authorDennis Schubert <mail@dennis-schubert.de>2022-04-27 22:10:20 +0300
committerDennis Schubert <mail@dennis-schubert.de>2022-04-27 22:11:26 +0300
commit02eba842aed40e6411fbed8db9e32fcd0e59c642 (patch)
tree267cf69085580548d388a3611b494ca8b1872a7a
parent6ad4eb3be7a1c60af726449c98b510097fa002c1 (diff)
parent9212fd3f46d279ce7ffa8e581afdc8cad22fa166 (diff)
Merge branch 'next-minor'v0.7.17.0
-rw-r--r--Changelog.md9
-rw-r--r--Gemfile2
-rw-r--r--Gemfile.lock80
-rw-r--r--app/controllers/users_controller.rb41
-rw-r--r--app/views/two_factor_authentications/_activate.haml1
-rw-r--r--config/defaults.yml2
-rw-r--r--config/locales/diaspora/en.yml4
-rw-r--r--spec/controllers/users_controller_spec.rb69
8 files changed, 119 insertions, 89 deletions
diff --git a/Changelog.md b/Changelog.md
index 7514bf999..31c081fb0 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,12 @@
+# 0.7.17.0
+
+## Security
+* Bump Rails to 5.2.7 to address [CVE-2022-22577](https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533) and [CVE-2022-27777](https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534) [#8350](https://github.com/diaspora/diaspora/pull/8350)
+* Do not allow the user to mass assign their own password and 2fa settings alongside other parameters. Reported by Breno Vitório (@brenu) - thank you! [#8351](https://github.com/diaspora/diaspora/pull/8351)
+
+## Bug fixes
+* Don't suggest to retry exports on failure [#8343](https://github.com/diaspora/diaspora/pull/8343)
+
# 0.7.16.0
## Security
diff --git a/Gemfile b/Gemfile
index 7dbd9f939..48d1d9136 100644
--- a/Gemfile
+++ b/Gemfile
@@ -2,7 +2,7 @@
source "https://rubygems.org"
-gem "rails", "5.2.6.2"
+gem "rails", "5.2.7.1"
# Legacy Rails features, remove me!
# responders (class level)
diff --git a/Gemfile.lock b/Gemfile.lock
index ae2d48981..c0fb9eecf 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -2,25 +2,25 @@ GEM
remote: https://rubygems.org/
remote: https://gems.diasporafoundation.org/
specs:
- actioncable (5.2.6.2)
- actionpack (= 5.2.6.2)
+ actioncable (5.2.7.1)
+ actionpack (= 5.2.7.1)
nio4r (~> 2.0)
websocket-driver (>= 0.6.1)
- actionmailer (5.2.6.2)
- actionpack (= 5.2.6.2)
- actionview (= 5.2.6.2)
- activejob (= 5.2.6.2)
+ actionmailer (5.2.7.1)
+ actionpack (= 5.2.7.1)
+ actionview (= 5.2.7.1)
+ activejob (= 5.2.7.1)
mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 2.0)
- actionpack (5.2.6.2)
- actionview (= 5.2.6.2)
- activesupport (= 5.2.6.2)
+ actionpack (5.2.7.1)
+ actionview (= 5.2.7.1)
+ activesupport (= 5.2.7.1)
rack (~> 2.0, >= 2.0.8)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.0.2)
- actionview (5.2.6.2)
- activesupport (= 5.2.6.2)
+ actionview (5.2.7.1)
+ activesupport (= 5.2.7.1)
builder (~> 3.1)
erubi (~> 1.4)
rails-dom-testing (~> 2.0)
@@ -28,22 +28,22 @@ GEM
active_model_serializers (0.9.7)
activemodel (>= 3.2)
concurrent-ruby (~> 1.0)
- activejob (5.2.6.2)
- activesupport (= 5.2.6.2)
+ activejob (5.2.7.1)
+ activesupport (= 5.2.7.1)
globalid (>= 0.3.6)
- activemodel (5.2.6.2)
- activesupport (= 5.2.6.2)
- activerecord (5.2.6.2)
- activemodel (= 5.2.6.2)
- activesupport (= 5.2.6.2)
+ activemodel (5.2.7.1)
+ activesupport (= 5.2.7.1)
+ activerecord (5.2.7.1)
+ activemodel (= 5.2.7.1)
+ activesupport (= 5.2.7.1)
arel (>= 9.0)
activerecord-import (1.1.0)
activerecord (>= 3.2)
- activestorage (5.2.6.2)
- actionpack (= 5.2.6.2)
- activerecord (= 5.2.6.2)
+ activestorage (5.2.7.1)
+ actionpack (= 5.2.7.1)
+ activerecord (= 5.2.7.1)
marcel (~> 1.0.0)
- activesupport (5.2.6.2)
+ activesupport (5.2.7.1)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 0.7, < 2)
minitest (~> 5.1)
@@ -139,7 +139,7 @@ GEM
compass (~> 1.0.0)
sass-rails (< 5.1)
sprockets (< 4.0)
- concurrent-ruby (1.1.9)
+ concurrent-ruby (1.1.10)
configurate (0.5.0)
connection_pool (2.2.5)
crack (0.4.5)
@@ -337,7 +337,7 @@ GEM
mime-types (~> 3.0)
multi_xml (>= 0.5.2)
httpclient (2.8.3)
- i18n (1.9.1)
+ i18n (1.10.0)
concurrent-ruby (~> 1.0)
i18n-inflector (2.6.7)
i18n (>= 0.4.1)
@@ -392,7 +392,7 @@ GEM
multi_json (~> 1.14)
logging-rails (0.6.0)
logging (>= 1.8)
- loofah (2.14.0)
+ loofah (2.16.0)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)
macaddr (1.7.2)
@@ -527,18 +527,18 @@ GEM
rack
rack-test (1.1.0)
rack (>= 1.0, < 3)
- rails (5.2.6.2)
- actioncable (= 5.2.6.2)
- actionmailer (= 5.2.6.2)
- actionpack (= 5.2.6.2)
- actionview (= 5.2.6.2)
- activejob (= 5.2.6.2)
- activemodel (= 5.2.6.2)
- activerecord (= 5.2.6.2)
- activestorage (= 5.2.6.2)
- activesupport (= 5.2.6.2)
+ rails (5.2.7.1)
+ actioncable (= 5.2.7.1)
+ actionmailer (= 5.2.7.1)
+ actionpack (= 5.2.7.1)
+ actionview (= 5.2.7.1)
+ activejob (= 5.2.7.1)
+ activemodel (= 5.2.7.1)
+ activerecord (= 5.2.7.1)
+ activestorage (= 5.2.7.1)
+ activesupport (= 5.2.7.1)
bundler (>= 1.3.0)
- railties (= 5.2.6.2)
+ railties (= 5.2.7.1)
sprockets-rails (>= 2.0.0)
rails-assets-autosize (4.0.2)
rails-assets-backbone (1.3.3)
@@ -602,9 +602,9 @@ GEM
rails-timeago (2.19.1)
actionpack (>= 3.1)
activesupport (>= 3.1)
- railties (5.2.6.2)
- actionpack (= 5.2.6.2)
- activesupport (= 5.2.6.2)
+ railties (5.2.7.1)
+ actionpack (= 5.2.7.1)
+ activesupport (= 5.2.7.1)
method_source
rake (>= 0.8.7)
thor (>= 0.19.0, < 2.0)
@@ -878,7 +878,7 @@ DEPENDENCIES
rack-piwik (= 0.3.0)
rack-rewrite (= 1.5.1)
rack-ssl (= 1.4.1)
- rails (= 5.2.6.2)
+ rails (= 5.2.7.1)
rails-assets-autosize (= 4.0.2)!
rails-assets-backbone (= 1.3.3)!
rails-assets-blueimp-gallery (= 2.33.0)!
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 726f46f2e..99a0297a0 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -18,25 +18,17 @@ class UsersController < ApplicationController
end
def update
- password_changed = false
- user_data = user_params
@user = current_user
- if user_data
- # change password
- if params[:change_password]
- password_changed = change_password(user_data)
- else
- update_user(user_data)
- end
+ if params[:change_password] && user_password_params
+ password_changed = change_password(user_password_params)
+ return redirect_to new_user_session_path if password_changed
+ elsif user_params
+ update_user(user_params)
end
- if password_changed
- redirect_to new_user_session_path
- else
- set_email_preferences
- render :edit
- end
+ set_email_preferences
+ render :edit
end
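Review bot: `user_password_params` is evaluated twice in the new `update` (once in the `if` condition and once as the argument to `change_password`), and `user_params` likewise in the `elsif` and in `update_user`; each call re-runs `params.fetch(:user).permit(...)`, so whatever `action_on_unpermitted_parameters` is configured to do (log or raise) fires twice per request. Because `permit` returns an `ActionController::Parameters` object and never `nil`, the `&& user_password_params` and `elsif user_params` tests can never be false; their only effect is that `params.fetch(:user)` raises `ActionController::ParameterMissing` when the `user` key is missing, which the immediately following call would raise anyway. Calling each strong-parameter method once and dropping the redundant guards keeps the behaviour (including the 400 on a missing `user` key) and makes the password/profile split easier to read. The whole `update` body is inside this hunk.
```ruby
def update
  @user = current_user
  if params[:change_password]
    # Password fields only reach Devise's update_with_password (via change_password),
    # which verifies current_password; they never go through update_user.
    return redirect_to new_user_session_path if change_password(user_password_params)
  else
    update_user(user_params)
  end
  # … unchanged: set_email_preferences / render :edit …
```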
def update_privacy_settings
@@ -137,13 +129,9 @@ class UsersController < ApplicationController
private
- # rubocop:disable Metrics/MethodLength
def user_params
params.fetch(:user).permit(
:email,
- :current_password,
- :password,
- :password_confirmation,
:language,
:color_theme,
:disable_mail,
@@ -152,12 +140,17 @@ class UsersController < ApplicationController
:auto_follow_back_aspect_id,
:getting_started,
:post_default_public,
- :otp_required_for_login,
- :otp_secret,
email_preferences: UserPreference::VALID_EMAIL_TYPES.map(&:to_sym)
)
end
- # rubocop:enable Metrics/MethodLength
+
+ def user_password_params
+ params.fetch(:user).permit(
+ :current_password,
+ :password,
+ :password_confirmation
+ )
+ end
def update_user(user_data)
if user_data[:email_preferences]
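Review bot: The new `user_password_params` carries no explanation of why the password fields were split out of `user_params`, although this hunk and the preceding one (`@@ -137,13 +129,9 @@`) remove `:current_password`, `:password`, `:password_confirmation`, `:otp_required_for_login` and `:otp_secret` from the permitted list, which is the whole point of the fix. A short comment would stop a later change from merging them back: `# Deliberately separate from user_params: these keys may only reach change_password,` / `# i.e. Devise's update_with_password (which checks current_password), never update_user.` For `user_params` a matching one-liner would help, e.g. `# OTP fields are not mass-assignable here; 2FA is presumably handled by the two-factor controller — confirm`, since the hidden `otp_required_for_login` field is also dropped from `_activate.haml` in this commit but the receiving controller is not in the diff. `update_user`'s body continues outside the hunk.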
@@ -177,8 +170,8 @@ class UsersController < ApplicationController
end
end
- def change_password(user_data)
- if @user.update_with_password(user_data)
+ def change_password(password_params)
+ if @user.update_with_password(password_params)
flash[:notice] = t("users.update.password_changed")
true
else
diff --git a/app/views/two_factor_authentications/_activate.haml b/app/views/two_factor_authentications/_activate.haml
index ef6b0a7ff..960f48e6b 100644
--- a/app/views/two_factor_authentications/_activate.haml
+++ b/app/views/two_factor_authentications/_activate.haml
@@ -6,6 +6,5 @@
.well= t("two_factor_auth.deactivated.status")
= form_for "user", url: two_factor_authentication_path, html: {method: :post} do |f|
- = f.hidden_field :otp_required_for_login, value: true
.clearfix.form-group= f.submit t("two_factor_auth.deactivated.change_button"),
class: "btn btn-primary pull-right"
diff --git a/config/defaults.yml b/config/defaults.yml
index 3d8241653..ecd38c6a8 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -4,7 +4,7 @@
defaults:
version:
- number: "0.7.16.0" # Do not touch unless doing a release, do not backport the version number that's in master
+ number: "0.7.17.0" # Do not touch unless doing a release, do not backport the version number that's in master
heroku: false
environment:
url: "http://localhost:3000/"
diff --git a/config/locales/diaspora/en.yml b/config/locales/diaspora/en.yml
index 4558214f9..c9ffd03b3 100644
--- a/config/locales/diaspora/en.yml
+++ b/config/locales/diaspora/en.yml
@@ -814,7 +814,7 @@ en:
Hello %{name}
We’ve encountered an issue while processing your personal data for download.
- Please try again!
+ If this issue persists, please contact your podmin for help.
Sorry,
@@ -835,7 +835,7 @@ en:
Hello %{name}
We’ve encountered an issue while processing your photos for download.
- Please try again!
+ If this issue persists, please contact your podmin for help.
Sorry,
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index 85c70f18d..ac3e79727 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -110,38 +110,67 @@ describe UsersController, :type => :controller do
end
end
- describe '#update' do
- before do
- @params = { :id => @user.id,
- :user => { :diaspora_handle => "notreal@stuff.com" } }
- end
-
- it "doesn't overwrite random attributes" do
- expect {
- put :update, params: @params
- }.not_to change(@user, :diaspora_handle)
- end
+ describe "#update" do
+ context "with random params" do
+ let(:params) { {id: @user.id, user: {diaspora_handle: "notreal@stuff.com"}} }
+
+ it "doesn't overwrite random attributes" do
+ expect {
+ put :update, params: params
+ }.not_to change(@user, :diaspora_handle)
+ end
- it 'renders the user edit page' do
- put :update, params: @params
- expect(response).to render_template('edit')
+ it "renders the user edit page" do
+ put :update, params: params
+ expect(response).to render_template('edit')
+ end
end
- describe 'password updates' do
+ describe "password updates" do
let(:password_params) do
- {:current_password => 'bluepin7',
- :password => "foobaz",
- :password_confirmation => "foobaz"}
+ {current_password: "bluepin7", password: "foobaz", password_confirmation: "foobaz"}
end
let(:params) do
- {id: @user.id, user: password_params, change_password: 'Change Password'}
+ {id: @user.id, user: password_params, change_password: "Change Password"}
+ end
+
+ before do
+ allow(@controller).to receive(:current_user).and_return(@user)
+ allow(@user).to receive(:update_with_password)
+ allow(@user).to receive(:update_attributes)
end
it "uses devise's update with password" do
- expect(@user).to receive(:update_with_password).with(hash_including(password_params))
+ put :update, params: params
+
+ expect(@user).to have_received(:update_with_password).with(hash_including(password_params))
+ expect(@user).not_to have_received(:update_attributes).with(hash_including(password_params))
+ end
+
+ it "does not update the password without the change_password param" do
+ put :update, params: params.except(:change_password).deep_merge(user: {language: "de"})
+
+ expect(@user).not_to have_received(:update_with_password).with(hash_including(password_params))
+ expect(@user).not_to have_received(:update_attributes).with(hash_including(password_params))
+ expect(@user).to have_received(:update_attributes).with(hash_including(language: "de"))
+ end
+ end
+
+ context "with otp params" do
+ let(:otp_params) { {otp_required_for_login: false, otp_secret: "mykey"} }
+ let(:params) { {id: @user.id, user: otp_params} }
+
+ before do
allow(@controller).to receive(:current_user).and_return(@user)
+ allow(@user).to receive(:update_attributes)
+ end
+
+ it "does not accept the params" do
put :update, params: params
+
+ expect(@user).not_to have_received(:update_attributes)
+ .with(hash_including(:otp_required_for_login, :otp_secret))
end
end
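Review bot: The `"does not accept the params"` example at the end of the hunk can pass vacuously: `not_to have_received(:update_attributes).with(hash_including(...))` also holds when `update_attributes` is never called at all, for instance if the request errors out before `update_user` runs. Adding a positive expectation first, `expect(@user).to have_received(:update_attributes)`, makes the example prove that the request went through and only the OTP keys were filtered out; whether `update_user` always calls `update_attributes` for an empty permitted hash is not visible in this diff, so confirm against the controller before relying on it. The `"does not update the password without the change_password param"` example has the same shape but is already anchored by its third expectation on `language: "de"`. The enclosing `describe "#update"` block closes outside the hunk.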