Added documentation on how to mitigate CVE-2015-9284. #175

Merged (3 commits), Mar 10, 2021
21 changes: 20 additions & 1 deletion README.md
@@ -109,7 +109,26 @@ MyLogger.send :include, ActiveRecord::SessionStore::Extension::LoggerSilencer
This silencer is being used to silence the logger and not leaking private
information into the log, and it is required for security reason.

## Contributing to Active Record Session Store
CVE-2015-9284 mitigation
@thorsteneckel was this just a mistake or does CVE-2015-9284 have any connection to CVE-2019-25025?

--------------

Active Record Session Store in version 1.1.3 and below are affected by [CVE-2019-25025](https://github.com/advisories/GHSA-cvw2-xj8r-mjf7). This means an attacker can perform a timing attack against the session IDs stored in the database. This issue was resolved with `activerecord-session_store` version 1.1.4 thanks to [PR 151](https://github.com/rails/activerecord-session_store/pull/151). The fix contains a backwards compatibilty fallback that migrates affected sessions whenever they are used successfully.
However, as long those sessions exist in your database you are still affected by the security issue. Therefore it is strongly recommended not to rely on the fallback but to actively migrate the insecurely stored session IDs by calling the `#secure!` method on all sessions (see below for an example migration). Please be aware that you need to copy/adapt this method if you're using a custom class for storing your sessions (as described earlier in the `Configuration` part of this `README`).
The following example Active Record Migration will work for the default setup of this gem:

```ruby
# db/migrate/20210310083511_cve201925025_mitigation.rb
class Cve201925025Mitigation < ActiveRecord::Migration[5.2]
def change
ActionDispatch::Session::ActiveRecordStore.session_class.find_each(&:secure!)
end
end
```

After `rails db:migrate` is performed the session IDs are stored in the securely hashed format provided by `Rack::Session::SessionId`. The system is no longer affected by CVE-2015-9284.

Contributing to Active Record Session Store
--------------

Active Record Session Store is work of many contributors. You're encouraged to submit pull requests, propose features and discuss issues.
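Review bot: the CVE identifiers in this hunk are inconsistent: the new heading reads "CVE-2015-9284 mitigation" and the closing sentence says the system "is no longer affected by CVE-2015-9284", while the body text, the advisory link (GHSA-cvw2-xj8r-mjf7), the migration filename and the class name all refer to CVE-2019-25025; pick the identifier the linked advisory carries and use it in the heading, the closing sentence and the PR title. Two wording fixes in the same paragraph: "backwards compatibilty fallback" should be "backwards compatibility fallback", and "as long those sessions exist" should be "as long as those sessions exist". In the migration, the data-only update sits in `change`, which has no automatic inverse; defining `up` instead, with `down` as a no-op or raising `ActiveRecord::IrreversibleMigration`, would make the one-way nature of the rehashing explicit. `find_each` already batches the rows, so the example is otherwise fine for the default session class.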
