artsy / watt

Watt is a shared js/css/img asset library for Artsy Rails apps.
https://github.com/artsy/watt
MIT License

[Security] Bump rails from 4.2.7 to 6.0.1 #308

Closed dependabot-preview[bot] closed 4 years ago

dependabot-preview[bot] commented 4 years ago

Bumps rails from 4.2.7 to 6.0.1. This update includes security fixes.

Vulnerabilities fixed

*Sourced from The GitHub Security Advisory Database.*

> **Critical severity vulnerability that affects actionview**
>
> # Denial of Service Vulnerability in Action View
>
> Impact
> ------
> Specially crafted accept headers can cause the Action View template location
> code to consume 100% CPU, leaving the server unable to process requests. This
> impacts all Rails applications that render views.
>
> All users running an affected release should either upgrade or use one of the
> workarounds immediately.
>
> Releases
> --------
> The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are
> available at the normal locations.
>
> Workarounds
> -----------
> This vulnerability can be mitigated by wrapping `render` calls with
> `respond_to` blocks. For example, the following example is vulnerable:
> ... (truncated)
>
> Affected versions: >= 4.0.0, <= 4.2.11

*Sourced from The GitHub Security Advisory Database.*

> **High severity vulnerability that affects actionview**
>
> # File Content Disclosure in Action View
>
> Impact
> ------
> There is a possible file content disclosure vulnerability in Action View.
> Specially crafted accept headers in combination with calls to `render file:`
> can cause arbitrary files on the target server to be rendered, disclosing the
> file contents.
>
> The impact is limited to calls to `render` which render file contents without
> a specified accept format. Impacted code in a controller looks something like
> this:
>
> ```
> class UserController < ApplicationController
>   def index
>     render file: "#{Rails.root}/some/file"
>   end
> end
> ```
> ... (truncated)
>
> Affected versions: >= 4.0.0, <= 4.2.11

*Sourced from The Ruby Advisory Database.*

> **Broken Access Control vulnerability in Active Job**
>
> There is a vulnerability in Active Job. This vulnerability has been assigned the CVE identifier CVE-2018-16476.
>
> Impact
> ------
> Carefully crafted user input can cause Active Job to deserialize it using GlobalId and allow an attacker to have access to information that they should not have.
>
> Vulnerable code will look something like this:
>
> ```
> MyJob.perform_later(user_input)
> ```
>
> All users running an affected release should either upgrade or use one of the workarounds immediately.
>
> Patched versions: >= 4.2.11, < 5.0.0; >= 5.0.7.1, < 5.1.0; >= 5.1.6.1, < 5.2.0; >= 5.2.1.1
> Unaffected versions: < 4.2.0
Release notes

*Sourced from [rails's releases](https://github.com/rails/rails/releases).*

> ## 6.0.1
>
> ## Active Support
>
> * `ActiveSupport::SafeBuffer` supports `Enumerator` methods.
>
>   *Shugo Maeda*
>
> * The Redis cache store fails gracefully when the server returns a "max number of clients reached" error.
>
>   *Brandon Medenwald*
>
> * Fixed that mutating a value returned by a memory cache store would unexpectedly change the cached value.
>
>   *Jonathan Hyman*
>
> * The default inflectors in `zeitwerk` mode support overrides:
>
>   ```ruby
>   # config/initializers/zeitwerk.rb
>   Rails.autoloaders.each do |autoloader|
>     autoloader.inflector.inflect(
>       "html_parser" => "HTMLParser",
>       "ssl_error"   => "SSLError"
>     )
>   end
>   ```
>
>   That way, you can tweak how individual basenames are inflected without touching Active Support inflection rules, which are global. These inflectors fall back to `String#camelize`, so existing inflection rules are still taken into account for non-overridden basenames.
>
>   Please check the [autoloading guide for `zeitwerk` mode](https://guides.rubyonrails.org/v6.0/autoloading_and_reloading_constants.html#customizing-inflections) if you prefer not to depend on `String#camelize` at all.
>
>   *Xavier Noria*
>
> * Improve `Range#===`, `Range#include?`, and `Range#cover?` to work with beginless (startless) and endless range targets.
>
>   *Allen Hsu*, *Andrew Hodgkinson*
>
> * Don't use `Process#clock_gettime(CLOCK_PROCESS_CPUTIME_ID)` on Solaris
>
>   *Iain Beeston*
>
> ## Active Model
>
> * No changes.
>
> ## Active Record
>
> ... (truncated)
Commits

- [`09a2979`](https://github.com/rails/rails/commit/09a2979f75c51afb797dd60261a8930f84144af8) v6.0.1
- [`1f6f2da`](https://github.com/rails/rails/commit/1f6f2daa26278aa0b28d4033775c9450052b1168) i18n.md: Remove Rails versions from Traco link
- [`e83cef4`](https://github.com/rails/rails/commit/e83cef4f83450c9dba3077eeb46fa699588f3d3d) Fix multi-threaded issue for `AcceptanceValidator`
- [`5081817`](https://github.com/rails/rails/commit/508181782ac7f27ffd0af94dd5c409f681b83763) Correct changelog entry [ci skip]
- [`27cf712`](https://github.com/rails/rails/commit/27cf7125b5d036987522103fc02ebe50beddff80) Remove whitespace in environments/test.rb
- [`7982363`](https://github.com/rails/rails/commit/7982363efabc03e4624cd35aa86e2d284dcd35f7) v6.0.1.rc1
- [`81c52b1`](https://github.com/rails/rails/commit/81c52b1338fe46d2985cec05c2510d544eac7e42) Edit AS core extension docs [ci skip]
- [`927da2f`](https://github.com/rails/rails/commit/927da2fd447f7f66fdbc681b5374c057264b2d3e) Clarify that CORS configuration isn't needed for the Disk service [ci skip]
- [`e58c25e`](https://github.com/rails/rails/commit/e58c25e20d545c62a5929f0aa06dbf51cfb7893c) Correct "Unknown action" screenshot in Getting Started guide
- [`9a4ff4d`](https://github.com/rails/rails/commit/9a4ff4d66bbff2c8aaa01ca5b2d7ea13e08f71ff) Add `supports_common_table_expressions?` for CTE testing
- Additional commits viewable in [compare view](https://github.com/rails/rails/compare/v4.2.7...v6.0.1)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
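The Action View advisories quoted above both hinge on the request's Accept header steering template lookup, and the listed workaround is to wrap `render` in a `respond_to` block so the format comes from an explicit allow-list. The following is an added, self-contained Ruby model of that pattern (not code from this PR, from Rails, or from the watt project); `ALLOWED_FORMATS`, `parse_accept`, `negotiate_format` and `safe_render` are assumed names, and the `.erb` path layout is illustrative only:

```ruby
# Added example: a standalone model of the `respond_to` workaround.
# The format used to build a template path is chosen from an allow-list,
# never copied verbatim from the client's Accept header.

ALLOWED_FORMATS = { "text/html" => :html, "application/json" => :json }.freeze

# Parse an Accept header into media types ordered by q-value (highest first,
# header order preserved for ties). Parameters other than q are ignored.
def parse_accept(header)
  entries = header.to_s.split(",").map do |part|
    type, *params = part.strip.split(";").map(&:strip)
    q = params.find { |p| p.start_with?("q=") }&.delete_prefix("q=")&.to_f || 1.0
    [type.to_s, q]
  end
  entries.reject { |type, _| type.empty? }
         .each_with_index
         .sort_by { |(_, q), i| [-q, i] }
         .map { |(type, _), _| type }
end

# Content negotiation against the allow-list: returns a format symbol, or nil
# when nothing acceptable is offered (a missing Accept header also yields nil
# in this model; a real app may pick a default format instead).
def negotiate_format(header, allowed = ALLOWED_FORMATS)
  parse_accept(header).each do |type|
    return allowed[type] if allowed.key?(type)
    return allowed.values.first if type == "*/*"
  end
  nil
end

# Equivalent of `render file:` inside `respond_to`: only a whitelisted format
# symbol ever reaches the filesystem path; unknown formats get 406 instead of
# a template lookup driven by attacker-controlled header text.
def safe_render(root, name, accept_header)
  format = negotiate_format(accept_header)
  return [406, "Not Acceptable"] if format.nil?
  [200, File.join(root, "#{name}.#{format}.erb")]
end
```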
dependabot-preview[bot] commented 4 years ago

Superseded by #310.