Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

generate a confirmation_token over an empty string #5072

Closed

Conversation

ajsharp
Copy link

@ajsharp ajsharp commented May 4, 2019

Fixes #5071

@ajsharp
Copy link
Author

ajsharp commented May 7, 2019

@mracos Any thoughts here? This should probably be considered a security issue, as it allows anyone to access the system with an empty token.

@mracos
Copy link
Contributor

mracos commented May 9, 2019

Sorry @ajsharp, I've been really busy with work lately, so I didn't have much time to take a deeper look at this but will try to give you some feedback in the next days.
Thanks!

@amangano-privy
Copy link

Would it be possible to add a validation to prevent the model from being saved when confirmation_token is an empty string?

@tegon
Copy link
Member

tegon commented Aug 12, 2019

@ajsharp Thanks for your contribution!

I was digging into this, and a better approach for us is to ensure it's not possible to confirm a user with a blank confirmation_token parameter - i.e. to return a validation error inside the ConfirmationsController#show action.
That should be enough to ensure no "invalid" records will be confirmed by mistake.

As for the confirmation_token being set to blank, that doesn't seem to be possible with the current code we have. I'm assuming something else could've happened in the system to let the records in that state. Unless we find a real case where Devise is setting the token to a blank string, I think it's not worth it to include more code to handle this.

@amangano-privy I thought about adding the validation, but we can't always require this field, so we would need a context validation. That would only protect the model against the known use cases. Another thing to take into account is that a bunch of places inside Devise uses validate: false.
So I think the validation wouldn't add that much value. The current code is already generating the token in a before_create callback, so I'm guessing it would require some external action to leave the field with a blank string - instead of nil.

WDYT you think? Thoughts?

@tegon
Copy link
Member

tegon commented Sep 2, 2019

Closed in favor of #5132

@tegon tegon closed this Sep 2, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging this pull request may close these issues.

Confirmable should generate a token if confirmation_token is currently an empty string
4 participants