Update doorkeeper to 4.4.3 (CVE-2018-1000211)

What does this MR do?

Updates doorkeeper to 4.4.3 to address CVE-2018-1000211.

Update guide from the upstream provider

Post-install message from doorkeeper:

  WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211)

  There is no breaking change in this release, however to take advantage of the security fix you must:

    1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration
    2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit)
    3. Update their `confidential` column to `false` for those public apps

  This is a backported security release.

  For more information:

    * https://github.com/doorkeeper-gem/doorkeeper/pull/1119
    * https://github.com/doorkeeper-gem/doorkeeper/issues/891

  • `rails generate doorkeeper:add_client_confidentiality` for the migration
    • with it, we obtained db/migrate/20180906221234_add_confidential_to_doorkeeper_application.rb
  • Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit)
    • I guess no OAuth apps are public, but could you double-check this?
  • Update their `confidential` column to `false` for those public apps

What are the relevant issue numbers?

Closes #49940 (moved)

Does this MR meet the acceptance criteria?

Database checklist

When adding migrations:

  • Updated db/schema.rb
  • Added a down method so the migration can be reverted
  • Added the output of the migration(s) to the MR body
  • Added tests for the migration in spec/migrations if necessary (e.g. when migrating data)

n/a When adding or modifying queries to improve performance:

  • [n/a] Included data that shows the performance improvement, preferably in the form of a benchmark
  • [n/a] Included the output of EXPLAIN (ANALYZE, BUFFERS) of the relevant queries

n/a When adding foreign keys to existing tables:

  • [n/a] Included a migration to remove orphaned rows in the source table before adding the foreign key
  • [n/a] Removed any instances of dependent: ... that may no longer be necessary

n/a When adding tables:

  • [n/a] Ordered columns based on the Ordering Table Columns guidelines
  • [n/a] Added foreign keys to any columns pointing to data in other tables
  • [n/a] Added indexes for fields that are used in statements such as WHERE, ORDER BY, GROUP BY, and JOINs

n/a When removing columns, tables, indexes or other structures:

  • [n/a] Removed these in a post-deployment migration
  • [n/a] Made sure the application no longer uses (or ignores) these structures

General checklist

the output of the DB migration (log)

$ bundle exec rake db:migrate
== 20180906221234 AddConfidentialToDoorkeeperApplication: migrating ===========
-- transaction_open?()
   -> 0.0002s
-- execute("SET statement_timeout TO 0")
   -> 0.0023s
-- transaction()
-- add_column(:oauth_applications, :confidential, :boolean, {:default=>nil})
   -> 0.0045s
-- change_column_default(:oauth_applications, :confidential, true)
   -> 0.0138s
   -> 0.0240s
-- transaction_open?()
   -> 0.0000s
-- exec_query("SELECT COUNT(*) AS count FROM \"oauth_applications\"")
   -> 0.0051s
-- change_column_null(:oauth_applications, :confidential, false)
   -> 0.0034s
-- execute("RESET ALL")
   -> 0.0020s
== 20180906221234 AddConfidentialToDoorkeeperApplication: migrated (0.0393s) ==

the output of the DB migration revert (log)

$ bundle exec rake db:migrate:down VERSION=20180906221234
== 20180906221234 AddConfidentialToDoorkeeperApplication: reverting ===========
-- remove_column(:oauth_applications, :confidential)
   -> 0.0087s
== 20180906221234 AddConfidentialToDoorkeeperApplication: reverted (0.0090s) ==
Edited by Takuya Noguchi
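To make the three post-install steps concrete, here is a small in-memory model of the revocation check the `confidential` column feeds into. This is an added illustration written for this page, not doorkeeper's or GitLab's code; the application registry, token store, secrets and the `revoke_legacy`/`revoke` functions are all constructed here. It models the migration default (every existing app starts as `confidential = true`), the manual step of flagging public apps as non-confidential, and why a public client (which never holds a client secret) could not revoke its own tokens before the fix.

```ruby
# Illustrative model (not doorkeeper's code) of how the oauth_applications.confidential
# flag affects OAuth 2.0 token revocation (RFC 7009), in the spirit of the
# doorkeeper 4.4.3 post-install message for CVE-2018-1000211.

# Registered OAuth application. `confidential` mirrors the new column:
# true for apps that can keep a client secret, false for public apps
# (e.g. implicit-grant browser apps). Names and secrets are constructed.
Application = Struct.new(:uid, :secret, :confidential, keyword_init: true)

# Access token issued to an application.
Token = Struct.new(:value, :application_uid, :revoked_at, keyword_init: true)

# Constant-time comparison so the secret check does not leak timing.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# After the migration every app is confidential by default (the log above shows
# change_column_default(..., true)). Both apps have a secret in the registry;
# the browser app simply never possesses its own.
def registered_apps
  {
    'web-backend'  => Application.new(uid: 'web-backend',  secret: 'backend-secret-example',         confidential: true),
    'spa-frontend' => Application.new(uid: 'spa-frontend', secret: 'secret-the-browser-never-holds', confidential: true)
  }
end

def sample_tokens
  {
    'tok-backend' => Token.new(value: 'tok-backend', application_uid: 'web-backend',  revoked_at: nil),
    'tok-spa'     => Token.new(value: 'tok-spa',     application_uid: 'spa-frontend', revoked_at: nil)
  }
end

# Step 3 of the upgrade guide in this model: flag the apps that use only public
# flows as non-confidential. Which apps those are is a review decision (the data
# model records no grant flows), so the uids are passed in explicitly.
def mark_public!(apps, uids)
  uids.each { |uid| apps.fetch(uid).confidential = false }
  apps
end

# Pre-fix behaviour (the bug): every client is treated as confidential, so a
# public app that cannot present a secret never authenticates and its token
# stays valid. RFC 7009 answers 200 either way, so the failure is silent.
def revoke_legacy(apps, tokens, client_id:, client_secret:, token:, now: Time.now)
  app = apps[client_id]
  return :not_revoked unless app && secure_compare(app.secret, client_secret.to_s)
  record = tokens[token]
  return :not_revoked unless record && record.application_uid == app.uid
  record.revoked_at ||= now
  :revoked
end

# Post-fix behaviour: confidential clients must prove the secret; public clients
# are identified by client_id alone. Either way a client may only revoke tokens
# issued to itself.
def authenticate_client(apps, client_id, client_secret)
  app = apps[client_id]
  return nil unless app
  return app unless app.confidential
  secure_compare(app.secret, client_secret.to_s) ? app : nil
end

def revoke(apps, tokens, client_id:, client_secret:, token:, now: Time.now)
  app = authenticate_client(apps, client_id, client_secret)
  return :not_revoked unless app
  record = tokens[token]
  return :not_revoked unless record && record.application_uid == app.uid
  record.revoked_at ||= now
  :revoked
end

# Walks through the scenarios and returns the outcome of each.
def demo
  reviewed = mark_public!(registered_apps, ['spa-frontend'])
  tokens   = sample_tokens
  {
    legacy_public:                revoke_legacy(registered_apps, sample_tokens, client_id: 'spa-frontend', client_secret: nil, token: 'tok-spa'),
    fixed_before_review:          revoke(registered_apps, sample_tokens, client_id: 'spa-frontend', client_secret: nil, token: 'tok-spa'),
    fixed_public:                 revoke(reviewed, tokens, client_id: 'spa-frontend', client_secret: nil, token: 'tok-spa'),
    fixed_confidential_no_secret: revoke(reviewed, tokens, client_id: 'web-backend', client_secret: nil, token: 'tok-backend'),
    fixed_confidential:           revoke(reviewed, tokens, client_id: 'web-backend', client_secret: 'backend-secret-example', token: 'tok-backend'),
    cross_client:                 revoke(reviewed, tokens, client_id: 'spa-frontend', client_secret: nil, token: 'tok-backend')
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The `fixed_before_review` case is the point of the post-install warning: upgrading the gem and running the migration alone changes nothing for a public app, because the column defaults to `true`; only after the review flags the app as non-confidential does its revocation request succeed.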