From 879a7ba33fc05e8effd7132545b33d8e22257391 Mon Sep 17 00:00:00 2001
From: Nicolas Florentin
Date: Fri, 29 Jul 2022 14:53:08 +0200
Subject: [PATCH 1/6] improvement: makes rmagick, minimagick and mime types less explicit to improve security
---
 config/locales/en.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 4ee542f12..5521ed13a 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -19,9 +19,9 @@ en:
 extension_whitelist_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
 extension_blacklist_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
 content_type_whitelist_error: "You are not allowed to upload %{content_type} files, allowed types: %{allowed_types}"
- rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image? Original Error: %{e}"
- mime_types_processing_error: "Failed to process file with MIME::Types, maybe not valid content-type? Original Error: %{e}"
- mini_magick_processing_error: "Failed to manipulate with MiniMagick, maybe it is not an image? Original Error: %{e}"
+ rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image?"
+ mime_types_processing_error: "Failed to process file with MIME::Types, maybe not valid content-type?"
+ mini_magick_processing_error: "Failed to manipulate the file, maybe it is not an image?"
 wrong_size: "is the wrong size (should be %{file_size})"
 size_too_small: "is too small (should be at least %{file_size})"
 size_too_big: "is too big (should be at most %{file_size})"
From 792b899d29644f7ae33fddfc669626d89660d947 Mon Sep 17 00:00:00 2001
From: Nicolas Florentin
Date: Fri, 29 Jul 2022 15:28:57 +0200
Subject: [PATCH 2/6] improvement: adds redis-session-store to store session and improves session security
---
 Gemfile | 2 ++
 Gemfile.lock | 4 ++++
 config/initializers/session_store.rb | 10 +++++++++-
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/Gemfile b/Gemfile
index 272c0fd78..fa5abd22d 100644
--- a/Gemfile
+++ b/Gemfile
@@ -144,3 +144,5 @@ gem 'tzinfo-data'
 # compilation of dynamic stylesheets (home page & theme)
 gem 'sassc', '= 2.1.0'
+
+gem 'redis-session-store'
\ No newline at end of file
diff --git a/Gemfile.lock b/Gemfile.lock
index d3b3a069e..dfb8000e3 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -351,6 +351,9 @@ GEM
 activesupport
 i18n
 redis (4.6.0)
+ redis-session-store (0.11.4)
+ actionpack (>= 3, < 8)
+ redis (>= 3, < 5)
 regexp_parser (2.5.0)
 repost (0.3.2)
 responders (2.4.1)
@@ -542,6 +545,7 @@ DEPENDENCIES
 rails_12factor
 rb-readline
 recurrence
+ redis-session-store
 repost
 responders (~> 2.0)
 rolify
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index d9c5c4111..a86375742 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -2,6 +2,14 @@
 # Be sure to restart your server when you modify this file.
-Rails.application.config.session_store :cookie_store,
+redis_host = ENV['REDIS_HOST'] || 'localhost'
+
+Rails.application.config.session_store :redis_session_store,
+ redis: {
+ expire_after: 14.days, # cookie expiration
+ ttl: 14.days, # Redis expiration, defaults to 'expire_after'
+ key_prefix: 'fabmanager:session:',
+ url: "redis://#{redis_host}:6379",
+ },
 key: '_Fab-manager_session',
 secure: (Rails.env.production? || Rails.env.staging?) && !Rails.application.secrets.allow_insecure_http
From 98c7da492d2ab57a5a8937a0ca9bd1d520cbce58 Mon Sep 17 00:00:00 2001
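Review bot: The added `gem 'redis-session-store'` carries no version constraint, while the line just above it pins `gem 'sassc', '= 2.1.0'`; the next unscoped `bundle update` can pull a new major of the gem that now stores every session, changing key layout or cookie handling without review. Pin it to what Gemfile.lock resolves, `gem 'redis-session-store', '~> 0.11.4'`. The added line is also written without a trailing newline (`\ No newline at end of file`).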
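Review bot: The connection is built as `url: "redis://#{redis_host}:6379"`, so the port is fixed and there is no way to pass a password, a `rediss://` TLS endpoint or a database index, which means the Redis instance holding every user session has to be reachable unauthenticated from the app host. Read a full URL from the environment and keep the host-only form as the fallback, e.g. `url: ENV.fetch('REDIS_URL') { "redis://#{redis_host}:6379" }`, so authentication and TLS become deployment settings rather than code changes. The `secure:` flag is carried over from the old cookie store; whether `httponly` or `same_site` are set is not visible here, since the `session_store` call may continue past the last line of the hunk, and `same_site: :lax` is worth setting explicitly now that the cookie only carries a session id.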
From: Nicolas Florentin
Date: Fri, 29 Jul 2022 16:02:58 +0200
Subject: [PATCH 3/6] prevents users enumeration attacks by not giving any info about the validity of the email
---
 app/controllers/confirmations_controller.rb | 11 +++++++++++
 app/controllers/passwords_controller.rb | 2 --
 .../src/javascript/controllers/application.js | 12 ------------
 .../templates/shared/ConfirmationNewModal.html | 1 -
 app/frontend/templates/shared/passwordNewModal.html | 1 -
 config/locales/app.public.en.yml | 5 ++---
 6 files changed, 13 insertions(+), 19 deletions(-)
diff --git a/app/controllers/confirmations_controller.rb b/app/controllers/confirmations_controller.rb
index af20152b6..0531b60de 100644
--- a/app/controllers/confirmations_controller.rb
+++ b/app/controllers/confirmations_controller.rb
@@ -2,6 +2,17 @@
 # Devise controller to handle validation of email addresses
 class ConfirmationsController < Devise::ConfirmationsController
+
+ # POST /resource/confirmation
+ def create
+ self.resource = resource_class.send_confirmation_instructions(resource_params)
+ yield resource if block_given?
+
+ if successfully_sent?(resource)
+ respond_with({}, location: after_resending_confirmation_instructions_path_for(resource_name))
+ end
+ end
+
 # The path used after confirmation.
 def after_confirmation_path_for(_resource_name, resource)
 signed_in_root_path(resource)
diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb
index 1bdd0e19e..285e87e3c 100644
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -9,8 +9,6 @@ class PasswordsController < Devise::PasswordsController
 if successfully_sent?(resource)
 respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
- else
- head 404
 end
 end
diff --git a/app/frontend/src/javascript/controllers/application.js b/app/frontend/src/javascript/controllers/application.js
index 723c4dcbb..93d9e6c1e 100644
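Review bot: When `successfully_sent?(resource)` is false the new `create` ends without rendering anything, so the JSON POST falls through to Rails's implicit empty response, whereas the success branch answers through `respond_with` with a location; the two branches are expected to return different status codes, so whether the address exists is still observable, only less loudly than before (the passwords_controller.rb hunk has the same shape after dropping `head 404`). Devise covers this case natively: `config.paranoid = true` in config/initializers/devise.rb makes `successfully_sent?` clear the resource errors and return true for unknown addresses, after which neither custom `create` is needed. If the override is kept, answer both branches identically, e.g. drop the `if` and call `respond_with({}, location: after_resending_confirmation_instructions_path_for(resource_name))` unconditionally. Mail is only generated for existing accounts, so response timing can still differ if delivery is synchronous.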
--- a/app/frontend/src/javascript/controllers/application.js
+++ b/app/frontend/src/javascript/controllers/application.js
@@ -504,14 +504,8 @@ Application.Controllers.controller('ApplicationController', ['$rootScope', '$sco
 controller: ['$scope', '$uibModalInstance', '$http', function ($scope, $uibModalInstance, $http) {
 $scope.user = { email: '' };
 $scope.sendReset = function () {
- $scope.alerts = [];
 return $http.post('/users/password.json', { user: $scope.user }).then(function () {
 $uibModalInstance.close();
- }).catch(function () {
- $scope.alerts.push({
- msg: _t('app.public.common.your_email_address_is_unknown'),
- type: 'danger'
- });
 });
 };
 }]
@@ -526,14 +520,8 @@ Application.Controllers.controller('ApplicationController', ['$rootScope', '$sco
 controller: ['$scope', '$uibModalInstance', '$http', function ($scope, $uibModalInstance, $http) {
 $scope.user = { email: '' };
 $scope.submitConfirmationNewForm = function () {
- $scope.alerts = [];
 return $http.post('/users/confirmation.json', { user: $scope.user }).then(function () {
 $uibModalInstance.close();
- }).catch(function (res) {
- $scope.alerts.push({
- msg: res.data.errors.email[0],
- type: 'danger'
- });
 });
 };
 }]
diff --git a/app/frontend/templates/shared/ConfirmationNewModal.html b/app/frontend/templates/shared/ConfirmationNewModal.html
index ae131353f..e183e6928 100644
--- a/app/frontend/templates/shared/ConfirmationNewModal.html
+++ b/app/frontend/templates/shared/ConfirmationNewModal.html
@@ -4,7 +4,6 @@
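Review bot: Removing the `.catch` in both hunks of this file means a rejected `$http.post` (network failure, 5xx, expired CSRF token) now leaves the modal open with no feedback, and `$scope.alerts` is no longer cleared on each attempt, so whatever the template still renders from it (not visible here) is stale. Keep a catch that reports a generic, non-identifying message, e.g. `}).catch(function () { $scope.alerts.push({ msg: _t('<generic error key>'), type: 'danger' }); });`, and never `res.data.errors.email[0]`, which is what surfaced the server-side oracle this commit removes. The enclosing controller and the modal definitions start outside the hunk.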

{{ 'app.public.common.confirm_my_account' }}

{{ 'app.public.common.password_is_required' }}
diff --git a/app/models/concerns/single_sign_on_concern.rb b/app/models/concerns/single_sign_on_concern.rb
index 4e851eb4f..f23a6985c 100644
--- a/app/models/concerns/single_sign_on_concern.rb
+++ b/app/models/concerns/single_sign_on_concern.rb
@@ -161,7 +161,7 @@ module SingleSignOnConcern
 user.set_data_from_sso_mapping(key, value)
 end
 logger.debug 'generating a new password'
- user.password = Devise.friendly_token[0, 20]
+ user.password = SecurePassword.generate
 end
 end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 4050a2793..94721c2e9 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -78,6 +78,7 @@ class User < ApplicationRecord
 validate :cgu_must_accept, if: :new_record?
 validates :username, presence: true, uniqueness: true, length: { maximum: 30 }
+ validate :password_complexity
 scope :active, -> { where(is_active: true) }
 scope :without_subscription, -> { includes(statistic_profile: [:subscriptions]).where(subscriptions: { statistic_profile_id: nil }) }
@@ -347,4 +348,10 @@ class User < ApplicationRecord
 last_name: last_name
 )
 end
+
+ def password_complexity
+ return if password.blank? || SecurePassword.is_secured?(password)
+
+ errors.add I18n.t("app.public.common.password_is_too_weak"), I18n.t("app.public.common.password_is_too_weak_explanations")
+ end
 end
diff --git a/app/services/members/members_service.rb b/app/services/members/members_service.rb
index f89a2c459..48ca5101e 100644
--- a/app/services/members/members_service.rb
+++ b/app/services/members/members_service.rb
@@ -128,7 +128,7 @@ class Members::MembersService
 def password(params)
 if !params[:password] && !params[:password_confirmation]
- Devise.friendly_token.first(8)
+ SecurePassword.generate
 else
 params[:password]
 end
diff --git a/app/services/secure_password.rb b/app/services/secure_password.rb
new file mode 100644
index 000000000..cbbfc13e5
--- /dev/null
+++ b/app/services/secure_password.rb
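Review bot: In `password_complexity`, `errors.add I18n.t("app.public.common.password_is_too_weak"), I18n.t(...)` passes a translated sentence as the attribute argument of `errors.add`, so the error is not attached to `:password`: `errors[:password]` stays empty, `full_messages` humanizes the sentence as if it were an attribute name, and any client code keyed on `errors.password` never sees it. Attach it to the attribute and keep the text as the message: `errors.add(:password, :too_weak, message: I18n.t('app.public.common.password_is_too_weak_explanations'))`. The first hunk in this file only registers the callback; the `return if password.blank?` guard correctly keeps the check from firing on saves that do not touch the password.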
@@ -0,0 +1,18 @@
+class SecurePassword
+ LOWER_LETTERS = ('a'..'z').to_a
+ UPPER_LETTERS = ('A'..'Z').to_a
+ DIGITS = ('0'..'9').to_a
+ SPECIAL_CHARS = ["!", "#", "$", "%", "&", "(", ")", "*", "+", ",", "-", ".", "/", ":", ";", "<", "=", ">", "?", "@", "[", "]", "^", "_", "{", "|", "}", "~", "'", "`", '"']
+
+ def self.generate
+ (LOWER_LETTERS.shuffle.first(4) + UPPER_LETTERS.shuffle.first(4) + DIGITS.shuffle.first(4) + SPECIAL_CHARS.shuffle.first(4)).shuffle.join
+ end
+
+ def self.is_secured?(password)
+ password_as_array = password.split("")
+ password_as_array.any? {|c| c.in? LOWER_LETTERS } &&
+ password_as_array.any? {|c| c.in? UPPER_LETTERS } &&
+ password_as_array.any? {|c| c.in? DIGITS } &&
+ password_as_array.any? {|c| c.in? SPECIAL_CHARS }
+ end
+end
\ No newline at end of file
diff --git a/app/services/user_service.rb b/app/services/user_service.rb
index 83b1cf6e6..d117193fb 100644
--- a/app/services/user_service.rb
+++ b/app/services/user_service.rb
@@ -3,7 +3,7 @@
 # helpers for managing users with special roles
 class UserService
 def self.create_partner(params)
- generated_password = Devise.friendly_token.first(8)
+ generated_password = SecurePassword.generate
 group_id = Group.first.id
 user = User.new(
 email: params[:email],
@@ -31,7 +31,7 @@ class UserService
 end
 def self.create_admin(params)
- generated_password = Devise.friendly_token.first(8)
+ generated_password = SecurePassword.generate
 admin = User.new(params.merge(password: generated_password))
 admin.send :set_slug
@@ -52,7 +52,7 @@ class UserService
 end
 def self.create_manager(params)
- generated_password = Devise.friendly_token.first(8)
+ generated_password = SecurePassword.generate
 manager = User.new(params.merge(password: generated_password))
 manager.send :set_slug
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 3e9b6ec3c..0afb3b735 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
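Review bot: `generate` takes its randomness from `Array#shuffle` with no `random:` argument, i.e. Ruby's default Mersenne Twister, which is not a cryptographic generator; the call sites replaced in this commit (single_sign_on_concern.rb, members_service.rb, user_service.rb) previously used `Devise.friendly_token`, which is SecureRandom-backed, so the quality of auto-generated admin, manager, partner and SSO passwords regresses. Generate with `SecureRandom` throughout: `(LOWER_LETTERS.sample(4, random: SecureRandom) + UPPER_LETTERS.sample(4, random: SecureRandom) + DIGITS.sample(4, random: SecureRandom) + SPECIAL_CHARS.sample(4, random: SecureRandom)).shuffle(random: SecureRandom).join`. Drawing four distinct characters per class also means a generated password never repeats a character within a class, a slightly smaller space than independent draws; acceptable at 16 characters, but worth a comment on the method. Style: `is_secured?` should be `secure?` (Ruby predicates carry no `is_` prefix), `password.split("")` is `password.chars`, and the file lacks `# frozen_string_literal: true` and a trailing newline.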
@@ -134,7 +134,7 @@ Devise.setup do |config|
 # ==> Configuration for :validatable
 # Range for password length.
- config.password_length = 8..128
+ config.password_length = 12..128
 # Email regex used to validate email formats. It simply asserts that
 # one (and only one) @ exists in the given string. This is mainly
diff --git a/config/locales/app.public.en.yml b/config/locales/app.public.en.yml
index 2949bb1e8..e063b3f10 100644
--- a/config/locales/app.public.en.yml
+++ b/config/locales/app.public.en.yml
@@ -71,7 +71,9 @@ en:
 email_is_required: "E-mail address is required."
 your_password: "Your password"
 password_is_required: "Password is required."
- password_is_too_short: "Password is too short (minimum 8 characters)"
+ password_is_too_short: "Password is too short (minimum 12 characters)"
+ password_is_too_weak: "Password is too weak:"
+ password_is_too_weak_explanations: "minimum 12 characters, at least one uppercase letter, one lowercase letter, one number and one special character"
 type_your_password_again: "Type your password again"
 password_confirmation_is_required: "Password confirmation is required."
 password_does_not_match_with_confirmation: "Password does not match with confirmation."
diff --git a/test/models/user_test.rb b/test/models/user_test.rb
index 88f34b1a7..a68b7f367 100644
--- a/test/models/user_test.rb
+++ b/test/models/user_test.rb
@@ -4,7 +4,7 @@ require 'test_helper'
 class UserTest < ActiveSupport::TestCase
 test 'must create wallet and profiles after create user' do
- u = User.create(username: 'user', email: 'userwallet@fabmanager.com', password: 'testpassword', password_confirmation: 'testpassword',
+ u = User.create(username: 'user', email: 'userwallet@fabmanager.com', password: 'Testpassword1$', password_confirmation: 'Testpassword1$',
 profile_attributes: { first_name: 'user', last_name: 'wallet', phone: '0123456789' },
 statistic_profile_attributes: { gender: true, birthday: 18.years.ago })
 assert u.wallet.present?
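Review bot: The minimum length is now duplicated: `config.password_length = 12..128` here and a literal "12" inside `password_is_too_short` and `password_is_too_weak_explanations` in the app.public.en.yml hunk (and its translated copies), so the next change to this range will silently desynchronise the UI text. Either interpolate `Devise.password_length.min` into those strings or leave a pointer on this line: `config.password_length = 12..128 # keep in sync with password_is_too_short / password_is_too_weak_explanations in config/locales/app.public.*.yml`. `SecurePassword.is_secured?` checks character classes only and relies on this range for length, presumably enforced through `:validatable` on the same model.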
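Review bot: The only test change adapts the fixture password to the new rules; nothing exercises `password_complexity` in app/models/user.rb or `SecurePassword.generate`/`is_secured?` directly, so a regression in either goes unnoticed. Add a model test that a 12+ character password missing one class (e.g. `'testpassword1$'`, no uppercase) produces an error on `:password`, one that `SecurePassword.generate` returns a value accepted by `is_secured?` and within `12..128`, and one that the accepted `'Testpassword1$'` passes validation.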
From 1d71cae9d9c4abd67edbf21f7b8fb3bd8bd04438 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Mon, 1 Aug 2022 19:57:40 +0200 Subject: [PATCH 5/6] New Crowdin updates (#386) * New translations en.yml (French) * New translations en.yml (Spanish) * New translations en.yml (German) * New translations en.yml (Norwegian) * New translations en.yml (Portuguese) * New translations en.yml (Zulu) * New translations app.public.en.yml (French) * New translations app.public.en.yml (Spanish) * New translations app.public.en.yml (German) * New translations app.public.en.yml (Norwegian) * New translations app.public.en.yml (Portuguese) * New translations app.public.en.yml (Zulu) * New translations app.public.en.yml (French) * New translations en.yml (French) --- config/locales/app.public.de.yml | 9 +++++---- config/locales/app.public.es.yml | 9 +++++---- config/locales/app.public.fr.yml | 9 +++++---- config/locales/app.public.no.yml | 9 +++++---- config/locales/app.public.pt.yml | 9 +++++---- config/locales/app.public.zu.yml | 9 +++++---- config/locales/de.yml | 6 +++--- config/locales/es.yml | 6 +++--- config/locales/fr.yml | 6 +++--- config/locales/no.yml | 6 +++--- config/locales/pt.yml | 6 +++--- config/locales/zu.yml | 6 +++--- 12 files changed, 48 insertions(+), 42 deletions(-) diff --git a/config/locales/app.public.de.yml b/config/locales/app.public.de.yml index 202666c39..463641eeb 100644 --- a/config/locales/app.public.de.yml +++ b/config/locales/app.public.de.yml 
@@ -71,7 +71,9 @@ de: email_is_required: "E-Mail-Adresse ist erforderlich." your_password: "Passwort" password_is_required: "Passwort ist erforderlich." - password_is_too_short: "Paßwort ist zu kurz (mindestens 8 Zeichen)" + password_is_too_short: "Password is too short (minimum 12 characters)" + password_is_too_weak: "Password is too weak:" + password_is_too_weak_explanations: "minimum 12 characters, at least one uppercase letter, one lowercase letter, one number and one special character" type_your_password_again: "Passwort erneut eingeben" password_confirmation_is_required: "Passwortbestätigung ist erforderlich." password_does_not_match_with_confirmation: "Die beiden Passworteingaben sind nicht identisch." @@ -101,7 +103,7 @@ de: used_for_reservation: "Diese Daten werden im Fall einer Buchungsänderung verwendet" used_for_profile: "Diese Daten werden nur auf deinem Profil angezeigt" public_profile: "Sie werden über ein öffentliches Profil verfügen, andere Nutzer können Sie in ihren Projekten einbinden" - you_will_receive_confirmation_instructions_by_email_detailed: "In wenigen Minuten wirst Du eine Email erhalten mit der du deine Anmeldung bestätigen kannst." + you_will_receive_confirmation_instructions_by_email_detailed: "If your e-mail address is valid, you will receive an email with instructions about how to confirm your account in a few minutes." #password modification modal change_your_password: "Passwort ändern" your_new_password: "Ihr neues Passwort" 
@@ -117,8 +119,7 @@ de: #confirmation modal you_will_receive_confirmation_instructions_by_email: "Sie erhalten eine Bestätigungsanleitung per E-Mail." #forgotten password modal - your_email_address_is_unknown: "Ihre E-Mail-Adresse ist unbekannt." - you_will_receive_in_a_moment_an_email_with_instructions_to_reset_your_password: "Sie erhalten in Kürze eine E-Mail mit Anweisungen zum Zurücksetzen Ihres Passworts." + you_will_receive_in_a_moment_an_email_with_instructions_to_reset_your_password: "If your e-mail address is valid, you will receive in a moment an e-mail with instructions to reset your password." #Fab-manager's version version: "Version:" upgrade_fabmanager: "Fab-Manager aktualisieren" diff --git a/config/locales/app.public.es.yml b/config/locales/app.public.es.yml index 9bf9162d3..09e22f0b2 100644 --- a/config/locales/app.public.es.yml +++ b/config/locales/app.public.es.yml @@ -71,7 +71,9 @@ es: email_is_required: "El e-mail es obligatorio." your_password: "Su contraseña" password_is_required: "La contraseña es obligatoria." - password_is_too_short: "La contraseña es demasiado corta (minimo 8 caracteres)" + password_is_too_short: "Password is too short (minimum 12 characters)" + password_is_too_weak: "Password is too weak:" + password_is_too_weak_explanations: "minimum 12 characters, at least one uppercase letter, one lowercase letter, one number and one special character" type_your_password_again: "Escriba su contraseña otra vez" password_confirmation_is_required: "Confirmar su contraseña es obligatorio." password_does_not_match_with_confirmation: "Las contraseñas no coinciden." 
@@ -101,7 +103,7 @@ es: used_for_reservation: "This data will be used in case of change on one of your bookings" used_for_profile: "This data will only be displayed on your profile" public_profile: "You will have a public profile and other users will be able to associate you in their projects" - you_will_receive_confirmation_instructions_by_email_detailed: "Recibirá un correo electrónico con instrucciones sobre cómo confirmar su cuenta en unos minutos." + you_will_receive_confirmation_instructions_by_email_detailed: "If your e-mail address is valid, you will receive an email with instructions about how to confirm your account in a few minutes." #password modification modal change_your_password: "Cambiar contraseña" your_new_password: "Nueva contraseña" @@ -117,8 +119,7 @@ es: #confirmation modal you_will_receive_confirmation_instructions_by_email: "Recibirá las instrucciones de confirmación por email." #forgotten password modal - your_email_address_is_unknown: "Se desconoce su email." - you_will_receive_in_a_moment_an_email_with_instructions_to_reset_your_password: "En un momento recibirá las instrucciones para restablecer su contraseña en su mail." + you_will_receive_in_a_moment_an_email_with_instructions_to_reset_your_password: "If your e-mail address is valid, you will receive in a moment an e-mail with instructions to reset your password." #Fab-manager's version version: "Versión:" upgrade_fabmanager: "Upgrade Fab-manager" diff --git a/config/locales/app.public.fr.yml b/config/locales/app.public.fr.yml index 49396ba84..881334a0e 100644 --- a/config/locales/app.public.fr.yml +++ b/config/locales/app.public.fr.yml 
@@ -71,7 +71,9 @@ fr: email_is_required: "L'adresse de courriel est requise." your_password: "Votre mot de passe" password_is_required: "Le mot de passe est requis." - password_is_too_short: "Le mot de passe est trop court (au moins 8 caractères)" + password_is_too_short: "Le mot de passe est trop court (au moins 12 caractères)" + password_is_too_weak: "La sécurité du mot de passe trop faible :" + password_is_too_weak_explanations: "12 caractères minimum, au moins une lettre majuscule, une lettre minuscule, un chiffre et un caractère spécial" type_your_password_again: "Ressaisissez votre mot de passe" password_confirmation_is_required: "La confirmation du mot de passe est requise." password_does_not_match_with_confirmation: "Le mot de passe ne concorde pas avec la confirmation." @@ -101,7 +103,7 @@ fr: used_for_reservation: "Cette donnée sera utilisée en cas de changement sur une de vos réservations" used_for_profile: "Cette donnée sera seulement affichée sur votre profil" public_profile: "Vous aurez un profil public et les autres utilisateurs pourront vous associer à leurs projets" - you_will_receive_confirmation_instructions_by_email_detailed: "Vous allez recevoir dans quelques minutes un email comportant des instructions pour confirmer votre compte." + you_will_receive_confirmation_instructions_by_email_detailed: "Si votre adresse e-mail est valide, vous recevrez dans quelques minutes un e-mail comportant des instructions pour confirmer votre compte." #password modification modal change_your_password: "Modifier votre mot de passe" your_new_password: "Votre nouveau mot de passe" 
@@ -117,8 +119,7 @@ fr: #confirmation modal you_will_receive_confirmation_instructions_by_email: "Vous recevrez les instructions de confirmation par email." #forgotten password modal - your_email_address_is_unknown: "Votre adresse de courriel est inconnue." - you_will_receive_in_a_moment_an_email_with_instructions_to_reset_your_password: "Vous allez recevoir sous quelques minutes un courriel vous indiquant comment réinitialiser votre mot de passe." + you_will_receive_in_a_moment_an_email_with_instructions_to_reset_your_password: "Si votre adresse e-mail est valide, vous recevrez dans un instant un e-mail contenant les instructions pour réinitialiser votre mot de passe." #Fab-manager's version version: "Version :" upgrade_fabmanager: "Mettez à jour Fab-manager" diff --git a/config/locales/app.public.no.yml b/config/locales/app.public.no.yml index 90cf837f7..e6453557a 100644 --- a/config/locales/app.public.no.yml +++ b/config/locales/app.public.no.yml @@ -71,7 +71,9 @@ email_is_required: "E-post adresse er påkrevd." your_password: "Ditt passord" password_is_required: "Passord må fylles ut." - password_is_too_short: "Passordet er for kort (minimum 8 tegn)" + password_is_too_short: "Password is too short (minimum 12 characters)" + password_is_too_weak: "Password is too weak:" + password_is_too_weak_explanations: "minimum 12 characters, at least one uppercase letter, one lowercase letter, one number and one special character" type_your_password_again: "Skriv inn passordet igjen" password_confirmation_is_required: "Passordbekreftelse er påkrevd." password_does_not_match_with_confirmation: "Passordet stemmer ikke med bekreftelsen." 
@@ -101,7 +103,7 @@ used_for_reservation: "Disse dataene vil bli brukt i tilfelle endring på en av dine bestillinger" used_for_profile: "Disse dataene vil bare bli vist i profilen din" public_profile: "Du vil ha en offentlig profil og andre brukere vil kunne knytte deg til deres prosjekter" - you_will_receive_confirmation_instructions_by_email_detailed: "Du vil om noen minutter motta en e-post med instruksjoner om hvordan du bekrefter din e-postadresse." + you_will_receive_confirmation_instructions_by_email_detailed: "If your e-mail address is valid, you will receive an email with instructions about how to confirm your account in a few minutes." #password modification modal change_your_password: "Endre passord" your_new_password: "Ditt nye passord" @@ -117,8 +119,7 @@ #confirmation modal you_will_receive_confirmation_instructions_by_email: "Du vil motta instruksjoner om bekreftelse via e-post." #forgotten password modal - your_email_address_is_unknown: "E-postadressen er ukjent." - you_will_receive_in_a_moment_an_email_with_instructions_to_reset_your_password: "Vi har sendt deg en e-post med instruksjoner for å resette passordet ditt." + you_will_receive_in_a_moment_an_email_with_instructions_to_reset_your_password: "If your e-mail address is valid, you will receive in a moment an e-mail with instructions to reset your password." #Fab-manager's version version: "Versjon:" upgrade_fabmanager: "Oppgrader Fab-manager" diff --git a/config/locales/app.public.pt.yml b/config/locales/app.public.pt.yml index 563876261..c3a7f769f 100755 --- a/config/locales/app.public.pt.yml +++ b/config/locales/app.public.pt.yml 
@@ -71,7 +71,9 @@ pt: email_is_required: "E-mail é obrigatório." your_password: "Sua senha" password_is_required: "Senha é obrigatório." - password_is_too_short: "Senha muito curta (mínimo 8 caracteres)" + password_is_too_short: "Password is too short (minimum 12 characters)" + password_is_too_weak: "Password is too weak:" + password_is_too_weak_explanations: "minimum 12 characters, at least one uppercase letter, one lowercase letter, one number and one special character" type_your_password_again: "Digite sua senha novamente" password_confirmation_is_required: "Confirmação de senha é obrigatório." password_does_not_match_with_confirmation: "A senha não é igual ao da confirmação." @@ -101,7 +103,7 @@ pt: used_for_reservation: "Estes dados serão utilizados em caso de alteração em uma das suas reservas" used_for_profile: "Estes dados serão exibidos apenas no seu perfil" public_profile: "Você terá um perfil público e outros usuários poderão associá-lo em seus projetos" - you_will_receive_confirmation_instructions_by_email_detailed: "Você receberá um email com instruções sobre como confirmar sua conta em alguns minutos." + you_will_receive_confirmation_instructions_by_email_detailed: "If your e-mail address is valid, you will receive an email with instructions about how to confirm your account in a few minutes." #password modification modal change_your_password: "Mudar sua senha" your_new_password: "Sua nova senha" 
@@ -117,8 +119,7 @@ pt: #confirmation modal you_will_receive_confirmation_instructions_by_email: "Você receberá instruções de confirmação por e-mail." #forgotten password modal - your_email_address_is_unknown: "Seu e-mail não está cadastrado." - you_will_receive_in_a_moment_an_email_with_instructions_to_reset_your_password: "Você irá receber um e-mail com as instruções para resetar sua senha." + you_will_receive_in_a_moment_an_email_with_instructions_to_reset_your_password: "If your e-mail address is valid, you will receive in a moment an e-mail with instructions to reset your password." #Fab-manager's version version: "Versão:" upgrade_fabmanager: "Atualizar Fab-manager" diff --git a/config/locales/app.public.zu.yml b/config/locales/app.public.zu.yml index 2f0d93fa0..51fe00c83 100644 --- a/config/locales/app.public.zu.yml +++ b/config/locales/app.public.zu.yml @@ -71,7 +71,9 @@ zu: email_is_required: "crwdns8907:0crwdne8907:0" your_password: "crwdns8909:0crwdne8909:0" password_is_required: "crwdns8911:0crwdne8911:0" - password_is_too_short: "crwdns8913:0crwdne8913:0" + password_is_too_short: "crwdns24030:0crwdne24030:0" + password_is_too_weak: "crwdns24032:0crwdne24032:0" + password_is_too_weak_explanations: "crwdns24034:0crwdne24034:0" type_your_password_again: "crwdns8915:0crwdne8915:0" password_confirmation_is_required: "crwdns8917:0crwdne8917:0" password_does_not_match_with_confirmation: "crwdns8919:0crwdne8919:0" @@ -101,7 +103,7 @@ zu: used_for_reservation: "crwdns8959:0crwdne8959:0" used_for_profile: "crwdns8961:0crwdne8961:0" public_profile: "crwdns8963:0crwdne8963:0" - you_will_receive_confirmation_instructions_by_email_detailed: "crwdns19598:0crwdne19598:0" + you_will_receive_confirmation_instructions_by_email_detailed: "crwdns24036:0crwdne24036:0" #password modification modal change_your_password: "crwdns8965:0crwdne8965:0" your_new_password: "crwdns8967:0crwdne8967:0" 
@@ -117,8 +119,7 @@ zu: #confirmation modal you_will_receive_confirmation_instructions_by_email: "crwdns19602:0crwdne19602:0" #forgotten password modal - your_email_address_is_unknown: "crwdns8983:0crwdne8983:0" - you_will_receive_in_a_moment_an_email_with_instructions_to_reset_your_password: "crwdns8985:0crwdne8985:0" + you_will_receive_in_a_moment_an_email_with_instructions_to_reset_your_password: "crwdns24038:0crwdne24038:0" #Fab-manager's version version: "crwdns8987:0crwdne8987:0" upgrade_fabmanager: "crwdns19604:0crwdne19604:0" diff --git a/config/locales/de.yml b/config/locales/de.yml index 4336dc330..71f5150d5 100644 --- a/config/locales/de.yml +++ b/config/locales/de.yml @@ -19,9 +19,9 @@ de: extension_whitelist_error: "Sie sind nicht berechtigt, %{extension} Dateien hochzuladen, erlaubt sind die Typen: %{allowed_types}" extension_blacklist_error: "Sie sind nicht berechtigt, %{extension} Dateien hochzuladen. Unerlaubte Typen: %{prohibited_types}" content_type_whitelist_error: "Sie sind nicht berechtigt, %{content_type} Dateien hochzuladen, erlaubt sind die Typen: %{allowed_types}" - rmagick_processing_error: "Fehler beim Bearbeiten mit rmagick, vielleicht ist es kein Bild? Original Fehler: %{e}" - mime_types_processing_error: "Fehler beim Verarbeiten der Datei mit MIME::Typen, möglicherweise kein gültiger Inhaltstyp? Original Fehler: %{e}" - mini_magick_processing_error: "Fehler beim Bearbeiten mit MiniMagick, vielleicht ist es kein Bild? Original Fehler: %{e}" + rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image?" + mime_types_processing_error: "Failed to process file with MIME::Types, maybe not valid content-type?" + mini_magick_processing_error: "Failed to manipulate the file, maybe it is not an image?" wrong_size: "hat die falsche Größe (sollte %{file_size} sein)" size_too_small: "ist zu klein (sollte mindestens %{file_size} sein)" size_too_big: "ist zu groß (sollte höchstens %{file_size} sein)" 
diff --git a/config/locales/es.yml b/config/locales/es.yml index 7813f93e0..7f45d5fed 100644 --- a/config/locales/es.yml +++ b/config/locales/es.yml @@ -19,9 +19,9 @@ es: extension_whitelist_error: "No puede subir archivos de extensión %{extension}, tipos permitidos: %{allowed_types}" extension_blacklist_error: "No puede subir archivos de extensión %{extension}, tipos prohibidos: %{prohibited_types}" content_type_whitelist_error: "No puede subir archivos de tipo %{content_type}, tipos permitidos: %{allowed_types}" - rmagick_processing_error: "Error al manipular con rmagick, ¿Está seguro de que el archivo es una imagen? Error original: %{e}" - mime_types_processing_error: "Error al procesar archivo con MIME::Types, puede ser que el contenido no sea válido. Error original: %{e}" - mini_magick_processing_error: "Error al editar con MiniMagick, ¿Está seguro de que el archivo es una imagen? Error original: %{e}" + rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image?" + mime_types_processing_error: "Failed to process file with MIME::Types, maybe not valid content-type?" + mini_magick_processing_error: "Failed to manipulate the file, maybe it is not an image?" wrong_size: "es de tamaño incorrecto (debería ser de %{file_size})" size_too_small: "es demasiado pequeño (debería ser de minimo %{file_size})" size_too_big: "es demasiado grande (deberia ser de maximo %{file_size})" diff --git a/config/locales/fr.yml b/config/locales/fr.yml index dde37f57b..2c2c2df07 100644 --- a/config/locales/fr.yml +++ b/config/locales/fr.yml 
@@ -19,9 +19,9 @@ fr: extension_whitelist_error: "Vous n'êtes pas autorisé à envoyer des fichiers %{extension}, les types autorisés sont : %{allowed_types}" extension_blacklist_error: "Vous n'êtes pas autorisé à envoyer des fichiers %{extension}, les types interdits sont : %{prohibited_types}" content_type_whitelist_error: "Vous n'êtes pas autorisé à envoyer des fichiers %{content_type}, les types autorisés sont : %{allowed_types}" - rmagick_processing_error: "La manipulation avec rmagick a échoué, peut-être ne s'agit-il pas d'une image ? Erreur d'origine : %{e}" - mime_types_processing_error: "Le traitement avec MIME::Types a échoué, le content-type est-il correct ? Erreur d'origine : %{e}" - mini_magick_processing_error: "La manipulation avec MiniMagick a échoué, peut-être ne s'agit-il pas d'une image ? Erreur d'origine : %{e}" + rmagick_processing_error: "Impossible de manipuler avec rmagick, peut-être n'est-ce pas une image ?" + mime_types_processing_error: "Impossible de traiter le fichier avec MIME::Types , peut-être pas de type de contenu valide ?" + mini_magick_processing_error: "Impossible de manipuler le fichier, peut-être n'est-ce pas une image ?" wrong_size: "ne fait pas la bonne taille (doit comporter %{file_size})" size_too_small: "est trop petit (au moins %{file_size})" size_too_big: "est trop grand (pas plus de %{file_size})" diff --git a/config/locales/no.yml b/config/locales/no.yml index f7e2446f3..edc1d2df8 100644 --- a/config/locales/no.yml +++ b/config/locales/no.yml 
@@ -19,9 +19,9 @@
 extension_whitelist_error: "Det er ikk tillatt å laste opp %{extension} filer. Tillatte filtyper er: %{allowed_types}"
 extension_blacklist_error: "Det er ikk tillatt å laste opp %{extension} filer. Ikke tillate filtyper er: %{prohibited_types}"
 content_type_whitelist_error: "Det er ikk tillatt å laste opp %{content_type} filer. Tillatte filtyper er: %{allowed_types}"
- rmagick_processing_error: "Kan ikke manipulere med rmagick, kanskje er det ikke et bilde? Opprinnelig feil: %{e}"
- mime_types_processing_error: "Kunne ikke behandle filen med MIME::Types, kanskje ikke gyldig innholdstype? Opprinnelig feil: %{e}"
- mini_magick_processing_error: "Kunne ikke manipulere med MiniMagick, kanskje er det ikke et bilde? Opprinnelig feil: %{e}"
+ rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image?"
+ mime_types_processing_error: "Failed to process file with MIME::Types, maybe not valid content-type?"
+ mini_magick_processing_error: "Failed to manipulate the file, maybe it is not an image?"
 wrong_size: "har feil filstørrelse (skal være %{file_size})"
 size_too_small: "er for liten (må være minst %{file_size})"
 size_too_big: "er for stor (må være maks %{file_size})"
diff --git a/config/locales/pt.yml b/config/locales/pt.yml
index b8805ecd1..5e0b6614f 100755
--- a/config/locales/pt.yml
+++ b/config/locales/pt.yml
@@ -19,9 +19,9 @@ pt:
 extension_whitelist_error: "Você não tem permissão para fazer o upload de arquivos com esta extensão %{extension}, tipos permitidos: %{allowed_types}"
 extension_blacklist_error: "Você não tem permissão para carregar arquivos %{extension}, tipos proibidos: %{prohibited_types}"
 content_type_whitelist_error: "Você não tem permissão para enviar arquivos %{content_type}, tipos permitidos: %{allowed_types}"
- rmagick_processing_error: "Falha ao manipular com rmagick, talvez não seja uma imagem? Erro original: %{e}"
- mime_types_processing_error: "Falha ao processar arquivo com MIME::Types, talvez o conteúdo não seja válido? Erro original: %{e}"
- mini_magick_processing_error: "Falha na manipulação com MiniMagick, talvez isso não seja uma imagem? Erro original: %{e}"
+ rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image?"
+ mime_types_processing_error: "Failed to process file with MIME::Types, maybe not valid content-type?"
+ mini_magick_processing_error: "Failed to manipulate the file, maybe it is not an image?"
 wrong_size: "é o tamanho errado (deveria ser %{file_size})"
 size_too_small: "é muito pequeno (deve ser pelo menos %{file_size})"
 size_too_big: "é muito grande (deve ser no máximo %{file_size})"
diff --git a/config/locales/zu.yml b/config/locales/zu.yml
index 5c0787148..290102033 100644
--- a/config/locales/zu.yml
+++ b/config/locales/zu.yml
@@ -19,9 +19,9 @@ zu:
 extension_whitelist_error: "crwdns20842:0%{extension}crwdnd20842:0%{allowed_types}crwdne20842:0"
 extension_blacklist_error: "crwdns20844:0%{extension}crwdnd20844:0%{prohibited_types}crwdne20844:0"
 content_type_whitelist_error: "crwdns20846:0%{content_type}crwdnd20846:0%{allowed_types}crwdne20846:0"
- rmagick_processing_error: "crwdns3175:0%{e}crwdne3175:0"
- mime_types_processing_error: "crwdns3177:0%{e}crwdne3177:0"
- mini_magick_processing_error: "crwdns3179:0%{e}crwdne3179:0"
+ rmagick_processing_error: "crwdns24024:0crwdne24024:0"
+ mime_types_processing_error: "crwdns24026:0crwdne24026:0"
+ mini_magick_processing_error: "crwdns24028:0crwdne24028:0"
 wrong_size: "crwdns3181:0%{file_size}crwdne3181:0"
 size_too_small: "crwdns3183:0%{file_size}crwdne3183:0"
 size_too_big: "crwdns3185:0%{file_size}crwdne3185:0"
From d3d03cb749389421d45ffd7c035f942270d66e39 Mon Sep 17 00:00:00 2001
From: Du Peng
Date: Mon, 1 Aug 2022 20:03:43 +0200
Subject: [PATCH 6/6] Version 5.4.15
---
 CHANGELOG.md | 7 +++++++
 package.json | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 20e5af9fb..80bea673a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
 ## next release
+## v5.4.15 2022 August 1
+
+- Improved security: adds redis-session-store to store session
+- Improved security: makes rmagick, minimagick and mime types less explicit
+- Improved security: add complexity check of the user password
+- Improved security: prevents users enumeration attacks by not giving any info about the validity of the email
+
 ## v5.4.14 2022 August 1
 - Added a test for multiple reservations on the same space slot
diff --git a/package.json b/package.json
index 3c6061ffd..da9ca0f0a 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "fab-manager",
- "version": "5.4.14",
+ "version": "5.4.15",
 "description": "Fab-manager is the FabLab management solution. It provides a comprehensive, web-based, open-source tool to simplify your administrative tasks and your marker's projects.",
 "keywords": [
 "fablab",