csvalpha / sofia

S.O.F.I.A. - Streepsysteem der C.S.V. Alpha
https://streep.csvalpha.nl
MIT License

chore(deps): update dependency rails to v7.0.8.1 [security] - autoclosed #915

Closed renovate[bot] closed 8 months ago

renovate[bot] commented 9 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| rails (source, changelog) | 7.0.4.3 -> 7.0.8.1 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-26144

Possible Sensitive Session Information Leak in Active Storage

There is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak.

This vulnerability has been assigned the CVE identifier CVE-2024-26144.

Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, > 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7

Impact

A proxy which chooses to cache this request can cause users to share sessions. This may include a user receiving an attacker's session or vice versa.

This was patched in 7.1.0 but not previously identified as a security vulnerability.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

Upgrade to Rails 7.1.X, or configure caching proxies not to cache the Set-Cookie headers.

Credits

Thanks to tyage for reporting this!

CVE-2024-26143

Possible XSS Vulnerability in Action Controller

There is a possible XSS vulnerability when using the translation helpers (translate, t, etc) in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2024-26143.

Versions Affected: >= 7.0.0. Not affected: < 7.0.0 Fixed Versions: 7.1.3.1, 7.0.8.1

Impact

Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability.

For example, impacted code will look something like this:

```ruby
class ArticlesController < ApplicationController
  def show
    @message = t("message_html", default: untrusted_input)
    # The `show` template displays the contents of `@message`
  end
end
```

To reiterate the pre-conditions, applications must:

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

Credits

Thanks to ooooooo_q for the patch and fix!


Release Notes

rails/rails (rails)

### [`v7.0.8.1`](https://togithub.com/rails/rails/releases/tag/v7.0.8.1): 7.0.8.1

[Compare Source](https://togithub.com/rails/rails/compare/v7.0.8...v7.0.8.1)

#### Active Support

- No changes.

#### Active Model

- No changes.

#### Active Record

- No changes.

#### Action View

- No changes.

#### Action Pack

- Fix possible XSS vulnerability with the `translate` method in controllers CVE-2024-26143

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- Disables the session in `ActiveStorage::Blobs::ProxyController` and `ActiveStorage::Representations::ProxyController` in order to allow caching by default in some CDNs as CloudFlare. Fixes [#44136](https://togithub.com/rails/rails/issues/44136). *Bruno Prieto*

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- No changes.

### [`v7.0.8`](https://togithub.com/rails/rails/releases/tag/v7.0.8): 7.0.8

[Compare Source](https://togithub.com/rails/rails/compare/v7.0.7.2...v7.0.8)

#### Active Support

- Fix `TimeWithZone` still using deprecated `#to_s` when `ENV` or `config` to disable it are set. *Hartley McGuire*
- Fix CacheStore#write_multi when using a distributed Redis cache with a connection pool. Fixes [#48938](https://togithub.com/rails/rails/issues/48938). *Jonathan del Strother*

#### Active Model

- No changes.

#### Active Record

- Fix `change_column` not setting `precision: 6` on `datetime` columns when using 7.0+ Migrations and SQLite. *Hartley McGuire*
- Fix unscope is not working in specific case

  Before:

  ```ruby
  Post.where(id: 1...3).unscope(where: :id).to_sql
  # "SELECT `posts`.* FROM `posts` WHERE `posts`.`id` >= 1 AND `posts`.`id` < 3"
  ```

  After:

  ```ruby
  Post.where(id: 1...3).unscope(where: :id).to_sql
  # "SELECT `posts`.* FROM `posts`"
  ```

  Fixes [#48094](https://togithub.com/rails/rails/issues/48094). *Kazuya Hatanaka*

- Fix associations to a STI model including a `class_name` parameter

  ```ruby
  class Product < ApplicationRecord
    has_many :requests, as: :requestable, class_name: "ProductRequest", dependent: :destroy
  end

  # STI tables
  class Request < ApplicationRecord
    belongs_to :requestable, polymorphic: true

    validate :request_type, presence: true
  end

  class ProductRequest < Request
    belongs_to :user
  end
  ```

  Accessing such association would lead to:

  ```
  table_metadata.rb:22:in `has_column?': undefined method `key?' for nil:NilClass (NoMethodError)
  ```

  *Romain Filinto*

- Fix `change_table` setting datetime precision for 6.1 Migrations *Hartley McGuire*
- Fix change_column setting datetime precision for 6.1 Migrations *Hartley McGuire*

#### Action View

- Fix `form_for` missing the hidden `_method` input for models with a namespaced route. *Hartley McGuire*
- Fix `render collection: @records, cache: true` inside `jbuilder` templates. The previous fix that shipped in `7.0.7` assumed template fragments are always strings, this isn't true with `jbuilder`. *Jean Boussier*

#### Action Pack

- Fix `HostAuthorization` potentially displaying the value of the X_FORWARDED_HOST header when the HTTP_HOST header is being blocked. *Hartley McGuire*, *Daniel Schlosser*

#### Active Job

- Fix Active Job log message to correctly report a job failed to enqueue when the adapter raises an `ActiveJob::EnqueueError`. *Ben Sheldon*

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- No changes.

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- Omit `webdrivers` gem dependency from `Gemfile` template *Sean Doyle*

### [`v7.0.7.2`](https://togithub.com/rails/rails/releases/tag/v7.0.7.2): 7.0.7.2

[Compare Source](https://togithub.com/rails/rails/compare/v7.0.7.1...v7.0.7.2)

No changes between this and 7.0.7.2. This release was just to fix file permissions in the previous release.

### [`v7.0.7.1`](https://togithub.com/rails/rails/releases/tag/v7.0.7.1): 7.0.7.1

[Compare Source](https://togithub.com/rails/rails/compare/v7.0.7...v7.0.7.1)

#### Active Support

- Use a temporary file for storing unencrypted files while editing [CVE-2023-38037]

#### Active Model

- No changes.

#### Active Record

- No changes.

#### Action View

- No changes.

#### Action Pack

- No changes.

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- No changes.

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- No changes.

### [`v7.0.7`](https://togithub.com/rails/rails/releases/tag/v7.0.7): 7.0.7

[Compare Source](https://togithub.com/rails/rails/compare/v7.0.6...v7.0.7)

#### Active Support

- Fix `Cache::NullStore` with local caching for repeated reads. *fatkodima*
- Fix `to_s` with no arguments not respecting custom `:default` formats *Hartley McGuire*
- Fix `ActiveSupport::Inflector.humanize(nil)` raising ``NoMethodError: undefined method `end_with?' for nil:NilClass``. *James Robinson*
- Fix `Enumerable#sum` for `Enumerator#lazy`. *fatkodima*, *Matthew Draper*, *Jonathan Hefner*
- Improve error message when EventedFileUpdateChecker is used without a compatible version of the Listen gem *Hartley McGuire*

#### Active Model

- Error.full_message now strips ":base" from the message. *zzak*
- Add a load hook for `ActiveModel::Model` (named `active_model`) to match the load hook for `ActiveRecord::Base` and allow for overriding aspects of the `ActiveModel::Model` class.

#### Active Record

- Restores functionality to the missing method when using enums and fixes. *paulreece*
- Fix `StatementCache::Substitute` with serialized type. *ywenc*
- Fix `:db_runtime` on notification payload when application have multiple databases. *Eileen M. Uchitelle*
- Correctly dump check constraints for MySQL 8.0.16+. *Steve Hill*
- Fix `ActiveRecord::QueryMethods#in_order_of` to include `nil`s, to match the behavior of `Enumerable#in_order_of`. For example, `Post.in_order_of(:title, [nil, "foo"])` will now include posts with `nil` titles, the same as `Post.all.to_a.in_order_of(:title, [nil, "foo"])`. *fatkodima*
- Revert "Fix autosave associations with validations added on `:base` of the associated objects." This change intended to remove the :base attribute from the message, but broke many assumptions which key these errors were stored. *zzak*
- Fix `#previously_new_record?` to return true for destroyed records. Before, if a record was created and then destroyed, `#previously_new_record?` would return true. Now, any UPDATE or DELETE to a record is considered a change, and will result in `#previously_new_record?` returning false. *Adrianna Chang*
- Revert breaking changes to `has_one` relationship deleting the old record before the new one is validated. *zzak*
- Fix support for Active Record instances being uses in queries. As of `7.0.5`, query arguments were deep duped to avoid mutations impacting the query cache, but this had the adverse effect to clearing the primary key when the query argument contained an `ActiveRecord::Base` instance. This broke the `noticed` gem. *Jean Boussier*

#### Action View

- Fix `render collection: @records, cache: true` to cache fragments as bare strings. Previously it would incorrectly cache them as Action View buffers. *Jean Boussier*
- Don't double-encode nested `field_id` and `field_name` index values. Pass `index: @options` as a default keyword argument to `field_id` and `field_name` view helper methods. *Sean Doyle*

#### Action Pack

- No changes.

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- No changes.

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- Update default scaffold templates to set 303 (See Other) as status code on redirect for the update action for XHR requests other than GET or POST to avoid issues (e.g browsers trying to follow the redirect using the original request method resulting in double PATCH/PUT) *Guillermo Iguaran*

### [`v7.0.6`](https://togithub.com/rails/rails/releases/tag/v7.0.6): 7.0.6

[Compare Source](https://togithub.com/rails/rails/compare/v7.0.5.1...v7.0.6)

#### Active Support

- Fix `EncryptedConfiguration` returning incorrect values for some `Hash` methods *Hartley McGuire*
- Fix arguments being destructed `Enumerable#many?` with block. *Andrew Novoselac*
- Fix humanize for strings ending with id. *fatkodima*

#### Active Model

- No changes.

#### Active Record

- Fix autosave associations with validations added on `:base` of the associated objects. *fatkodima*
- Fix result with anonymous PostgreSQL columns of different type from json. *Oleksandr Avoiants*
- Preserve timestamp when setting an `ActiveSupport::TimeWithZone` value to `timestamptz` attribute. *fatkodima*
- Fix where on association with has_one/has_many polymorphic relations.

  Before:

  ```ruby
  Treasure.where(price_estimates: PriceEstimate.all)
  #=> SELECT (...) WHERE "treasures"."id" IN (SELECT "price_estimates"."estimate_of_id" FROM "price_estimates")
  ```

  Later:

  ```ruby
  Treasure.where(price_estimates: PriceEstimate.all)
  #=> SELECT (...) WHERE "treasures"."id" IN (SELECT "price_estimates"."estimate_of_id" FROM "price_estimates" WHERE "price_estimates"."estimate_of_type" = 'Treasure')
  ```

  *Lázaro Nixon*

- Fix decrementing counter caches on optimistically locked record deletion *fatkodima*
- Ensure binary-destined values have binary encoding during type cast. *Matthew Draper*
- Preserve existing column default functions when altering table in SQLite. *fatkodima*
- Remove table alias added when using `where.missing` or `where.associated`. *fatkodima*
- Fix `Enumerable#in_order_of` to only flatten first level to preserve nesting. *Miha Rekar*

#### Action View

- No changes.

#### Action Pack

- No changes.

#### Active Job

- Fix error Active Job passed class with `permitted?`. *Alex Baldwin*

#### Action Mailer

- No changes.

#### Action Cable

- Fix Action Cable Redis configuration with sentinels. *Dmitriy Ivliev*

#### Active Storage

- Fix retrieving rotation value from FFmpeg on version 5.0+. In FFmpeg version 5.0+ the rotation value has been removed from tags. Instead the value can be found in side_data_list. Along with this update it's possible to have values of -90, -270 to denote the video has been rotated. *Haroon Ahmed*

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- Avoid escaping paths when editing credentials. *Jonathan Hefner*

### [`v7.0.5.1`](https://togithub.com/rails/rails/releases/tag/v7.0.5.1)

[Compare Source](https://togithub.com/rails/rails/compare/v7.0.5...v7.0.5.1)

#### Active Support

- No changes.

#### Active Model

- No changes.

#### Active Record

- No changes.

#### Action View

- No changes.

#### Action Pack

- Raise an exception if illegal characters are provide to redirect_to [CVE-2023-28362] *Zack Deveau*

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- No changes.

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- No changes.

### [`v7.0.5`](https://togithub.com/rails/rails/releases/tag/v7.0.5)

[Compare Source](https://togithub.com/rails/rails/compare/v7.0.4.3...v7.0.5)

#### Active Support

- Fixes TimeWithZone ArgumentError. *Niklas Häusele*

#### Active Model

- No changes.

#### Active Record

- Type cast `#attribute_changed?` `:from` and `:to` options. *Andrew Novoselac*
- Fix `index_exists?` when column is an array. *Eileen M. Uchitelle*
- Handle `Date` objects for PostgreSQL `timestamptz` columns. *Alex Ghiculescu*
- Fix collation for changing column to non-string. *Hartley McGuire*
- Map through subtype in `PostgreSQL::OID::Array`. *Jonathan Hefner*
- Store correct environment in `internal_metadata` when run rails `db:prepare`. *fatkodima*
- Make sure `ActiveRecord::Relation#sum` works with objects that implement `#coerce` without deprecation. *Alex Ghiculescu*
- Fix retrieving foreign keys referencing tables named like keywords in PostgreSQL and MySQL. *fatkodima*
- Support UUIDs in Disable Joins. *Samuel Cochran*
- Fix Active Record's explain for queries starting with comments. *fatkodima*
- Fix incorrectly preloading through association records when middle association has been loaded. *Joshua Young*
- Fix where.missing and where.associated for parent/child associations. *fatkodima*
- Fix Enumerable#in_order_of to preserve duplicates. *fatkodima*
- Fix autoincrement on primary key for mysql. *Eileen M. Uchitelle*
- Restore ability to redefine column in `create_table` for Rails 5.2 migrations. *fatkodima*
- Fix schema cache dumping of virtual columns. *fatkodima*
- Fix Active Record grouped calculations on joined tables on column present in both tables. *fatkodima*
- Fix mutation detection for serialized attributes backed by binary columns. *Jean Boussier*
- Fix a bug where using groups and counts with long table names would return incorrect results. *Shota Toguchi*, *Yusaku Ono*
- Fix erroneous nil default precision on virtual datetime columns. Prior to this change, virtual datetime columns did not have the same default precision as regular datetime columns, resulting in the following being erroneously equivalent:

  ```ruby
  t.virtual :name, type: datetime, as: "expression"
  t.virtual :name, type: datetime, precision: nil, as: "expression"
  ```

  This change fixes the default precision lookup, so virtual and regular datetime column default precisions match. *Sam Bostock*

- Fix a case where the query cache can return wrong values. See [#46044](https://togithub.com/rails/rails/issues/46044) *Aaron Patterson*

#### Action View

- `FormBuilder#id` finds id set by `form_for` and `form_with`. *Matt Polito*
- Allow all available locales for template lookups. *Ben Dilley*
- Choices of `select` can optionally contain html attributes as the last element of the child arrays when using grouped/nested collections

  ```erb
  <%= form.select :foo, [["North America", [["United States","US"],["Canada","CA"]], { disabled: "disabled" }]] %>
  ```

  =>

  *Chris Gunther*

#### Action Pack

- Do not return CSP headers for 304 Not Modified responses. *Tobias Kraze*
- Fix `EtagWithFlash` when there is no `Flash` middleware available. *fatkodima*
- Fix content-type header with `send_stream`. *Elliot Crosby-McCullough*
- Address Selenium `:capabilities` deprecation warning. *Ron Shinall*
- Fix cookie domain for domain: all on two letter single level TLD. *John Hawthorn*
- Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`. Previously if you set `config.active_record.query_log_tags` to an array that included `:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice. This bug has been fixed. *Alex Ghiculescu*
- Rescue `EOFError` exception from `rack` on a multipart request. *Nikita Vasilevsky*
- Rescue `JSON::ParserError` in Cookies json deserializer to discards marshal dumps: Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't clear the cookie and force app users to manually clear it in their browser. (See [#45127](https://togithub.com/rails/rails/issues/45127) for original bug discussion) *Nathan Bardoux*

#### Active Job

- Make delayed job `display_name` failsafe. *codez*
- Don't double log the `job` when using `ActiveRecord::QueryLog`. Previously if you set `config.active_record.query_log_tags` to an array that included `:job`, the job name would get logged twice. This bug has been fixed. *Alex Ghiculescu*

#### Action Mailer

- No changes.

#### Action Cable

- Restore Action Cable Redis pub/sub listener on connection failure. *Vladimir Dementyev*

#### Active Storage

- No changes.

#### Action Mailbox

- No changes.

#### Action Text

- Fix `ActionText::Attachable#as_json`. *Alexandre Ruban*

#### Railties

- Add puma app server to Gemfile in order to start test/dummy. *Donapieppo*
- Rails console now disables `IRB`'s autocompletion feature in production by default. Setting `IRB_USE_AUTOCOMPLETE=true` can override this default. *Stan Lo*
- Send 303 See Other status code back for the destroy action on newly generated scaffold controllers. *Tony Drake*

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
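The CVE-2024-26144 advisory above describes a header interaction rather than a code bug: a blob response that carries both `Set-Cookie` (the session) and `Cache-Control: public` can be stored by a shared cache and replayed, cookie included, to the next requester. The following pure-Ruby model is an added example, not Active Storage or Rails code and not part of the Renovate comment. It models the affected controller as a function that emits a session cookie, models the 7.0.8.1 fix as that function with the session disabled, and models the advisory's workaround as a cache policy that refuses to store responses carrying `Set-Cookie`. The cookie name `_app_session`, the blob path, and the `SharedCache` class are illustrative assumptions.

```ruby
# Constructed model of the interaction behind CVE-2024-26144: a blob endpoint
# that emits a session cookie next to Cache-Control: public, sitting behind a
# shared cache. Not Active Storage or Rails code; it reproduces only the
# header behaviour the advisory describes so both mitigations can be checked.

Response = Struct.new(:status, :headers, :body)

# Stands in for ActiveStorage::Blobs::ProxyController serving one blob.
# session_enabled: true  -> affected releases (session cookie is set)
# session_enabled: false -> 7.0.8.1 / 7.1, where the session is disabled for
#                           the proxy controllers and no cookie is sent
def serve_blob(path, session_id, session_enabled:)
  headers = {
    "Content-Type"  => "image/png",
    "Cache-Control" => "public, max-age=3600", # as the advisory notes
  }
  # Illustrative cookie name; any session cookie behaves the same way.
  headers["Set-Cookie"] = "_app_session=#{session_id}; path=/; HttpOnly" if session_enabled
  Response.new(200, headers, "bytes-of-#{path}")
end

# Minimal shared cache (proxy/CDN) keyed by path.
# store_set_cookie: true  -> stores any public response, Set-Cookie included
# store_set_cookie: false -> the workaround: never store a response carrying Set-Cookie
class SharedCache
  def initialize(store_set_cookie:)
    @store_set_cookie = store_set_cookie
    @entries = {}
  end

  def cacheable?(resp)
    return false unless resp.headers["Cache-Control"].to_s.include?("public")
    @store_set_cookie || !resp.headers.key?("Set-Cookie")
  end

  # Serve from cache on a hit; otherwise call the origin and store if allowed.
  def fetch(path)
    return @entries[path] if @entries.key?(path)
    resp = yield
    @entries[path] = resp if cacheable?(resp)
    resp
  end
end

# Two users request the same blob through one cache. Returns the Set-Cookie
# value the second user receives (nil when none); a leak shows up here.
def cookie_seen_by_second_user(session_enabled:, store_set_cookie:)
  cache = SharedCache.new(store_set_cookie: store_set_cookie)
  path  = "/rails/active_storage/blobs/proxy/signed-id/avatar.png" # illustrative
  cache.fetch(path) { serve_blob(path, "alice-session", session_enabled: session_enabled) }
  bob = cache.fetch(path) { serve_blob(path, "bob-session", session_enabled: session_enabled) }
  bob.headers["Set-Cookie"]
end

# True when the cookie handed to the second user belongs to someone else.
def session_leaked?(cookie)
  !cookie.nil? && cookie.include?("alice-session")
end

if __FILE__ == $PROGRAM_NAME
  {
    "affected app, naive cache"           => [true,  true],
    "affected app, proxy workaround"      => [true,  false],
    "fixed app (no session), naive cache" => [false, true],
  }.each do |label, (app, cache)|
    cookie = cookie_seen_by_second_user(session_enabled: app, store_set_cookie: cache)
    puts "#{label}: second user got #{cookie.inspect}, leaked=#{session_leaked?(cookie)}"
  end
end
```

Only the first configuration leaks: the naive cache stores Alice's response and hands her session cookie to Bob. Either mitigation alone closes it, which is why the advisory offers the proxy configuration as a stopgap for anyone who cannot upgrade. On a running application the same condition can be checked by requesting a proxied blob URL with `curl -sI` and looking for a `Set-Cookie` header next to `Cache-Control: public`.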
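The CVE-2024-26143 advisory above gives the vulnerable controller but not the mechanism. The following pure-Ruby model is an added example, not code from the advisory, from Rails, or from this repository. It reproduces the relevant behaviour of the controller `translate` helper without a Rails dependency: keys ending in `_html` are marked HTML-safe and their interpolation values escaped, but in the affected releases a `String` passed as `:default` was used verbatim. The `TRANSLATIONS` table, the `SafeString` stand-in for an html_safe buffer, and the `render` function standing in for the view are assumptions made for the example.

```ruby
require "erb"

# Constructed stand-in for the I18n backend: one html-suffixed key whose
# interpolation argument is escaped, as Rails already did before the fix.
TRANSLATIONS = {
  "greeting_html" => "Welcome, <b>%{name}</b>!",
}.freeze

# Stand-in for an html_safe buffer: a string the view will NOT escape again.
SafeString = Struct.new(:str)

# Rails treats keys ending in "_html" or ".html" (or the bare key "html") as
# HTML-safe and marks the translation result html_safe.
def html_safe_key?(key)
  key == "html" || key.end_with?("_html", ".html")
end

# Interpolates %{name} placeholders from the table; nil when the key is missing.
def lookup(key, interpolations)
  template = TRANSLATIONS[key]
  return nil unless template
  template.gsub(/%\{(\w+)\}/) { interpolations.fetch(Regexp.last_match(1).to_sym).to_s }
end

# Affected behaviour (>= 7.0.0, < 7.0.8.1): interpolation values are escaped,
# but a String :default is used verbatim and the result is still marked safe.
def vulnerable_translate(key, default: nil, **interpolations)
  return lookup(key, interpolations) || default unless html_safe_key?(key)

  escaped = interpolations.transform_values { |v| ERB::Util.html_escape(v.to_s) }
  SafeString.new(lookup(key, escaped) || default)
end

# Fixed behaviour (7.0.8.1 / 7.1.3.1): a String :default is escaped before the
# result is marked safe, so an untrusted default can no longer carry markup.
def fixed_translate(key, default: nil, **interpolations)
  return lookup(key, interpolations) || default unless html_safe_key?(key)

  escaped = interpolations.transform_values { |v| ERB::Util.html_escape(v.to_s) }
  default = ERB::Util.html_escape(default) if default.is_a?(String)
  SafeString.new(lookup(key, escaped) || default)
end

# What `<%= @message %>` does in the view: escape unless already marked safe.
def render(value)
  value.is_a?(SafeString) ? value.str.to_s : ERB::Util.html_escape(value.to_s)
end

if __FILE__ == $PROGRAM_NAME
  untrusted = "<script>alert(1)</script>" # constructed attacker-controlled input
  puts render(vulnerable_translate("message_html", default: untrusted)) # script survives
  puts render(fixed_translate("message_html", default: untrusted))      # escaped
  puts render(vulnerable_translate("message", default: untrusted))      # view escapes
end
```

Note the three pre-conditions in the advisory map onto three branches here: a non-`_html` key is escaped by the view, an `_html` key with only interpolation arguments was already escaped, and only the combination of an `_html` key with a string `:default` reaches the browser unescaped. That is also why the advisory lists no workaround short of patching: the escaping has to happen inside the helper, before the result is marked safe.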