Bumps rails from 4.2.7 to 6.0.2. This update includes security fixes.
Vulnerabilities fixed
*Sourced from The GitHub Security Advisory Database.*
> **Critical severity vulnerability that affects actionview**
> # Denial of Service Vulnerability in Action View
>
> Impact
> ------
> Specially crafted accept headers can cause the Action View template location
> code to consume 100% CPU, leaving the server unable to process requests. This
> impacts all Rails applications that render views.
>
> All users running an affected release should either upgrade or use one of the
> workarounds immediately.
>
> Releases
> --------
> The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are
> available at the normal locations.
>
> Workarounds
> -----------
> This vulnerability can be mitigated by wrapping `render` calls with
> `respond_to` blocks. For example, the following example is vulnerable:
> ... (truncated)
>
> Affected versions: >= 4.0.0, <= 4.2.11
*Sourced from The GitHub Security Advisory Database.*
> **High severity vulnerability that affects actionview**
> # File Content Disclosure in Action View
>
> Impact
> ------
> There is a possible file content disclosure vulnerability in Action View.
> Specially crafted accept headers in combination with calls to `render file:`
> can cause arbitrary files on the target server to be rendered, disclosing the
> file contents.
>
> The impact is limited to calls to `render` which render file contents without
> a specified accept format. Impacted code in a controller looks something like
> this:
>
> ```ruby
> class UserController < ApplicationController
>   def index
>     render file: "#{Rails.root}/some/file"
>   end
> end
> ```
> ... (truncated)
>
> Affected versions: >= 4.0.0, <= 4.2.11
*Sourced from The Ruby Advisory Database.*
> **Broken Access Control vulnerability in Active Job**
> There is a vulnerability in Active Job. This vulnerability has been assigned the CVE identifier CVE-2018-16476.
>
> Impact
> ------
> Carefully crafted user input can cause Active Job to deserialize it using GlobalId and allow an attacker to have access to information that they should not have.
>
> Vulnerable code will look something like this:
>
> ```
> MyJob.perform_later(user_input)
> ```
>
> All users running an affected release should either upgrade or use one of the workarounds immediately.
>
> Patched versions: >= 4.2.11, < 5.0.0; >= 5.0.7.1, < 5.1.0; >= 5.1.6.1, < 5.2.0; >= 5.2.1.1
> Unaffected versions: < 4.2.0
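Both Action View advisories above share one root cause: the render format was derived from the client-controlled Accept header, and the advisory's workaround is to wrap `render` in a `respond_to` block so only formats the action explicitly declares are ever considered. The following is an added example, not code from the advisories or from Rails, that models that principle in plain Ruby without the framework: a bounded Accept-header parser, an explicit format allowlist standing in for the `respond_to` block, and a handler that answers 406 for anything outside the allowlist. The names (`SUPPORTED_FORMATS`, `negotiate_format`, `handle_index`), the limits, and the sample headers are all constructed for the illustration.

```ruby
# Added example: framework-free model of the "declare your formats explicitly"
# mitigation. In a real Rails app the same role is played by a respond_to block
# with explicit format.html / format.json branches around the render call.

MAX_ACCEPT_ENTRIES = 20     # constructed bound: parse at most this many entries
MAX_ACCEPT_LENGTH  = 1024   # constructed bound: refuse absurdly long headers
MEDIA_TYPE = %r{\A(\*|[\w.+-]+)/(\*|[\w.+-]+)\z}  # type/subtype or wildcards
QVALUE     = /\A(0(\.\d{0,3})?|1(\.0{0,3})?)\z/    # RFC 7231 style q parameter

# The allowlist an action declares: symbolic format name => MIME type.
# Nothing outside this table can ever be selected for rendering.
SUPPORTED_FORMATS = {
  "html" => "text/html",
  "json" => "application/json"
}.freeze

# Parse an Accept header into [media_type, q] pairs ordered by preference.
# Malformed entries are dropped, never searched for or guessed at; the work
# done per request is bounded by the entry count, not by header content.
def parse_accept(header)
  return [] if header.nil?
  header.split(",").first(MAX_ACCEPT_ENTRIES).map do |entry|
    type, *params = entry.strip.split(";").map(&:strip)
    next unless type && type.match?(MEDIA_TYPE)
    q = 1.0
    params.each do |param|
      key, value = param.split("=", 2)
      next unless key == "q" && value
      q = value.match?(QVALUE) ? value.to_f : 0.0   # unparsable q => not acceptable
    end
    [type.downcase, q]
  end.compact.sort_by { |_, q| -q }
end

# Choose the format to render the way an explicit respond_to block would:
# walk the client's preferences, but match them only against the allowlist.
# Returns the format name, or nil when nothing acceptable was declared.
def negotiate_format(accept_header, supported = SUPPORTED_FORMATS)
  return nil if accept_header && accept_header.length > MAX_ACCEPT_LENGTH
  accepted = parse_accept(accept_header)
  return supported.keys.first if accepted.empty?   # no preference: server default
  accepted.each do |media, q|
    next if q <= 0.0
    supported.each do |fmt, mime|
      major = mime.split("/").first
      return fmt if media == mime || media == "#{major}/*" || media == "*/*"
    end
  end
  nil
end

# A stand-in for a controller action: the only formats that can reach a render
# are the two declared above; everything else is refused with 406 rather than
# handed to a template lookup driven by the raw header.
def handle_index(accept_header)
  fmt = negotiate_format(accept_header)
  return [406, "text/plain", "Not Acceptable"] if fmt.nil?
  body = fmt == "json" ? '{"users":[]}' : "<ul></ul>"
  [200, SUPPORTED_FORMATS[fmt], body]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample headers, not captured traffic.
  ["text/html", "application/json, text/html;q=0.5", "*/*", "image/png", nil].each do |h|
    puts "#{h.inspect.ljust(40)} => #{handle_index(h).inspect}"
  end
end
```

The point a reviewer should take from this is that the allowlist, not the parser, is the control: the parser may be as lenient or strict as you like, but the only values that ever influence which template or file is rendered are the keys of `SUPPORTED_FORMATS`, which is exactly what the advisory's `respond_to` workaround achieves in Rails.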
Release notes
*Sourced from [rails's releases](https://github.com/rails/rails/releases).*
> ## 6.0.2
> ## Active Support
>
> * Eager load translations during initialization.
>
> *Diego Plentz*
>
> * Use per-thread CPU time clock on `ActiveSupport::Notifications`.
>
> *George Claghorn*
>
>
>
> ## Active Model
>
> * No changes.
>
>
>
> ## Active Record
>
> * Share the same connection pool for primary and replica databases in the
> transactional tests for the same database.
>
> *Edouard Chin*
>
> * Fix the preloader when one record is fetched using `after_initialize`
> but not the entire collection.
>
> *Bradley Price*
>
> * Fix collection callbacks not terminating when `:abort` is thrown.
>
> *Edouard Chin*, *Ryuta Kamizono*
>
> * Correctly deprecate `where.not` working as NOR for relations.
>
> 12a9664 deprecated where.not working as NOR, however
> doing a relation query like `where.not(relation: { ... })`
> wouldn't be properly deprecated and `where.not` would work as
> NAND instead.
>
> *Edouard Chin*
>
> * Fix `db:migrate` task with multiple databases to restore the connection
> to the previous database.
>
> The migrate task iterates over each db and establishes a connection,
> resulting in the last one being used by subsequent rake tasks.
> We should reestablish a connection to the connection that was
> ... (truncated)
Commits
- [`f675cb3`](https://github.com/rails/rails/commit/f675cb30ce813a99b52b139a93e048330922fd9a) Preparing for 6.0.2 release
- [`688e523`](https://github.com/rails/rails/commit/688e5230e6566a4aa2602204fc93014947fe2b3e) Fix release task again
- [`63107e9`](https://github.com/rails/rails/commit/63107e9914c893336f7612c2cd17a24474b6a6d6) Preparing for 6.0.2.rc2 release
- [`ec7721c`](https://github.com/rails/rails/commit/ec7721c0d95fc4da1bda9f50feb2efae4ab2a55a) Revert "Merge pull request [#37504](https://github-redirect.dependabot.com/rails/rails/issues/37504) from utilum/no_implicit_conversion_of_nil"
- [`296cb7f`](https://github.com/rails/rails/commit/296cb7f2f447f05c92a9f2abddd2b949cde88a9b) unlinks Ruby on Rails Tutorial [skip ci]
- [`6629ed7`](https://github.com/rails/rails/commit/6629ed7a5e2aaeb21a5a25ceeeb1e98aa77f1598) Controller can be symbols as well
- [`c3135a4`](https://github.com/rails/rails/commit/c3135a4d4050496355d489b0deb84db54b8f0553) Revert "Merge pull request [#37849](https://github-redirect.dependabot.com/rails/rails/issues/37849) from kamipo/fix_since_and_ago"
- [`fcfe693`](https://github.com/rails/rails/commit/fcfe6931d3f14dfd8a635cb1c5448ba1348853bb) Revert "Merge pull request [#37839](https://github-redirect.dependabot.com/rails/rails/issues/37839) from ttanimichi/modify-inspect-of-activesup...
- [`ef874b5`](https://github.com/rails/rails/commit/ef874b5a7b7b926fbb22ed55f17cf02807e9c79d) Merge pull request [#37863](https://github-redirect.dependabot.com/rails/rails/issues/37863) from abhaynikam/fix-active-record-changelog-typo
- [`bb0d9c0`](https://github.com/rails/rails/commit/bb0d9c0aeb18735d54632bfec1453158c89d12f5) Fix typo colection -> collection
- Additional commits viewable in [compare view](https://github.com/rails/rails/compare/v4.2.7...v6.0.2)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)