gitlab: add rake task to delete tokens

The information disclosure was caued by CVE-2017-0882.
2017-03-21 12:52:39 +01:00 · 2017-03-21 12:52:39 +01:00 · 219e91b4c6
parent 4bd12fa7b2
commit 219e91b4c6
2 changed files with 47 additions and 0 deletions
--- a/pkgs/applications/version-management/gitlab/default.nix
+++ b/pkgs/applications/version-management/gitlab/default.nix
@ -91,6 +91,10 @@ stdenv.mkDerivation rec {
    cp -r . $out/share/gitlab
    ln -sf /run/gitlab/uploads $out/share/gitlab/public/uploads
    ln -sf /run/gitlab/config $out/share/gitlab/config
+
+    # rake tasks to mitigate CVE-2017-0882
+    # see https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/
+    cp ${./reset_token.rake} $out/share/gitlab/lib/tasks/reset_token.rake
  '';

  passthru = {
--- a/pkgs/applications/version-management/gitlab/reset_token.rake
+++ b/pkgs/applications/version-management/gitlab/reset_token.rake
@ -0,0 +1,43 @@
+# Taken from:
+# https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/
+
+# lib/tasks/reset_token.rake
+require_relative '../../app/models/concerns/token_authenticatable.rb'
+
+STDOUT.sync = true
+
+namespace :tokens do
+  desc "Reset all GitLab user auth tokens"
+  task reset_all: :environment do
+    reset_all_users_token(:reset_authentication_token!)
+  end
+
+  desc "Reset all GitLab email tokens"
+  task reset_all_email: :environment do
+    reset_all_users_token(:reset_incoming_email_token!)
+  end
+
+  def reset_all_users_token(token)
+    TmpUser.find_in_batches do |batch|
+      puts "Processing batch starting with user ID: #{batch.first.id}"
+
+      batch.each(&token)
+    end
+  end
+end
+
+class TmpUser < ActiveRecord::Base
+  include TokenAuthenticatable
+
+  self.table_name = 'users'
+
+  def reset_authentication_token!
+    write_new_token(:authentication_token)
+    save!(validate: false)
+  end
+
+  def reset_incoming_email_token!
+    write_new_token(:incoming_email_token)
+    save!(validate: false)
+  end
+end