depfu / example-ruby

✨ See our pull requests in action

🚨 [security] Upgrade all of rails: 5.1.6.1 → 5.2.2.1 (minor) #117

Closed depfu[bot] closed 5 years ago

depfu[bot] commented 5 years ago

🚨 Your version of railties has known security vulnerabilities 🚨

Advisory: CVE-2019-5420
Disclosed: March 13, 2019
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw

Possible Remote Code Execution Exploit in Rails Development Mode

There is a possible remote code execution exploit in Rails when in
development mode. This vulnerability has been assigned the CVE identifier
CVE-2019-5420.

Versions Affected: 6.0.0.X, 5.2.X.
Not affected: None.
Fixed Versions: 6.0.0.beta3, 5.2.2.1

Impact

With some knowledge of a target application it is possible for an attacker to
guess the automatically generated development mode secret token. This secret
token can be used in combination with other Rails internals to escalate to a
remote code execution exploit.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The 6.0.0.beta3 and 5.2.2.1 releases are available at the normal locations.

Workarounds

This issue can be mitigated by specifying a secret key in development mode.
In "config/environments/development.rb" add this:

config.secret_key_base = SecureRandom.hex(64)

Credits

Thanks to ooooooo_q


🚨 We recommend merging and deploying this update as soon as possible! 🚨


Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (5.1.6.1 → 5.2.2.1) · Repo

Release Notes

5.2.2

Active Support

  • Fix bug where #to_options for ActiveSupport::HashWithIndifferentAccess
    would not act as alias for #symbolize_keys.

    Nick Weiland

  • Improve the logic that detects non-autoloaded constants.

    Jan Habermann, Xavier Noria

  • Fix bug where URI.unescape would fail with mixed Unicode/escaped character input:

    URI.unescape("\xe3\x83\x90")  # => "バ"
    URI.unescape("%E3%83%90")  # => "バ"
    URI.unescape("\xe3\x83\x90%E3%83%90")  # => Encoding::CompatibilityError
    

    Ashe Connor, Aaron Patterson

Active Model

  • Fix numericality validator to still use value before type cast except Active Record.

    Fixes #33651, #33686.

    Ryuta Kamizono

Active Record

  • Do not ignore the scoping with query methods in the scope block.

    Ryuta Kamizono

  • Allow aliased attributes to be used in #update_columns and #update.

    Gannon McGibbon

  • Allow spaces in postgres table names.

    Fixes issue where "user post" is misinterpreted as ""user"."post"" when quoting table names with the postgres
    adapter.

    Gannon McGibbon

  • Cached columns_hash fields should be excluded from ResultSet#column_types

    PR #34528 addresses the inconsistent behaviour when an attribute is defined for an ignored column. The following test
    was passing for SQLite and MySQL, but failed for PostgreSQL:

    class DeveloperName < ActiveRecord::Type::String
      def deserialize(value)
        "Developer: #{value}"
      end
    end
    
    class AttributedDeveloper < ActiveRecord::Base
      self.table_name = "developers"
    
      attribute :name, DeveloperName.new
    
      self.ignored_columns += ["name"]
    end
    
    developer = AttributedDeveloper.create
    developer.update_column :name, "name"
    
    loaded_developer = AttributedDeveloper.where(id: developer.id).select("*").first
    puts loaded_developer.name # should be "Developer: name" but it's just "name"

    Dmitry Tsepelev

  • Values of enum are frozen, raising an error when attempting to modify them.

    Emmanuel Byrd

  • update_columns now correctly raises ActiveModel::MissingAttributeError
    if the attribute does not exist.

    Sean Griffin

  • Do not use prepared statement in queries that have a large number of binds.

    Ryuta Kamizono

  • Fix query cache to load before first request.

    Eileen M. Uchitelle

  • Fix collection cache key with limit and custom select to avoid ambiguous timestamp column error.

    Fixes #33056.

    Federico Martinez

  • Fix duplicated record creation when using nested attributes with create_with.

    Darwin Wu

  • Fix regression setting children record in parent before_save callback.

    Guo Xiang Tan

  • Prevent leaking of user's DB credentials on rails db:create failure.

    bogdanvlviv

  • Clear mutation tracker before continuing the around callbacks.

    Yuya Tanaka

  • Prevent deadlocks when waiting for connection from pool.

    Brent Wheeldon

  • Avoid extra scoping when using Relation#update that was causing this method to change the current scope.

    Ryuta Kamizono

  • Fix numericality validator not to be affected by custom getter.

    Ryuta Kamizono

  • Fix bulk change table ignores comment option on PostgreSQL.

    Yoshiyuki Kinjo

Action View

  • No changes.

Action Pack

  • Reset Capybara sessions if taking a failed system test screenshot raises an exception.

    Reset Capybara sessions if take_failed_screenshot raises an exception
    in system test after_teardown.

    Maxim Perepelitsa

  • Use request object for context if there's no controller

    There is no controller instance when using a redirect route or a
    mounted rack application so pass the request object as the context
    when resolving dynamic CSP sources in this scenario.

    Fixes #34200.

    Andrew White

  • Apply mapping to symbols returned from dynamic CSP sources

    Previously, if a dynamic source returned a symbol such as :self it
    would be converted to a string implicitly, e.g.:

    policy.default_src -> { :self }
    

    would generate the header:

    Content-Security-Policy: default-src self
    

    and now it generates:

    Content-Security-Policy: default-src 'self'
    

    Andrew White

  • Fix rails routes -c for controller names consisting of multiple words.

    Yoshiyuki Kinjo

  • Call the #redirect_to block in controller context.

    Steven Peckins

Active Job

  • Make sure assert_enqueued_with() & assert_performed_with() work reliably with hash arguments.

    Sharang Dashputre

  • Restore ActionController::Parameters support to ActiveJob::Arguments.serialize.

    Bernie Chiu

  • Restore HashWithIndifferentAccess support to ActiveJob::Arguments.deserialize.

    Gannon McGibbon

  • Include deserialized arguments in job instances returned from
    assert_enqueued_with and assert_performed_with

    Alan Wu

  • Increment execution count before deserialize arguments.

    Currently, the execution count increments after deserializing arguments.
    Therefore, if an error occurs during deserialization, the job retries indefinitely.

    Yuji Yaginuma

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • Support multiple submit buttons in Active Storage forms.

    Chrıs Seelus

  • Fix ArgumentError when uploading to Amazon S3

    Hiroki Sanpei

  • Add a foreign-key constraint to the active_storage_attachments table for blobs.

    George Claghorn

  • Discard ActiveStorage::PurgeJobs for missing blobs.

    George Claghorn

  • Fix uploading Tempfiles to Azure Storage.

    George Claghorn

Railties

  • Disable content security policy for mailer previews.

    Dylan Reile

  • Log the remote IP address of clients behind a proxy.

    Atul Bhosale

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actioncable (indirect, 5.1.6.1 → 5.2.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionmailer (indirect, 5.1.6.1 → 5.2.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionpack (indirect, 5.1.6.1 → 5.2.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionview (indirect, 5.1.6.1 → 5.2.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activejob (indirect, 5.1.6.1 → 5.2.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activemodel (indirect, 5.1.6.1 → 5.2.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activerecord (indirect, 5.1.6.1 → 5.2.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activesupport (indirect, 5.1.6.1 → 5.2.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ arel (indirect, 8.0.0 → 9.0.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 52 commits:

↗️ concurrent-ruby (indirect, 1.1.4 → 1.1.5) · Repo · Changelog

Release Notes

1.1.5 (from changelog)

concurrent-ruby:

  • fix potential leak of context on JRuby and Java 7

concurrent-ruby-edge:

  • Add finalized Concurrent::Cancellation
  • Add finalized Concurrent::Throttle
  • Add finalized Concurrent::Promises::Channel
  • Add new Concurrent::ErlangActor

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.5.2 → 1.6.0) · Repo · Changelog

↗️ mini_mime (indirect, 1.0.0 → 1.0.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 12 commits:

↗️ railties (indirect, 5.1.6.1 → 5.2.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ websocket-driver (indirect, 0.6.5 → 0.7.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 17 commits:

🆕 activestorage (added, 5.2.2.1)

🆕 marcel (added, 0.3.3)

🆕 mimemagic (added, 0.3.3)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
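The Action Pack entry above ("Apply mapping to symbols returned from dynamic CSP sources") is the one change in this PR worth seeing in code. The following is an added illustration, not Rails' own code or part of this PR: a minimal CSP header builder in which a dynamic source (a lambda evaluated against a request context) is mapped exactly like a static symbol, next to the pre-fix behaviour that stringifies it. The keyword table is a subset of what Rails uses, and the RequestContext struct is a constructed stand-in for the request object.

```ruby
# Added illustration of the Action Pack CSP fix (not Rails' own code).
# A bare `self` in a CSP header is parsed by browsers as a host name, so a
# dynamic source returning :self must be mapped to the quoted keyword 'self'.

# Subset of the symbol -> CSP keyword mapping; unknown symbols are rejected
# rather than silently emitted.
CSP_MAPPINGS = {
  self: "'self'",
  none: "'none'",
  unsafe_inline: "'unsafe-inline'",
  unsafe_eval: "'unsafe-eval'",
  https: "https:",
  data: "data:",
  blob: "blob:"
}.freeze

# Expand one source. A Proc is a dynamic source evaluated in the request
# context; its result then goes through the same mapping as a static value.
def expand_csp_source(source, context)
  value = source.is_a?(Proc) ? context.instance_exec(&source) : source
  case value
  when Symbol then CSP_MAPPINGS.fetch(value) { raise ArgumentError, "unknown CSP source #{value.inspect}" }
  when String then value   # host and scheme sources pass through as written
  when nil    then nil     # a dynamic source may contribute nothing
  else raise ArgumentError, "invalid CSP source #{value.inspect}"
  end
end

# Render directives into a Content-Security-Policy header value (fixed behaviour).
def build_csp_header(directives, context)
  directives.map do |name, sources|
    [name, *sources.map { |s| expand_csp_source(s, context) }.compact].join(" ")
  end.join("; ")
end

# Pre-fix behaviour for comparison: a dynamic result is stringified, not mapped,
# so a lambda returning :self yields the bare token `self`.
def build_csp_header_unmapped(directives, context)
  directives.map do |name, sources|
    expanded = sources.map { |s| s.is_a?(Proc) ? context.instance_exec(&s).to_s : expand_csp_source(s, context) }
    [name, *expanded].join(" ")
  end.join("; ")
end

# Constructed request context: the dynamic source prefers a per-request CDN
# host and falls back to :self when none is configured.
RequestContext = Struct.new(:cdn_host)

DIRECTIVES = {
  "default-src" => [:self],
  "script-src"  => [:self, -> { cdn_host || :self }]
}.freeze
```

With `RequestContext.new(nil)`, `build_csp_header(DIRECTIVES, ctx)` yields `default-src 'self'; script-src 'self' 'self'`, while the unmapped variant emits the invalid `script-src 'self' self`.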
depfu[bot] commented 5 years ago

Closed in favor of #120.