From 78d78ad1991f0a27b8ff79614d09f85909d20ed1 Mon Sep 17 00:00:00 2001
From: Stan Hu <stanhu@gmail.com>
Date: Fri, 1 Jun 2018 13:44:16 -0700
Subject: [PATCH] Add comment about the need for truncating keys in Ruby 2.4

[ci skip]
---
 config/settings.rb | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/config/settings.rb b/config/settings.rb
index 4aa903109ea41..58f38d103eacb 100644
--- a/config/settings.rb
+++ b/config/settings.rb
@@ -85,7 +85,14 @@ def absolute(path)
       File.expand_path(path, Rails.root)
     end
 
+    # Returns a 256-bit key for attr_encrypted
     def attr_encrypted_db_key_base
+      # Ruby 2.4+ requires passing in the exact required length for OpenSSL keys
+      # (https://github.com/ruby/ruby/commit/ce635262f53b760284d56bb1027baebaaec175d1).
+      # Previous versions quietly truncated the input.
+      #
+      # The default mode for the attr_encrypted gem is to use a 256-bit key.
+      # We truncate the 128-byte string to 32 bytes.
       Gitlab::Application.secrets.db_key_base[0..31]
     end
 
-- 
GitLab