studio-engine 0.4.1 → 0.4.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/app/controllers/concerns/studio/error_handling.rb +0 -13
- data/lib/studio/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c2cff93b3aa059d4b0542abe34622157f0d0928f758b4f656878cfab6e4e25a2
|
|
4
|
+
data.tar.gz: fb784e5e6ace872de9d92d3a035e85caaa2085b6b72e18b1f380459f997221c5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7862911114e91fde7662c540229703184be955af01116c8ced37160751b8d1b09093ebba1fe410602d03b6f562e261e995884e78041fea02b720fafbfd027bf1
|
|
7
|
+
data.tar.gz: e7424e7e280e8ba717807d3b690fad5929d150e6c3c298a8ace724a4e1ebdec8fd261f8bf9f40b8abff2f299d223a8954cc3a7abd5a0493f0cc0def677fc7649
|
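Review bot: the pre-change digests at lines 3-4 and 6-7 of this hunk render empty, so the hunk documents only the new metadata.gz and data.tar.gz SHA256/SHA512 values and not what they replaced, which leaves a consumer reviewing the 0.4.1 → 0.4.2 upgrade nothing to compare against here. Recompute them from the published artifact before pinning the tag (`gem fetch studio-engine -v 0.4.2`, unpack the .gem with `tar xf`, then `sha256sum metadata.gz data.tar.gz`) and confirm they match the `+` lines; the two new digests are expected to differ from 0.4.1 since both data.tar.gz (version.rb and error_handling.rb) and metadata.gz (version and date) changed.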
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,16 @@
|
|
|
2
2
|
|
|
3
3
|
The format is [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). This project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html) — `MAJOR.MINOR.PATCH`. Both consumer Rails apps pin to a tag in their `Gemfile`; bumping the tag is a release.
|
|
4
4
|
|
|
5
|
+
## v0.4.2 (2026-05-19)
|
|
6
|
+
|
|
7
|
+
Security follow-up to v0.4.1 — closes a cross-app session-fixation surface.
|
|
8
|
+
|
|
9
|
+
### Fixed (security)
|
|
10
|
+
- **Removed legacy `session[:user_id]` fallback in `Studio::ErrorHandling#current_user`** (OPSEC-042). Previously, if `session[Studio.session_key]` was empty but `session[:user_id]` was present, the engine would look up the user by that ID and silently call `set_app_session(user)` — promoting an arbitrary user ID to logged-in status. Combined with the shared `*.mcritchie.studio` cookie scope, any XSS on any subdomain that wrote `session[:user_id]` became cross-app login-as-anyone. The legacy key was a Devise-era migration carrier; consumer apps no longer write to it. Removing the fallback closes the fixation surface.
|
|
11
|
+
|
|
12
|
+
### Breaking
|
|
13
|
+
- Any user with a stale session that still has `session[:user_id]` set but NOT `session[Studio.session_key]` will be logged out on next request. Practically: nobody, since the engine has been writing `session[Studio.session_key]` since v0.2.x.
|
|
14
|
+
|
|
5
15
|
## v0.4.1 (2026-05-17)
|
|
6
16
|
|
|
7
17
|
Pre-public-release security hardening per `SECURITY-AUDIT-2026-05-17.md`.
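Review bot: the OPSEC-042 entry's attack path overstates what an XSS alone can do. A script running on a sibling `*.mcritchie.studio` subdomain can read or replay the shared cookie, but it cannot write a value into a signed or encrypted Rails cookie session (nor into a server-side session store) without the app's secret, so "any XSS on any subdomain that wrote `session[:user_id]`" is not the realistic trigger unless some endpoint copies a request parameter into that key. What the shared cookie scope actually exposed is that a `session[:user_id]` legitimately set by one consumer app, or surviving in a stale cookie, was presented to every other app under that scope and promoted to a login there by `set_app_session(user)`; reword the entry to say that, and state whether the consumer apps still share a `secret_key_base` and session cookie name, because that is the condition under which one app's session is trusted by another. The Breaking section's "Practically: nobody" should also be backed by a stated check rather than asserted, since a cookie written before v0.2.x and never refreshed would still match.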
|
data/app/controllers/concerns/studio/error_handling.rb
CHANGED
|
@@ -15,20 +15,7 @@ module Studio
|
|
|
15
15
|
|
|
16
16
|
def current_user
|
|
17
17
|
return @current_user if defined?(@current_user)
|
|
18
|
-
|
|
19
|
-
# Try app-specific session key
|
|
20
18
|
@current_user = User.find_by(id: session[Studio.session_key])
|
|
21
|
-
|
|
22
|
-
# Legacy migration: old shared session[:user_id]
|
|
23
|
-
if @current_user.nil? && session[:user_id].present? && Studio.session_key != :user_id
|
|
24
|
-
@current_user = User.find_by(id: session[:user_id])
|
|
25
|
-
if @current_user
|
|
26
|
-
set_app_session(@current_user) # Migrate to new key
|
|
27
|
-
session.delete(:user_id) # Clean up old key
|
|
28
|
-
end
|
|
29
|
-
end
|
|
30
|
-
|
|
31
|
-
@current_user
|
|
32
19
|
end
|
|
33
20
|
|
|
34
21
|
def set_app_session(user)
|
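Review bot: dropping the fallback also drops the `session.delete(:user_id)` cleanup that lived inside it (old lines 22-29), so a cookie that still carries a Devise-era `:user_id` now keeps that key indefinitely and it stays readable by every app under the shared cookie scope. Add an unconditional `session.delete(:user_id)` in `current_user` (or in a `before_action`) so stale cookies are scrubbed on the next request, or call `reset_session` when `session[Studio.session_key]` is absent. The surviving lookup, `@current_user = User.find_by(id: session[Studio.session_key])`, is correct, and the `defined?(@current_user)` memoization caches a nil result exactly as before. Please add a request spec asserting that a session containing only `:user_id` yields `current_user == nil` and never reaches `set_app_session`, so the fallback cannot be quietly reintroduced.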
data/lib/studio/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: studio-engine
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Alex McRitchie
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2026-05-
|
|
11
|
+
date: 2026-05-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|