
Fix ActionController::TestSession#id to return Rack::Session::SessionId instance #38063

Merged
merged 3 commits into from Jan 10, 2020

Conversation

Contributor

abcang commented Dec 21, 2019

When testing with ActionController::TestCase, session.id returns a string value. With the update to rack v2.0.8, session.id now returns an instance of Rack::Session::SessionId. Therefore, fix session.id to return an instance of Rack::Session::SessionId when testing with ActionController::TestCase.

rails-bot added the actionpack label Dec 21, 2019
Contributor

bquorning left a comment

On 2a52a38#commitcomment-36521253, I commented exactly that ActionController::TestSession.initialize should be updated to use Rack::Session::SessionId for its @id assignment. Happy to see this PR 👍

@@ -176,12 +176,12 @@ class LiveTestResponse < Live::Response

# Methods #destroy and #load! are overridden to avoid calling methods on the
# @store object, which does not exist for the TestSession class.
class TestSession < Rack::Session::Abstract::SessionHash #:nodoc:
class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash #:nodoc:
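Review bot: The superclass switch from Rack::Session::Abstract::SessionHash to Rack::Session::Abstract::PersistedSecure::SecureSessionHash is the substantive change in this hunk, but the comment directly above it still only explains the #destroy and #load! overrides. Add a sentence there stating that SecureSessionHash is used so that @id holds a Rack::Session::SessionId and `["session_id"]` resolves to its public_id, matching what Rack::Session::Abstract::PersistedSecure does in rack 2.0.8; otherwise the next reader has to reconstruct the reason from this review thread.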

Contributor

bquorning commented Jan 5, 2020

I am not sure why the superclass has to change. Can you please explain?

Author Contributor

abcang commented Jan 6, 2020

Rack::Session::Abstract::PersistedSecure uses Rack::Session::Abstract::PersistedSecure::SecureSessionHash instead of Rack::Session::Abstract::SessionHash. Therefore, I changed the superclass of TestSession to use SecureSessionHash as well.
The difference between SessionHash and SecureSessionHash is the behavior when accessing ["session_id"]. In the case of SecureSessionHash, the public_id of @id is returned.

https://github.com/rack/rack/blob/7fecaee81f59926b6e1913511c90650e76673b38/lib/rack/session/abstract/id.rb#L461-L463
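To make the public_id/private_id split discussed above concrete, here is an added Ruby example that is not part of this PR, of Rails or of Rack: a simplified stand-in for Rack::Session::SessionId and for the SecureSessionHash lookup that the superclass change relies on. The class names SessionId and TestSession, the helper session_id_checks and the sample ids are assumed for illustration; the private_id format mirrors rack 2.0.8's "2::" prefix plus a SHA-256 hex digest of the public id.

```ruby
require "digest"
require "securerandom"

# Simplified stand-in for Rack::Session::SessionId (rack >= 2.0.8).
# The browser cookie carries public_id; the session store is keyed by
# private_id, a digest, so a leaked store dump does not yield values
# that can be replayed as cookies (the CVE-2019-16782 fix).
class SessionId
  ID_VERSION = 2
  attr_reader :public_id

  def initialize(public_id)
    @public_id = public_id
  end

  def private_id
    "#{ID_VERSION}::#{Digest::SHA256.hexdigest(public_id)}"
  end

  alias to_s public_id
end

# Simplified stand-in for the SecureSessionHash behaviour this PR
# relies on: #id is a SessionId object, and ["session_id"] resolves to
# its public_id rather than to an entry stored in the hash.
class TestSession < Hash
  attr_reader :id

  def initialize(id = SessionId.new(SecureRandom.hex(16)))
    super()
    @id = id
  end

  def [](key)
    key == "session_id" ? @id.public_id : super
  end
end

# The three properties a test for this change should pin down.
def session_id_checks(session)
  priv = session.id.private_id
  {
    id_is_session_id_object: session.id.is_a?(SessionId),
    session_id_key_is_public_id: session["session_id"] == session.id.public_id,
    store_key_is_digest: priv != session.id.public_id &&
      priv.start_with?("#{SessionId::ID_VERSION}::"),
  }
end
```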

Contributor

bquorning commented Jan 5, 2020

Not relevant before merging, but: Don’t forget to backport this change to 5-2-stable too.

Co-Authored-By: Benjamin Quorning <22333+bquorning@users.noreply.github.com>
bquorning referenced this pull request Jan 7, 2020
The `ActionDispatch::Session::MemcacheStore` is still vulnerable
given it requires the gem dalli to be updated as well.

CVE-2019-16782

def test_session_id
session = ActionController::TestSession.new
assert_instance_of String, session.id.public_id
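Review bot: `assert_instance_of String, session.id.public_id` only proves that public_id is a String; it would also pass if `id` were any other object that happens to respond to `public_id`. Assert the contract the PR title states directly, `assert_instance_of Rack::Session::SessionId, session.id`, and cover the SecureSessionHash lookup with `assert_equal session.id.public_id, session["session_id"]`, so the test fails if the superclass is ever reverted to SessionHash.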

Member

rafaelfranca commented Jan 7, 2020

Should we test session["session_id"]?

Author Contributor

abcang commented Jan 10, 2020

I added a test for session["session_id"]

@rafaelfranca rafaelfranca merged commit b9fac5c into rails:master Jan 10, 2020
1 of 2 checks passed
build
buildkite/rails Build #66266 failed (1 hour, 9 minutes, 51 seconds)
rafaelfranca added a commit that referenced this pull request Jan 10, 2020
…Id instance (#38063)

* Fix ActionController::TestSession#id to return Rack::Session::SessionId instance

* test SessionId#public_id

* test session["session_id"]

Co-authored-by: Benjamin Quorning <22333+bquorning@users.noreply.github.com>
abcang deleted the abcang:test_session_id_to_session_id_instance branch Jan 11, 2020