🚨 [security] Upgrade rails to version 5.2.4.4

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (5.1.4 → 5.2.4.4) · Repo

Security Advisories 🚨

🚨 ActiveJob/ActiveStorage vulnerabilities

There is a vulnerability in Active Job. This vulnerability has been
assigned the CVE identifier CVE-2018-16476.

Versions Affected: >= 4.2.0
Not affected: < 4.2.0
Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1

Impact

Carefully crafted user input can cause Active Job to deserialize it using GlobalId
and allow an attacker to have access to information that they should not have.

Vulnerable code will look something like this:

MyJob.perform_later(user_input)

All users running an affected release should either upgrade or use one of the
workarounds immediately.

---

There is a vulnerability in Active Storage. This vulnerability has been
assigned the CVE identifier CVE-2018-16477.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 5.2.1.1

Impact

Signed download URLs generated by ActiveStorage for Google Cloud Storage
service and Disk service include content-disposition and content-type
parameters that an attacker can modify. This can be used to upload specially
crafted HTML files and have them served and executed inline. Combined with
other techniques such as cookie bombing and specially crafted AppCache manifests,
an attacker can gain access to private signed URLs within a specific storage path.

Vulnerable apps are those using either GCS or the Disk service in production.
Other storage services such as S3 or Azure aren't affected.

All users running an affected release should either upgrade or use one of the
workarounds immediately. For those using GCS, it's also recommended to run the
following to update existing blobs:

ActiveStorage::Blob.find_each do |blob|
  blob.send :update_service_metadata
end

🚨 ActiveJob/ActiveStorage vulnerabilities

There is a vulnerability in Active Job. This vulnerability has been
assigned the CVE identifier CVE-2018-16476.

Versions Affected: >= 4.2.0
Not affected: < 4.2.0
Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1

Impact

Carefully crafted user input can cause Active Job to deserialize it using GlobalId
and allow an attacker to have access to information that they should not have.

Vulnerable code will look something like this:

MyJob.perform_later(user_input)

All users running an affected release should either upgrade or use one of the
workarounds immediately.

---

There is a vulnerability in Active Storage. This vulnerability has been
assigned the CVE identifier CVE-2018-16477.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 5.2.1.1

Impact

Signed download URLs generated by ActiveStorage for Google Cloud Storage
service and Disk service include content-disposition and content-type
parameters that an attacker can modify. This can be used to upload specially
crafted HTML files and have them served and executed inline. Combined with
other techniques such as cookie bombing and specially crafted AppCache manifests,
an attacker can gain access to private signed URLs within a specific storage path.

Vulnerable apps are those using either GCS or the Disk service in production.
Other storage services such as S3 or Azure aren't affected.

All users running an affected release should either upgrade or use one of the
workarounds immediately. For those using GCS, it's also recommended to run the
following to update existing blobs:

ActiveStorage::Blob.find_each do |blob|
  blob.send :update_service_metadata
end

Release Notes

5.2.4.4

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• [CVE-2020-15169] Fix potential XSS vulnerability in the translate/t helper

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Railties

• No changes.

5.2.4.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix possible information leak / session hijacking vulnerability.

  The ActionDispatch::Session::MemcacheStore is still vulnerable given it requires the
  gem dalli to be updated as well.

  CVE-2019-16782.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Railties

• No changes.

5.2.4

Active Support

• Make ActiveSupport::Logger Fiber-safe. Fixes #36752.

  Use Fiber.current.__id__ in ActiveSupport::Logger#local_level= in order
  to make log level local to Ruby Fibers in addition to Threads.

  Example:

  logger = ActiveSupport::Logger.new(STDOUT)
  logger.level = 1
  p "Main is debug? #{logger.debug?}"
  Fiber.new {
  
  logger.local_level = 0
  
  p "Thread is debug? #{logger.debug?}"
  
  }.resume
  p "Main is debug? #{logger.debug?}"
  
  

  Before:

  Main is debug? false
  Thread is debug? true
  Main is debug? true
  

  After:

  Main is debug? false
  Thread is debug? true
  Main is debug? false
  

  Alexander Varnin

Active Model

• Type cast falsy boolean symbols on boolean attribute as false.

  Fixes #35676.

  Ryuta Kamizono

Active Record

• Fix circular autosave: true causes invalid records to be saved.

  Prior to the fix, when there was a circular series of autosave: true
  associations, the callback for a has_many association was run while
  another instance of the same callback on the same association hadn't
  finished running. When control returned to the first instance of the
  callback, the instance variable had changed, and subsequent associated
  records weren't saved correctly. Specifically, the ID field for the
  belongs_to corresponding to the has_many was nil.

  Fixes #28080.

  Larry Reid

• PostgreSQL: Fix GROUP BY with ORDER BY virtual count attribute.

  Fixes #36022.

  Ryuta Kamizono

• Fix sqlite3 collation parsing when using decimal columns.

  Martin R. Schuster

• Make ActiveRecord ConnectionPool.connections method thread-safe.

  Fixes #36465.

  Jeff Doering

• Assign all attributes before calling build to ensure the child record is visible in
  before_add and after_add callbacks for has_many :through associations.

  Fixes #33249.

  Ryan H. Kerr

Action View

• Allow programmatic click events to trigger Rails UJS click handlers.
  Programmatic click events (eg. ones generated by Rails.fire(link, "click")) don't specify a button. These events were being incorrectly stopped by code meant to ignore scroll wheel and right clicks introduced in #34573.

  Sudara Williams

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Railties

• Use original bundler environment variables during the process of generating a new rails project.

  Marco Costa

• Allow loading seeds without ActiveJob.

  Fixes #35782

  Jeremy Weathers

• Only force :async ActiveJob adapter to :inline during seeding.

  BatedUrGonnaDie

5.2.3

Active Support

• Add ActiveSupport::HashWithIndifferentAccess#assoc.

  assoc can now be called with either a string or a symbol.

  Stefan Schüßler

• Fix String#safe_constantize throwing a LoadError for incorrectly cased constant references.

  Keenan Brock

• Allow Range#=== and Range#cover? on Range

  Range#cover? can now accept a range argument like Range#include? and
  Range#===. Range#=== works correctly on Ruby 2.6. Range#include? is moved
  into a new file, with these two methods.

  utilum

• If the same block is included multiple times for a Concern, an exception is no longer raised.

  Mark J. Titorenko, Vlad Bokov

Active Model

• Fix date value when casting a multiparameter date hash to not convert
  from Gregorian date to Julian date.

  Before:

  Day.new({"day(1i)"=>"1", "day(2i)"=>"1", "day(3i)"=>"1"})
  => #<Day id: nil, day: "0001-01-03", created_at: nil, updated_at: nil>
  

  After:

  Day.new({"day(1i)"=>"1", "day(2i)"=>"1", "day(3i)"=>"1"})
  => #<Day id: nil, day: "0001-01-01", created_at: nil, updated_at: nil>
  

  Fixes #28521.

  Sayan Chakraborty

• Fix numericality equality validation of BigDecimal and Float
  by casting to BigDecimal on both ends of the validation.

  Gannon McGibbon

Active Record

• Fix different count calculation when using size with manual select with DISTINCT.

  Fixes #35214.

  Juani Villarejo

• Fix prepared statements caching to be enabled even when query caching is enabled.

  Ryuta Kamizono

• Don't allow where with invalid value matches to nil values.

  Fixes #33624.

  Ryuta Kamizono

• Restore an ability that class level update without giving ids.

  Fixes #34743.

  Ryuta Kamizono

• Fix join table column quoting with SQLite.

  Gannon McGibbon

• Ensure that delete_all on collection proxy returns affected count.

  Ryuta Kamizono

• Reset scope after delete on collection association to clear stale offsets of removed records.

  Gannon McGibbon

Action View

• Prevent non-primary mouse keys from triggering Rails UJS click handlers.
  Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
  For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.

  <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>
  

  Fixes #34541

  Wolfgang Hobmaier

Action Pack

• Allow using combine the Cache Control public and no-cache headers.

  Before this change, even if public was specified for Cache Control header,
  it was excluded when no-cache was included. This fixed to keep public
  header as is.

  Fixes #34780.

  Yuji Yaginuma

• Allow nil params for ActionController::TestCase.

  Ryo Nakamura

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Railties

• Seed database with inline ActiveJob job adapter.

  Gannon McGibbon

• Fix boolean interaction in scaffold system tests.

  Gannon McGibbon

5.2.2

Active Support

• Fix bug where #to_options for ActiveSupport::HashWithIndifferentAccess
  would not act as alias for #symbolize_keys.

  Nick Weiland

• Improve the logic that detects non-autoloaded constants.

  Jan Habermann, Xavier Noria

• Fix bug where URI.unescape would fail with mixed Unicode/escaped character input:

  URI.unescape("\xe3\x83\x90")  # => "バ"
  URI.unescape("%E3%83%90")  # => "バ"
  URI.unescape("\xe3\x83\x90%E3%83%90")  # => Encoding::CompatibilityError
  

  Ashe Connor, Aaron Patterson

Active Model

• Fix numericality validator to still use value before type cast except Active Record.

  Fixes #33651, #33686.

  Ryuta Kamizono

Active Record

• Do not ignore the scoping with query methods in the scope block.

  Ryuta Kamizono

• Allow aliased attributes to be used in #update_columns and #update.

  Gannon McGibbon

• Allow spaces in postgres table names.

  Fixes issue where "user post" is misinterpreted as ""user"."post"" when quoting table names with the postgres
  adapter.

  Gannon McGibbon

• Cached columns_hash fields should be excluded from ResultSet#column_types

  PR #34528 addresses the inconsistent behaviour when attribute is defined for an ignored column. The following test
  was passing for SQLite and MySQL, but failed for PostgreSQL:

  class DeveloperName < ActiveRecord::Type::String
    def deserialize(value)
      "Developer: #{value}"
    end
  end
  class AttributedDeveloper < ActiveRecord::Base
  
  self.table_name = "developers"
  attribute :name, DeveloperName.new
  self.ignored_columns += ["name"]
  
  end
  developer = AttributedDeveloper.create
  
  developer.update_column :name, "name"
  loaded_developer = AttributedDeveloper.where(id: developer.id).select("*").first
  
  puts loaded_developer.name # should be "Developer: name" but it's just "name"

  Dmitry Tsepelev

• Values of enum are frozen, raising an error when attempting to modify them.

  Emmanuel Byrd

• update_columns now correctly raises ActiveModel::MissingAttributeError
  if the attribute does not exist.

  Sean Griffin

• Do not use prepared statement in queries that have a large number of binds.

  Ryuta Kamizono

• Fix query cache to load before first request.

  Eileen M. Uchitelle

• Fix collection cache key with limit and custom select to avoid ambiguous timestamp column error.

  Fixes #33056.

  Federico Martinez

• Fix duplicated record creation when using nested attributes with create_with.

  Darwin Wu

• Fix regression setting children record in parent before_save callback.

  Guo Xiang Tan

• Prevent leaking of user's DB credentials on rails db:create failure.

  bogdanvlviv

• Clear mutation tracker before continuing the around callbacks.

  Yuya Tanaka

• Prevent deadlocks when waiting for connection from pool.

  Brent Wheeldon

• Avoid extra scoping when using Relation#update that was causing this method to change the current scope.

  Ryuta Kamizono

• Fix numericality validator not to be affected by custom getter.

  Ryuta Kamizono

• Fix bulk change table ignores comment option on PostgreSQL.

  Yoshiyuki Kinjo

Action View

• No changes.

Action Pack

• Reset Capybara sessions if failed system test screenshot raising an exception.

  Reset Capybara sessions if take_failed_screenshot raise exception
  in system test after_teardown.

  Maxim Perepelitsa

• Use request object for context if there's no controller

  There is no controller instance when using a redirect route or a
  mounted rack application so pass the request object as the context
  when resolving dynamic CSP sources in this scenario.

  Fixes #34200.

  Andrew White

• Apply mapping to symbols returned from dynamic CSP sources

  Previously if a dynamic source returned a symbol such as :self it
  would be converted to a string implicity, e.g:

  policy.default_src -> { :self }
  

  would generate the header:

  Content-Security-Policy: default-src self
  

  and now it generates:

  Content-Security-Policy: default-src 'self'
  

  Andrew White

• Fix rails routes -c for controller name consists of multiple word.

  Yoshiyuki Kinjo

• Call the #redirect_to block in controller context.

  Steven Peckins

Active Job

• Make sure assert_enqueued_with() & assert_performed_with() work reliably with hash arguments.

  Sharang Dashputre

• Restore ActionController::Parameters support to ActiveJob::Arguments.serialize.

  Bernie Chiu

• Restore HashWithIndifferentAccess support to ActiveJob::Arguments.deserialize.

  Gannon McGibbon

• Include deserialized arguments in job instances returned from
  assert_enqueued_with and assert_performed_with

  Alan Wu

• Increment execution count before deserialize arguments.

  Currently, the execution count increments after deserializes arguments.
  Therefore, if an error occurs with deserialize, it retries indefinitely.

  Yuji Yaginuma

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• Support multiple submit buttons in Active Storage forms.

  Chrıs Seelus

• Fix ArgumentError when uploading to amazon s3

  Hiroki Sanpei

• Add a foreign-key constraint to the active_storage_attachments table for blobs.

  George Claghorn

• Discard ActiveStorage::PurgeJobs for missing blobs.

  George Claghorn

• Fix uploading Tempfiles to Azure Storage.

  George Claghorn

Railties

• Disable content security policy for mailer previews.

  Dylan Reile

• Log the remote IP address of clients behind a proxy.

  Atul Bhosale

5.1.7

Active Support

• No changes.

Active Model

• No changes.

Active Record

• Fix touch option to behave consistently with Persistence#touch method.

  Ryuta Kamizono

• Back port Rails 5.2 reverse_order Arel SQL literal fix.

  Matt Jones, Brooke Kuhlmann

• becomes should clear the mutation tracker which is created in after_initialize.

  Fixes #32867.

  Ryuta Kamizono

Action View

• Fix issue with button_to's to_form_params

  button_to was throwing exception when invoked with params hash that
  contains symbol and string keys. The reason for the exception was that
  to_form_params was comparing the given symbol and string keys.

  The issue is fixed by turning all keys to strings inside
  to_form_params before comparing them.

  Georgi Georgiev

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Railties

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[codeclimate]

Code Climate has analyzed commit c9174ac and detected 0 issues on this pull request.

View more on Code Climate.

[codecov-io]

Codecov Report

Merging #713 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #713   +/-   ##
=======================================
  Coverage   95.30%   95.30%           
=======================================
  Files          35       35           
  Lines        1236     1236           
=======================================
  Hits         1178     1178           
  Misses         58       58           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ccdb217...c9174ac. Read the comment docs.