
🚨 [security] Update railties 7.0.7.2 → 7.0.8.1 (patch) #55

Merged
merged 1 commit into from
Feb 25, 2024

Conversation

depfu[bot]

@depfu depfu bot commented Feb 25, 2024


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ railties (7.0.7.2 → 7.0.8.1) · Repo · Changelog

Release Notes

7.0.8.1 (from changelog)

  • No changes.

7.0.8 (from changelog)

  • Omit webdrivers gem dependency from Gemfile template

    Sean Doyle

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ actionpack (7.0.7.2 → 7.0.8.1) · Repo · Changelog

Security Advisories 🚨

🚨 Possible XSS Vulnerability in Action Controller

There is a possible XSS vulnerability when using the translation helpers
(translate, t, etc) in Action Controller. This vulnerability has been
assigned the CVE identifier CVE-2024-26143.

Versions Affected: All.
Not affected: None
Fixed Versions: 7.1.3.1, 7.0.8.1

Impact

Applications using translation methods like translate, or t on a
controller, with a key ending in “_html”, a :default key which contains
untrusted user input, and the resulting string is used in a view, may be
susceptible to an XSS vulnerability.

For example, impacted code will look something like this:

class ArticlesController < ApplicationController
  def show
    @message = t("message_html", default: untrusted_input)
    # The `show` template displays the contents of `@message`
  end
end

To reiterate the pre-conditions, applications must:

  • Use a translation function from a controller (i.e. not I18n.t, or
    t from a view)
  • Use a key that ends in _html
  • Use a default value where the default value is untrusted and unescaped input
  • Send the text to the victim (whether that’s part of a template, or a
    render call)

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

🚨 Possible Sensitive Session Information Leak in Active Storage

There is a possible sensitive session information leak in Active Storage.
By default, Active Storage sends a Set-Cookie header along with the user’s
session cookie when serving blobs. It also sets Cache-Control to public.
Certain proxies may cache the Set-Cookie, leading to an information leak.

This vulnerability has been assigned the CVE identifier CVE-2024-26144.

Versions Affected: >= 5.2.0, < 7.1.0
Not affected: < 5.2.0, >= 7.1.0
Fixed Versions: 7.0.8.1, 6.1.7.7

Impact

A proxy which chooses to cache this request can cause users to share
sessions. This may include a user receiving an attacker’s session or vice
versa.

This was patched in 7.1.0 but not previously identified as a security
vulnerability.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
Set-Cookie headers.

Release Notes

7.0.8.1 (from changelog)

  • Fix possible XSS vulnerability with the translate method in controllers

    CVE-2024-26143

7.0.8 (from changelog)

  • Fix HostAuthorization potentially displaying the value of the X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.

    Hartley McGuire, Daniel Schlosser

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ actionview (7.0.7.2 → 7.0.8.1) · Repo · Changelog

Release Notes

7.0.8.1 (from changelog)

  • No changes.

7.0.8 (from changelog)

  • Fix form_for missing the hidden _method input for models with a namespaced route.

    Hartley McGuire

  • Fix render collection: @records, cache: true inside jbuilder templates

    The previous fix that shipped in 7.0.7 assumed template fragments are always strings; this isn't true with jbuilder.

    Jean Boussier

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ activemodel (7.0.7.2 → 7.0.8.1) · Repo · Changelog

Release Notes

7.0.8.1 (from changelog)

  • No changes.

7.0.8 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ activerecord (7.0.7.2 → 7.0.8.1) · Repo · Changelog

Release Notes

7.0.8.1 (from changelog)

  • No changes.

7.0.8 (from changelog)

  • Fix change_column not setting precision: 6 on datetime columns when using 7.0+ Migrations and SQLite.

    Hartley McGuire

  • Fix unscope is not working in specific case

    Before:

    Post.where(id: 1...3).unscope(where: :id).to_sql # "SELECT `posts`.* FROM `posts` WHERE `posts`.`id` >= 1 AND `posts`.`id` < 3"

    After:

    Post.where(id: 1...3).unscope(where: :id).to_sql # "SELECT `posts`.* FROM `posts`"

    Fixes #48094.

    Kazuya Hatanaka

  • Fix associations to a STI model including a class_name parameter

    class Product < ApplicationRecord
      has_many :requests, as: :requestable, class_name: "ProductRequest", dependent: :destroy
    end

    # STI tables
    class Request < ApplicationRecord
      belongs_to :requestable, polymorphic: true

      validates :request_type, presence: true
    end

    class ProductRequest < Request
      belongs_to :user
    end

    Accessing such an association would lead to:

    table_metadata.rb:22:in `has_column?': undefined method `key?' for nil:NilClass (NoMethodError)

    Romain Filinto

  • Fix change_table setting datetime precision for 6.1 Migrations

    Hartley McGuire

  • Fix change_column setting datetime precision for 6.1 Migrations

    Hartley McGuire

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ activesupport (7.0.7.2 → 7.0.8.1) · Repo · Changelog

Release Notes

7.0.8.1 (from changelog)

  • No changes.

7.0.8 (from changelog)

  • Fix TimeWithZone still using deprecated #to_s when ENV or config to disable it are set.

    Hartley McGuire

  • Fix CacheStore#write_multi when using a distributed Redis cache with a connection pool.

    Fixes #48938.

    Jonathan del Strother

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.2.2 → 1.2.3) · Repo · Changelog

Release Notes

1.2.3

What's Changed

New Contributors

Full Changelog: v1.2.2...v1.2.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ loofah (indirect, 2.21.3 → 2.22.0) · Repo · Changelog

Release Notes

2.22.0

2.22.0 / 2023-11-13

Added

  • A :targetblank HTML scrubber which ensures all hyperlinks have target="_blank". [#275] @stefannibrasil and @thdaraujo
  • A :noreferrer HTML scrubber which ensures all hyperlinks have rel=noreferrer, similar to the :nofollow and :noopener scrubbers. [#277] @wynksaiddestroy

2.21.4

2.21.4 / 2023-10-10

Fixed

  • Loofah::HTML5::Scrub.scrub_css is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, .scrub_css no longer inserts whitespace between tokens that did not already have whitespace between them. [#273, fixes #271]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.19.0 → 5.22.2) · Repo · Changelog

Release Notes

5.22.2 (from changelog)

  • 1 bug fix:

    • Third time’s a charm? Remember: ‘ensure’ is almost always the wrong way to go (for results… it’s great for cleaning up).

5.22.1 (from changelog)

  • 1 bug fix:

    • Don’t exit non-zero if no tests ran and no filter (aka, the test file is empty). (I’m starting to think the exit 1 thing for @tenderlove was a mistake…)

5.22.0 (from changelog)

  • 1 minor enhancement:

    • Added “did you mean” output if your --name filter matches nothing. (tenderlove)

  • 2 bug fixes:

    • Big cleanup of test filtering. Much prettier / more functional.

    • Fix situation where Assertion#location can’t find the location. (pftg)

5.21.2 (from changelog)

  • 1 bug fix:

    • Fixed bug in Minitest::Compress#compress formatting w/ nested patterns. Now recurses properly.

5.21.1 (from changelog)

  • 1 bug fix:

    • Rails’ default backtrace filter can’t currently work with caller_locations, so reverting back to caller.

5.21.0 (from changelog)

  • 10 minor enhancements:

    • Add include_all kw arg to assert_respond_to and refute_respond_to.

    • Added --quiet flag to skip ProgressReporter (prints the dots). Minor speedup.

    • Added Minitest::Compress#compress and added it to UnexpectedError.

    • Added ability to initialize BacktraceFilter w/ custom regexp.

    • Filter failure backtraces using backtrace_filter before calculating location. (thomasmarshall)

    • Make BacktraceFilter#filter compatible with locations (still compares strings).

    • Optimized Assertion#location ~30%.

    • Output relative paths for all failures/errors/backtraces.

    • Refactored location information in assertions, now using locations.

    • Removed thread and mutex_m dependencies. (hsbt, eregon)

  • 2 bug fixes:

    • Drop undocumented bt arg in #skip. Dunno why that ever happened, prolly for testing?

    • Fix mock to work with ruby debugger enabled. (keithlayne)

5.20.0 (from changelog)

  • 1 minor enhancement:

    • Optionally allow autorun exit hook to remain active in forked child. (casperisfine)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rake (indirect, 13.0.6 → 13.1.0) · Repo · Changelog

Release Notes

13.1.0

What's Changed

New Contributors

Full Changelog: v13.0.6...v13.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ thor (indirect, 1.2.2 → 1.3.0) · Repo · Changelog

Release Notes

1.3.0

What's Changed

  • use the correct class for shared namespaces by @Gerst20051 in #754
  • Allow to Override Order of Commands in Help by @alessio-signorini in #642
  • Add support for providing http headers to get by @dnlgrv in #801
  • Don't document negative boolean option named no_* by @BrentWheeldon in #797
  • CreateFile#identical? fixed for files containing multi-byte UTF-8 codepoints by @tomclose in #786
  • Drop support to Ruby 2.6 by @rafaelfranca in #821
  • Fix dashless option usage info by @sambostock in #800
  • Support Range in enum option by @phene in #775
  • Check if type: array values are in enum by @movermeyer in #784
  • Fix inject into file warning by @nicolas-brousse in #709
  • Support Thor::CoreExt::HashWithIndifferentAccess#slice method by @shuuuuun in #812
  • 🌧️ long_desc: new option to disable wrapping by @igneus in #739
  • Print default in help when option type is :boolean and default is false by @nevesenin in #849
  • Silence encoding warnings in specs by @p8 in #857
  • Validate arguments for method_option and class_option by @p8 in #856
  • Fix help for file_collision method without block by @shuuuuun in #858
  • Extract print methods to separate classes by @p8 in #854
  • Add support for printing tables with borders by @p8 in #855
  • Fix printing tables with borders and indentation by @p8 in #861

New Contributors

Full Changelog: v1.2.2...v1.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zeitwerk (indirect, 2.6.11 → 2.6.13) · Repo · Changelog

Release Notes

2.6.13 (from changelog)

  • There is a new experimental null inflector that simply returns its input unchanged:

    loader.inflector = Zeitwerk::NullInflector.new

    Projects using this inflector are expected to define their constants in files and directories with names exactly matching them:

    User.rb       -> User
    HTMLParser.rb -> HTMLParser
    Admin/Role.rb -> Admin::Role
    

    Please see its documentation for further details.

  • Documentation improvements.

2.6.12 (from changelog)

  • Maintenance release with some internal polishing.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@depfu rebase: Rebases against your default branch and redoes this update
@depfu recreate: Recreates this PR, overwriting any edits that you've made to it
@depfu merge: Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge: Cancels automatic merging of this PR
@depfu close: Closes this PR and deletes the branch
@depfu reopen: Restores the branch and reopens this PR (if it's closed)
@depfu pause: Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)
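The CVE-2024-26143 pre-conditions from the advisory above, reduced to plain Ruby as an added illustration that is not Rails code: a translate helper that marks any key ending in _html as safe markup, beside a hardened variant that escapes a string default before it can inherit that trust. SafeString, TRANSLATIONS, UNTRUSTED_INPUT and the helper names are constructed stand-ins for ActiveSupport::SafeBuffer, the locale files, request input and the controller translate method.

```ruby
require "erb"

# Constructed stand-in for ActiveSupport::SafeBuffer: a string a view emits
# without escaping because it claims to be safe markup already.
class SafeString < String
  def html_safe?
    true
  end
end

# Constructed locale table standing in for config/locales/*.yml.
TRANSLATIONS = { "greeting_html" => "<b>Welcome</b>" }.freeze

# What a view does with a value: trust strings flagged html_safe?, escape the rest.
def render_in_view(value)
  safe = value.respond_to?(:html_safe?) && value.html_safe?
  safe ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Vulnerable shape: a key ending in "_html" flags the whole result as safe markup,
# so an untrusted :default standing in for a missing key reaches the page verbatim.
def translate_vulnerable(key, default: nil)
  text = TRANSLATIONS.fetch(key) { default }.to_s
  key.end_with?("_html") ? SafeString.new(text) : text
end

# Hardened shape: only an _html key lends the result markup trust, so only there
# is a string default escaped first. Translations themselves stay markup, since
# they come from the locale files rather than the request.
def translate_hardened(key, default: nil)
  html_key = key.end_with?("_html")
  default = ERB::Util.html_escape(default) if html_key && default.is_a?(String)
  text = TRANSLATIONS.fetch(key) { default }.to_s
  html_key ? SafeString.new(text) : text
end

UNTRUSTED_INPUT = "<i>injected</i>" # constructed request-controlled value

# "message_html" has no translation, so the default is what the view receives.
def demo
  {
    vulnerable: render_in_view(translate_vulnerable("message_html", default: UNTRUSTED_INPUT)),
    hardened:   render_in_view(translate_hardened("message_html", default: UNTRUSTED_INPUT)),
    translated: render_in_view(translate_hardened("greeting_html", default: UNTRUSTED_INPUT))
  }
end
```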

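For the CVE-2024-26144 advisory above, an added example that is not Rails or Active Storage code: an application-side guard in the spirit of the stated workaround, a Rack-style middleware that makes a response private whenever it is marked publicly cacheable but also carries Set-Cookie, since that combination is what a shared cache can replay to another user. NoPublicCacheWithCookies and BLOB_APP are constructed names; header lookup is case-insensitive to cover both Rack 2 and Rack 3 header casing.

```ruby
# Constructed Rack-style middleware: downgrade "public" to "private" on any
# response that also sets a cookie, leaving other directives (e.g. max-age) intact.
class NoPublicCacheWithCookies
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    cookie_key = header_key(headers, "set-cookie")
    cache_key  = header_key(headers, "cache-control")
    if cookie_key && cache_key && public_directive?(headers[cache_key])
      headers[cache_key] = downgrade(headers[cache_key])
    end
    [status, headers, body]
  end

  private

  def header_key(headers, name)
    headers.keys.find { |k| k.casecmp?(name) }
  end

  def directives(value)
    value.to_s.split(",").map(&:strip).reject(&:empty?)
  end

  def public_directive?(value)
    directives(value).any? { |d| d.casecmp?("public") }
  end

  def downgrade(value)
    (directives(value).reject { |d| d.casecmp?("public") } + ["private"]).join(", ")
  end
end

# Constructed downstream app standing in for a blob-serving endpoint that sets
# Cache-Control: public while the session layer also emits Set-Cookie.
BLOB_APP = lambda do |_env|
  [200,
   { "Content-Type" => "application/octet-stream",
     "Cache-Control" => "max-age=3155695200, public",
     "Set-Cookie" => "_app_session=CONSTRUCTED; path=/; HttpOnly" },
   ["blob bytes"]]
end

def wrapped_blob_headers
  _status, headers, _body = NoPublicCacheWithCookies.new(BLOB_APP).call({})
  headers
end
```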
@depfu depfu bot added the depfu label Feb 25, 2024
@depfu depfu bot merged commit 05e2f85 into main Feb 25, 2024
2 checks passed
@depfu depfu bot deleted the depfu/update/group/rails-7.0.8.1 branch February 25, 2024 00:57