Ruby on Rails | Screencasts | Download | Documentation | Weblog | Community | Source

Ticket #10286 (closed defect: fixed)

Opened 7 months ago

Last modified 7 months ago

[PATCH] Rails generates insecure secret keys for CookieStore

Reported by: FooBarWidget Assigned to: bitsweat
Priority: normal Milestone: 2.0
Component: Railties Version: edge
Severity: major Keywords: session cookiestore security
Cc:

Description

CookieStore has generated a lot of controversy. Jamie Flournoy has pointed out that Rails uses an insecure way to generate the default secret key for CookieStore. See http://izumi.plan99.net/blog/index.php/2007/11/25/rails-20-cookie-session-store-and-security/#comments for details.

The attached patch tries its best to generate a secure secret key, using whatever best method is available on the current platform.

Attachments

rails-more-secure-secret-keys.diff (9.4 kB) - added by FooBarWidget on 11/26/07 17:26:23.
rails-more-secure-secret-keys-2.diff (8.7 kB) - added by FooBarWidget on 11/28/07 11:07:56.

Change History

11/26/07 17:26:23 changed by FooBarWidget

  • attachment rails-more-secure-secret-keys.diff added.

11/26/07 17:58:30 changed by lifofifo

I think rails should include securerandom.rb from ruby 1.9 and have the code for windows in rescue section so that it's compatible with future versions of ruby.

11/26/07 19:49:25 changed by dkubb

The individual generate_* methods are pretty good, but I think the dispatching done in generate is a bit convoluted. Perhaps something like this might work better: 

GENERATORS = [ :secure_random, :win32_api, :urandom, :openssl, :prng ].freeze

def included(base)
  generator = GENERATORS.find { |g| send("supports_#{g}?") }
  base.alias_method_chain :generate_secret, generator
end

# ...

private
  def supports_secure_random?
    begin
      require 'securerandom'
      true
    rescue LoadError
      false
    end
  end

  def supports_win32_api?
    return false unless RUBY_PLATFORM =~ /(:?mswin|mingw)/
    begin
      require 'Win32API'
      true
    rescue LoadError
      false
    end
  end

  def supports_urandom?
    File.exists?('/dev/urandom')
  end

  def supports_openssl?
    begin
      require 'openssl'
      true
    rescue LoadError
      false
    end
  end

  def supports_prng?
    true
  end

This way the decision on which generator to load is made when the module is included and not at runtime. Plus its easier to add/subtract generators over time. You can even remove the supports_* methods from your tests and just reference the ones in module.

11/27/07 03:37:00 changed by nzkoz

  • owner changed from core to bitsweat.

11/28/07 11:07:56 changed by FooBarWidget

  • attachment rails-more-secure-secret-keys-2.diff added.

11/28/07 11:08:47 changed by FooBarWidget

Here is a new patch which includes the suggestions by dkubb.

11/28/07 19:37:03 changed by bitsweat

  • status changed from new to closed.
  • resolution set to fixed.

(In [8229]) Introduce SecretKeyGenerator for more secure session secrets than CGI::Session's pseudo-random id generator. Consider extracting to Active Support later. Closes #10286.