mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Commit graph

12 commits

Author SHA1 Message Date
Bart de Water
c76a8c72d5 Don't encode in secure_compare for speedup
Hex encoding is base 16, which makes the original input twice as big. With this change less time needs to be spent in fixed_length_secure_compare.
2019-03-26 21:43:52 -04:00
Rafael Mendonça França
f76ca450f5
Compare the actual string after comparing the HMAC processed strings
Even though collisions are unlikely, we need to make sure the two strings
are equal.

Timing is not important in this case because this only runs after the
comparison between the SHA256 digested strings returns true.
2017-11-25 11:39:41 -05:00
Rafael Mendonça França
0623b5d194
Merge pull request #24510 from vipulnsward/make-variable_size_secure_compare-public
Make variable_size_secure_compare public
2017-11-25 11:39:37 -05:00
Francesco Rodriguez
ff56fdb08d Preload digest/sha2 to avoid thread-safety error.
I got this error in production using Puma in multi-threaded mode:

```
RuntimeError: Digest::Base cannot be directly inherited in Ruby
from active_support/security_utils.rb:23:in `variable_size_secure_compare'
from active_support/security_utils.rb:23:in `hexdigest'
from active_support/security_utils.rb:23:in `digest'
```

Looks like Digest uses const_missing to load Digest::SHA256 (https://github.com/ruby/ruby/blob/trunk/ext/digest/lib/digest.rb#L8)

- https://bugs.ruby-lang.org/issues/9494
- c02fa39463
2017-09-25 17:07:00 +02:00
Koichi ITO
ac717d65a3 [Active Support] rubocop -a --only Layout/EmptyLineAfterMagicComment 2017-07-11 13:12:32 +09:00
Kir Shatrov
72950568dd Use frozen-string-literal in ActiveSupport 2017-07-09 15:08:29 +03:00
Matthew Draper
87b3e226d6 Revert "Merge pull request #29540 from kirs/rubocop-frozen-string"
This reverts commit 3420a14590, reversing
changes made to afb66a5a59.
2017-07-02 02:15:17 +09:30
Kir Shatrov
cfade1ec7e Enforce frozen string in Rubocop 2017-07-01 02:11:03 +03:00
Vipul A M
fa487763d9
Changed default behaviour of ActiveSupport::SecurityUtils.secure_compare,
to make it not leak length information even for variable length strings.

Renamed old `ActiveSupport::SecurityUtils.secure_compare` to `fixed_length_secure_compare`,
and started raising `ArgumentError` in case of length mismatch of passed strings.
2017-06-07 03:45:10 +05:30
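The comparison scheme these commit messages describe (fa487763d9 here, with the refinements from f76ca450f5 and c76a8c72d5 above and the digest preload from ff56fdb08d), written out as an added stand-alone example rather than the Rails source; the module name SecureCompareExample is an assumption, and SHA256 is used because the commit messages name it:

```ruby
# Added example, not the ActiveSupport code: a self-contained version of the
# two-step secure_compare design the commit messages describe.
# Assumption: module name SecureCompareExample is made up for this example.
require "digest/sha2" # preload once, so no const_missing autoload races between threads

module SecureCompareExample
  # Constant-time comparison for strings that are already known to be the same
  # length. A length mismatch is a caller bug, so it raises instead of leaking
  # the mismatch through an early return.
  def self.fixed_length_secure_compare(a, b)
    raise ArgumentError, "string length mismatch." unless a.bytesize == b.bytesize

    left = a.unpack("C#{a.bytesize}")
    res = 0
    # OR together every byte difference; the loop always runs over all bytes.
    b.each_byte { |byte| res |= byte ^ left.shift }
    res == 0
  end

  # Variable-length comparison that does not leak either input's length:
  # 1. both inputs are reduced to a 32-byte SHA256 digest (raw bytes, not hex,
  #    so only 32 bytes are compared instead of 64),
  # 2. the fixed-size digests are compared in constant time,
  # 3. only when the digests match is a plain == run to rule out a digest
  #    collision; its timing does not matter because it runs only after step 2
  #    has already returned true.
  def self.secure_compare(a, b)
    fixed_length_secure_compare(Digest::SHA256.digest(a), Digest::SHA256.digest(b)) && a == b
  end
end
```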
Xavier Noria
d66e7835be applies new string literal convention in activesupport/lib
The current code base is not uniform. After some discussion,
we have chosen to go with double quotes by default.
2016-08-06 18:10:53 +02:00
Aaron Patterson
17e6f1507b use secure string comparisons for basic auth username / password
this will avoid timing attacks against applications that use basic auth.

CVE-2015-7576
2016-01-22 14:55:14 -08:00
Guillermo Iguaran
c8c660002f Add AS::SecurityUtils.secure_compare for constant time string comparison 2014-10-23 14:54:06 -03:00