.new(:env)
-
-      def self.included(klass)
-        [
-          :get_session,
-          :get_session_model,
-          :write_session,
-          :delete_session,
-          :find_session
-        ].each do |m|
-          klass.send(:alias_method, "#{m}_rails5".to_sym, m)
-          klass.send(:remove_method, m)
-        end
-      end
-
-      def get_session(env, sid)
-        request = EnvWrapper.new(env)
-        get_session_rails5(request, sid)
-      end
-
-      def set_session(env, sid, session_data, options)
-        request = EnvWrapper.new(env)
-        write_session_rails5(request, sid, session_data, options)
-      end
-
-      def destroy_session(env, session_id, options)
-        request = EnvWrapper.new(env)
-        if sid = current_session_id(request.env)
-          get_session_model(request, sid).destroy
-          request.env[self.class::SESSION_RECORD_KEY] = nil
-        end
-        generate_sid unless options[:drop]
-      end
-
-      def get_session_model(request, sid)
-        if request.env[self.class::ENV_SESSION_OPTIONS_KEY][:id].nil?
-          request.env[self.class::SESSION_RECORD_KEY] = find_session(sid)
-        else
-          request.env[self.class::SESSION_RECORD_KEY] ||= find_session(sid)
-        end
-      end
-
-      def find_session(id)
-        self.class.session_class.find_by_session_id(id) || self.class.session_class.new(:session_id => id, :data => {})
-      end
-    end
-  end
-end

data/lib/active_record/session_store/extension/logger_silencer.rb

@@ -1,78 +0,0 @@
-require "thread"
-require "active_support/core_ext/class/attribute_accessors"
-require "active_support/core_ext/module/aliasing"
-require "active_support/core_ext/module/attribute_accessors"
-require "active_support/concern"
-
-module ActiveRecord
-  module SessionStore
-    module Extension
-      module LoggerSilencer
-        extend ActiveSupport::Concern
-
-        included do
-          cattr_accessor :silencer
-          self.silencer = true
-          alias_method :level_without_threadsafety, :level
-          alias_method :level, :level_with_threadsafety
-          alias_method :add_without_threadsafety, :add
-          alias_method :add, :add_with_threadsafety
-        end
-
-        def thread_level
-          Thread.current[thread_hash_level_key]
-        end
-
-        def thread_level=(level)
-          Thread.current[thread_hash_level_key] = level
-        end
-
-        def level_with_threadsafety
-          thread_level || level_without_threadsafety
-        end
-
-        def add_with_threadsafety(severity, message = nil, progname = nil, &block)
-          if (defined?(@logdev) && @logdev.nil?) || (severity || UNKNOWN) < level
-            true
-          else
-            add_without_threadsafety(severity, message, progname, &block)
-          end
-        end
-
-        # Silences the logger for the duration of the block.
-        def silence_logger(temporary_level = Logger::ERROR)
-          if silencer
-            begin
-              self.thread_level = temporary_level
-              yield self
-            ensure
-              self.thread_level = nil
-            end
-          else
-            yield self
-          end
-        end
-
-        for severity in Logger::Severity.constants
-          class_eval <<-EOT, __FILE__, __LINE__ + 1
-            def #{severity.downcase}?                # def debug?
-              Logger::#{severity} >= level           #   DEBUG >= level
-            end                                      # end
-          EOT
-        end
-
-        private
-
-        def thread_hash_level_key
-          @thread_hash_level_key ||= :"ThreadSafeLogger##{object_id}@level"
-        end
-      end
-    end
-
-    class NilLogger
-      def self.silence_logger
-        yield
-      end
-    end
-  end
-end