1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00

Prevent leaking of user's DB credentials on rails db:create failure

Issue #27852 reports that when `rails db:create` fails, it causes
leaking of user's DB credentials to $stderr.
We print a DB's configuration hash in order to help users more quickly
to figure out what could be wrong with his configuration.

This commit changes message from
"Couldn't create database for #{configuration.inspect}" to
"Couldn't create '#{configuration['database']}' database. Please check your configuration.".

There are two PRs that fixing it #27878, #27879, but they need a bit more work.
I decided help to finish this and added Author of those PRs credit in this commit.

Since it is a security issue, I think we should backport it to
`5-2-stable`, and `5-1-stable`.
Guided by https://edgeguides.rubyonrails.org/maintenance_policy.html#security-issues

Fixes #27852
Closes #27879
Related to #27878

[Alexander Marrs & bogdanvlviv]
This commit is contained in:
bogdanvlviv 2018-08-28 09:20:18 +03:00
parent 068fe7dc90
commit 9b455fe6f0
No known key found for this signature in database
GPG key ID: E4ACD76A6DB6DFDD
4 changed files with 4 additions and 4 deletions

View file

@ -122,7 +122,7 @@ module ActiveRecord
$stderr.puts "Database '#{configuration['database']}' already exists" if verbose?
rescue Exception => error
$stderr.puts error
$stderr.puts "Couldn't create database for #{configuration.inspect}"
$stderr.puts "Couldn't create '#{configuration['database']}' database. Please check your configuration."
raise
end

View file

@ -112,7 +112,7 @@ if current_adapter?(:PostgreSQLAdapter)
ActiveRecord::Base.stub(:connection, @connection) do
ActiveRecord::Base.stub(:establish_connection, -> * { raise Exception }) do
assert_raises(Exception) { ActiveRecord::Tasks::DatabaseTasks.create @configuration }
assert_match "Couldn't create database for #{@configuration.inspect}", $stderr.string
assert_match "Couldn't create '#{@configuration['database']}' database. Please check your configuration.", $stderr.string
end
end
end

View file

@ -62,7 +62,7 @@ if current_adapter?(:SQLite3Adapter)
def test_db_create_with_error_prints_message
ActiveRecord::Base.stub(:establish_connection, proc { raise Exception }) do
assert_raises(Exception) { ActiveRecord::Tasks::DatabaseTasks.create @configuration, "/rails/root" }
assert_match "Couldn't create database for #{@configuration.inspect}", $stderr.string
assert_match "Couldn't create '#{@configuration['database']}' database. Please check your configuration.", $stderr.string
end
end
end

View file

@ -93,7 +93,7 @@ module ApplicationTests
test "db:create failure because bad permissions" do
with_bad_permissions do
output = rails("db:create", allow_failure: true)
assert_match(/Couldn't create database/, output)
assert_match("Couldn't create '#{database_url_db_name}' database. Please check your configuration.", output)
assert_equal 1, $?.exitstatus
end
end