Bug #2109

closed

session_token should not be static

Added by Sandor Szücs over 11 years ago. Updated over 11 years ago.

Status:
Closed
Priority:
Immediate
Assignee:
Category:
Users, Roles and Permissions
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

The session token of the Rails app should not be publicly available and static across all installations.

http://biggestfool.tumblr.com/post/24049554541/reminder-secret-token-rb-is-named-so-for-a-reason

Solution:
Generate the session token using SecureRandom, maybe as a Rake task, and add it to the installation and upgrade guides.

# RUBY_VERSION is a String, so compare against a String (a Float comparison raises)
if RUBY_VERSION >= '1.9'
  require 'securerandom'
  # 64 url-safe characters of CSPRNG output
  SecureRandom.urlsafe_base64(64)[0..63]
  #=> "sZT3OdJVpHeIdbH5O8YLflOBXJbOv2ZY76GqsN1Clg1c1aiOzcMFZzKrRfUtJDTS"
else
  # fallback for Ruby < 1.9 (elided in the original)
end


Files

security.rake (1.22 KB) - put it into lib/tasks/ - Sandor Szücs, 01/05/2013 08:05 AM

#2

Updated by Sandor Szücs over 11 years ago

Ohad Levy wrote:

also, some more background http://blog.phusion.nl/2013/01/04/securing-the-rails-session-secret/

I don't think that this: hash("#{machine_uuid}-#{hostname}-#{app_name}")
is good enough. If there are users with an operator role who have ssh access to look into logs or do some cleanup tasks, but who are not administrators in the Foreman webapp, then we have privilege escalation here. Hostname and app_name are known, and the uuid can be read with ssh access from a machine...
Anyway nice read, Ohad.

Greets Sandor

#3

Updated by Dominic Cleal over 11 years ago

I like the rake task idea. To make it usable without running the task, we could comment out or delete secret_token.rb, then add an initializer after that generates + stores a key in tmp/ if the token's unset. People are then able to generate a static one with the rake task if they need it, which overrides the temporary secret.

#4

Updated by Dominic Cleal over 11 years ago

  • Status changed from New to Ready For Testing

Implemented the above, kept the rake task: https://github.com/theforeman/foreman/pull/353

Katello generates a secret during RPM installation too, we could do the same in our package post installs by running the rake task.

#5

Updated by Sandor Szücs over 11 years ago

Dominic Cleal wrote:

Implemented the above, kept the rake task: https://github.com/theforeman/foreman/pull/353

Katello generates a secret during RPM installation too, we could do the same in our package post installs by running the rake task.

It's not a good idea to use activesupport's SecureRandom, because they removed it: https://github.com/rails/rails/commit/1170cceaaec8c0c8aef173913405be1456e4b2be#activesupport/lib/active_support
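An added example (not Foreman's code and not the linked PR) that puts comments #3 to #5 together: a helper in the shape of a Rails initializer that prefers an operator-generated static secret, otherwise generates one per installation with the stdlib SecureRandom and caches it under tmp/ with owner-only permissions. The file paths, the minimum length and the function names are assumptions.

```ruby
# Added example, not Foreman's own code. Uses the stdlib securerandom (not the
# removed ActiveSupport copy). Assumed layout: config/secret_token (static,
# written by an operator or a rake task) and tmp/secret (generated on demand).
require 'securerandom'
require 'fileutils'

MIN_SECRET_BYTES = 64 # 64 random bytes -> 128 hex chars (assumed minimum)

# Read a secret from +path+; nil when absent, empty or too short, so a weak or
# hand-typed value on disk is never silently accepted as the session secret.
def read_secret(path)
  return nil unless File.file?(path)
  token = File.read(path).strip
  token.length >= MIN_SECRET_BYTES * 2 ? token : nil
end

# Generate a fresh secret from the CSPRNG and store it owner-readable only, so a
# user with shell access but not the app user's rights cannot read it.
# Not race-safe between two processes starting at once; the static file is.
def generate_secret(path)
  token = SecureRandom.hex(MIN_SECRET_BYTES)
  FileUtils.mkdir_p(File.dirname(path))
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0600) { |f| f.write(token) }
  File.chmod(0600, path) # the mode on open only applies when the file is created
  token
end

# Resolve the token: explicit static secret first, then the cached temporary
# one, else generate and cache. Repeated calls with the same paths return the
# same value, so sessions survive restarts.
def resolve_secret(static_path, tmp_path)
  read_secret(static_path) || read_secret(tmp_path) || generate_secret(tmp_path)
end

# In an initializer this would feed the token to the application, e.g.:
#   Rails.application.config.secret_token =
#     resolve_secret(Rails.root.join('config', 'secret_token').to_s,
#                    Rails.root.join('tmp', 'secret').to_s)
```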

#6

Updated by Dominic Cleal over 11 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
#7

Updated by Ohad Levy over 11 years ago

  • Assignee set to Dominic Cleal
  • Target version set to 1.1