Skip to content

Commit

Permalink
Merge pull request #5043 from maestrano/increment-failed-attempts-con…
Browse files Browse the repository at this point in the history
…curency

Backport CVE-2019-5421 fix to 3.x
  • Loading branch information
tegon authored Mar 26, 2019
2 parents bddf051 + 36690f3 commit fb48336
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 2 deletions.
4 changes: 2 additions & 2 deletions lib/devise/models/lockable.rb
Original file line number Diff line number Diff line change
Expand Up @@ -99,8 +99,8 @@ def valid_for_authentication?
if super && !access_locked?
true
else
self.failed_attempts ||= 0
self.failed_attempts += 1
self.class.increment_counter(:failed_attempts, id)
reload
if attempts_exceeded?
lock_access! unless access_locked?
else
Expand Down
11 changes: 11 additions & 0 deletions test/models/lockable_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,17 @@ def setup
end
end

test "should read failed_attempts from database when incrementing" do
user = create_user
initial_failed_attempts = user.failed_attempts
same_user = User.find(user.id)

user.valid_for_authentication?{ false }
same_user.valid_for_authentication?{ false }

assert_equal initial_failed_attempts + 2, user.reload.failed_attempts
end

test 'should be valid for authentication with a unlocked user' do
user = create_user
user.lock_access!
Expand Down

0 comments on commit fb48336

Please sign in to comment.