Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a separator to the cache key for ActiveSupport::CachingKeyGenerator #39143

Merged
merged 1 commit into from May 4, 2020
Merged

Add a separator to the cache key for ActiveSupport::CachingKeyGenerator #39143

merged 1 commit into from May 4, 2020

Conversation

JackMc
Copy link
Contributor

@JackMc JackMc commented May 4, 2020

Summary

The ActiveSupport::CachingKeyGenerator is a thin wrapper around ActiveSupport::KeyGenerator that uses a Hash to memoize the output. The Hash key is currently a simple concatenation of the salt and the key length. This means if generate_key is called like @caching_generator.generate_key("133", 7) and then @caching_generator.generate_key("13", 37), the cache key will be the same (1337) and the output in the second case will be a 7-byte key, rather than a 37-byte key. Neither of these values should be user-controlled in normal usage of this class, so it is unlikely that a cache key collision here would be exploitable in practice.

We fix this issue by adding a separator (|) that delineates the key size from the salt.

Other Information

This PR was a result of a report to the Rails bug bounty program by https://hackerone.com/mysterican.

@tenderlove tenderlove merged commit 351e38d into rails:master May 4, 2020
@JackMc JackMc mentioned this pull request May 4, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
activesupport
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@JackMc @tenderlove