Update doorkeeper to 4.4.3 (CVE-2018-1000211)
What does this MR do?
Updates doorkeeper to 4.4.3 to address CVE-2018-1000211.
Update guide from the upstream provider
Post-install message from doorkeeper:
WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211)
There is no breaking change in this release, however to take advantage of the security fix you must:
1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration
2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit)
3. Update their `confidential` column to `false` for those public apps
This is a backported security release.
For more information:
* https://github.com/doorkeeper-gem/doorkeeper/pull/1119
* https://github.com/doorkeeper-gem/doorkeeper/issues/891
- Run `rails generate doorkeeper:add_client_confidentiality` for the migration - with it, we obtained `db/migrate/20180906221234_add_confidential_to_doorkeeper_application.rb`
- Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit) - I guess no OAuth apps are public, but could you double-check this?
- Update their `confidential` column to `false` for those public apps
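As an added illustration of steps 2 and 3 of the post-install message (this is example code written for this page, not code from the MR or from doorkeeper): a plain-Ruby model of the review. The `OauthApp` struct, the per-app `flows_used` list and the sample rows are constructed stand-ins for the `oauth_applications` table and whatever authorization records you keep; the only flow the page names as public is `implicit`, so that is the only entry in `PUBLIC_FLOWS`. Apps with no recorded use are deliberately left for a human to decide rather than being flipped automatically.

```ruby
# Constructed example: plain Ruby, no database. Models the post-install steps
# "review which OAuth apps only use public grant flows" and "set their
# confidential column to false". OauthApp, flows_used and SAMPLE_APPS are
# assumptions made for this example, not doorkeeper's own model or schema.

# Grant flows that never present a client secret. The post-install message
# names "implicit"; add others here only if you know your apps use them.
PUBLIC_FLOWS = %w[implicit].freeze

OauthApp = Struct.new(:id, :name, :confidential, :flows_used, keyword_init: true)

# Constructed rows standing in for oauth_applications after the migration:
# every row starts with confidential = true, the new column default.
SAMPLE_APPS = [
  OauthApp.new(id: 1, name: "server-side-dashboard", confidential: true,
               flows_used: %w[authorization_code]),
  OauthApp.new(id: 2, name: "browser-spa", confidential: true,
               flows_used: %w[implicit]),
  OauthApp.new(id: 3, name: "mixed-client", confidential: true,
               flows_used: %w[implicit authorization_code]),
  OauthApp.new(id: 4, name: "unused-app", confidential: true,
               flows_used: []),
].freeze

# Step 2: an app is "public" only if it has used at least one flow and
# every flow it has used is in PUBLIC_FLOWS. An app that has also used a
# confidential flow (id 3 above) must keep confidential = true.
def public_only?(app)
  !app.flows_used.empty? && app.flows_used.all? { |flow| PUBLIC_FLOWS.include?(flow) }
end

# Split the apps into the three buckets a reviewer needs to see.
def classify(apps)
  {
    public:       apps.select { |app| public_only?(app) },
    confidential: apps.select { |app| !app.flows_used.empty? && !public_only?(app) },
    undecided:    apps.select { |app| app.flows_used.empty? },
  }
end

# Step 3: flip confidential to false for the public apps only.
# Returns the ids that were changed so the operation can be logged.
def mark_public!(apps)
  classify(apps)[:public].each { |app| app.confidential = false }.map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  apps = SAMPLE_APPS.map(&:dup)
  report = classify(apps)
  report.each do |bucket, rows|
    puts "#{bucket}: #{rows.map(&:name).join(', ')}"
  end
  puts "marked public: #{mark_public!(apps).inspect}"
end
```

In a real deployment the last step is the equivalent of updating `confidential` to `false` for exactly the ids returned by `mark_public!`, and nothing else; the `undecided` bucket is the list to go back to the app owners with.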
What are the relevant issue numbers?
Closes #49940 (moved)
Does this MR meet the acceptance criteria?
- Changelog entry added, if necessary
- [n/a] Documentation created/updated
- Tests added for this feature/bug
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
- Conforms to the database guides
Database checklist
- Conforms to the database guides
When adding migrations:
- Updated `db/schema.rb`
- Added a `down` method so the migration can be reverted
- Added the output of the migration(s) to the MR body
- Added tests for the migration in `spec/migrations` if necessary (e.g. when migrating data)
n/a When adding or modifying queries to improve performance:
- [n/a] Included data that shows the performance improvement, preferably in the form of a benchmark
- [n/a] Included the output of `EXPLAIN (ANALYZE, BUFFERS)` of the relevant queries
n/a When adding foreign keys to existing tables:
- [n/a] Included a migration to remove orphaned rows in the source table before adding the foreign key
- [n/a] Removed any instances of `dependent: ...` that may no longer be necessary
n/a When adding tables:
- [n/a] Ordered columns based on the Ordering Table Columns guidelines
- [n/a] Added foreign keys to any columns pointing to data in other tables
- [n/a] Added indexes for fields that are used in statements such as WHERE, ORDER BY, GROUP BY, and JOINs
n/a When removing columns, tables, indexes or other structures:
- [n/a] Removed these in a post-deployment migration
- [n/a] Made sure the application no longer uses (or ignores) these structures
General checklist
- Changelog entry added, if necessary
- Documentation created/updated
- Tests added for this feature/bug
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
The output of the DB migration (log):

```text
$ bundle exec rake db:migrate
== 20180906221234 AddConfidentialToDoorkeeperApplication: migrating ===========
-- transaction_open?()
   -> 0.0002s
-- execute("SET statement_timeout TO 0")
   -> 0.0023s
-- transaction()
-- add_column(:oauth_applications, :confidential, :boolean, {:default=>nil})
   -> 0.0045s
-- change_column_default(:oauth_applications, :confidential, true)
   -> 0.0138s
   -> 0.0240s
-- transaction_open?()
   -> 0.0000s
-- exec_query("SELECT COUNT(*) AS count FROM \"oauth_applications\"")
   -> 0.0051s
-- change_column_null(:oauth_applications, :confidential, false)
   -> 0.0034s
-- execute("RESET ALL")
   -> 0.0020s
== 20180906221234 AddConfidentialToDoorkeeperApplication: migrated (0.0393s) ==
```

The output of the DB migration revert (log):

```text
$ bundle exec rake db:migrate:down VERSION=20180906221234
== 20180906221234 AddConfidentialToDoorkeeperApplication: reverting ===========
-- remove_column(:oauth_applications, :confidential)
   -> 0.0087s
== 20180906221234 AddConfidentialToDoorkeeperApplication: reverted (0.0090s) ==
```
Edited by Takuya Noguchi