diff --git a/Gemfile b/Gemfile
index 98a594be1c7613e46c8e18d48fb32b72948e1d6c..268cba1d6d42bec64c523a48affe3c8920efaeda 100644
--- a/Gemfile
+++ b/Gemfile
@@ -44,7 +44,7 @@ gem 'akismet', '~> 2.0'
 # Two-factor authentication
 gem 'devise-two-factor', '~> 3.0.0'
 gem 'rqrcode-rails3', '~> 0.1.7'
-gem 'attr_encrypted', '~> 1.3.4'
+gem 'attr_encrypted', '~> 3.0.0'
 
 # Browser detection
 gem "browser", '~> 1.0.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index 30a0a2fd183158d9d1603157e04ab2b065c4fe91..7c873845cc33bd7fb4509d5b4a09fc97d274c217 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -60,8 +60,8 @@ GEM
       oauth2 (~> 1.0)
     asciidoctor (1.5.3)
     ast (2.2.0)
-    attr_encrypted (1.3.4)
-      encryptor (>= 1.3.0)
+    attr_encrypted (3.0.1)
+      encryptor (~> 3.0.0)
     attr_required (1.0.0)
     autoprefixer-rails (6.2.3)
       execjs
@@ -178,7 +178,7 @@ GEM
     email_spec (1.6.0)
       launchy (~> 2.1)
       mail (~> 2.2)
-    encryptor (1.3.0)
+    encryptor (3.0.0)
     equalizer (0.0.11)
     erubis (2.7.0)
     escape_utils (1.1.1)
@@ -891,7 +891,7 @@ DEPENDENCIES
   allocations (~> 1.0)
   asana (~> 0.4.0)
   asciidoctor (~> 1.5.2)
-  attr_encrypted (~> 1.3.4)
+  attr_encrypted (~> 3.0.0)
   awesome_print (~> 1.2.0)
   babosa (~> 1.0.2)
   base32 (~> 0.3.0)
diff --git a/app/models/ci/variable.rb b/app/models/ci/variable.rb
index 10802f64813efcb9e89292a5d9cabdfadf863967..f8d5d4486fd43f93c20dea83e76cb8854d2f1099 100644
--- a/app/models/ci/variable.rb
+++ b/app/models/ci/variable.rb
@@ -11,6 +11,9 @@ class Variable < ActiveRecord::Base
       format: { with: /\A[a-zA-Z0-9_]+\z/,
                 message: "can contain only letters, digits and '_'." }
 
-    attr_encrypted :value, mode: :per_attribute_iv_and_salt, key: Gitlab::Application.secrets.db_key_base
+    attr_encrypted :value, 
+       mode: :per_attribute_iv_and_salt,
+       key: Gitlab::Application.secrets.db_key_base,
+       algorithm: 'aes-256-cbc'
   end
 end
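Review bot: The `algorithm: 'aes-256-cbc'` pin added in this call (and in the same way in app/models/project_import_data.rb and app/models/user.rb) has no comment saying that it keeps rows written under attr_encrypted 1.3 readable now that 3.0 defaults to `aes-256-gcm`. Without that, a later cleanup can drop the option and leave every stored value undecryptable, or the pin stays forever and the column never moves to an authenticated mode. I would add `# Pinned to the pre-3.0 cipher so existing rows still decrypt; CBC has no integrity protection, move to aes-256-gcm with a re-encryption migration.` above the call. The first line of the new call, `attr_encrypted :value, `, also ends in a trailing space. The class body starts above the hunk.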
diff --git a/app/models/project_import_data.rb b/app/models/project_import_data.rb
index e2f9ffb69acb98db7becc0adff22018c12e69293..ca8a9b4217b6e5334cf52d8f0bec6fd9047a5190 100644
--- a/app/models/project_import_data.rb
+++ b/app/models/project_import_data.rb
@@ -6,7 +6,8 @@ class ProjectImportData < ActiveRecord::Base
                  key: Gitlab::Application.secrets.db_key_base,
                  marshal: true,
                  encode: true,
-                 mode: :per_attribute_iv_and_salt
+                 mode: :per_attribute_iv_and_salt,
+                 algorithm: 'aes-256-cbc'
 
   serialize :data, JSON
 
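Review bot: This option list keeps `marshal: true` next to the newly pinned unauthenticated cipher, so the decrypted bytes are deserialised with Ruby's Marshal without any integrity check on the stored ciphertext. Anyone able to alter the encrypted column can therefore influence what is unmarshalled. I would record that above the options, `# marshal: true loads the decrypted bytes with Marshal; kept only for existing rows, switch to a data-only marshaler (marshaler: option) when re-encrypting.`, and plan the switch together with the move away from CBC. The `attr_encrypted` call starts above the hunk, so the attribute name and its contents are not visible here.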
diff --git a/app/models/user.rb b/app/models/user.rb
index b5f478b3865d7dc7b637a4afcd3280fd3980beac..15b6cbc2255d6b5393f2fd21b74128ebba63cc7f 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -20,6 +20,11 @@ class User < ActiveRecord::Base
   default_value_for :hide_no_password, false
   default_value_for :theme_id, gitlab_config.default_theme
 
+  attr_encrypted :otp_secret,
+    key:       Gitlab::Application.config.secret_key_base,
+    mode:      :per_attribute_iv_and_salt,
+    algorithm: 'aes-256-cbc'
+
   devise :two_factor_authenticatable,
          otp_secret_encryption_key: Gitlab::Application.config.secret_key_base
   alias_attribute :two_factor_enabled, :otp_required_for_login
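Review bot: The new `attr_encrypted :otp_secret` declaration has no comment explaining why the model declares it itself or that it has to stay above `devise :two_factor_authenticatable`. Presumably it is there so that devise-two-factor does not define the attribute with the gem's new defaults, in which case moving it below the devise line would change how stored OTP secrets are decrypted. I would add `# Must precede devise :two_factor_authenticatable; pins key, mode and cipher for existing otp_secret rows.` above it. The key expression is now written twice (here and in `otp_secret_encryption_key:`), and it is `secret_key_base` rather than the `db_key_base` the other encrypted models use, so a rotation of that secret also invalidates every 2FA seed; the comment should say so. The User class continues outside the hunk.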
diff --git a/spec/features/login_spec.rb b/spec/features/login_spec.rb
index 8c38dd5b122eec74a169314be9577e278e3e0d15..54dcc50f4a2d0c3d62ad3bbe0d7b7c37df4d6597 100644
--- a/spec/features/login_spec.rb
+++ b/spec/features/login_spec.rb
@@ -121,7 +121,7 @@ def enter_code(code)
       user = create(:user, password: 'not-the-default')
 
       login_with(user)
-      expect(page).to have_content('Invalid login or password.')
+      expect(page).to have_content('Invalid Login or password.')
     end
   end
 
diff --git a/spec/models/ci/variable_spec.rb b/spec/models/ci/variable_spec.rb
index c712d211b0fd69879bdb0bb1d96b03d6bc6031c8..98f60087cf5e957db2c795a7117255b01bf6f2a4 100644
--- a/spec/models/ci/variable_spec.rb
+++ b/spec/models/ci/variable_spec.rb
@@ -23,7 +23,7 @@
     end
 
     it 'fails to decrypt if iv is incorrect' do
-      subject.encrypted_value_iv = nil
+      subject.encrypted_value_iv = SecureRandom.hex
       subject.instance_variable_set(:@value, nil)
       expect { subject.value }.
         to raise_error(OpenSSL::Cipher::CipherError, 'bad decrypt')
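Review bot: With the cipher pinned to CBC, the `'bad decrypt'` expectation at the end of this example is a padding failure, not an integrity check, and a random IV from `SecureRandom.hex` only perturbs the first plaintext block. If the fixture value (not visible in this hunk) encrypts to more than one block, decryption would return altered text instead of raising. Even for a single block the padding can occasionally validate, so the example may fail intermittently. I would add `# CBC: a wrong IV is detected only through padding; the fixture value must stay within one cipher block.` above the `encrypted_value_iv` assignment. The example's closing `end` is outside the hunk.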