From c85cc667ebfd3c270df37c7575d580ea6462e12f Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Tue, 22 Aug 2023 09:58:43 -0700
Subject: [PATCH] Use a temporary file for storing unencrypted files while
 editing

Origin: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f

When we're editing the contents of encrypted files, we should use the
`Tempfile` class because it creates temporary files with restrictive
permissions.  This prevents other users on the same system from reading
the contents of those files while the user is editing them.

[CVE-2023-38037]
---
 .../lib/active_support/encrypted_file.rb       | 17 ++++++++---------
 activesupport/test/encrypted_file_test.rb      |  8 ++++++++
 railties/lib/rails/secrets.rb                  | 18 ++++++++++--------
 3 files changed, 26 insertions(+), 17 deletions(-)

diff --git a/activesupport/test/encrypted_file_test.rb b/activesupport/test/encrypted_file_test.rb
index 0050685065a9e..49f7437764fe8 100644
--- a/activesupport/test/encrypted_file_test.rb
+++ b/activesupport/test/encrypted_file_test.rb
@@ -49,6 +49,14 @@ class EncryptedFileTest < ActiveSupport::TestCase
     assert_equal "#{@content} and went by the lake", @encrypted_file.read
   end
 
+  test "change sets restricted permissions" do
+    @encrypted_file.write(@content)
+    @encrypted_file.change do |file|
+      assert_predicate file, :owned?
+      assert_equal "100600", file.stat.mode.to_s(8), "Incorrect mode for #{file}"
+    end
+  end
+
   test "raise MissingKeyError when key is missing" do
     assert_raise ActiveSupport::EncryptedFile::MissingKeyError do
       encrypted_file(@content_path, key_path: "", env_key: "").read