From 9a6fbfc245358ae1a449db0635e5a5c108ab94ad Mon Sep 17 00:00:00 2001 From: Alexandr Korsak Date: Wed, 26 Feb 2020 22:13:47 +0100 Subject: [PATCH 01/12] update nokogiri --- Gemfile | 2 ++ Gemfile.lock | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index 5531f67..5911df8 100644 --- a/Gemfile +++ b/Gemfile @@ -36,4 +36,6 @@ group :test do gem 'selenium-webdriver' gem 'chromedriver-helper' gem 'launchy' + + gem "nokogiri", ">= 1.10.8" end diff --git a/Gemfile.lock b/Gemfile.lock index 0f77546..7066ee9 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -205,7 +205,7 @@ GEM multi_json (1.14.1) multi_test (0.1.2) nenv (0.3.0) - nokogiri (1.10.5) + nokogiri (1.10.8) mini_portile2 (~> 2.4.0) notiffany (0.1.3) nenv (~> 0.1) @@ -285,6 +285,7 @@ DEPENDENCIES guard-cucumber guard-rspec (~> 4.7) launchy + nokogiri (>= 1.10.8) pry pry-byebug rb-fsevent From 5c8c11a82f1956eac2f4386f5211bf0f81c437a4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Jun 2020 08:17:49 +0000 Subject: [PATCH 02/12] Bump rack from 2.0.8 to 2.2.3 Bumps [rack](https://github.com/rack/rack) from 2.0.8 to 2.2.3. - [Release notes](https://github.com/rack/rack/releases) - [Changelog](https://github.com/rack/rack/blob/master/CHANGELOG.md) - [Commits](https://github.com/rack/rack/compare/2.0.8...2.2.3) Signed-off-by: dependabot[bot] --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 7066ee9..e4b487c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -219,7 +219,7 @@ GEM byebug (~> 11.0) pry (~> 0.10) public_suffix (4.0.1) - rack (2.0.8) + rack (2.2.3) rack-test (1.1.0) rack (>= 1.0, < 3) rails-dom-testing (2.0.3) From 4eda4e4c2ef341c6c1537f8a94da7c2dc777bf44 Mon Sep 17 00:00:00 2001 
From: Alexandr Korsak Date: Wed, 14 Oct 2020 17:52:11 +0200 Subject: [PATCH 03/12] Create brakeman-analysis.yml --- .github/workflows/brakeman-analysis.yml | 44 +++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 .github/workflows/brakeman-analysis.yml diff --git a/.github/workflows/brakeman-analysis.yml b/.github/workflows/brakeman-analysis.yml new file mode 100644 index 0000000..4b8f33e --- /dev/null +++ b/.github/workflows/brakeman-analysis.yml @@ -0,0 +1,44 @@ +# This workflow integrates Brakeman with GitHub's Code Scanning feature +# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications + +name: Brakeman Scan + +# This section configures the trigger for the workflow. Feel free to customize depending on your convention +on: + push: + branches: [ "master", "main" ] + pull_request: + branches: [ "master", "main" ] + +jobs: + brakeman-scan: + name: Brakeman Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v2 + + # Customize the ruby version depending on your needs + - name: Setup Ruby + uses: actions/setup-ruby@v1 + with: + ruby-version: '2.7' + + - name: Setup Brakeman + env: + BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+ + run: | + gem install brakeman --version $BRAKEMAN_VERSION + + # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis + - name: Scan + continue-on-error: true + run: | + brakeman -f sarif -o output.sarif.json . + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: output.sarif.json From 1c65b41debf327e675c099fa2b5eec756e88ac7b Mon Sep 17 00:00:00 2001 
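Review bot: The Setup Ruby step uses `actions/setup-ruby@v1`, which is archived, while the Rubocop workflow added in the next commit of this series uses `ruby/setup-ruby@v1`; the two workflows should agree, and the maintained action is the latter. The job declares no `permissions:` block, so the SARIF upload depends on whatever the default token grant happens to be; adding `permissions: { contents: read, security-events: write }` at job level states the requirement and keeps the token at least privilege. The third-party actions are referenced by moving major tags (`@v1`, `@v2`); pinning them to a full commit SHA is the usual hardening against a tag being re-pointed. `continue-on-error: true` on the Scan step is appropriate because Brakeman exits non-zero when it reports warnings, which would otherwise abort the job before the upload, and a comment saying exactly that would stop someone removing it later.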
From: Alexandr Korsak Date: Wed, 14 Oct 2020 17:52:36 +0200 Subject: [PATCH 04/12] Create rubocop-analysis.yml --- .github/workflows/rubocop-analysis.yml | 39 ++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/workflows/rubocop-analysis.yml diff --git a/.github/workflows/rubocop-analysis.yml b/.github/workflows/rubocop-analysis.yml new file mode 100644 index 0000000..81aa2cf --- /dev/null +++ b/.github/workflows/rubocop-analysis.yml @@ -0,0 +1,39 @@ +name: "Rubocop" + +on: push + +jobs: + rubocop: + runs-on: ubuntu-latest + strategy: + fail-fast: false + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # If running on a self-hosted runner, check it meets the requirements + # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners + - name: Set up Ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: 2.6 + + # This step is not necessary if you add the gem to your Gemfile + - name: Install Code Scanning integration + run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install + + - name: Install dependencies + run: bundle install + + - name: Rubocop run + run: | + bash -c " + bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif + [[ $? -ne 2 ]] + " + + - name: Upload Sarif output + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: rubocop.sarif From e5aec8fa7a198100a0f17118ddd169b6924d069b Mon Sep 17 00:00:00 2001 From: Alexandr Korsak Date: Wed, 3 Feb 2021 12:54:22 +0100 Subject: [PATCH 05/12] update .ruby-version --- .ruby-version | 2 +- Gemfile.lock | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.ruby-version b/.ruby-version index 57cf282..37c2961 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -2.6.5 +2.7.2 diff --git a/Gemfile.lock b/Gemfile.lock index e4b487c..db56faf 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
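Review bot: The `[[ $? -ne 2 ]]` guard in the Rubocop run step never sees rubocop's exit status: the script is handed to `bash -c` inside double quotes, so the outer shell expands `$?` (to 0) before the inner bash starts, the test is always true, and a rubocop crash (exit 2) passes the step. Dropping the wrapper and writing one line, `bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif || [ $? -ne 2 ]`, lets offences (exit 1) through to the SARIF upload while still failing on errors. The job also declares no `permissions:` block, and `github/codeql-action/upload-sarif` needs `security-events: write`, so that should be granted explicitly rather than inherited from the default token. `ruby-version: 2.6` is hard-coded here while the repository's `.ruby-version` moves to 2.7.2 two commits later; I believe `ruby/setup-ruby` reads `.ruby-version` when the input is omitted, which would keep CI and the lockfile on one interpreter.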
@@ -54,6 +54,7 @@ PATH specs: devise_masquerade (1.2.0) devise (>= 4.7.0) + globalid (>= 0.3.6) railties (>= 5.2.0) GEM @@ -301,4 +302,4 @@ DEPENDENCIES test-unit BUNDLED WITH - 2.0.2 + 2.1.4 From cf0e1529757f2eea1f56559a94f4f860ed69f916 Mon Sep 17 00:00:00 2001 From: Alexandr Korsak Date: Wed, 3 Feb 2021 13:31:59 +0100 Subject: [PATCH 06/12] use Rails.cache to store owner id, use GlobalID for masquerading --- .../devise/masquerades_controller.rb | 23 +++++++++++-------- lib/devise_masquerade/controllers/helpers.rb | 4 ++-- .../devise/masquerades_controller_spec.rb | 14 +++++++---- .../masquerades_tests_controller_spec.rb | 4 ++-- 4 files changed, 27 insertions(+), 18 deletions(-) diff --git a/app/controllers/devise/masquerades_controller.rb b/app/controllers/devise/masquerades_controller.rb index c171de3..da092fd 100644 --- a/app/controllers/devise/masquerades_controller.rb +++ b/app/controllers/devise/masquerades_controller.rb @@ -28,15 +28,9 @@ def show end def back - user_id = session[session_key] + self.resource = find_owner_resource - resource = if user_id.present? - masquerading_resource_class.to_adapter.find_first(:id => user_id) - else - send(:"current_#{masquerading_resource_name}") - end - - if masquerading_resource_class != masqueraded_resource_class + if resource.class != masqueraded_resource_class sign_out(send("current_#{masqueraded_resource_name}")) end @@ -60,6 +54,10 @@ def find_resource GlobalID::Locator.locate_signed params[Devise.masquerade_param], for: 'masquerade' end + def find_owner_resource + GlobalID::Locator.locate_signed(Rails.cache.read(session_key), for: 'masquerade') + end + def go_back(user, path:) if Devise.masquerade_routes_back redirect_back(fallback_location: path) 
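Review bot: `back` no longer copes with a missing owner: `find_owner_resource` goes through `GlobalID::Locator.locate_signed`, which I would expect to return nil when the cache entry is absent, evicted or past its `expires_in`, and the session-based fallback to `current_<masquerading resource>` that the removed lines provided is gone, so `resource.class != masqueraded_resource_class` then holds for `NilClass`, the masqueraded account is signed out and the remainder of `back` continues with a nil resource. Guard it right after the assignment, e.g. `return head(:not_found) unless resource` (or restore the fallback for that case), and state in a comment which outcome is intended when the owner cannot be recovered. The body of `back` continues past the end of this hunk.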
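Review bot: `find_owner_resource` reads `Rails.cache.read(session_key)`, and the specs in this commit show that key is the constant `devise_masquerade_user` / `devise_masquerade_student`, so the cache slot is global to the application rather than per session: every masquerading admin writes the same key, `back` restores whichever owner wrote last (so one admin can be signed back in as a different admin), and the `user_masquerade?` / `user_masquerade_owner` helpers answer for every visitor once anyone masquerades. The same key is written and deleted in `save_masquerade_owner_session` / `cleanup_masquerade_owner_session` and read in the `helpers.rb` hunk of this commit. The entry has to be scoped to the session, for example by storing a random per-masquerade token in `session[session_key]` and deriving the cache key from that token, which also keeps the existing `session.key?(session_key)` guard meaningful. A one-line comment on this method saying what the key is expected to be scoped to would make the contract visible.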
@@ -123,15 +121,20 @@ def after_back_masquerade_path_for(resource) end def save_masquerade_owner_session + resource_gid = send("current_#{masquerading_resource_name}").to_sgid( + expires_in: Devise.masquerade_expires_in, for: 'masquerade') + # skip sharing owner id via session + Rails.cache.write(session_key, resource_gid, expires_in: Devise.masquerade_expires_in) + unless session.key?(session_key) - session[session_key] = send("current_#{masquerading_resource_name}").id session[session_key_masquerading_resource_class] = masquerading_resource_class.name session[session_key_masqueraded_resource_class] = masqueraded_resource_class.name end end def cleanup_masquerade_owner_session - session.delete(session_key) + Rails.cache.delete(session_key) + session.delete(session_key_masqueraded_resource_class) session.delete(session_key_masquerading_resource_class) end diff --git a/lib/devise_masquerade/controllers/helpers.rb b/lib/devise_masquerade/controllers/helpers.rb index 4eaea20..1ee7b23 100644 --- a/lib/devise_masquerade/controllers/helpers.rb +++ b/lib/devise_masquerade/controllers/helpers.rb @@ -38,12 +38,12 @@ def masquerade_#{name}! end def #{name}_masquerade? - session[:"devise_masquerade_#{name}"].present? + ::Rails.cache.exist?(:"devise_masquerade_#{name}").present? end def #{name}_masquerade_owner return nil unless send(:#{name}_masquerade?) - ::#{class_name}.to_adapter.find_first(id: session[:"devise_masquerade_#{name}"]) + GlobalID::Locator.locate_signed(Rails.cache.read(:"devise_masquerade_#{name}"), for: 'masquerade') end private diff --git a/spec/controllers/devise/masquerades_controller_spec.rb b/spec/controllers/devise/masquerades_controller_spec.rb index 65a4208..a539d0f 100644 --- a/spec/controllers/devise/masquerades_controller_spec.rb +++ b/spec/controllers/devise/masquerades_controller_spec.rb 
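Review bot: In `save_masquerade_owner_session` the cache write is unconditional and `session.key?(session_key)` is never true any more because nothing writes that session key, so the guard is dead and, more importantly, masquerading again while already masquerading overwrites the cached owner with the currently masqueraded account (that is what `current_<masquerading resource>` resolves to at that moment), whereas the removed `session[session_key] = …` assignment was protected by the guard and kept the original owner. If the original owner is meant to survive a second `show`, put the write behind a check such as `unless Rails.cache.exist?(session_key)`; otherwise document that re-masquerading re-bases the owner. The `# skip sharing owner id via session` comment says what is avoided but not what is now relied on: `back` only works if `Rails.cache` is a store shared by all app processes, and a per-process memory store or the null store breaks it silently, so something like `# Owner is kept server-side in Rails.cache (must be a shared store); the session cookie carries no owner id` would warn deployers.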
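Review bot: `::Rails.cache.exist?(...).present?` in `#{name}_masquerade?` is redundant: `exist?` already returns a boolean and `false.present?` is `false`, so `::Rails.cache.exist?(:"devise_masquerade_#{name}")` on its own is equivalent. The new `#{name}_masquerade_owner` body refers to `GlobalID` and `Rails` without the leading `::` that the surrounding generated code uses for `::Rails` and `::#{class_name}`; since these methods are defined from an interpolated string, a consistent `::GlobalID::Locator.locate_signed(::Rails.cache.read(...), for: 'masquerade')` avoids constant-lookup surprises in whatever controller includes the module. Both helpers key the cache on the constant `devise_masquerade_#{name}`, which is shared by every session, so their answers are not specific to the current user; that is the same scoping problem as in the controller hunk and is best fixed there. The generated module continues past the `private` line that closes this hunk.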
@@ -14,7 +14,7 @@ get :show, params: { id: mask.to_param, masqueraded_resource_class: mask.class.name, masquerade: mask.masquerade_key } end - it { expect(session.keys).to include('devise_masquerade_student') } + it { expect(Rails.cache.read('devise_masquerade_student')).to be } it 'should have warden keys defined' do expect(session["warden.user.student.key"].first.first).to eq(mask.id) @@ -30,7 +30,7 @@ get :show, params: { id: mask.to_param, masquerade: mask.masquerade_key } end - it { expect(session.keys).to include('devise_masquerade_user') } + it { expect(Rails.cache.read('devise_masquerade_user')).to be } it { expect(session["warden.user.user.key"].first.first).to eq(mask.id) } it { should redirect_to('/') } @@ -39,7 +39,7 @@ it { should redirect_to(masquerade_page) } it { expect(current_user.reload).to eq(@user) } - it { expect(session.keys).not_to include('devise_masquerade_user') } + it { expect(Rails.cache.read('devise_masquerade_user')).not_to be } end end @@ -74,13 +74,19 @@ end # context context 'and back' do - before { get :back } + before do + get :show, params: { id: mask.to_param, masquerade: mask.masquerade_key } + + get :back + end it { should redirect_to(masquerade_page) } end # context context 'and back fallback if http_referer not present' do before do + get :show, params: { id: mask.to_param, masquerade: mask.masquerade_key } + @request.env['HTTP_REFERER'] = 'previous_location' get :back end diff --git a/spec/controllers/masquerades_tests_controller_spec.rb b/spec/controllers/masquerades_tests_controller_spec.rb index 439cf03..42336a8 100644 --- a/spec/controllers/masquerades_tests_controller_spec.rb +++ b/spec/controllers/masquerades_tests_controller_spec.rb 
@@ -16,7 +16,7 @@ before { get :show, params: { id: mask.to_param, masquerade: mask.masquerade_key } } it { expect(response.status).to eq(403) } - it { expect(session.keys).not_to include('devise_masquerade_user') } + it { expect(Rails.cache.read('devise_masquerade_user')).not_to be } it { expect(session['warden.user.user.key'].first.first).not_to eq(mask.id) } end @@ -35,7 +35,7 @@ end it { expect(response.status).to eq(302) } - it { expect(session.keys).to include('devise_masquerade_user') } + it { expect(Rails.cache.read('devise_masquerade_user')).to be } it { expect(session['warden.user.user.key'].first.first).to eq(mask.id) } end end From bc0d09d3c04062aeeaaed60d7607df4aa3492002 Mon Sep 17 00:00:00 2001 From: Alexandr Korsak Date: Wed, 3 Feb 2021 13:32:45 +0100 Subject: [PATCH 07/12] bump new version 1.3.0 --- lib/devise_masquerade/version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/devise_masquerade/version.rb b/lib/devise_masquerade/version.rb index 0a27365..9c974f6 100644 --- a/lib/devise_masquerade/version.rb +++ b/lib/devise_masquerade/version.rb @@ -1,3 +1,3 @@ module DeviseMasquerade - VERSION = '1.2.0'.freeze + VERSION = '1.3.0'.freeze end From fa1fe62d6657ba4aa6a7d69cb0cd26fd819c6c92 Mon Sep 17 00:00:00 2001 From: Alexandr Korsak Date: Wed, 3 Feb 2021 13:50:13 +0100 Subject: [PATCH 08/12] Update Gemfile.lock --- Gemfile.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index db56faf..53db77d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -52,7 +52,7 @@ GIT PATH remote: . specs: - devise_masquerade (1.2.0) + devise_masquerade (1.3.0) devise (>= 4.7.0) globalid (>= 0.3.6) railties (>= 5.2.0) @@ -98,7 +98,7 @@ GEM archive-zip (0.12.0) io-like (~> 0.3.0) backports (3.15.0) - bcrypt (3.1.13) + bcrypt (3.1.16) bson (1.12.5) bson_ext (1.12.5) bson (~> 1.12.5) 
@@ -142,7 +142,7 @@ GEM cucumber-tag_expressions (1.1.1) cucumber-wire (0.0.1) database_cleaner (1.0.1) - devise (4.7.1) + devise (4.7.3) bcrypt (~> 3.0) orm_adapter (~> 0.1) railties (>= 4.1.0) @@ -239,7 +239,7 @@ GEM rb-inotify (0.10.0) ffi (~> 1.0) regexp_parser (1.6.0) - responders (3.0.0) + responders (3.0.1) actionpack (>= 5.0) railties (>= 5.0) rubyzip (2.0.0) @@ -260,8 +260,8 @@ GEM thread_safe (0.3.6) tzinfo (1.2.5) thread_safe (~> 0.1) - warden (1.2.8) - rack (>= 2.0.6) + warden (1.2.9) + rack (>= 2.0.9) xpath (3.2.0) nokogiri (~> 1.8) zeitwerk (2.2.0) From 6bca0aa45ed32f1b3f97b6b3ba98c1b918f7e88f Mon Sep 17 00:00:00 2001 From: Alexandr Korsak Date: Wed, 3 Feb 2021 13:51:34 +0100 Subject: [PATCH 09/12] add 2.7.2 version for travis --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 3ec7155..314eed1 100644 --- a/.travis.yml +++ b/.travis.yml @@ -2,6 +2,7 @@ language: ruby rvm: - 2.5.1 - 2.6.0 + - 2.7.2 gemfile: - Gemfile script: time ./script/travis.sh From 1426258dc79f1c49257654f2fc5373708cad569f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Feb 2021 12:51:58 +0000 Subject: [PATCH 10/12] Bump nokogiri from 1.10.8 to 1.11.1 Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.10.8 to 1.11.1. - [Release notes](https://github.com/sparklemotion/nokogiri/releases) - [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md) - [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.10.8...v1.11.1) Signed-off-by: dependabot[bot] --- Gemfile.lock | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 53db77d..cb1ae36 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -201,13 +201,14 @@ GEM mime-types-data (~> 3.2015) mime-types-data (3.2019.1009) mini_mime (1.0.2) - mini_portile2 (2.4.0) + mini_portile2 (2.5.0) minitest (5.12.2) multi_json (1.14.1) multi_test (0.1.2) nenv (0.3.0) - nokogiri (1.10.8) - mini_portile2 (~> 2.4.0) + nokogiri (1.11.1) + mini_portile2 (~> 2.5.0) + racc (~> 1.4) notiffany (0.1.3) nenv (~> 0.1) shellany (~> 0.0) @@ -220,6 +221,7 @@ GEM byebug (~> 11.0) pry (~> 0.10) public_suffix (4.0.1) + racc (1.5.2) rack (2.2.3) rack-test (1.1.0) rack (>= 1.0, < 3) From 511afa21f0553d6a80e100c7f1f45437b3f48beb Mon Sep 17 00:00:00 2001 From: Alexandr Korsak Date: Wed, 3 Feb 2021 21:51:19 +0100 Subject: [PATCH 11/12] fix extra params issue --- features/step_definitions/url_helpers_steps.rb | 11 +++++++++++ features/url_helpers.feature | 14 ++++++++++++++ lib/devise_masquerade/controllers/url_helpers.rb | 4 ++-- lib/devise_masquerade/routes.rb | 5 +++-- spec/dummy/app/controllers/dashboard_controller.rb | 4 ++++ .../app/views/dashboard/extra_params.html.erb | 7 +++++++ spec/dummy/config/routes.rb | 4 +++- 7 files changed, 44 insertions(+), 5 deletions(-) create mode 100644 features/step_definitions/url_helpers_steps.rb create mode 100644 features/url_helpers.feature create mode 100644 spec/dummy/app/views/dashboard/extra_params.html.erb diff --git a/features/step_definitions/url_helpers_steps.rb b/features/step_definitions/url_helpers_steps.rb new file mode 100644 index 0000000..4c91929 --- /dev/null +++ b/features/step_definitions/url_helpers_steps.rb @@ -0,0 +1,11 @@ +Then("I should see maquerade url") do + page.html.should include('href="/users/masquerade?masquerade=') +end + +When("I am on the users page with extra params") do + visit '/extra_params' +end + +Then("I should see maquerade url with extra params") do + page.html.should include('href="/users/masquerade?key1=value1&masquerade=') +end diff --git a/features/url_helpers.feature b/features/url_helpers.feature new file mode 100644 index 0000000..0b19f2f 
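Review bot: The step names read `maquerade url` (missing the s) in both step definitions, and the new feature file repeats the typo so the steps still match; renaming both sides to `masquerade url` keeps the wording correct without breaking the match. The assertions use the `should` expectation syntax (`page.html.should include(...)`) while RSpec's current default is `expect(page.html).to include(...)`; either is fine as long as the suite configures the syntax, but mixing them across the project is worth avoiding. A short comment above the last step explaining that the extra query parameter is expected to appear before the masquerade param would document what "extra params" means here.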
--- /dev/null +++ b/features/url_helpers.feature @@ -0,0 +1,14 @@ +Feature: Use masquerade path to generate routes on page + In order to have the way to render masquerade path + As an user + I want to be able to see the url and use it + + Scenario: Use masquerade path helper + Given I logged in + And I have a user for masquerade + + When I am on the users page + Then I should see maquerade url + + When I am on the users page with extra params + Then I should see maquerade url with extra params diff --git a/lib/devise_masquerade/controllers/url_helpers.rb b/lib/devise_masquerade/controllers/url_helpers.rb index 90f45a0..8e8ba07 100644 --- a/lib/devise_masquerade/controllers/url_helpers.rb +++ b/lib/devise_masquerade/controllers/url_helpers.rb @@ -7,12 +7,12 @@ module UrlHelpers def masquerade_path(resource, *args) scope = Devise::Mapping.find_scope!(resource) - opts = args.first || {} + opts = args.shift || {} opts.merge!(masqueraded_resource_class: resource.class.name) opts.merge!(Devise.masquerade_param => resource.masquerade_key) - send("#{scope}_masquerade_path", resource, opts, *args) + send("#{scope}_masquerade_index_path", opts, *args) end def back_masquerade_path(resource, *args) diff --git a/lib/devise_masquerade/routes.rb b/lib/devise_masquerade/routes.rb index 9e22d65..d69515f 100644 --- a/lib/devise_masquerade/routes.rb +++ b/lib/devise_masquerade/routes.rb @@ -3,11 +3,12 @@ module Routes def devise_masquerade(mapping, controllers) resources :masquerade, - only: :show, path: mapping.path_names[:masquerade], - controller: controllers[:masquerades] do + controller: controllers[:masquerades], + only: [] do collection do + get :show get :back end end diff --git a/spec/dummy/app/controllers/dashboard_controller.rb b/spec/dummy/app/controllers/dashboard_controller.rb index cd3c666..fa01b2c 100644 --- a/spec/dummy/app/controllers/dashboard_controller.rb +++ b/spec/dummy/app/controllers/dashboard_controller.rb 
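Review bot: `opts.merge!` still mutates the hash the caller passes as the first extra argument; the dummy view passes a literal (`key1: 'value1'`), but a caller that reuses an options hash would accumulate `masqueraded_resource_class` and the masquerade param across calls. Building a fresh hash, `opts = (args.shift || {}).merge(masqueraded_resource_class: resource.class.name, Devise.masquerade_param => resource.masquerade_key)`, removes that side effect and lets the two `merge!` lines go. The switch from `args.first` to `args.shift` is deliberate (the options hash must not be forwarded a second time through `*args` now that `resource` is no longer passed positionally) and deserves a one-line comment, since `shift` reads like an accident next to the old `first`. `back_masquerade_path` follows this method and is outside the hunk.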
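Review bot: Replacing `only: :show` with a collection-level `get :show` changes the public route from `/<scope>/masquerade/:id` to `/<scope>/masquerade` (hence the move to the `_index_path` helper in `url_helpers.rb` and the `href="/users/masquerade?...` expectation in the new feature), so existing links built with the old shape and any proxy or authorization rule keyed on the `:id` segment stop matching. That is a compatibility break that should be called out in the changelog, and the routes block would benefit from a comment such as `# show and back are collection routes: the target is identified by the signed masquerade param, not by :id`. The `devise_masquerade` method continues past the end of this hunk.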
@@ -4,5 +4,9 @@ class DashboardController < ApplicationController def index @users = User.where("users.id != ?", current_user.id).all end + + def extra_params + @users = User.where("users.id != ?", current_user.id).all + end end diff --git a/spec/dummy/app/views/dashboard/extra_params.html.erb b/spec/dummy/app/views/dashboard/extra_params.html.erb new file mode 100644 index 0000000..f50b6c1 --- /dev/null +++ b/spec/dummy/app/views/dashboard/extra_params.html.erb @@ -0,0 +1,7 @@ +<% @users.each do |user| %> +
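Review bot: `extra_params` duplicates the `index` query verbatim; a `before_action :load_users` that assigns `@users` for both actions keeps the two views in step when the query changes. The trailing `.all` on a relation is a no-op, and `User.where.not(id: current_user.id)` says the same thing as the hand-written `"users.id != ?"` fragment without string SQL. This is the dummy application used by the specs, so a comment on `extra_params` noting that it exists only to exercise `masquerade_path` with additional query parameters would explain why two actions render the same data.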

+ <%= user.email %> + + <%= link_to "Login as", masquerade_path(user, key1: 'value1'), class: 'login_as' %> +

+<% end %> diff --git a/spec/dummy/config/routes.rb b/spec/dummy/config/routes.rb index 0112c5a..c876e28 100644 --- a/spec/dummy/config/routes.rb +++ b/spec/dummy/config/routes.rb @@ -1,10 +1,12 @@ Dummy::Application.routes.draw do - devise_for :users, controllers: { masquerades: "users/masquerades" } + devise_for :users, controllers: { masquerades: 'users/masquerades' } devise_for :admin_users, class_name: Admin::User.name devise_for :students, class_name: Student.name root to: 'dashboard#index' + get '/extra_params', to: 'dashboard#extra_params' + resources :masquerades_tests resources :students, only: :index From 95dff4f7781028c2ddaafb72d35bfadc37e9beef Mon Sep 17 00:00:00 2001 From: Alexandr Korsak Date: Wed, 3 Feb 2021 21:53:20 +0100 Subject: [PATCH 12/12] bump new version 1.3.1 --- Gemfile.lock | 2 +- lib/devise_masquerade/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index cb1ae36..a380d51 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -52,7 +52,7 @@ GIT PATH remote: . specs: - devise_masquerade (1.3.0) + devise_masquerade (1.3.1) devise (>= 4.7.0) globalid (>= 0.3.6) railties (>= 5.2.0) diff --git a/lib/devise_masquerade/version.rb b/lib/devise_masquerade/version.rb index 9c974f6..338e1e8 100644 --- a/lib/devise_masquerade/version.rb +++ b/lib/devise_masquerade/version.rb @@ -1,3 +1,3 @@ module DeviseMasquerade - VERSION = '1.3.0'.freeze + VERSION = '1.3.1'.freeze end