From 5cdaa014eff7b0a0137fac707e68d77acda838ed Mon Sep 17 00:00:00 2001 From: Sylvain Date: Mon, 25 Mar 2019 14:57:48 +0100 Subject: [PATCH] [security] updated devise + updated rails --- CHANGELOG.md | 4 + Gemfile | 5 +- Gemfile.lock | 86 +++++++++---------- README.md | 2 +- .../controllers/application.js.erb | 2 +- app/assets/templates/shared/header.html.erb | 4 +- app/controllers/application_controller.rb | 15 ++-- app/controllers/sessions_controller.rb | 2 +- app/models/notification_type.rb | 1 - app/models/user.rb | 6 +- .../api/auth_providers/active.json.jbuilder | 4 +- .../notify_user_auth_migration.html.erb | 2 +- .../notify_user_account_created.html.erb | 2 +- config/initializers/devise_async.rb | 5 -- 14 files changed, 71 insertions(+), 69 deletions(-) delete mode 100644 config/initializers/devise_async.rb diff --git a/CHANGELOG.md b/CHANGELOG.md index 2b89ecc0d..3d71debc1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog Fab Manager +- Fix a security issue: updated to devise 4.6.0 to fix [CVE-2019-5421](https://github.com/plataformatec/devise/issues/4981) +- Fix a security issue: updated Rails to 4.2.11.1 to fix [CVE-2019-5418](https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q) and [CVE-2019-5419](https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI) +- [TODO DEPLOY] (dev) if applicable, you must first downgrade bundler to v1 `gem uninstall bundler --version=2.0.1 && gem install bundler --version=1.7.3 && bundle install`emi + ## v2.8.4 2019 March 18 - Limit members search to 50 results to speed up queries diff --git a/Gemfile b/Gemfile index 964fbddea..457d8da2b 100644 --- a/Gemfile +++ b/Gemfile @@ -2,7 +2,7 @@ source 'https://rubygems.org' gem 'compass-rails', '2.0.4' # Bundle edge Rails instead: gem 'rails', github: 'rails/rails' -gem 'rails', '4.2.11' +gem 'rails', '4.2.11.1' # Use SCSS for stylesheets gem 'sass-rails', '5.0.1' 
@@ -73,8 +73,7 @@ gem 'seed_dump' gem 'pg' -gem 'devise' -gem 'devise-async' +gem 'devise', ">= 4.6.0" gem 'omniauth', '~> 1.6.0' gem 'omniauth-oauth2' diff --git a/Gemfile.lock b/Gemfile.lock index 22fe64557..d7fbb1192 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -14,39 +14,39 @@ GEM specs: Ascii85 (1.0.2) aasm (4.1.0) - actionmailer (4.2.11) - actionpack (= 4.2.11) - actionview (= 4.2.11) - activejob (= 4.2.11) + actionmailer (4.2.11.1) + actionpack (= 4.2.11.1) + actionview (= 4.2.11.1) + activejob (= 4.2.11.1) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 1.0, >= 1.0.5) - actionpack (4.2.11) - actionview (= 4.2.11) - activesupport (= 4.2.11) + actionpack (4.2.11.1) + actionview (= 4.2.11.1) + activesupport (= 4.2.11.1) rack (~> 1.6) rack-test (~> 0.6.2) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.2) actionpack-page_caching (1.0.2) actionpack (>= 4.0.0, < 5) - actionview (4.2.11) - activesupport (= 4.2.11) + actionview (4.2.11.1) + activesupport (= 4.2.11.1) builder (~> 3.1) erubis (~> 2.7.0) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.3) active_record_query_trace (1.4) - activejob (4.2.11) - activesupport (= 4.2.11) + activejob (4.2.11.1) + activesupport (= 4.2.11.1) globalid (>= 0.3.0) - activemodel (4.2.11) - activesupport (= 4.2.11) + activemodel (4.2.11.1) + activesupport (= 4.2.11.1) builder (~> 3.1) - activerecord (4.2.11) - activemodel (= 4.2.11) - activesupport (= 4.2.11) + activerecord (4.2.11.1) + activemodel (= 4.2.11.1) + activesupport (= 4.2.11.1) arel (~> 6.0) - activesupport (4.2.11) + activesupport (4.2.11.1) i18n (~> 0.7) minitest (~> 5.1) thread_safe (~> 0.3, >= 0.3.4) @@ -70,7 +70,7 @@ GEM axlsx_rails (0.4.0) axlsx (>= 2.0.1) rails (>= 3.1) - bcrypt (3.1.10) + bcrypt (3.1.12) binding_of_caller (0.7.3) debug_inspector (>= 0.0.1) bootstrap-sass (3.4.1) 
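Review bot: The new requirement `gem 'devise', ">= 4.6.0"` has no upper bound, so a later `bundle update` can move the authentication library across a major version without any Gemfile change showing it; the lockfile pins 4.6.1 today, but the Gemfile should state the intended range, e.g. `gem 'devise', '~> 4.6'`. The double quotes also depart from the single-quoted style of the surrounding gem lines. The same unbounded constraint is repeated in the Gemfile.lock DEPENDENCIES hunk, which Bundler regenerates from whatever the Gemfile says.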
@@ -119,7 +119,7 @@ GEM compass (~> 1.0.0) sass-rails (<= 5.0.1) sprockets (< 2.13) - concurrent-ruby (1.1.4) + concurrent-ruby (1.1.5) connection_pool (2.2.0) coveralls (0.8.16) json (>= 1.8, < 3) @@ -135,15 +135,12 @@ GEM debug_inspector (0.0.3) descendants_tracker (0.0.4) thread_safe (~> 0.3, >= 0.3.1) - devise (3.4.1) + devise (4.6.1) bcrypt (~> 3.0) orm_adapter (~> 0.1) - railties (>= 3.2.6, < 5) + railties (>= 4.1.0, < 6.0) responders - thread_safe (~> 0.1) warden (~> 1.2.3) - devise-async (0.9.0) - devise (~> 3.2) docile (1.1.5) domain_name (0.5.25) unf (>= 0.0.5, < 1.0.0) @@ -185,7 +182,7 @@ GEM forgery (0.6.0) friendly_id (5.1.0) activerecord (>= 4.0.0) - globalid (0.4.1) + globalid (0.4.2) activesupport (>= 4.2.0) has_secure_token (1.0.0) activerecord (>= 3.0) @@ -249,7 +246,7 @@ GEM mimemagic (0.3.2) mini_magick (4.2.0) mini_mime (1.0.1) - mini_portile2 (2.3.0) + mini_portile2 (2.4.0) minitest (5.11.3) minitest-reporters (1.1.8) ansi @@ -268,8 +265,8 @@ GEM net-ssh-gateway (1.2.0) net-ssh (>= 2.6.5) netrc (0.10.3) - nokogiri (1.8.5) - mini_portile2 (~> 2.3.0) + nokogiri (1.10.1) + mini_portile2 (~> 2.4.0) notify_with (0.0.2) jbuilder (~> 2.0) rails (>= 4.2.0) @@ -318,16 +315,16 @@ GEM rack-test (0.6.3) rack (>= 1.0) railroady (1.5.3) - rails (4.2.11) - actionmailer (= 4.2.11) - actionpack (= 4.2.11) - actionview (= 4.2.11) - activejob (= 4.2.11) - activemodel (= 4.2.11) - activerecord (= 4.2.11) - activesupport (= 4.2.11) + rails (4.2.11.1) + actionmailer (= 4.2.11.1) + actionpack (= 4.2.11.1) + actionview (= 4.2.11.1) + activejob (= 4.2.11.1) + activemodel (= 4.2.11.1) + activerecord (= 4.2.11.1) + activesupport (= 4.2.11.1) bundler (>= 1.3.0, < 2.0) - railties (= 4.2.11) + railties (= 4.2.11.1) sprockets-rails rails-deprecated_sanitizer (1.0.3) activesupport (>= 4.2.0.alpha) 
@@ -344,9 +341,9 @@ GEM rails_stdout_logging rails_serve_static_assets (0.0.4) rails_stdout_logging (0.0.3) - railties (4.2.11) - actionpack (= 4.2.11) - activesupport (= 4.2.11) + railties (4.2.11.1) + actionpack (= 4.2.11.1) + activesupport (= 4.2.11.1) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) rainbow (3.0.0) @@ -494,7 +491,7 @@ GEM coercible (~> 1.0) descendants_tracker (~> 0.0, >= 0.0.3) equalizer (~> 0.0, >= 0.0.9) - warden (1.2.3) + warden (1.2.7) rack (>= 1.0) web-console (2.1.3) activemodel (>= 4.0) @@ -528,8 +525,7 @@ DEPENDENCIES compass-rails (= 2.0.4) coveralls database_cleaner - devise - devise-async + devise (>= 4.6.0) elasticsearch-model (~> 5) elasticsearch-persistence (~> 5) elasticsearch-rails (~> 5) @@ -562,7 +558,7 @@ DEPENDENCIES pundit rack-protection (= 1.5.5) railroady - rails (= 4.2.11) + rails (= 4.2.11.1) rails-observers rails_12factor rb-readline @@ -591,4 +587,4 @@ DEPENDENCIES webmock BUNDLED WITH - 1.17.2 + 1.17.3 diff --git a/README.md b/README.md index b575911c0..b9f9fe3ba 100644 --- a/README.md +++ b/README.md @@ -136,7 +136,7 @@ This procedure is not easy to follow so if you don't need to write some code for 10. Install bundler in the current RVM gemset ```bash - gem install bundler + gem install bundler --version=1.17.3 ``` 11. Install the required ruby gems and javascript plugins diff --git a/app/assets/javascripts/controllers/application.js.erb b/app/assets/javascripts/controllers/application.js.erb index 7bae15ddb..7e89ca850 100644 --- a/app/assets/javascripts/controllers/application.js.erb +++ b/app/assets/javascripts/controllers/application.js.erb 
@@ -340,7 +340,7 @@ Application.Controllers.controller('ApplicationController', ['$rootScope', '$sco var openLoginModal = function (toState, toParams, callback) { <% active_provider = AuthProvider.active %> <% if active_provider.providable_type != DatabaseProvider.name %> - $window.location.href = '<%=user_omniauth_authorize_path(AuthProvider.active.strategy_name.to_sym)%>'; + $window.location.href = '<%="/users/auth/#{active_provider.strategy_name}"%>'; <% else %> return $uibModal.open({ templateUrl: '<%= asset_path "shared/deviseModal.html" %>', diff --git a/app/assets/templates/shared/header.html.erb b/app/assets/templates/shared/header.html.erb index 3a2c59502..9a3fe9cfc 100644 --- a/app/assets/templates/shared/header.html.erb +++ b/app/assets/templates/shared/header.html.erb @@ -53,9 +53,9 @@ {{ 'sign_in' | translate }} <% else %> -
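Review bot: The literal `"/users/auth/#{active_provider.strategy_name}"` now spells out the OmniAuth request path in four places in this commit — here, app/controllers/sessions_controller.rb, app/views/api/auth_providers/active.json.jbuilder and app/views/notifications_mailer/notify_user_auth_migration.html.erb — so one method on AuthProvider, say `def authorize_path; "/users/auth/#{strategy_name}"; end`, would keep the route in a single spot and let every caller use `active_provider.authorize_path`. Presumably the route helper was dropped because Devise 4 generates per-provider helpers that a dynamically chosen strategy cannot call; a comment recording that next to the method would save the next reader the same investigation. Note also that the old helper URL-encoded the path segment while the literal does not, and in this compiled asset `<%= %>` writes raw text into a JavaScript string, so it is worth confirming that `strategy_name` is an application-generated slug rather than free-form configuration.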
  • {{ 'sign_up' | translate }}
  • +
  • " class="font-sbold label text-md"> {{ 'sign_up' | translate }}
  • - {{ 'sign_in' | translate }} + " class="font-sbold label text-md"> {{ 'sign_in' | translate }}
  • <% end %> diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 90a61671c..f59db1763 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -30,11 +30,16 @@ class ApplicationController < ActionController::Base end def configure_permitted_parameters - devise_parameter_sanitizer.for(:sign_up) << - { profile_attributes: [:phone, :last_name, :first_name, :gender, :birthday, :interest, :software_mastered, - organization_attributes: [:name, address_attributes: [:address]]] } - - devise_parameter_sanitizer.for(:sign_up).concat %i[username is_allow_contact is_allow_newsletter cgu group_id] + devise_parameter_sanitizer.permit(:sign_up, + keys: [ + { profile_attributes: [ + :phone, :last_name, :first_name, :gender, :birthday, + :interest, :software_mastered, organization_attributes: [ + :name, address_attributes: [:address] + ] + ] }, + :username, :is_allow_contact, :is_allow_newsletter, :cgu, :group_id + ]) end def default_url_options diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 5488450ad..e7ee47a0e 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -4,7 +4,7 @@ class SessionsController < Devise::SessionsController def new active_provider = AuthProvider.active if active_provider.providable_type != DatabaseProvider.name - redirect_to user_omniauth_authorize_path(active_provider.strategy_name.to_sym) + redirect_to "/users/auth/#{active_provider.strategy_name}" else super end diff --git a/app/models/notification_type.rb b/app/models/notification_type.rb index 54503aa56..11230db24 100644 --- a/app/models/notification_type.rb +++ b/app/models/notification_type.rb 
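Review bot: In `configure_permitted_parameters` the permit list places the nested `profile_attributes` hash first and the scalar keys after it; the strong-parameters convention used in Rails' own documentation lists scalars first and nested hashes last, so `keys: [:username, :is_allow_contact, :is_allow_newsletter, :cgu, :group_id, { profile_attributes: [...] }]` would read more like the surrounding Rails code. A one-line comment such as `# Devise 4 replaced ParameterSanitizer#for with #permit` would record why the sign-up sanitizer was rewritten inside a security-update commit. The enclosing class continues outside this hunk.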
@@ -42,7 +42,6 @@ class NotificationType notify_admin_export_complete notify_member_about_coupon notify_member_reservation_reminder - notify_admin_free_disk_space ] # deprecated: # - notify_member_subscribed_plan_is_changed diff --git a/app/models/user.rb b/app/models/user.rb index ca5dd6963..11a842552 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -8,7 +8,7 @@ class User < ActiveRecord::Base # Include default devise modules. Others available are: # :lockable, :timeoutable and :omniauthable devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable, - :confirmable, :async + :confirmable rolify # enable OmniAuth authentication only if needed @@ -318,6 +318,10 @@ class User < ActiveRecord::Base create_wallet end + def send_devise_notification(notification, *args) + devise_mailer.send(notification, self, *args).deliver_later + end + def notify_admin_when_user_is_created if need_completion? && !provider.nil? NotificationCenter.call type: 'notify_admin_when_user_is_imported', diff --git a/app/views/api/auth_providers/active.json.jbuilder b/app/views/api/auth_providers/active.json.jbuilder index fc0a96351..1f35ece38 100644 --- a/app/views/api/auth_providers/active.json.jbuilder +++ b/app/views/api/auth_providers/active.json.jbuilder @@ -4,9 +4,9 @@ json.link_to_sso_profile @provider.link_to_sso_profile if @provider.providable_type == DatabaseProvider.name json.link_to_sso_connect '/#' else - json.link_to_sso_connect user_omniauth_authorize_path(@provider.strategy_name.to_sym) + json.link_to_sso_connect "/users/auth/#{@provider.strategy_name}" end if @provider.providable_type == OAuth2Provider.name json.domain @provider.providable.domain -end \ No newline at end of file +end diff --git a/app/views/notifications_mailer/notify_user_auth_migration.html.erb b/app/views/notifications_mailer/notify_user_auth_migration.html.erb index a366d776f..d72a262e5 100644 
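Review bot: Dropping `notify_admin_free_disk_space` from the notification type list is unrelated to the devise and rails upgrade this patch describes, and nothing in the hunk shows whether the type is still referenced elsewhere (a mailer view, a NotificationCenter caller or stored Notification rows); if it is, those lookups would now fail to resolve. It would be cleaner as a separate commit, or at least mentioned in the CHANGELOG entry. The array literal being edited begins before this hunk.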
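Review bot: In the new `send_devise_notification`, `deliver_later` enqueues onto ActiveJob's default `mailers` queue, whereas the deleted config/initializers/devise_async.rb routed Devise mail with `config.queue = :devise_mailer`; if the Sidekiq worker is started with an explicit queue list that names `devise_mailer` but not `mailers`, confirmation and password-reset mail will sit unprocessed, so either update the worker configuration or keep the queue with `devise_mailer.public_send(notification, self, *args).deliver_later(queue: :devise_mailer)`. `public_send` is also the better fit, since the mailer actions are public methods. Because the job receives the user by GlobalID, the record must be committed before the job runs; presumably Devise 4 sends its notifications from after-commit hooks, but that is worth confirming for any application code that triggers mail inside a transaction. The enclosing User class continues outside this hunk.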
--- a/app/views/notifications_mailer/notify_user_auth_migration.html.erb +++ b/app/views/notifications_mailer/notify_user_auth_migration.html.erb @@ -15,7 +15,7 @@ <% active_provider = AuthProvider.active %> <%= render 'notifications_mailer/shared/hello', recipient: @recipient %> <% - url_path = user_omniauth_authorize_path(active_provider.strategy_name.to_sym) + url_path = "/users/auth/#{active_provider.strategy_name}" if url_path[0] == '/' and root_url[-1] == '/' url_path = root_url + url_path[1..-1] else diff --git a/app/views/users_mailer/notify_user_account_created.html.erb b/app/views/users_mailer/notify_user_account_created.html.erb index b0377fc14..1c3bfac6e 100644 --- a/app/views/users_mailer/notify_user_account_created.html.erb +++ b/app/views/users_mailer/notify_user_account_created.html.erb @@ -38,7 +38,7 @@

    <%= t('.body.thanks_to_') %> - + " target="_blank"> <%= t('body.logon_or_login', PROVIDER: active_provider.name )%>

    diff --git a/config/initializers/devise_async.rb b/config/initializers/devise_async.rb deleted file mode 100644 index 1ae610c44..000000000 --- a/config/initializers/devise_async.rb +++ /dev/null @@ -1,5 +0,0 @@ -Devise::Async.setup do |config| - config.enabled = true - config.backend = :sidekiq - config.queue = :devise_mailer -end \ No newline at end of file