chore: sync with master #40
Conversation
fix lobby for https://scrims.lol
fix: Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. This vulnerability affects Addressable >= 2.3.0 (note: 2.3.0 and 2.3.1 were yanked; the earliest installable release is 2.3.2). It was partially fixed in version 2.8.10 and fully remediated in 2.9.0. The vulnerability is more exploitable on MRI Ruby < 3.2 and on all versions of JRuby and TruffleRuby. MRI Ruby 3.2 and later ship with Onigmo 6.9, which introduces memoization that prevents catastrophic backtracking for the first class of template. JRuby and TruffleRuby do not implement equivalent memoization and remain vulnerable to all patterns.
change to the bracket generator. Technical reasons:
1. Sequential bracket management: the admin releases one round at a time, with no parallelism
2. Less window for delays to accumulate
3. Teams know exactly when they will play (no "you may play Friday AND Saturday depending on the result")
4. The code supports both, but Model 2 is easier to operate in the MVP
Removed duplicate badges for Codacy and FOSSA.
Users without a Customer record in ProPay received a 404 on deposit. Now a find-or-create call registers the customer transparently using the current user's full_name and email before the deposit is proxied.
Replace has_secure_password with a custom PasswordHasher service backed by Argon2id (m=64MiB, t=3, p=2), following the OWASP preferred profile.
Lazy migration: existing bcrypt digests are verified as-is and silently re-hashed on the next successful login. No schema changes, no forced logouts, clean rollback.
- Add gem argon2 ~> 2.3
- Add Authentication::PasswordHasher with bcrypt/argon2id detection, rescue BCrypt::Errors::InvalidHash and Argon2::Error, test-env fast params (m=16, t=1, p=1)
- Add UpgradeablePassword concern used by User and Player
- Remove has_secure_password from User and Player; replicate presence validation and virtual attr explicitly
- Hash via before_validation callback, not in the setter
- Add scripts/benchmark_argon2.rb for pre-deploy calibration
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-RUBY-FARADAY-16755445
- https://snyk.io/vuln/SNYK-RUBY-JWT-16755447
Bump jwt 3.1.2 -> 3.2.0 (inadequate authentication, HIGH)
Bump faraday 2.14.1 -> 2.14.2 (SSRF, MEDIUM)
[Snyk] Fix for 2 vulnerabilities
jwt 3.2.0 rejects nil/empty HMAC keys (CVE-2026-45363). If JWT_SECRET_KEY and secret_key_base are both absent, the old code would silently use nil and produce cryptic 401s at request time. Now raises at boot so Coolify catches it in deploy logs, not in prod.
- jwt_service.rb: tap guard raises on blank SECRET_KEY at class load
- Dockerfile: add libargon2-dev (required native dep for argon2 gem)
- codeql.yml: add pull-requests: write (403 when commenting on PRs)
In the argon2 Ruby gem, m_cost is an exponent: memory = 2^m_cost KiB (valid range 3..31). Passing 65_536 (intended as KiB) caused ArgonHashFail on every login attempt, breaking authentication in prod.
- m_cost: 16 => 2^16 KiB = 64 MiB (OWASP preferred, unchanged intent)
- m_cost: 3 => 2^3 KiB = 8 KiB (test env, replaces wrong 16 KiB)
- Fix benchmark script output and configs to use exponent values
- Add clarifying comment in ARGON2_PARAMS and PRD
…dation
- Add spec/services/authentication/password_hasher_spec.rb (16 examples) covering hash, verify (argon2id, bcrypt legacy, blank inputs), needs_upgrade? and bcrypt?
- Add spec/models/concerns/upgradeable_password_spec.rb (10 examples) covering the bcrypt→argon2id lazy upgrade path for User and Player, including that wrong passwords do not trigger digest update
- Fix Player#player_password validation: add format check (uppercase + lowercase + digit) to match User#password strength requirements
- Remove password_confirmation from :user factory: attribute no longer exists after has_secure_password was removed
- Set DatabaseCleaner.allow_remote_database_url = true: the existing guard at rails_helper.rb:57 already blocks supabase/prod URLs; this allows Docker-network hostnames in local test runs
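The digest-format detection and the needs_upgrade? decision behind the PasswordHasher and UpgradeablePassword changes above, as an added illustration (not the project's own code). It does no hashing and needs no gem; it assumes the PHC string format libargon2 emits (`$argon2id$v=19$m=<KiB>,t=..,p=..$salt$hash`) and the `$2a$`/`$2b$`/`$2y$` prefixes bcrypt uses, and the sample digests are constructed filler.

```ruby
# Profile adopted in this PR (OWASP preferred): 64 MiB, t=3, p=2.
# In the argon2 gem m_cost is an EXPONENT: memory = 2**m_cost KiB, range 3..31.
ARGON2_PARAMS = { m_cost: 16, t_cost: 3, p_cost: 2 }.freeze
M_COST_RANGE  = (3..31)

# Constructed sample digests (salt/hash bodies are filler, not real output).
LEGACY_BCRYPT     = "$2a$12$" + "a" * 53
CURRENT_ARGON2ID  = "$argon2id$v=19$m=65536,t=3,p=2$c2FsdHNhbHRzYWx0c2FsdA$" + "h" * 43
TEST_ENV_ARGON2ID = "$argon2id$v=19$m=8,t=1,p=1$c2FsdHNhbHRzYWx0c2FsdA$" + "h" * 43

module PasswordDigestInfo
  module_function

  # Exponent -> KiB. A raw KiB figure such as 65_536 is rejected here instead
  # of surfacing later as ArgonHashFail on every login.
  def m_cost_to_kib(m_cost)
    unless M_COST_RANGE.cover?(m_cost)
      raise ArgumentError, "m_cost=#{m_cost} must be an exponent in #{M_COST_RANGE}"
    end
    2**m_cost
  end

  # Digests left behind by has_secure_password: $2a$/$2b$/$2y$ + 2-digit cost.
  def bcrypt?(digest)
    digest.to_s.match?(/\A\$2[aby]\$\d{2}\$/)
  end

  # Parse the PHC string libargon2 emits. Returns nil when the digest is not argon2id.
  def argon2id_params(digest)
    m = digest.to_s.match(%r{\A\$argon2id\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+\z})
    return nil unless m
    { version: m[1].to_i, m_kib: m[2].to_i, t: m[3].to_i, p: m[4].to_i }
  end

  # Lazy-migration decision made after a successful verify: bcrypt digests and
  # argon2id digests below the current profile get re-hashed; anything else is
  # unrecognised and should never have reached the upgrade step.
  def needs_upgrade?(digest)
    return true if bcrypt?(digest)
    params = argon2id_params(digest)
    raise ArgumentError, "unrecognised password digest" if params.nil?
    params[:m_kib] < m_cost_to_kib(ARGON2_PARAMS[:m_cost]) ||
      params[:t] < ARGON2_PARAMS[:t_cost] ||
      params[:p] < ARGON2_PARAMS[:p_cost]
  end
end
```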
…r URLs The DatabaseCleaner.allow_remote_database_url flag was set to true to support Docker-network Postgres hostnames in local test runs. To compensate, extend the production URL guard to also inspect TEST_DATABASE_URL (the variable database.yml actually uses in test env) and add 'pooler' as a blocked keyword, which catches database pooler endpoints even if 'supabase' is absent from the URL.
| @@ -1,5 +1,5 @@ | |||
| # Use Ruby 3.4.5 slim image (better Windows compatibility) | |||
| FROM ruby:3.4.5-slim | |||
| # Use Ruby 3.4.8 slim image (better Windows compatibility) | |||
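Review bot: only the comment line moves to 3.4.8 in the visible lines of this hunk, while `FROM ruby:3.4.5-slim` still shows the old tag; make sure the `FROM` line is bumped in the same change so the comment and the image do not drift, and consider pinning the image by digest (`FROM ruby:3.4.8-slim@sha256:<digest placeholder>`) so the build stays reproducible and the tag cannot be silently re-pointed.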
e3724bc into ralph/backend-tournaments: Not up to standards ⛔
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| 20763950 | Triggered | JSON Web Token | 915bab3 | .pentest/scripts/27_supabase_direct_bypass.sh |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely, following the best practices for secret storage.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act: you might completely break other contributing developers' workflows and you risk accidentally deleting legitimate data.
To avoid such incidents in the future, consider:
- following best practices for managing and storing secrets, including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
No description provided.