Fixed vulnerabilities (#1569)

* Fixed vulnerabilities * Missing plural.
lynndylanhurley · Dec 27, 2022 · 30b6d30 · 30b6d30
1 parent 2264071
commit 30b6d30
Show file tree

Hide file tree

Showing 7 changed files with 19 additions and 18 deletions.
diff --git a/app/controllers/devise_token_auth/application_controller.rb b/app/controllers/devise_token_auth/application_controller.rb
@@ -89,7 +89,7 @@ def success_message(name, email)
     # query params (to then send in the initial validate_token request).
     # TODO: We should be able to stop exposing the token in query params when this method is used
     def set_token_in_cookie(resource, token)
-      auth_header = resource.build_auth_header(token.token, token.client)
+      auth_header = resource.build_auth_headers(token.token, token.client)
       cookies[DeviseTokenAuth.cookie_name] = DeviseTokenAuth.cookie_attributes.merge(value: auth_header.to_json)
     end
   end

diff --git a/app/controllers/devise_token_auth/concerns/resource_finder.rb b/app/controllers/devise_token_auth/concerns/resource_finder.rb
@@ -22,7 +22,8 @@ def get_case_insensitive_field_from_resource_params(field)
   def find_resource(field, value)
     @resource = if database_adapter&.include?('mysql')
                   # fix for mysql default case insensitivity
-                  resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
+                  field_sanitized = resource_class.connection.quote_column_name(field)
+                  resource_class.where("BINARY #{field_sanitized} = ? AND provider= ?", value, provider).first
                 else
                   resource_class.dta_find_by(field => value, 'provider' => provider)
                 end

diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb
@@ -111,7 +111,7 @@ def update_auth_header
       # cleared by sign out in the meantime
       return if @resource.reload.tokens[@token.client].nil?
 
-      auth_header = @resource.build_auth_header(@token.token, @token.client)
+      auth_header = @resource.build_auth_headers(@token.token, @token.client)
 
       # update the response header
       response.headers.merge!(auth_header)

diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb
@@ -133,13 +133,13 @@ def whitelisted_params
     end
 
     def resource_class(mapping = nil)
-      if omniauth_params['resource_class']
-        omniauth_params['resource_class'].constantize
-      elsif params['resource_class']
-        params['resource_class'].constantize
-      else
-        raise 'No resource_class found'
-      end
+      return @resource_class if defined?(@resource_class)
+
+      constant_name = omniauth_params['resource_class'] || params['resource_class']
+      @resource_class = ObjectSpace.each_object(Class).detect { |cls| cls.name == constant_name }
+      raise 'No resource_class found' if @resource_class.nil?
+
+      @resource_class
     end
 
     def resource_name

diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb
@@ -176,10 +176,10 @@ def create_new_auth_token(client = nil)
       updated_at: now
     )
 
-    update_auth_header(token.token, token.client)
+    update_auth_headers(token.token, token.client)
   end
 
-  def build_auth_header(token, client = 'default')
+  def build_auth_headers(token, client = 'default')
     # client may use expiry to prevent validation request if expired
     # must be cast as string or headers will break
     expiry = tokens[client]['expiry'] || tokens[client][:expiry]
@@ -190,7 +190,7 @@ def build_auth_header(token, client = 'default')
       DeviseTokenAuth.headers_names[:"expiry"]       => expiry.to_s,
       DeviseTokenAuth.headers_names[:"uid"]          => uid
     }
-    headers.merge!(build_bearer_token(headers))
+    headers.merge(build_bearer_token(headers))
   end
 
   def build_bearer_token(auth)
@@ -199,8 +199,8 @@ def build_bearer_token(auth)
     {DeviseTokenAuth.headers_names[:"authorization"] => bearer_token}
   end
 
-  def update_auth_header(token, client = 'default')
-    headers = build_auth_header(token, client)
+  def update_auth_headers(token, client = 'default')
+    headers = build_auth_headers(token, client)
     clean_old_tokens
     save!
 
@@ -216,7 +216,7 @@ def build_auth_url(base_url, args)
 
   def extend_batch_buffer(token, client)
     tokens[client]['updated_at'] = Time.zone.now
-    update_auth_header(token, client)
+    update_auth_headers(token, client)
   end
 
   def confirmed?

diff --git a/docs/usage/model_concerns.md b/docs/usage/model_concerns.md
@@ -45,7 +45,7 @@ Models that include the `DeviseTokenAuth::Concerns::User` concern will have acce
   }
 
   # generate auth headers for response
-  new_auth_header = @resource.build_auth_header(token.token, token.client)
+  new_auth_header = @resource.build_auth_headers(token.token, token.client)
 
   # update response with the header that will be required by the next request
   response.headers.merge!(new_auth_header)

diff --git a/docs/usage/testing.md b/docs/usage/testing.md
@@ -148,7 +148,7 @@ def create_auth_header_from_scratch
   # The following assumes that the user has received those headers
   # and that they are then using those headers to make a request
 
-  new_auth_header = @current_user.build_auth_header(token.token, token.client)
+  new_auth_header = @current_user.build_auth_headers(token.token, token.client)
 
   puts 'This is the new auth header'
   puts new_auth_header.to_s