Update dependency rails to '~> 5.2.0' #12

renovate · 2022-09-25T21:41:15Z

This PR contains the following updates:

Package	Update	Change
rails (source, changelog)	minor	`'~> 5.0.0'` -> `'~> 5.2.0'`

Release Notes

rails/rails (rails)

`v5.2.8.1`: 5.2.8.1

Compare Source

Active Support

No changes.

Active Model

No changes.

Active Record

Change ActiveRecord::Coders::YAMLColumn default to safe_load

This adds two new configuration options The configuration options are as
follows:
- config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
the possible escalation vulnerability in place. Setting this option to true
is not recommended, but can aid in upgrading.
- config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be deserialized
by default. This option allows you to specify classes deemed "safe" in your
application. For example, if your application uses Symbol and Time in
serialized data, you can add Symbol and Time to the allowed list as follows:
```
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
```
[CVE-2022-32224]

Action View

No changes.

Action Pack

No changes.

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

No changes.

Railties

No changes.

`v5.2.8`: 5.2.8

Compare Source

Active Support

Fix tag helper regression.

Eileen Uchitelle

Active Model

No changes.

Active Record

No changes.

Action View

No changes.

Action Pack

No changes.

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

No changes.

Railties

No changes.

`v5.2.7.1`: 5.2.7.1

Compare Source

Active Support

Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

Add the method ERB::Util.xml_name_escape to escape dangerous characters
in names of tags and names of attributes, following the specification of XML.

Álvaro Martín Fraguas

Active Model

No changes.

Active Record

No changes.

Action View

Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

Escape dangerous characters in names of tags and names of attributes in the
tag helpers, following the XML specification. Rename the option
:escape_attributes to :escape, to simplify by applying the option to the
whole tag.

Álvaro Martín Fraguas

Action Pack

Allow Content Security Policy DSL to generate for API responses.

Tim Wade

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

No changes.

Railties

No changes.

`v5.2.7`: 5.2.7

Compare Source

Active Support

Restore support to Ruby 2.2.

ojab

Active Model

No changes.

Active Record

No changes.

Action View

No changes.

Action Pack

No changes.

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

Fix ActiveStorage.supported_image_processing_methods and
ActiveStorage.unsupported_image_processing_arguments that were not being applied.

Rafael Mendonça França

Railties

No changes.

`v5.2.6.3`: 5.2.6.3

Compare Source

Active Support

No changes.

Active Model

No changes.

Active Record

No changes.

Action View

No changes.

Action Pack

No changes.

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

Added image transformation validation via configurable allow-list.

Variant now offers a configurable allow-list for
transformation methods in addition to a configurable deny-list for arguments.

[CVE-2022-21831]

Railties

No changes.

`v5.2.6.2`: 5.2.6.2

Compare Source

Active Support

No changes.

Active Model

No changes.

Active Record

No changes.

Action View

No changes.

Action Pack

Fix Reloader method signature to work with the new Executor signature

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

No changes.

Railties

No changes.

`v5.2.6.1`: 5.2.6.1

Compare Source

Active Support

No changes.

Active Model

No changes.

Active Record

No changes.

Action View

No changes.

Action Pack

Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which result in request state not
being fully reset before the next request

[CVE-2022-23633]

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

No changes.

Railties

No changes.

`v5.2.6`: 5.2.6

Compare Source

Active Support

No changes.

Active Model

No changes.

Active Record

No changes.

Action View

No changes.

Action Pack

Accept base64_urlsafe CSRF tokens to make forward compatible.

Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
them difficult to deal with. For example, the common practice of sending
the CSRF token to a browser in a client-readable cookie does not work properly
out of the box: the value has to be url-encoded and decoded to survive transport.

In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
tokens for backwards compatibility.

How the tokes are encoded is controllr by the action_controller.urlsafe_csrf_tokens
config.

In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.

Atention: If you already upgraded your application to 5.2.5, set the config
urlsafe_csrf_tokens to true, otherwise your form submission will start to fail
during the deploy of this new version.
```
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
```
If you are upgrading from 5.2.4.x, you don't need to change this configuration.

Scott Blum, Étienne Barrié

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

No changes.

Railties

No changes.

`v5.2.5`: 5.2.5

Compare Source

Active Support

No changes.

Active Model

No changes.

Active Record

No changes.

Action View

No changes.

Action Pack

No changes.

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed mime types data.

George Claghorn

Railties

No changes.

`v5.2.4.6`: 5.2.4.6

Compare Source

Active Support

No changes.

Active Model

No changes.

Active Record

No changes.

Action View

No changes.

Action Pack

Prevent regex DoS in HTTP token authentication
CVE-2021-22904
Prevent string polymorphic route arguments.

url_for supports building polymorphic URLs via an array
of arguments (usually symbols and records). If a developer passes a
user input array, strings can result in unwanted route helper calls.

CVE-2021-22885

Gannon McGibbon

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

No changes.

Railties

No changes.

`v5.2.4.5`: 5.2.4.5

Compare Source

Active Support

No changes.

Active Model

No changes.

Active Record

Fix possible DoS vector in PostgreSQL money type

Carefully crafted input can cause a DoS via the regular expressions used
for validating the money format in the PostgreSQL adapter. This patch
fixes the regexp.

Thanks to @dee-see from Hackerone for this patch!

[CVE-2021-22880]

Aaron Patterson

Action View

No changes.

Action Pack

No changes.

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

No changes.

Railties

No changes.

`v5.2.4.4`: 5.2.4.4

Compare Source

Active Support

No changes.

Active Model

No changes.

Active Record

No changes.

Action View

[CVE-2020-15169] Fix potential XSS vulnerability in the translate/t helper

Action Pack

No changes.

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

No changes.

Railties

No changes.

`v5.2.4.3`: 5.2.4.3

Compare Source

Active Support

[CVE-2020-8165] Deprecate Marshal.load on raw cache read in RedisCacheStore
[CVE-2020-8165] Avoid Marshal.load on raw cache value in MemCacheStore

Active Model

No changes.

Active Record

No changes.

Action View

[CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs

Action Pack

[CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
[CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

[CVE-2020-8162] Include Content-Length in signature for ActiveStorage direct upload

Railties

No changes.

`v5.2.4.2`: 5.2.4.2

Compare Source

Active Support

No changes.

Active Model

No changes.

Active Record

No changes.

Action View

Fix possible XSS vector in escape_javascript helper

CVE-2020-5267

Aaron Patterson

Action Pack

No changes.

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

No changes.

Railties

No changes.

`v5.2.4.1`: 5.2.4.1

Compare Source

Active Support

No changes.

Active Model

No changes.

Active Record

No changes.

Action View

No changes.

Action Pack

Fix possible information leak / session hijacking vulnerability.

The ActionDispatch::Session::MemcacheStore is still vulnerable given it requires the
gem dalli to be updated as well.

CVE-2019-16782.

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

No changes.

Railties

No changes.

`v5.2.4`: 5.2.4

Compare Source

Active Support

Make ActiveSupport::Logger Fiber-safe. Fixes #36752.

Use Fiber.current.__id__ in ActiveSupport::Logger#local_level= in order
to make log level local to Ruby Fibers in addition to Threads.

Example:

logger = ActiveSupport::Logger.new(STDOUT)
logger.level = 1
p "Main is debug? #{logger.debug?}"

Fiber.new {
  logger.local_level = 0
  p "Thread is debug? #{logger.debug?}"
}.resume

p "Main is debug? #{logger.debug?}"

Before:

Main is debug? false
Thread is debug? true
Main is debug? true

After:

Main is debug? false
Thread is debug? true
Main is debug? false

Alexander Varnin

Active Model

Type cast falsy boolean symbols on boolean attribute as false.

Fixes #35676.

Ryuta Kamizono

Active Record

Fix circular autosave: true causes invalid records to be saved.

Prior to the fix, when there was a circular series of autosave: true
associations, the callback for a has_many association was run while
another instance of the same callback on the same association hadn't
finished running. When control returned to the first instance of the
callback, the instance variable had changed, and subsequent associated
records weren't saved correctly. Specifically, the ID field for the
belongs_to corresponding to the has_many was nil.

Fixes #28080.

Larry Reid
PostgreSQL: Fix GROUP BY with ORDER BY virtual count attribute.

Fixes #36022.

Ryuta Kamizono
Fix sqlite3 collation parsing when using decimal columns.

Martin R. Schuster
Make ActiveRecord ConnectionPool.connections method thread-safe.

Fixes #36465.

Jeff Doering
Assign all attributes before calling build to ensure the child record is visible in
before_add and after_add callbacks for has_many :through associations.

Fixes #33249.

Ryan H. Kerr

Action View

Allow programmatic click events to trigger Rails UJS click handlers.
Programmatic click events (eg. ones generated by Rails.fire(link, "click")) don't specify a button. These events were being incorrectly stopped by code meant to ignore scroll wheel and right clicks introduced in #34573.

Sudara Williams

Action Pack

No changes.

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

No changes.

Railties

Use original bundler environment variables during the process of generating a new rails project.

Marco Costa
Allow loading seeds without ActiveJob.

Fixes #35782

Jeremy Weathers
Only force :async ActiveJob adapter to :inline during seeding.

BatedUrGonnaDie

`v5.2.3`: 5.2.3

Compare Source

Active Support

Add ActiveSupport::HashWithIndifferentAccess#assoc.

assoc can now be called with either a string or a symbol.

Stefan Schüßler
Fix String#safe_constantize throwing a LoadError for incorrectly cased constant references.

Keenan Brock
Allow Range#=== and Range#cover? on Range

Range#cover? can now accept a range argument like Range#include? and
Range#===. Range#=== works correctly on Ruby 2.6. Range#include? is moved
into a new file, with these two methods.

utilum
If the same block is included multiple times for a Concern, an exception is no longer raised.

Mark J. Titorenko, Vlad Bokov

Active Model

Fix date value when casting a multiparameter date hash to not convert
from Gregorian date to Julian date.

Before:

Day.new({"day(1i)"=>"1", "day(2i)"=>"1", "day(3i)"=>"1"})
=> #<Day id: nil, day: "0001-01-03", created_at: nil, updated_at: nil>

After:

Day.new({"day(1i)"=>"1", "day(2i)"=>"1", "day(3i)"=>"1"})
=> #<Day id: nil, day: "0001-01-01", created_at: nil, updated_at: nil>

Fixes #28521.

Sayan Chakraborty

Fix numericality equality validation of BigDecimal and Float
by casting to BigDecimal on both ends of the validation.

Gannon McGibbon

Active Record

Fix different count calculation when using size with manual select with DISTINCT.

Fixes #35214.

Juani Villarejo
Fix prepared statements caching to be enabled even when query caching is enabled.

Ryuta Kamizono
Don't allow where with invalid value matches to nil values.

Fixes #33624.

Ryuta Kamizono
Restore an ability that class level update without giving ids.

Fixes #34743.

Ryuta Kamizono
Fix join table column quoting with SQLite.

Gannon McGibbon
Ensure that delete_all on collection proxy returns affected count.

Ryuta Kamizono
Reset scope after delete on collection association to clear stale offsets of removed records.

Gannon McGibbon

Action View

Prevent non-primary mouse keys from triggering Rails UJS click handlers.
Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.
```
<%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>
```
Fixes #34541

Wolfgang Hobmaier

Action Pack

Allow using combine the Cache Control public and no-cache headers.

Before this change, even if public was specified for Cache Control header,
it was excluded when no-cache was included. This fixed to keep public
header as is.

Fixes #34780.

Yuji Yaginuma
Allow nil params for ActionController::TestCase.

Ryo Nakamura

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

No changes.

Railties

Seed database with inline ActiveJob job adapter.

Gannon McGibbon
Fix boolean interaction in scaffold system tests.

Gannon McGibbon

`v5.2.2.1`

Compare Source

`v5.2.2`: 5.2.2

Compare Source

Active Support

Fix bug where #to_options for ActiveSupport::HashWithIndifferentAccess
would not act as alias for #symbolize_keys.

Nick Weiland
Improve the logic that detects non-autoloaded constants.

Jan Habermann, Xavier Noria

Fix bug where URI.unescape would fail with mixed Unicode/escaped character input:

URI.unescape("\xe3\x83\x90")  # => "バ"
URI.unescape("%E3%83%90")  # => "バ"
URI.unescape("\xe3\x83\x90%E3%83%90")  # => Encoding::CompatibilityError

Ashe Connor, Aaron Patterson

Active Model

Fix numericality validator to still use value before type cast except Active Record.

Fixes #33651, #33686.

Ryuta Kamizono

Active Record

Do not ignore the scoping with query methods in the scope block.

Ryuta Kamizono
Allow aliased attributes to be used in #update_columns and #update.

Gannon McGibbon
Allow spaces in postgres table names.

Fixes issue where "user post" is misinterpreted as ""user"."post"" when quoting table names with the postgres
adapter.

Gannon McGibbon

Cached columns_hash fields should be excluded from ResultSet#column_types

PR #34528 addresses the inconsistent behaviour when attribute is defined for an ignored column. The following test
was passing for SQLite and MySQL, but failed for PostgreSQL:

class DeveloperName < ActiveRecord::Type::String
  def deserialize(value)
    "Developer: #{value}"
  end
end

class AttributedDeveloper < ActiveRecord::Base
  self.table_name = "developers"

  attribute :name, DeveloperName.new

  self.ignored_columns += ["name"]
end

developer = AttributedDeveloper.create
developer.update_column :name, "name"

loaded_developer = AttributedDeveloper.where(id: developer.id).select("*").first
puts loaded_developer.name # should be "Developer: name" but it's just "name"

Dmitry Tsepelev

Values of enum are frozen, raising an error when attempting to modify them.

Emmanuel Byrd
update_columns now correctly raises ActiveModel::MissingAttributeError
if the attribute does not exist.

Sean Griffin
Do not use prepared statement in queries that have a large number of binds.

Ryuta Kamizono
Fix query cache to load before first request.

Eileen M. Uchitelle
Fix collection cache key with limit and custom select to avoid ambiguous timestamp column error.

Fixes #33056.

Federico Martinez
Fix duplicated record creation when using nested attributes with create_with.

Darwin Wu
Fix regression setting children record in parent before_save callback.

Guo Xiang Tan
Prevent leaking of user's DB credentials on rails db:create failure.

bogdanvlviv
Clear mutation tracker before continuing the around callbacks.

Yuya Tanaka
Prevent deadlocks when waiting for connection from pool.

Brent Wheeldon
Avoid extra scoping when using Relation#update that was causing this method to change the current scope.

Ryuta Kamizono
Fix numericality validator not to be affected by custom getter.

Ryuta Kamizono
Fix bulk change table ignores comment option on PostgreSQL.

Yoshiyuki Kinjo

Action View

No changes.

Action Pack

Reset Capybara sessions if failed system test screenshot raising an exception.

Reset Capybara sessions if take_failed_screenshot raise exception
in system test after_teardown.

Maxim Perepelitsa
Use request object for context if there's no controller

There is no controller instance when using a redirect route or a
mounted rack application so pass the request object as the context
when resolving dynamic CSP sources in this scenario.

Fixes #34200.

Andrew White
Apply mapping to symbols returned from dynamic CSP sources

Previously if a dynamic source returned a symbol such as :self it
would be converted to a string implicity, e.g:
```
policy.default_src -> { :self }
```
would generate the header:
```
Content-Security-Policy: default-src self
```
and now it generates:
```
Content-Security-Policy: default-src 'self'
```
Andrew White
Fix rails routes -c for controller name consists of multiple word.

Yoshiyuki Kinjo
Call the #redirect_to block in controller context.

Steven Peckins

Active Job

Make sure assert_enqueued_with() & assert_performed_with() work reliably with hash arguments.

Sharang Dashputre
Restore ActionController::Parameters support to ActiveJob::Arguments.serialize.

Bernie Chiu
Restore HashWithIndifferentAccess support to ActiveJob::Arguments.deserialize.

Gannon McGibbon
Include deserialized arguments in job instances returned from
assert_enqueued_with and assert_performed_with

Alan Wu
Increment execution count before deserialize arguments.

Currently, the execution count increments after deserializes arguments.
Therefore, if an error occurs with deserialize, it retries indefinitely.

Yuji Yaginuma

Action Mailer

No changes.

Action Cable

No changes.

Active Storage

Support multiple submit buttons in Active Storage forms.

Chrıs Seelus
Fix ArgumentError when uploading to amazon s3

Hiroki Sanpei
Add a foreign-key constraint to the active_storage_attachments table for blobs.

George Claghorn
Discard ActiveStorage::PurgeJobs for missing blobs.

George Claghorn
Fix uploading Tempfiles to Azure Storage.

George Claghorn

Railties

Disable content security policy for mailer previews.

Dylan Reile
Log the remote IP address of clients behind a proxy.

Atul Bhosale

Active Support

No changes.

Active Model

No changes.

Active Record

Fix touch option to behave consistently with Persistence#touch method.

Ryuta Kamizono
Back port Rails 5.2 reverse_order Arel SQL literal fix.

Matt Jones, Brooke Kuhlmann
becomes should clear the mutation tracker which is created in after_initialize.

Fixes #32867.

Ryuta Kamizono

Action View

Fix issue with button_to's to_form_params

button_to was throwing exception when invoked with params hash that
contains symbol and string keys. The reason for the exception was that
to_form_params was comparing the given symbol and string keys.

The issue is fixed by turning all keys to strings inside
to_form_params before comparing them.

Georgi Georgiev