search

archivesunleashed / auk

Rails application for the Archives Unleashed Cloud.
https://cloud.archivesunleashed.org/
Other
11 stars 4 forks source link

🚨 [security] [ruby] Update all of rails: 5.2.5 → 5.2.6 (patch) #485

Closed depfu[bot] closed 3 years ago

depfu[bot] commented 3 years ago

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (5.2.5 → 5.2.6) · Repo

Release Notes

5.2.6

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Accept base64_urlsafe CSRF tokens to make forward compatible.

    Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
    them difficult to deal with. For example, the common practice of sending
    the CSRF token to a browser in a client-readable cookie does not work properly
    out of the box: the value has to be url-encoded and decoded to survive transport.

    In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
    safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
    tokens for backwards compatibility.

    How the tokes are encoded is controllr by the action_controller.urlsafe_csrf_tokens
    config.

    In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.

    Atention: If you already upgraded your application to 5.2.5, set the config
    urlsafe_csrf_tokens to true, otherwise your form submission will start to fail
    during the deploy of this new version.

    Rails.application.config.action_controller.urlsafe_csrf_tokens = true

    If you are upgrading from 5.2.4.x, you don't need to change this configuration.

    Scott Blum, Étienne Barrié

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Railties

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ actioncable (indirect, 5.2.5 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ actionmailer (indirect, 5.2.5 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ actionpack (indirect, 5.2.5 → 5.2.6) · Repo · Changelog

Security Advisories 🚨

🚨 Possible Information Disclosure / Unintended Method Execution in Action Pack

There is a possible information disclosure / unintended method execution
vulnerability in Action Pack which has been assigned the CVE identifier
CVE-2021-22885.

Versions Affected: >= 2.0.0.
Not affected: < 2.0.0.
Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

There is a possible information disclosure / unintended method execution
vulnerability in Action Pack when using the redirect_to or polymorphic_url
helper with untrusted user input.

Vulnerable code will look like this:

redirect_to(params[:some_param])

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Workarounds

To work around this problem, it is recommended to use an allow list for valid
parameters passed from the user. For example:

private def check(param)
  case param
  when "valid"
    param
  else
    "/"
  end
end

def index
  redirect_to(check(params[:some_param]))
end

Or force the user input to be cast to a string like this:

def index
  redirect_to(params[:some_param].to_s)
end

🚨 Possible DoS Vulnerability in Action Controller Token Authentication

There is a possible DoS vulnerability in the Token Authentication logic in
Action Controller. This vulnerability has been assigned the CVE identifier
CVE-2021-22904.

Versions Affected: >= 4.0.0
Not affected: < 4.0.0
Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

Impacted code uses authenticate_or_request_with_http_token or
authenticate_with_http_token for request authentication. Impacted code will
look something like this:

class PostsController < ApplicationController
  before_action :authenticate

  private

  def authenticate
    authenticate_or_request_with_http_token do |token, options|
      # ...
    end
  end
end

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

The following monkey patch placed in an initializer can be used to work around
the issue:

module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end
Release Notes

5.2.6 (from changelog)

  • Accept base64_urlsafe CSRF tokens to make forward compatible.

    Base64 strict-encoded CSRF tokens are not inherently websafe, which makes them difficult to deal with. For example, the common practice of sending the CSRF token to a browser in a client-readable cookie does not work properly out of the box: the value has to be url-encoded and decoded to survive transport.

    In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens for backwards compatibility.

    How the tokes are encoded is controllr by the action_controller.urlsafe_csrf_tokens config.

    In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.

    Atention: If you already upgraded your application to 5.2.5, set the config urlsafe_csrf_tokens to true, otherwise your form submission will start to fail during the deploy of this new version.

    Rails.application.config.action_controller.urlsafe_csrf_tokens = true

    If you are upgrading from 5.2.4.x, you don't need to change this configuration.

    Scott Blum, Étienne Barrié

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ actionview (indirect, 5.2.5 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ activejob (indirect, 5.2.5 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ activemodel (indirect, 5.2.5 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ activerecord (indirect, 5.2.5 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ activestorage (indirect, 5.2.5 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ activesupport (indirect, 5.2.5 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ i18n (indirect, 1.8.9 → 1.8.10) · Repo · Changelog

Release Notes

1.8.10

  • Fix string locale will trigger on_fallback hook - #562

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ marcel (indirect, 1.0.0 → 1.0.1) · Repo

Release Notes

1.0.1

  • Fixes identifying OpenDocument files by magic. 1.0.0 imprecisely identified them as application/zip. (#38)
  • Fixes identifying .docx, .pptx, and .xlsx files exported from Google Sheets by magic. (#36)
  • Identifies vCard files as text/vcard rather than text/x-vcard. (27fac74bd69663495410339bfd40ea8581ba669b)
  • Identifies .otf, .woff, and .woff2 files aș font/otf, font/woff, and font/woff2, respectively. (#37)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

↗️ mini_mime (indirect, 1.0.3 → 1.1.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ mini_portile2 (indirect, 2.5.0 → 2.5.1) · Repo · Changelog

Release Notes

2.5.1

2.5.1 / 2021-04-28

Dependencies

This release ends support for ruby < 2.3.0. If you're on 2.2.x or earlier, we strongly suggest that you find the time to upgrade, because official support for Ruby 2.2 ended on 2018-03-31.

Enhancements

  • MiniPortile.execute now takes an optional :env hash, which is merged into the environment variables for the subprocess. Likely this is only useful for specialized use cases. [#99]
  • Experimental support for cmake-based projects extended to Windows. (Thanks, @larskanis!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 33 commits:

↗️ railties (indirect, 5.2.5 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
codecov[bot] commented 3 years ago

Codecov Report

Merging #485 (0968a43) into main (c5cde0f) will not change coverage. The diff coverage is n/a.

:exclamation: Current head 0968a43 differs from pull request most recent head 61c8112. Consider uploading reports for the commit 61c8112 to get more accurate results Impacted file tree graph

@@           Coverage Diff           @@
##             main     #485   +/-   ##
=======================================
  Coverage   88.38%   88.38%           
=======================================
  Files          35       35           
  Lines         637      637           
=======================================
  Hits          563      563           
  Misses         74       74

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update c5cde0f...61c8112. Read the comment docs.