csvalpha / amber-api

https://csvalpha.nl
MIT License

🚨 [security] Update all of rails: 6.1.4.7 → 6.1.5.1 (patch) #294

Closed depfu[bot] closed 2 years ago

depfu[bot] commented 2 years ago

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (6.1.4.7 → 6.1.5.1) · Repo

Release Notes

6.1.5

Active Support

  • Fix ActiveSupport::Duration.build to support negative values.

    The algorithm to collect the parts of the ActiveSupport::Duration
    ignored the sign of the value and accumulated incorrect part values. This
    impacted ActiveSupport::Duration#sum (which is dependent on parts) but
    not ActiveSupport::Duration#eql? (which is dependent on value).

    Caleb Buxton, Braden Staudacher

  • Time#change and methods that call it (e.g. Time#advance) will now
    return a Time with the timezone argument provided, if the caller was
    initialized with a timezone argument.

    Fixes #42467.

    Alex Ghiculescu

  • Clone to keep extended Logger methods for tagged logger.

    Orhan Toy

  • assert_changes works on including ActiveSupport::Assertions module.

    Pedro Medeiros

Active Model

  • Clear secure password cache if password is set to nil

    Before:

    user.password = 'something'
    user.password = nil

    user.password # => 'something'

    Now:

    user.password = 'something'
    user.password = nil

    user.password # => nil

    Markus Doits

  • Fix delegation in ActiveModel::Type::Registry#lookup and ActiveModel::Type.lookup

    Passing a last positional argument {} would be incorrectly considered as keyword argument.

    Benoit Daloze

  • Fix to_json after changes_applied for ActiveModel::Dirty object.

    Ryuta Kamizono

Active Record

  • Fix ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate for Ruby 2.6.

    Ruby 2.6 and 2.7 have slightly different implementations of the String#@- method.
    In Ruby 2.6, the receiver of the String#@- method is modified under certain circumstances.
    This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only
    fixed in Ruby 2.7.

    Before the changes in this commit, the
    ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate method, which internally
    calls the String#@- method, could also modify an input string argument in Ruby 2.6 --
    changing a tainted, unfrozen string into a tainted, frozen string.

    Fixes #43056

    Eric O'Hanlon

  • Fix migration compatibility to create SQLite references/belongs_to column as integer when
    migration version is 6.0.

    reference/belongs_to in migrations with version 6.0 were creating columns as
    bigint instead of integer for the SQLite Adapter.

    Marcelo Lauxen

  • Fix dbconsole for 3-tier config.

    Eileen M. Uchitelle

  • Better handle SQL queries with invalid encoding.

    Post.create(name: "broken \xC8 UTF-8")

    Would cause all adapters to fail in a non-controlled way in the code
    responsible for detecting write queries.

    The query is now properly passed to the database connection, which might or might
    not be able to handle it, but will either succeed or fail in a more correct way.

    Jean Boussier

  • Ignore persisted in-memory records when merging target lists.

    Kevin Sjöberg

  • Fix regression bug that caused ignoring additional conditions for preloading
    has_many through relations.

    Fixes #43132

    Alexander Pauly

  • Fix ActiveRecord::InternalMetadata to not be broken by
    config.active_record.record_timestamps = false

    Since the model always creates the timestamp columns, it has to set them, otherwise it breaks
    various DB management tasks.

    Fixes #42983

    Jean Boussier

  • Fix duplicate active record objects on inverse_of.

    Justin Carvalho

  • Fix duplicate objects stored in has many association after save.

    Fixes #42549.

    Alex Ghiculescu

  • Fix performance regression in CollectionAssocation#build.

    Alex Ghiculescu

  • Fix retrieving default value for text column for MariaDB.

    fatkodima

Action View

  • preload_link_tag properly inserts as attributes for files with image MIME
    types, such as JPG or SVG.

    Nate Berkopec

  • Add autocomplete="off" to all generated hidden fields.

    Fixes #42610.

    Ryan Baumann

  • Fix current_page? when URL has trailing slash.

    This fixes the current_page? helper when the given URL has a trailing slash,
    and is an absolute URL or also has query params.

    Fixes #33956.

    Jonathan Hefner

Action Pack

  • Fix content_security_policy returning invalid directives.

    Directives such as self, unsafe-eval and few others were not
    single quoted when the directive was the result of calling a lambda
    returning an array.

    content_security_policy do |policy|
      policy.frame_ancestors lambda { [:self, "https://example.com"] }
    end

    With this fix the policy generated from above will now be valid.

    Edouard Chin

  • Update HostAuthorization middleware to render debug info only
    when config.consider_all_requests_local is set to true.

    Also, blocked host info is always logged with level error.

    Fixes #42813.

    Nikita Vyrko

  • Dup arrays that get "converted".

    Fixes #43681.

    Aaron Patterson

  • Don't show deprecation warning for equal paths.

    Anton Rieder

  • Fix crash in ActionController::Instrumentation with invalid HTTP formats.

    Fixes #43094.

    Alex Ghiculescu

  • Add fallback host for SystemTestCase driven by RackTest.

    Fixes #42780.

    Petrik de Heus

  • Add more detail about what hosts are allowed.

    Alex Ghiculescu

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • The Action Cable client now ensures successful channel subscriptions:

    • The client maintains a set of pending subscriptions until either
      the server confirms the subscription or the channel is torn down.
    • Rectifies the race condition where an unsubscribe is rapidly followed
      by a subscribe (on the same channel identifier) and the requests are
      handled out of order by the ActionCable server, thereby ignoring the
      subscribe command.

    Daniel Spinosa

  • Truncate broadcast logging messages.

    J Smith

Active Storage

  • Attachments can be deleted after their association is no longer defined.

    Fixes #42514

    Don Sisco

Action Mailbox

  • Add attachments to the list of permitted parameters for inbound emails conductor.

    When using the conductor to test inbound emails with attachments, this prevents an
    unpermitted parameter warning in default configurations, and prevents errors for
    applications that set:

    config.action_controller.action_on_unpermitted_parameters = :raise

    David Jones, Dana Henke

Action Text

  • Fix Action Text extra trix content wrapper.

    Alexandre Ruban

Railties

  • In zeitwerk mode, set up the once autoloader first, and the main autoloader after it.
    This order plays better with shared namespaces.

    Xavier Noria

  • Handle paths with spaces when editing credentials.

    Alex Ghiculescu

  • Support Psych 4 when loading secrets.

    Nat Morcos

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actioncable (indirect, 6.1.4.7 → 6.1.5.1) · Repo · Changelog

↗️ actionmailbox (indirect, 6.1.4.7 → 6.1.5.1) · Repo · Changelog

↗️ actionmailer (indirect, 6.1.4.7 → 6.1.5.1) · Repo · Changelog

↗️ actionpack (indirect, 6.1.4.7 → 6.1.5.1) · Repo · Changelog

Security Advisories 🚨

🚨 Possible XSS Vulnerability in Action Pack

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been
assigned the CVE identifier CVE-2022-22577.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

CSP headers were only sent along with responses that Rails considered as
"HTML" responses. This left API requests without CSP headers, which could
possibly expose users to XSS attacks.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Set a CSP for your API responses manually.

↗️ actiontext (indirect, 6.1.4.7 → 6.1.5.1) · Repo · Changelog

↗️ actionview (indirect, 6.1.4.7 → 6.1.5.1) · Repo · Changelog

Security Advisories 🚨

🚨 Possible XSS Vulnerability in Action View tag helpers

There is a possible XSS vulnerability in Action View tag helpers. Passing
untrusted input as hash keys can lead to a possible XSS vulnerability. This
vulnerability has been assigned the CVE identifier CVE-2022-27777.

Versions Affected: ALL
Not affected: NONE
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

If untrusted data is passed as the hash key for tag attributes, there is a
possibility that the untrusted data may not be properly escaped which can
lead to an XSS vulnerability.

Impacted code will look something like this:

check_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })

Where the "malicious_input" variable contains untrusted data.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Escape the untrusted data before using it as a key for tag helper methods.

↗️ activejob (indirect, 6.1.4.7 → 6.1.5.1) · Repo · Changelog

↗️ activemodel (indirect, 6.1.4.7 → 6.1.5.1) · Repo · Changelog

↗️ activerecord (indirect, 6.1.4.7 → 6.1.5.1) · Repo · Changelog

↗️ activestorage (indirect, 6.1.4.7 → 6.1.5.1) · Repo · Changelog

↗️ activesupport (indirect, 6.1.4.7 → 6.1.5.1) · Repo · Changelog

↗️ concurrent-ruby (indirect, 1.1.9 → 1.1.10) · Repo · Changelog

Release Notes

1.1.10

concurrent-ruby:

  • (#951) Set the Ruby compatibility version at 2.2
  • (#939, #933) The caller_runs fallback policy no longer blocks reads from the job queue by worker threads
  • (#938, #761, #652) You can now explicitly prune_pool a thread pool (Sylvain Joyeux)
  • (#937, #757, #670) We switched the Yahoo stock API for demos to Alpha Vantage (Gustavo Caso)
  • (#932, #931) We changed how SafeTaskExecutor handles local jump errors (Aaron Jensen)
  • (#927) You can use keyword arguments in your initialize when using Async (Matt Larraz)
  • (#926, #639) We removed timeout from TimerTask because it wasn't sound, and now it's a no-op with a warning (Jacob Atzen)
  • (#919) If you double-lock a re-entrant read-write lock, we promote to locked for writing (zp yuan)
  • (#915) monotonic_time now accepts an optional unit parameter, as Ruby's clock_gettime (Jean Boussier)

↗️ loofah (indirect, 2.14.0 → 2.16.0) · Repo · Changelog

Release Notes

2.16.0

2.16.0 / 2022-04-01

Features

  • Allow MathML elements menclose and ms, and MathML attributes dir, href, lquote, mathsize, notation, and rquote. [#231] (Thanks, @nick-desteffen!)

2.15.0

2.15.0 / 2022-03-14

Features

  • Expand set of allowed protocols to include sms:. [#228] (Thanks, @brendon!)

↗️ nokogiri (indirect, 1.13.3 → 1.13.4) · Repo · Changelog

Security Advisories 🚨

🚨 Inefficient Regular Expression Complexity in Nokogiri

Summary

Nokogiri < v1.13.4 contains an inefficient regular expression that is
susceptible to excessive backtracking when attempting to detect encoding
in HTML documents.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

🚨 Denial of Service (DoS) in Nokogiri on JRuby

Summary

Nokogiri v1.13.4 updates the vendored org.cyberneko.html library to
1.9.22.noko2 which addresses CVE-2022-24839.
That CVE is rated 7.5 (High Severity).

See GHSA-9849-p7jc-9rmv
for more information.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Impact

CVE-2022-24839 in nekohtml

  • Severity: High 7.5
  • Type: CWE-400 Uncontrolled Resource Consumption
  • Description: The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a
    java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.
  • See also: GHSA-9849-p7jc-9rmv

🚨 Out-of-bounds Write in zlib affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored zlib from 1.2.11
to 1.2.12, which addresses CVE-2018-25032.
That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.

Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.4, and only if the packaged version of zlib is being used.
Please see this document
for a complete description of which platform gems vendor zlib. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's zlib
release announcements.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2018-25032 in zlib

  • Severity: High
  • Type: CWE-787 Out of bounds write
  • Description: zlib before 1.2.12 allows memory corruption when
    deflating (i.e., when compressing) if the input has many distant matches.

🚨 XML Injection in Xerces Java affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to
2.12.2, which addresses CVE-2022-23437.
That CVE is scored as CVSS 6.5 "Medium" on the NVD record.

Please note that this advisory only applies to the JRuby implementation
of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2022-23437 in xerces-J

  • Severity: Medium
  • Type: CWE-91 XML Injection (aka Blind XPath Injection)
  • Description: There's a vulnerability within the Apache Xerces Java
    (XercesJ) XML parser when handling specially crafted XML document payloads.
    This causes the XercesJ XML parser to wait in an infinite loop, which may
    sometimes consume system resources for a prolonged duration. This vulnerability
    is present within XercesJ version 2.12.1 and the previous versions.
  • See also: GHSA-h65f-jvqw-m9fj

Release Notes

1.13.4

1.13.4 / 2022-04-11

Security

Dependencies

  • [CRuby] Vendored zlib is updated from 1.2.11 to 1.2.12. (See LICENSE-DEPENDENCIES.md for details on which packages redistribute this library.)
  • [JRuby] Vendored Xerces-J (xerces:xercesImpl) is updated from 2.12.0 to 2.12.2.
  • [JRuby] Vendored nekohtml (org.cyberneko.html) is updated from a fork of 1.9.21 to 1.9.22.noko2. This fork is now publicly developed at https://github.com/sparklemotion/nekohtml

sha256sum:

↗️ railties (indirect, 6.1.4.7 → 6.1.5.1) · Repo · Changelog


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)