40 lines
1.7 KiB
Diff
40 lines
1.7 KiB
Diff
|
From a21d6edf35a60383dfa6c4da49e4b1aef5f00731 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Aaron Patterson <aaron@rubyonrails.org>
|
||
|
|
Date: Tue, 22 Aug 2023 09:58:43 -0700
|
||
|
|
Subject: [PATCH] Use a temporary file for storing unencrypted files while
|
||
|
|
editing
|
||
|
|
|
||
|
|
Origin: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
|
||
|
|
|
||
|
|
When we're editing the contents of encrypted files, we should use the
|
||
|
|
`Tempfile` class because it creates temporary files with restrictive
|
||
|
|
permissions. This prevents other users on the same system from reading
|
||
|
|
the contents of those files while the user is editing them.
|
||
|
|
|
||
|
|
[CVE-2023-38037]
|
||
|
|
---
|
||
|
|
.../lib/active_support/encrypted_file.rb | 17 ++++++++---------
|
||
|
|
activesupport/test/encrypted_file_test.rb | 8 ++++++++
|
||
|
|
railties/lib/rails/secrets.rb | 18 ++++++++++--------
|
||
|
|
3 files changed, 26 insertions(+), 17 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/activesupport/test/encrypted_file_test.rb b/activesupport/test/encrypted_file_test.rb
|
||
|
|
index 9c4f289f7b1cf..92a3ecf972f1d 100644
|
||
|
|
--- a/activesupport/test/encrypted_file_test.rb
|
||
|
|
+++ b/activesupport/test/encrypted_file_test.rb
|
||
|
|
@@ -49,6 +49,14 @@ class EncryptedFileTest < ActiveSupport::TestCase
|
||
|
|
assert_equal "#{@content} and went by the lake", @encrypted_file.read
|
||
|
|
end
|
||
|
|
|
||
|
|
+ test "change sets restricted permissions" do
|
||
|
|
+ @encrypted_file.write(@content)
|
||
|
|
+ @encrypted_file.change do |file|
|
||
|
|
+ assert_predicate file, :owned?
|
||
|
|
+ assert_equal "100600", file.stat.mode.to_s(8), "Incorrect mode for #{file}"
|
||
|
|
+ end
|
||
|
|
+ end
|
||
|
|
+
|
||
|
|
test "raise MissingKeyError when key is missing" do
|
||
|
|
assert_raise ActiveSupport::EncryptedFile::MissingKeyError do
|
||
|
|
encrypted_file(@content_path, key_path: "", env_key: "").read
|