Disable session in ActiveStorage blobs and representations proxy controllers #48869
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…roller This allows CDNs such as CloudFlare to cache files delivered by proxy by default Fix #44136
|
Beyond CDN compatibility, this will also prevent a footgun for developers who are starting to handle on their own infra and want to use something like nginx object cache, where they cache the file but forget to remove the This is a problem because rails uses said header to store its session, which might contain sensitive data. Worst case scenario, it might contain the ID of the logged user, which means that when the file is served, the user will be automatically switched to a different account. |
rafaelfranca
reviewed
Aug 3, 2023
activestorage/app/controllers/concerns/active_storage/disable_session.rb
Outdated
Show resolved
Hide resolved
brunoprietog
deleted the
disable-session-active-storage-proxy-controllers
branch
tenderlove
pushed a commit
that referenced
this pull request
Feb 21, 2024
…orage-proxy-controllers Disable session in ActiveStorage blobs and representations proxy controllers [CVE-2024-26144]
tenderlove
pushed a commit
that referenced
this pull request
Feb 21, 2024
…orage-proxy-controllers Disable session in ActiveStorage blobs and representations proxy controllers [CVE-2024-26144]
tenderlove
added a commit
that referenced
this pull request
Feb 21, 2024
* 6-1-sec: Preparing for 6.1.7.7 release update changelog Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers
tenderlove
added a commit
that referenced
this pull request
Feb 21, 2024
* 7-0-sec: Preparing for 7.0.8.1 release update changelog fix XSS vulnerability when using translation Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation / Background
When configuring ActiveStorage with resolve_model_to_route in rails_storage_proxy, you would expect a CDN such as CloudFlare to cache the files. However, in the case of CloudFlare, by default, anything that has session cookies will not cache them. To work around this you can use custom rules or patch these ActiveStorage proxy controllers.
Detail
Session now is disabled in
ActiveStorage::Blobs::ProxyControllerandActiveStorage::Representations::ProxyController, including the new concernActiveStorage::DisableSessionin both controllers that does the work.This way it will not be necessary to create custom rules and works by default.
Thanks to @fleck for the idea in this comment.
Fixes #44136
Additional information
I'm not sure if or how to test this, because there is no way to access the session in
ActionDispatch::IntegrationTest.Checklist
Before submitting the PR make sure the following are checked:
[Fix #issue-number]