✨ Combustion & Appraisals #4
Conversation
| def update | ||
| respond_to do |format| | ||
| if site.update_attributes(site_params) | ||
| if site.update(site_params) |
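Review bot: the `update_attributes` to `update` rename in this hunk is the Rails 6.1 API change (the old name was removed there), but it does nothing for the CodeQL finding attached to the line. The finding is about what `site_params` lets through: with `properties: {}` in the permit list, every key the client sends under `properties` is mass-assigned onto the record, so the change that actually closes it belongs in `site_params` (enumerating the property names the model uses), not here.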
Check failure
Code scanning / CodeQL
Insecure Mass Assignment Critical
this remote flow source
Copilot Autofix
AI 8 months ago
To fix the problem, we need to explicitly specify which keys are permitted within the properties attribute. This can be done by listing the allowed keys in the permit method. This change ensures that only the specified keys can be assigned, preventing arbitrary parameters from being set by the user.
The best way to fix the problem without changing existing functionality is to update the site_params method to include a list of permitted keys for the properties attribute. This change should be made in the app/controllers/masq/sites_controller.rb file.
| @@ -56,3 +56,3 @@ | ||
| def site_params | ||
| params.require(:site).permit(:persona_id, :url, properties: {}) | ||
| params.require(:site).permit(:persona_id, :url, properties: [:key1, :key2, :key3]) | ||
| end |
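Review bot: the permitted names `:key1, :key2, :key3` on the `+` line are placeholders, not property names this application stores, so merging the suggestion as-is makes strong parameters discard every real `properties` entry; that happens silently, because unpermitted keys are filtered rather than rejected unless `action_on_unpermitted_parameters` is set to `:raise`. Replace them with the actual allowed property names (for example `properties: [:theme, :logo_url]`, hypothetical names), keeping in mind that the array form permits scalar values only. If `properties` genuinely has to be free-form, leaving `{}` in place should at least be paired with a model-level validation of the keys, since the permit list is then not doing any filtering.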
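The Copilot comment fixes the mass-assignment finding by enumerating keys under `properties`. The following is an added example, not code from this repository or from the autofix: it models the strong-parameter filter in plain Ruby (a small stand-in for `ActionController::Parameters#permit`, so it runs without Rails) and applies the original permit list, the suggested one with its `:key1` placeholders, and a corrected one to a constructed request body. `theme`, `logo_url`, `billing_plan` and `admin` are invented names.

```ruby
# Added example (not the project's code): a minimal model of how Rails strong
# parameters filter a nested hash, written in plain Ruby so it runs without
# ActionController::Parameters. Keys listed as symbols keep scalar values only;
# a nested spec of {} permits any keys, an array of symbols permits only those.
def permit(params, *filters)
  params.each_with_object({}) do |(key, value), out|
    filters.each do |filter|
      case filter
      when Symbol, String
        out[key] = value if key == filter.to_s && !value.is_a?(Hash)
      when Hash
        spec = filter[key.to_sym]
        next unless spec && value.is_a?(Hash)
        out[key] = spec == {} ? value.dup : permit(value, *spec)
      end
    end
  end
end

# Constructed request body, shaped as Rails would parse it for sites#update.
# "billing_plan" and "admin" stand in for keys a client must not control.
RAW_PARAMS = {
  "site" => {
    "persona_id" => "7",
    "url" => "https://example.test",
    "properties" => {
      "theme" => "dark",
      "logo_url" => "https://example.test/logo.png",
      "billing_plan" => "unlimited"
    },
    "admin" => "true"
  }
}.freeze

# The permit list CodeQL flagged: properties: {} lets every nested key through.
def site_params_original(raw)
  permit(raw.fetch("site"), :persona_id, :url, properties: {})
end

# The autofix exactly as suggested: placeholder names match nothing real.
def site_params_autofix(raw)
  permit(raw.fetch("site"), :persona_id, :url, properties: [:key1, :key2, :key3])
end

# What the autofix intends, with (hypothetical) property names the model uses.
def site_params_fixed(raw)
  permit(raw.fetch("site"), :persona_id, :url, properties: [:theme, :logo_url])
end

if $PROGRAM_NAME == __FILE__
  p site_params_original(RAW_PARAMS)
  p site_params_autofix(RAW_PARAMS)
  p site_params_fixed(RAW_PARAMS)
end
```

Running it shows the three outcomes side by side: the original list keeps `billing_plan` (any key under `properties` reaches the record), the suggested list saves an empty `properties` hash because none of the real keys are named, and only the corrected list keeps `theme` and `logo_url` while dropping both `billing_plan` and the top-level `admin`. The permitted names therefore have to come from the model's actual schema, not from the autofix.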
Welcome to Codecov 🎉 Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests. Thanks for integrating Codecov - We've got you covered ☂️
|
|
||
| # Encrypts some data with the salt. | ||
| def encrypt(password, salt) | ||
| Digest::SHA1.hexdigest("--#{salt}--#{password}--") |
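Review bot: the finding on these three lines is not about SHA-1's collision weakness but about its speed. One SHA-1 over `--salt--password--` costs microseconds, so a leaked `encrypted_password` column can be brute-forced offline at GPU rates; the per-user salt only prevents precomputation, it does not add cost. The replacement has to be a deliberately slow, tunable KDF (Argon2id, bcrypt, scrypt or PBKDF2), and because existing rows hold 40-character SHA-1 hex digests, it also needs a migration path that still verifies the old format and rehashes on the next successful login. The Copilot autofix in this thread covers the first half only.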
Check failure
Code scanning / CodeQL
Use of a broken or weak cryptographic hashing algorithm on sensitive data High
Sensitive data (password)
Copilot Autofix
AI 8 months ago
To fix the problem, we need to replace the use of SHA-1 with a more secure and computationally expensive hashing algorithm. Argon2 is a good choice for password hashing as it is designed to be secure and resistant to brute-force attacks. We will use the argon2 gem to implement this.
Steps to fix:
- Install the argon2 gem if it is not already installed.
- Update the encrypt method to use Argon2 for hashing passwords.
- Ensure that the authenticate method verifies passwords using Argon2.
| @@ -1,2 +1,2 @@ | ||
| require "digest/sha1" | ||
| require "argon2" | ||
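Review bot: dropping `require "digest/sha1"` on the removed line breaks the transition: every account created before this change still holds a `Digest::SHA1` digest, and nothing in the suggestion rehashes those rows, so keep the SHA-1 require alongside `require "argon2"` until a verify-legacy-then-rehash path has migrated them all.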
|
|
||
| @@ -73,3 +73,3 @@ | ||
| if !a.nil? && a.active? && a.enabled | ||
| if a.authenticated?(password) || (Masq::Engine.config.masq["trust_basic_auth"] && basic_auth_used) | ||
| if Argon2::Password.verify_password("--#{a.salt}--#{password}--", a.encrypted_password) || (Masq::Engine.config.masq["trust_basic_auth"] && basic_auth_used) | ||
| a.last_authenticated_at = Time.now.utc | ||
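Review bot: the `+` line moves password verification out of `a.authenticated?` and into the controller, which duplicates the `--#{salt}--#{password}--` framing in a second place and leaves `authenticated?` itself unchanged for any other caller; the Argon2 check belongs inside `authenticated?`, with this line left calling it. Two further problems with the inline call: the argon2 gem's `Argon2::Password.verify_password` raises `Argon2::ArgonHashFail` instead of returning false when the stored string is not an Argon2 hash, so every not-yet-migrated SHA-1 row turns a login attempt into an exception rather than a failed authentication; and Argon2 generates and embeds its own salt, so wrapping the password in `a.salt` is redundant and only obscures what is being verified.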
| @@ -84,3 +84,3 @@ | ||
| def encrypt(password, salt) | ||
| Digest::SHA1.hexdigest("--#{salt}--#{password}--") | ||
| Argon2::Password.create("--#{salt}--#{password}--") | ||
| end |
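Review bot: `Argon2::Password.create` chooses a fresh random salt on every call and embeds it in the encoded string it returns, so the `salt` parameter on the `def encrypt(password, salt)` line is now dead, and two calls with identical input return different strings. The hunk does not handle the consequences: any code that checks a password by comparing `encrypt(password, salt)` with the stored value (the pattern the removed `Digest::SHA1` line implies for `authenticated?`) can never match again and must call `verify_password` instead, and the encoded Argon2 hash is far longer than the 40-character SHA-1 hex digest, so the `encrypted_password` column width needs checking before deploy. Either drop the salt argument or document that it is ignored.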
| @@ -50 +50,3 @@ | ||
| gem "rails", "~> 8.0", ">= 8.0.2" | ||
|
|
||
| gem "argon2", "2.3.2" |
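Review bot: the `+` line pins `gem "argon2", "2.3.2"` to an exact version, so `bundle update` will never pick up a patch release; a pessimistic constraint such as `gem "argon2", "~> 2.3"` is the usual Gemfile form. Note also that the argon2 gem compiles a native extension at install time, so the CI image and the production build stage need a C toolchain, and the dependency-review result of no advisories applies to the gem as published, not to that build step.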
| Package | Version | Security advisories |
|---|---|---|
| argon2 (rubygems) | 2.3.2 | None |
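The Copilot suggestion for the SHA-1 finding hashes new passwords with Argon2 but gives rows that already hold SHA-1 digests no way to log in or migrate. The following is an added example, not code from the project or from the autofix: it carries out that migration in plain Ruby, with PBKDF2-HMAC-SHA256 from the standard `openssl` library standing in for Argon2 (the argon2 gem needs a compiled extension; the upgrade logic is the same for either KDF). `Account`, the iteration count and the encoded hash layout are assumptions of this example; the `--salt--password--` framing is the page's own.

```ruby
require "digest/sha1"
require "openssl"
require "securerandom"

# Stand-in for the Account model (assumed): just the two columns the diff touches.
Account = Struct.new(:salt, :encrypted_password, keyword_init: true)

# Assumed work factor for PBKDF2-HMAC-SHA256; tune so one hash costs a few
# hundred milliseconds on the deployment hardware.
ITERATIONS = 600_000
KEY_LENGTH = 32

# The scheme the page's encrypt method implements: one fast SHA-1 over
# "--salt--password--", stored as 40 hex characters.
def legacy_sha1(password, salt)
  Digest::SHA1.hexdigest("--#{salt}--#{password}--")
end

# Slow, salted hash with a self-describing encoding so the verifier can tell the
# formats apart; the KDF draws its own salt, so no caller-supplied salt is needed.
def create_hash(password, iterations: ITERATIONS)
  salt = SecureRandom.bytes(16)
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                 length: KEY_LENGTH, hash: "sha256")
  ["pbkdf2-sha256", iterations, salt.unpack1("H*"), dk.unpack1("H*")].join("$")
end

def legacy_hash?(stored)
  stored.match?(/\A[0-9a-f]{40}\z/)
end

# Constant-time equality; a length mismatch is a definite mismatch.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && OpenSSL.fixed_length_secure_compare(a, b)
end

def verify_hash(password, stored)
  algo, iterations, salt_hex, dk_hex = stored.split("$", 4)
  return false unless algo == "pbkdf2-sha256" && dk_hex && iterations.to_i.positive?

  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: [salt_hex].pack("H*"),
                                 iterations: iterations.to_i, length: KEY_LENGTH,
                                 hash: "sha256")
  secure_equal?(dk.unpack1("H*"), dk_hex)
end

# Returns [authenticated, upgraded_hash_or_nil]. A legacy row is verified under
# SHA-1 and, only on success, rehashed in place so the next login uses the KDF.
def authenticate(account, password)
  stored = account.encrypted_password
  return [verify_hash(password, stored), nil] unless legacy_hash?(stored)
  return [false, nil] unless secure_equal?(legacy_sha1(password, account.salt), stored)

  upgraded = create_hash(password)
  account.encrypted_password = upgraded # the real model would save this row here
  [true, upgraded]
end

if $PROGRAM_NAME == __FILE__
  acct = Account.new(salt: "s3cr3t-salt",
                     encrypted_password: legacy_sha1("hunter2", "s3cr3t-salt"))
  p authenticate(acct, "hunter2") # first login: verified under SHA-1, then rehashed
  p authenticate(acct, "hunter2") # second login: verified under the KDF, no rehash
end
```

The format check in `authenticate` is what the autofix lacks: a legacy row is recognised by its shape, verified with the old digest, and rewritten only after the correct password has been proven, so a wrong guess never touches the stored value and no user is locked out on the day the change ships. Rows that never log in again stay on SHA-1 and should be expired by a separate reset campaign.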
…-based implementation
Closing in favor of #5
No description provided.