Today, calling `Model.signed_id` has a chance of generating URL-unsafe strings.
From my research, this has always been true, but I believe it may be more likely to happen due to changes in how Ruby objects might be serialized after #47916 was merged (which IMO is a great change).
In my view, when @dhh introduced signed_ids he always intended them to be URL safe.
Since the intent of signed_ids is to be included in things like URL params, we should be passing the `url_safe: true` option to `MessageVerifier`.
Steps to reproduce
```ruby
# frozen_string_literal: true

require "bundler/inline"

gemfile(true) do
  source "https://rubygems.org"

  git_source(:github) { |repo| "https://github.com/#{repo}.git" }

  # Activate the gem you are reporting the issue against.
  gem "activerecord", "~> 7.1.0"
  gem "sqlite3"
end

require "active_record"
require "minitest/autorun"
require "logger"

# This connection will do for database-independent bug reports.
ActiveRecord::Base.establish_connection(adapter: "sqlite3", database: ":memory:")
ActiveRecord::Base.logger = Logger.new(STDOUT)
ActiveRecord::Base.signed_id_verifier_secret = "foobar"

ActiveRecord::Schema.define do
  create_table :users, force: true do |t|
  end
end

class User < ActiveRecord::Base
end

class BugTest < Minitest::Test
  # Minitest only runs methods whose name starts with `test`, so the method
  # is prefixed accordingly.
  def test_check_for_unsafe_base64_characters
    user = User.create!
    signed_id = user.signed_id(purpose: "~~~~~~~~~")
    # `+` is not a url-safe character
    assert !signed_id.include?("+")
  end
end
```
Expected behavior
`user.signed_id` should generate Base64 strings that are URL safe.
Actual behavior
The `+` is included, which is not safe for URLs.
System configuration
Rails version: 7.1.0
Ruby version: 3.2.2
Monkey Patch
Here is the patch I am using in my app that fixes the issue.
```ruby
module ActiveRecord
  module SignedId
    module ClassMethods
      # Overriding this method because we want Rails to support signed_ids that are url_safe
      def signed_id_verifier
        @signed_id_verifier ||= begin
          secret = signed_id_verifier_secret
          secret = secret.call if secret.respond_to?(:call)

          if secret.nil?
            raise ArgumentError, "You must set ActiveRecord::Base.signed_id_verifier_secret to use signed ids"
          else
            ActiveSupport::MessageVerifier.new secret, digest: "SHA256", serializer: JSON, url_safe: true
          end
        end
      end
    end
  end
end
```
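To show concretely what the `url_safe:` option changes, here is an added example that is not code from the issue or from Rails: a constructed stand-in for MessageVerifier's `payload--hmac` token layout, signed with the same `"~~~~~~~~~"` purpose as the repro, plus a check for characters a URL will mangle. `MiniVerifier` and `url_unsafe?` are hypothetical names, and the JSON envelope is only an approximation of what signed_id serializes.

```ruby
require "base64"
require "json"
require "openssl"
# Constructed stand-in for the "<base64 payload>--<hex HMAC>" token layout of
# ActiveSupport::MessageVerifier; not Rails' own code. Only the alphabet changes.
class MiniVerifier
  URL_UNSAFE = /[+\/=]/   # characters a URL will reinterpret or strip
  def initialize(secret, url_safe: false)
    @secret, @url_safe = secret, url_safe
  end
  # Sign a JSON payload shaped like signed_id's {data, purpose} envelope.
  def generate(value, purpose:)
    data = encode(JSON.generate("_rails" => { "data" => value, "pur" => purpose }))
    "#{data}--#{digest(data)}"
  end

  # Returns the payload when the HMAC matches, nil for any tampered or
  # URL-mangled token (a '+' turned into a space changes the bytes, so the HMAC fails).
  def verify(token)
    data, sig = token.split("--", 2)
    return nil unless data && sig && secure_compare(digest(data), sig)
    JSON.parse(decode(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private
  def encode(str)
    @url_safe ? Base64.urlsafe_encode64(str, padding: false) : Base64.strict_encode64(str)
  end

  def decode(str)
    @url_safe ? Base64.urlsafe_decode64(str) : Base64.strict_decode64(str)
  end

  def digest(data)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, data)
  end

  def secure_compare(a, b)   # constant-time comparison of two hex digests
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# True when a token carries characters that do not survive a URL unchanged.
def url_unsafe?(token)
  !!(token =~ MiniVerifier::URL_UNSAFE)
end
```

With the standard alphabet the run of `~` bytes encodes to `fn5+fn5+fn5+`, so the token fails `url_unsafe?`; with `url_safe: true` the same payload encodes with `-` and passes, and a token whose `+` was decoded as a space by a URL parser no longer verifies.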