Bump devise to fix CVE in lockable logic

CVE-2019-5421 More information moderate severity Vulnerable versions: < 4.6.0 Patched version: 4.6.0 Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the Devise::Models::Lockable class not being concurrency safe. heartcombo/devise#4981
dsander · Apr 14, 2019 · 6176d85 · 6176d85
1 parent f40d55a
commit 6176d85
Show file tree

Hide file tree

Showing 10 changed files with 32 additions and 17 deletions.
diff --git a/Gemfile b/Gemfile
@@ -95,7 +95,7 @@ gem 'coffee-rails', '~> 4.2'
 gem 'daemons', '~> 1.1.9'
 gem 'delayed_job', '~> 4.1.5'
 gem 'delayed_job_active_record', github: 'dsander/delayed_job_active_record', branch: 'rails52'
-gem 'devise', '~> 4.4.3'
+gem 'devise', '~> 4.6.2'
 gem 'em-http-request', '~> 1.1.2'
 gem 'faraday', '~> 0.9'
 gem 'faraday_middleware', '~> 0.12.2'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -150,7 +150,7 @@ GEM
     arel (9.0.0)
     aws-sdk-core (2.2.15)
       jmespath (~> 1.0)
-    bcrypt (3.1.11)
+    bcrypt (3.1.12)
     better_errors (1.1.0)
       coderay (>= 1.0.0)
       erubis (>= 2.6.6)
@@ -211,7 +211,7 @@ GEM
     declarative-option (0.1.0)
     delayed_job (4.1.5)
       activesupport (>= 3.0, < 5.3)
-    devise (4.4.3)
+    devise (4.6.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)
@@ -519,9 +519,9 @@ GEM
       declarative (< 0.1.0)
       declarative-option (< 0.2.0)
       uber (< 0.2.0)
-    responders (2.4.0)
-      actionpack (>= 4.2.0, < 5.3)
-      railties (>= 4.2.0, < 5.3)
+    responders (2.4.1)
+      actionpack (>= 4.2.0, < 6.0)
+      railties (>= 4.2.0, < 6.0)
     rest-client (2.0.2)
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 4.0)
@@ -641,8 +641,8 @@ GEM
     uuid (2.3.7)
       macaddr (~> 1.0)
     vcr (3.0.3)
-    warden (1.2.7)
-      rack (>= 1.0)
+    warden (1.2.8)
+      rack (>= 2.0.6)
     web-console (3.3.1)
       actionview (>= 5.0)
       activemodel (>= 5.0)
@@ -685,7 +685,7 @@ DEPENDENCIES
   daemons (~> 1.1.9)
   delayed_job (~> 4.1.5)
   delayed_job_active_record!
-  devise (~> 4.4.3)
+  devise (~> 4.6.2)
   dotenv!
   dotenv-rails!
   dropbox-api!

diff --git a/app/views/admin/users/_form.html.erb b/app/views/admin/users/_form.html.erb
@@ -1,5 +1,5 @@
 <%= form_for([:admin, @user], html: { class: 'form-horizontal' }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
   <%= render partial: '/devise/registrations/common_registration_fields', locals: { f: f } %>
 
   <div class="form-group">

diff --git a/app/views/devise/confirmations/new.html.erb b/app/views/devise/confirmations/new.html.erb
@@ -6,7 +6,7 @@
       <h2>Resend confirmation instructions</h2>
 
       <%= form_for(resource, as: resource_name, url: confirmation_path(resource_name), html: { method: :post, class: 'form-horizontal' }) do |f| %>
-        <%= devise_error_messages! %>
+        <%= render "devise/shared/error_messages", resource: resource %>
 
         <div class="form-group">
           <%= f.label :login, class: 'col-md-2 col-md-offset-2 control-label' %>

diff --git a/app/views/devise/passwords/edit.html.erb b/app/views/devise/passwords/edit.html.erb
@@ -7,7 +7,7 @@
         <h2>Change your password</h2>
 
         <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :put, class: 'form-horizontal' }) do |f| %>
-          <%= devise_error_messages! %>
+          <%= render "devise/shared/error_messages", resource: resource %>
           <%= f.hidden_field :reset_password_token %>
 
           <div class="control-group">

diff --git a/app/views/devise/passwords/new.html.erb b/app/views/devise/passwords/new.html.erb
@@ -6,7 +6,7 @@
       <h2>Forgot your password?</h2>
 
       <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :post, class: 'form-horizontal' }) do |f| %>
-        <%= devise_error_messages! %>
+        <%= render "devise/shared/error_messages", resource: resource %>
 
         <div class="form-group">
           <%= f.label :login, :class => 'col-md-2 col-md-offset-2 control-label' %>

diff --git a/app/views/devise/registrations/edit.html.erb b/app/views/devise/registrations/edit.html.erb
@@ -8,7 +8,7 @@
         <h2>Edit <%= resource_name.to_s.humanize %></h2>
 
         <%= form_for(resource, as: resource_name, url: registration_path(resource_name), html: { method: :put, class: 'form-horizontal' }) do |f| %>
-          <%= devise_error_messages! %>
+          <%= render "devise/shared/error_messages", resource: resource %>
 
           <div class="form-group">
             <%= f.label :email, class: 'col-md-4 control-label' %>
@@ -45,7 +45,7 @@
 
         <h3>Change password</h3>
         <%= form_for(resource, as: resource_name, url: registration_path(resource_name), html: { method: :put, class: 'form-horizontal' }) do |f| %>
-          <%= devise_error_messages! %>
+          <%= render "devise/shared/error_messages", resource: resource %>
           <div class="form-group">
             <%= f.label :current_password, class: 'col-md-4 control-label' %>
             <div class="col-md-6">

diff --git a/app/views/devise/registrations/new.html.erb b/app/views/devise/registrations/new.html.erb
@@ -8,7 +8,7 @@
         <h2>Sign up</h2>
 
         <%= form_for(resource, as: resource_name, url: registration_path(resource_name), html: { class: 'form-horizontal' }) do |f| %>
-          <%= devise_error_messages! %>
+          <%= render "devise/shared/error_messages", resource: resource %>
           <% if ENV['ON_HEROKU'] && User.count.zero? %>
           <div class="heroku-instructions">
             <% app_name = request.host[/\A[^.]+/] %>

diff --git a/app/views/devise/shared/_error_messages.html.erb b/app/views/devise/shared/_error_messages.html.erb
@@ -0,0 +1,15 @@
+<% if resource.errors.any? %>
+  <div id="error_explanation">
+    <h2>
+      <%= I18n.t("errors.messages.not_saved",
+                 count: resource.errors.count,
+                 resource: resource.class.model_name.human.downcase)
+       %>
+    </h2>
+    <ul>
+      <% resource.errors.full_messages.each do |message| %>
+        <li><%= message %></li>
+      <% end %>
+    </ul>
+  </div>
+<% end %>
diff --git a/app/views/devise/unlocks/new.html.erb b/app/views/devise/unlocks/new.html.erb
@@ -6,7 +6,7 @@
       <h2>Resend unlock instructions</h2>
 
       <%= form_for(resource, as: resource_name, url: unlock_path(resource_name), html: { method: :post, class: 'form-horizontal' }) do |f| %>
-        <%= devise_error_messages! %>
+        <%= render "devise/shared/error_messages", resource: resource %>
 
         <div class="form-group">
          <%= f.label :login, class: 'col-md-2 col-md-offset-2 control-label' %>