diff --git a/.ruby-version b/.ruby-version
index 9c25013dbb..47b322c971 100644
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-3.3.6
+3.4.1
diff --git a/Dockerfile.production b/Dockerfile.production
index 2d43946541..aba449ea63 100644
--- a/Dockerfile.production
+++ b/Dockerfile.production
@@ -1,7 +1,7 @@
 # syntax = docker/dockerfile:1
 # Make sure RUBY_VERSION matches the Ruby version in .ruby-version and Gemfile
-ARG RUBY_VERSION=3.3.6
+ARG RUBY_VERSION=3.4.1
 FROM registry.docker.com/library/ruby:$RUBY_VERSION-slim as base
 # Rails app lives here
diff --git a/Gemfile.lock b/Gemfile.lock
index 687994b6e8..6df0fe0ea7 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -151,7 +151,8 @@ GEM bindex (0.8.1) bootsnap (1.18.3) msgpack (~> 1.2) - brakeman (6.0.1) + brakeman (7.0.0) + racc builder (3.3.0) bullet (7.2.0) activesupport (>= 3.0.0)
@@ -177,45 +178,35 @@ GEM rexml crass (1.0.6) csv (3.2.8) - cucumber (7.0.0) - builder (~> 3.2, >= 3.2.4) - cucumber-core (~> 10.0, >= 10.0.1) - cucumber-create-meta (~> 6.0, >= 6.0.1) - cucumber-cucumber-expressions (~> 12.1, >= 12.1.1) - cucumber-gherkin (~> 20.0, >= 20.0.1) - cucumber-html-formatter (~> 16.0, >= 16.0.1) - cucumber-messages (~> 17.0, >= 17.0.1) - cucumber-wire (~> 6.0, >= 6.0.1) - diff-lcs (~> 1.4, >= 1.4.4) - mime-types (~> 3.3, >= 3.3.1) - multi_test (~> 0.1, >= 0.1.2) - sys-uname (~> 1.2, >= 1.2.2) - cucumber-core (10.0.1) - cucumber-gherkin (~> 20.0, >= 20.0.1) - cucumber-messages (~> 17.0, >= 17.0.1) - cucumber-tag-expressions (~> 3.0, >= 3.0.1) - cucumber-create-meta (6.0.1) - cucumber-messages (~> 17.0, >= 17.0.1) - sys-uname (~> 1.2, >= 1.2.2) - cucumber-cucumber-expressions (12.1.3) - cucumber-gherkin (20.0.1) - cucumber-messages (~> 17.0, >= 17.0.1) - cucumber-html-formatter (16.0.1) - cucumber-messages (~> 17.0, >= 17.0.1) - cucumber-messages (17.1.1) - cucumber-rails (2.6.1) - capybara (>= 2.18, < 4) - cucumber (>= 3.2, < 9) - mime-types (~> 3.3) - nokogiri (~> 1.10) - railties (>= 5.0, < 8) - rexml (~> 3.0) - webrick (~> 1.7) - cucumber-tag-expressions (3.0.1) - cucumber-wire (6.1.1) - cucumber-core (~> 10.0, >= 10.0.1) - cucumber-cucumber-expressions (~> 12.1, >= 12.1.2) - cucumber-messages (~> 17.0, >= 17.0.1) + cucumber (9.2.1) + builder (~> 3.2) + cucumber-ci-environment (> 9, < 11) + cucumber-core (> 13, < 14) + cucumber-cucumber-expressions (~> 17.0) + cucumber-gherkin (> 24, < 28) + cucumber-html-formatter (> 20.3, < 22) + cucumber-messages (> 19, < 25) + diff-lcs (~> 1.5) + mini_mime (~> 1.1) + multi_test (~> 1.1) + sys-uname (~> 1.2) + cucumber-ci-environment (10.0.1) + cucumber-core (13.0.3) + cucumber-gherkin (>= 27, < 28) + cucumber-messages (>= 20, < 23) + cucumber-tag-expressions (> 5, < 7) + cucumber-cucumber-expressions (17.1.0) + bigdecimal + cucumber-gherkin (27.0.0) + cucumber-messages (>= 19.1.4, < 23) + 
cucumber-html-formatter (21.7.0) + cucumber-messages (> 19, < 27) + cucumber-messages (22.0.0) + cucumber-rails (3.1.0) + capybara (>= 3.11, < 4) + cucumber (>= 5, < 10) + railties (>= 5.2, < 9) + cucumber-tag-expressions (6.1.1) daemons (1.4.1) dartsass-rails (0.4.1) railties (>= 6.0.0)
@@ -270,7 +261,10 @@ GEM faraday-net_http (>= 2.0, < 3.2) faraday-net_http (3.1.0) net-http - ffi (1.16.3) + ffi (1.17.1) + ffi (1.17.1-arm64-darwin) + ffi (1.17.1-x86_64-darwin) + ffi (1.17.1-x86_64-linux-gnu) foreman (0.87.2) formatador (1.1.0) fugit (1.11.1)
@@ -287,7 +281,7 @@ GEM activemodel (>= 6.1) activesupport (>= 6.1) html-attributes-utils (~> 1) - grover (1.2.1) + grover (1.2.2) nokogiri (~> 1) guard (2.18.1) formatador (>= 0.2.4)
@@ -380,15 +374,12 @@ GEM marcel (1.0.4) matrix (0.4.2) method_source (1.1.0) - mime-types (3.3.1) - mime-types-data (~> 3.2015) - mime-types-data (3.2021.0901) mini_magick (4.11.0) mini_mime (1.1.5) mini_portile2 (2.8.8) minitest (5.25.4) msgpack (1.7.2) - multi_test (0.1.2) + multi_test (1.1.0) nenv (0.3.0) net-http (0.4.1) uri
@@ -402,14 +393,14 @@ GEM net-smtp (0.4.0.1) net-protocol nio4r (2.7.3) - nokogiri (1.17.1) + nokogiri (1.18.1) mini_portile2 (~> 2.8.2) racc (~> 1.4) - nokogiri (1.17.1-arm64-darwin) + nokogiri (1.18.1-arm64-darwin) racc (~> 1.4) - nokogiri (1.17.1-x86_64-darwin) + nokogiri (1.18.1-x86_64-darwin) racc (~> 1.4) - nokogiri (1.17.1-x86_64-linux) + nokogiri (1.18.1-x86_64-linux-gnu) racc (~> 1.4) notiffany (0.1.3) nenv (~> 0.1)
@@ -616,7 +607,7 @@ GEM strong_migrations (1.8.0) activerecord (>= 5.2) strong_password (0.0.10) - sys-uname (1.2.2) + sys-uname (1.3.1) ffi (~> 1.1) terminal-table (3.0.2) unicode-display_width (>= 1.1.1, < 3)
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
index d9f8694e27..47f3d336aa 100644
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@@ -90,8 +90,30 @@
 79
 ],
 "note": ""
+ },
+ {
+ "warning_type": "Remote Code Execution",
+ "warning_code": 25,
+ "fingerprint": "dd51f8ca8b70d1d6b01e9a8e0dc0983c1c3f6a24bb5d6fe418020b086723e60a",
+ "check_name": "Deserialize",
+ "message": "Use of `Marshal.load` may be dangerous",
+ "file": "app/controllers/concerns/active_storage/set_disk_blob.rb",
+ "line": 27,
+ "link": "https://brakemanscanner.org/docs/warning_types/unsafe_deserialization",
+ "code": "Marshal.load(Base64.decode64(json_parsed_hash))",
+ "render_path": null,
+ "location": {
+ "type": "method",
+ "class": "ActiveStorage::SetDiskBlob",
+ "method": "decrypted_hash"
+ },
+ "user_input": null,
+ "confidence": "Weak",
+ "cwe_id": [
+ 502
+ ],
+ "note": ""
 }
 ],
- "updated": "2024-11-04 13:55:52 +0000",
- "brakeman_version": "6.0.1"
+ "brakeman_version": "7.0.0"
 }
diff --git a/docker/ruby/Dockerfile b/docker/ruby/Dockerfile
index a569b6514a..4d0f37eefb 100644
--- a/docker/ruby/Dockerfile
+++ b/docker/ruby/Dockerfile
@@ -1,4 +1,4 @@
-ARG RUBY_VERSION=3.3.6
+ARG RUBY_VERSION=3.4.1
 FROM ruby:$RUBY_VERSION-bullseye
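Review bot: The new ignore entry for the `Marshal.load` warning in `ActiveStorage::SetDiskBlob#decrypted_hash` (`app/controllers/concerns/active_storage/set_disk_blob.rb`, line 27) is added with `"note": ""`, so a CWE-502 / Remote Code Execution finding is being suppressed without any recorded justification. The method name suggests the Base64 payload is decrypted before it reaches `Marshal.load`, but this diff does not show whether that decryption is authenticated, i.e. whether a tampered payload is rejected before deserialization, and `"confidence": "Weak"` by itself is not a reason to ignore the finding. The `note` field exists for exactly this, so fill it in with the guarantee the code relies on, for example `"note": "Input is decrypted and verified by <DECRYPTOR — fill in from set_disk_blob.rb> before Marshal.load; unauthenticated data never reaches this call"`. If that guarantee cannot be stated, the deserialization should be replaced with a safe format rather than ignored. The warning most likely surfaced with the brakeman 6.0.1 → 7.0.0 bump in the same commit rather than with new application code, which is worth noting in the commit description.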