[Security] Bump devise from 2.2.8 to 3.5.10 #4084
Conversation
This PR has been moved to the new security private repo https://github.com/openfoodfoundation/ofn-security/issues/3
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting. If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
I don't see any way of deleting a pull request either. Apparently GitHub staff would delete it on request if it contained sensitive information. Not sure if this PR is sensitive enough for that. I still think that someone who wants to exploit this will search GitHub for projects with this dependency. The chance that someone is inspired to use this after crawling through closed pull requests is very low. But this is feedback we should give to Dependabot. GitHub displays security alerts only to collaborators or owners. Dependabot (now owned by GitHub) breaches that rule.
Very interesting @mkllnk 👍
Can we just mention @dependabot to get this feedback across?
👋 If you need additional help with Dependabot, please fill out GitHub's Support form and your request will be routed to the right team at GitHub. Be sure to include the details of any troubleshooting steps you've tried so far.
Now that we are on Rails 4, I am re-opening this PR to see if we can now make this step. BTW, the high severity security vulnerability related to devise is only solved after upgrading to devise 4.7.1
@dependabot rebase |
Looks like this PR is closed. If you re-open it, I'll rebase it, as long as no-one else has edited it.
@dependabot recreate |
Looks like this PR is closed. If you re-open it I'll rebase it as long as no-one else has edited it (you can use
@dependabot reopen |
@dependabot rebase |
I added a few commits.
I think it's related to the fact that now the token that is sent by email is not the same as the token stored in the DB, so we may need to do this trick in our specs as well: There's also this embedded shop spec broken:
This was tough 🤕 but it's working now. I think there's only a problem with logout on embedded pages, I'll have a look tomorrow. Almost there 🤞
@@ -49,14 +45,14 @@ def admin? | |||
has_spree_role?('admin') | |||
end | |||
|
|||
def send_reset_password_instructions |
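Review bot: the hunk is cut off at `def send_reset_password_instructions` with no `+`/`-` marker visible, so the diff does not show whether the custom override is removed or rewritten; since the thread concludes the method is now supplied by Devise's Recoverable module, the hunk should show the whole override deleted rather than partially edited, and the commit message should say why the override is no longer needed (Devise now returns the raw token and persists only its digest, which the later commits in this PR rely on).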
where did this go then? How is it now implemented?
We need to get our code review process faster, I mean, this was written 1 month ago, I am not the author anymore.
Let's see what this Luis from one month ago wanted to do... I'll investigate now.
OK, got it. This is now done in vanilla devise:
https://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Recoverable/ClassMethods#send_reset_password_instructions-instance_method
It comes into our User.rb through the recoverable decorator 👍 and we don't need to change it on our side anymore.
Looks pretty good to me
@luisramos0 I found one pre-existing issue. Usually I would still approve the PR to get the current improvements in but to save on testing, we should do the change here. Do you agree?
Bumps [devise](https://github.com/plataformatec/devise) from 2.2.8 to 3.5.10. **This update includes a security fix.**
- [Release notes](https://github.com/plataformatec/devise/releases)
- [Changelog](https://github.com/plataformatec/devise/blob/v3.5.10/CHANGELOG.md)
- [Commits](heartcombo/devise@v2.2.8...v3.5.10)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
… db is an encrypted version of the token sent in the email. In this particular case, the user confirmations controller is redirecting to the reset password page but it doesn't know what the raw reset_password_token is, so we regenerate the reset password token so that it can know the raw value for the redirect. The method User#regenerate_reset_password_token is a proxy to the protected method in Devise::Recoverable
… confirming their email
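The raw-versus-stored token mismatch described in the commit message above (and the spec "trick" mentioned earlier in the thread) in runnable form: the database holds only a keyed digest, so a controller that needs the raw value for a redirect has to regenerate the token. This is an added example, not OFN's or Devise's code; SECRET, ResetToken and the in-memory User are constructed stand-ins for secret_key_base, Devise::TokenGenerator and the real model.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not OFN or Devise code. It copies the shape of the Devise >= 3.1
# scheme the commit message refers to: the raw token is mailed, the database keeps
# only an HMAC digest, so a controller cannot read the raw value back from the
# record. SECRET is a constructed placeholder for the app's secret_key_base.
SECRET = 'constructed-secret-for-this-example-only'

module ResetToken
  # Devise::TokenGenerator derives a per-column key from the app secret with
  # Rails' KeyGenerator (PBKDF2-HMAC-SHA1) and stores HMAC-SHA256(key, raw).
  def self.digest(raw)
    key = OpenSSL::KDF.pbkdf2_hmac(SECRET, salt: 'Devise reset_password_token',
                                   iterations: 1000, length: 64, hash: 'sha1')
    OpenSSL::HMAC.hexdigest('SHA256', key, raw)
  end

  # Returns [raw, digest]: raw goes into the email, digest into the DB column.
  def self.generate
    raw = SecureRandom.urlsafe_base64(15)
    [raw, digest(raw)]
  end
end

# In-memory stand-in for the Devise-backed User model.
class User
  attr_reader :reset_password_token
  # Mirrors the PR's User#regenerate_reset_password_token proxy: persists the
  # digest and hands back the raw token the redirect/mailer needs.
  def regenerate_reset_password_token
    raw, @reset_password_token = ResetToken.generate
    raw
  end

  # Devise's reset lookup: digest the submitted token, compare with the column.
  def self.find_by_raw_token(users, raw)
    users.find { |u| u.reset_password_token == ResetToken.digest(raw) }
  end
end
# Constructed walk-through of the confirm -> redirect-to-reset flow.
def reset_flow_checks
  user = User.new
  previous_raw = user.regenerate_reset_password_token # token mailed earlier
  raw = user.regenerate_reset_password_token          # regenerated for the redirect
  [User.find_by_raw_token([user], raw) == user,                   # fresh raw token resolves
   User.find_by_raw_token([user], previous_raw).nil?,             # earlier token now invalid
   User.find_by_raw_token([user], user.reset_password_token).nil?] # stored digest is not a token
end
```

The same regenerate-then-use pattern is what a spec has to do when it needs a usable reset link, since reading the column back from the record only yields the digest.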
Co-authored-by: Maikel <maikel@email.org.au>
Hi @luisramos0! I manually tested the workflows for signup, forgotten password, logging in and out:
Ready to go.
@luisramos0 can we close this one?
I extended this dependabot PR with quite a few commits to adapt OFN to devise 3.5.10. Ready for Review!
What to test:
We need to manually test all the login/logout/signup/forgotten password workflows in the app.
Dependabot original PR
Bumps devise from 2.2.8 to 3.5.10. This update includes a security fix.
Vulnerabilities fixed
Sourced from The Ruby Advisory Database.
Release notes
Sourced from devise's releases.
Changelog
Sourced from devise's changelog.
Commits
321fe1d Release 3.5.10
a7dcf98 Fix overwriting the remember_token when a valid one already exists (#4101)
7e658a2 Release 3.5.9
0252f0e Extract list of both strategies into class constant
07e907e 🪲 Fix strategy checking in #unlock_strategy_enabled? for :none and und...
e9ed3e2 Support for older rails versions.
2fa6735 Lock mime-types to ~> 2.99
b8cddc3 Release 3.5.8
1d57169 Send confirmation instructions when a user updates the email address from nil
812c1de Release 3.5.7 version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it). To ignore the version in this PR you can just close it
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
@dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot dashboard:
Finally, you can contact us by mentioning @dependabot.