
Commit c16ddd2

Merge pull request #175 from thorsteneckel/patch-1
Added documentation on how to mitigate CVE-2015-9284.
2 parents 9d4dd11 + 4b705d9 commit c16ddd2

File tree

1 file changed

+24
-1
lines changed

README.md

@@ -109,7 +109,30 @@ MyLogger.send :include, ActiveRecord::SessionStore::Extension::LoggerSilencer
109109
This silencer is being used to silence the logger and not leaking private
110110
information into the log, and it is required for security reason.
111111

112-
## Contributing to Active Record Session Store
112+
CVE-2015-9284 mitigation
113+
--------------
114+
115+
Active Record Session Store in version 1.1.3 and below are affected by [CVE-2019-25025](https://github.com/advisories/GHSA-cvw2-xj8r-mjf7). This means an attacker can perform a timing attack against the session IDs stored in the database. This issue was resolved with `activerecord-session_store` version 1.1.4 thanks to [PR 151](https://github.com/rails/activerecord-session_store/pull/151). The fix contains a backwards compatibilty fallback that migrates affected sessions whenever they are used successfully.
116+
However, as long those sessions exist in your database you are still affected by the security issue. Therefore it is strongly recommended not to rely on the fallback but to actively migrate the insecurely stored session IDs by calling the `#secure!` method on all sessions (see below for an example migration). Please be aware that you need to copy/adapt this method if you're using a custom class for storing your sessions (as described earlier in the `Configuration` part of this `README`).
117+
The following example Active Record Migration will work for the default setup of this gem:
118+
119+
```ruby
120+
# db/migrate/20210310083511_cve201925025_mitigation.rb
121+
class Cve201925025Mitigation < ActiveRecord::Migration[5.2]
122+
def up
123+
ActionDispatch::Session::ActiveRecordStore.session_class.find_each(&:secure!)
124+
end
125+
126+
def down
127+
# no-op
128+
end
129+
end
130+
```
131+
132+
After `rails db:migrate` is performed the session IDs are stored in the securely hashed format provided by `Rack::Session::SessionId`. The system is no longer affected by CVE-2015-9284.
133+
134+
Contributing to Active Record Session Store
135+
--------------
113136

114137
Active Record Session Store is work of many contributors. You're encouraged to submit pull requests, propose features and discuss issues.
115138

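Review bot: the new section is internally inconsistent about which vulnerability it mitigates. The heading ("CVE-2015-9284 mitigation") and the closing sentence ("The system is no longer affected by CVE-2015-9284.") name one identifier, while the body text, the migration class name `Cve201925025Mitigation` and the linked advisory (GHSA-cvw2-xj8r-mjf7) all refer to CVE-2019-25025; since the advisory link is the authoritative reference here, the heading and closing sentence should use the same identifier as the link. Two smaller wording fixes in the same paragraphs: "backwards compatibilty fallback" should be "backwards compatibility fallback", and "as long those sessions exist" should read "as long as those sessions exist". Finally, the `down` method is a bare `# no-op`; because `#secure!` rewrites stored session IDs and cannot be undone, it would be clearer to document that explicitly (for example by raising `ActiveRecord::IrreversibleMigration` in `down`) so operators do not assume a rollback restores the previous state, and it is worth noting next to `find_each(&:secure!)` that this walks every row of the sessions table, which on a large table should be scheduled accordingly.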