From 219e91b4c620ce2b13e61086d5d0cee1706d7222 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Tue, 21 Mar 2017 12:52:39 +0100
Subject: [PATCH] gitlab: add rake task to delete tokens

The information disclosure was caued by CVE-2017-0882.
---
 .../version-management/gitlab/default.nix | 4 ++
 .../gitlab/reset_token.rake | 43 +++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 pkgs/applications/version-management/gitlab/reset_token.rake

diff --git a/pkgs/applications/version-management/gitlab/default.nix b/pkgs/applications/version-management/gitlab/default.nix
index 0e078950e66..f04d0c89da3 100644
--- a/pkgs/applications/version-management/gitlab/default.nix
+++ b/pkgs/applications/version-management/gitlab/default.nix
@@ -91,6 +91,10 @@ stdenv.mkDerivation rec {
 cp -r . $out/share/gitlab
 ln -sf /run/gitlab/uploads $out/share/gitlab/public/uploads
 ln -sf /run/gitlab/config $out/share/gitlab/config
+
+ # rake tasks to mitigate CVE-2017-0882
+ # see https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/
+ cp ${./reset_token.rake} $out/share/gitlab/lib/tasks/reset_token.rake
 '';
 
 passthru = {
diff --git a/pkgs/applications/version-management/gitlab/reset_token.rake b/pkgs/applications/version-management/gitlab/reset_token.rake
new file mode 100644
index 00000000000..705b5830edf
--- /dev/null
+++ b/pkgs/applications/version-management/gitlab/reset_token.rake
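Review bot: The comment above the new `cp` names the advisory but not what the copied file provides or that installing it does nothing by itself, so an operator reading the derivation cannot tell that the mitigation still has to be triggered after deploying. Extend it to `# provides rake tasks tokens:reset_all and tokens:reset_all_email; they must be run by the operator after the upgrade, installing the file does not rotate anything`. The install phase string this hunk sits in begins before the hunk.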
@@ -0,0 +1,43 @@
+# Taken from:
+# https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/
+
+# lib/tasks/reset_token.rake
+require_relative '../../app/models/concerns/token_authenticatable.rb'
+
+STDOUT.sync = true
+
+namespace :tokens do
+ desc "Reset all GitLab user auth tokens"
+ task reset_all: :environment do
+ reset_all_users_token(:reset_authentication_token!)
+ end
+
+ desc "Reset all GitLab email tokens"
+ task reset_all_email: :environment do
+ reset_all_users_token(:reset_incoming_email_token!)
+ end
+
+ def reset_all_users_token(token)
+ TmpUser.find_in_batches do |batch|
+ puts "Processing batch starting with user ID: #{batch.first.id}"
+
+ batch.each(&token)
+ end
+ end
+end
+
+class TmpUser < ActiveRecord::Base
+ include TokenAuthenticatable
+
+ self.table_name = 'users'
+
+ def reset_authentication_token!
+ write_new_token(:authentication_token)
+ save!(validate: false)
+ end
+
+ def reset_incoming_email_token!
+ write_new_token(:incoming_email_token)
+ save!(validate: false)
+ end
+end
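Review bot: `reset_all_users_token` is declared with a bare `def` inside the `namespace :tokens do` block, and in a Rakefile that defines the helper on the top-level object rather than scoping it to the namespace, so it becomes a global method visible to every other task GitLab loads. Because the header says the file is copied verbatim from the advisory, leaving it as-is is defensible, but if it is touched the helper belongs on the model it drives, e.g. `def self.reset_all(token)` on `TmpUser` with the tasks calling `TmpUser.reset_all(:reset_authentication_token!)`. Independently, both tasks rotate the token of every row in `users` via `save!(validate: false)` with no confirmation, dry run or final count, and nothing in the file says so; a comment at the top of the namespace such as `# Both tasks rewrite the token for every user row and cannot be undone; there is no dry run.` would warn the operator before `rake -T` invites them to run it.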