From b7dee05514529b0d2743fdaaaa80239ad700d07a Mon Sep 17 00:00:00 2001
From: Zachary Belzer
Date: Wed, 23 Jun 2021 16:52:08 -0500
Subject: [PATCH 1/3] Use AbstractSecureStore

This allows the store to take advantage of security fix added in https://github.com/rack/rack/commit/cc1d162d28396b6a71f266e6a40ffc19a258792b
---
 lib/redis-session-store.rb | 2 +-
 spec/redis_session_store_spec.rb | 7 +++++++
 spec/support.rb | 19 ++++++++++++++++---
 3 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/lib/redis-session-store.rb b/lib/redis-session-store.rb
index 89d020c..d0200b9 100644
--- a/lib/redis-session-store.rb
+++ b/lib/redis-session-store.rb
@@ -2,7 +2,7 @@
 # Redis session storage for Rails, and for Rails only. Derived from
 # the MemCacheStore code, simply dropping in Redis instead.
-class RedisSessionStore < ActionDispatch::Session::AbstractStore
+class RedisSessionStore < ActionDispatch::Session::AbstractSecureStore
 VERSION = '0.11.3'.freeze
 # Rails 3.1 and beyond defines the constant elsewhere
 unless defined?(ENV_SESSION_OPTIONS_KEY)
diff --git a/spec/redis_session_store_spec.rb b/spec/redis_session_store_spec.rb
index 5767603..f00a90a 100644
--- a/spec/redis_session_store_spec.rb
+++ b/spec/redis_session_store_spec.rb
@@ -281,6 +281,13 @@
 let(:fake_key) { 'thisisarediskey' }
+ describe 'generate_sid' do
+ it 'generates a secure ID' do
+ sid = store.send(:generate_sid)
+ expect(sid).to be_a(Rack::Session::SessionId)
+ end
+ end
+
 it 'retrieves the prefixed key from redis' do
 redis = double('redis')
 allow(store).to receive(:redis).and_return(redis)
diff --git a/spec/support.rb b/spec/support.rb
index 32ccea9..a1bad2f 100644
--- a/spec/support.rb
+++ b/spec/support.rb
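Review bot: Switching the base class to `ActionDispatch::Session::AbstractSecureStore` only delivers the hashed-session-id protection the commit message refers to if the store's Redis key derivation changes as well, and that code is outside this hunk. Under the secure store the id handed to the find/write/delete hooks is a `Rack::Session::SessionId`, so a lookup that still interpolates the id or calls `to_s` on it persists the public, cookie-visible value; please confirm the key is built from `sid.private_id`, with a `public_id` fallback only for reading sessions written before the change. `AbstractSecureStore` is also absent from older ActionDispatch releases, so this drops support for them unless the gemspec (not in the patch) raises its floor; a line above the class such as `# Requires the Rack/ActionDispatch releases that ship AbstractSecureStore (hashed session ids in the backing store).` would make that explicit.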
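Review bot: The new `generate_sid` example only pins the return type, so it passes equally against the `spec/support.rb` shim, whose `SessionId#public_id` is never assigned, and asserts nothing about the id itself. Adding `expect(sid.public_id).to match(/\A\h+\z/)` would both catch a broken shim and check that the id is a non-empty hex string, which is what the shim's `rand(...).to_s(16)` produces; the real store's id format is outside this patch, so adjust the pattern if it differs. Since the example reaches a private method via `store.send(:generate_sid)`, a one-line comment saying it is deliberately testing the inherited secure generator would help readers of the spec.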
@@ -7,11 +7,24 @@ module Abstract
 end
 end
 end
+unless defined?(Rack::Session::SessionId)
+ module Rack
+ module Session
+ class SessionId
+ attr_reader :public_id
+
+ def initialize(public_id)
+ @public_id
+ end
+ end
+ end
+ end
+end
-unless defined?(ActionDispatch::Session::AbstractStore)
+unless defined?(ActionDispatch::Session::AbstractSecureStore)
 module ActionDispatch
 module Session
- class AbstractStore
+ class AbstractSecureStore
 ENV_SESSION_OPTIONS_KEY = 'rack.session.options'.freeze
 DEFAULT_OPTIONS = {
 key: '_session_id',
@@ -33,7 +46,7 @@ def initialize(app, options = {})
 private
 def generate_sid
- rand(999..9999).to_s(16)
+ Rack::Session::SessionId.new(rand(999..9999).to_s(16))
 end
 end
 end
From 8d33539ff70508cdf98245e3272f45540a464b36 Mon Sep 17 00:00:00 2001
From: Zachary Belzer
Date: Wed, 23 Jun 2021 16:54:04 -0500
Subject: [PATCH 2/3] Add myself as an author

---
 AUTHORS.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/AUTHORS.md b/AUTHORS.md
index 64438a6..e590a1f 100644
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -23,3 +23,4 @@ Redis Session Store authors
 - Anton Kolodii
 - Peter Karman
 - Zach Margolis
+- Zachary Belzer
From 07d556d7e5fd479bf4c6bfe6a178dc5303bf6227 Mon Sep 17 00:00:00 2001
From: Zach Margolis
Date: Mon, 15 Nov 2021 11:43:59 -0800
Subject: [PATCH 3/3] Bump version

---
 lib/redis-session-store.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/redis-session-store.rb b/lib/redis-session-store.rb
index d0200b9..4240f47 100644
--- a/lib/redis-session-store.rb
+++ b/lib/redis-session-store.rb
@@ -3,7 +3,7 @@
 # Redis session storage for Rails, and for Rails only. Derived from
 # the MemCacheStore code, simply dropping in Redis instead.
 class RedisSessionStore < ActionDispatch::Session::AbstractSecureStore
- VERSION = '0.11.3'.freeze
+ VERSION = '0.11.4-18f'.freeze
 # Rails 3.1 and beyond defines the constant elsewhere
 unless defined?(ENV_SESSION_OPTIONS_KEY)
 ENV_SESSION_OPTIONS_KEY = if Rack.release.split('.').first.to_i > 1
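Review bot: In the `Rack::Session::SessionId` shim, `initialize` evaluates `@public_id` without assigning it, so `public_id` on every stubbed id is `nil`; the line should read `@public_id = public_id`. Nothing in the suite exercises the accessor (the spec stops at `be_a(Rack::Session::SessionId)`), which is why the defect goes unnoticed. The shim also defines no `private_id`, so specs run against it cannot cover the hashed-key lookup path of the real secure store; a comment on the `unless defined?` line such as `# Minimal stand-in for Rack's SessionId when a pre-SessionId Rack is loaded; it has no private_id, so hashed-key behaviour is not covered by these specs.` would flag that gap. The second hunk's wrapping of `generate_sid` in `Rack::Session::SessionId.new` matches the return type the spec now expects.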