CVE-2019-5x2x

The Code Review Patch challenges are designed to enhance your skills in identifying and understanding security vulnerabilities. These challenges provide you with both the vulnerable code and its corresponding patch. Initially, you are encouraged to find the issue on your own without looking at the patch. If you cannot identify the issue or want to verify your findings, you can then examine the patch (the diff file).

For example, in the CVE-2019-5x2x challenge, we analyze a method called secret_key_base used in Rails applications. This method is critical for selecting the key that signs sessions in Rails, making the strength of this key paramount. The original code uses an MD5 hash of the application's name as the key in test and development environments if no key is set, which is trivial to brute force. The patch introduces a new method, generate_development_secret, that securely generates a secret key, addressing the lack of randomness in the original implementation.