
🚨 [security] Upgrade rails to version 6.0.3.4 #715

Open · wants to merge 1 commit into base: master
Conversation

depfu[bot] (Contributor) commented Oct 12, 2020


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (5.1.4 → 6.0.3.4) · Repo

Security Advisories 🚨

🚨 ActiveJob/ActiveStorage vulnerabilities

There is a vulnerability in Active Job. This vulnerability has been
assigned the CVE identifier CVE-2018-16476.

Versions Affected: >= 4.2.0
Not affected: < 4.2.0
Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1

Impact

Carefully crafted user input can cause Active Job to deserialize it using GlobalId
and allow an attacker to have access to information that they should not have.

Vulnerable code will look something like this:

MyJob.perform_later(user_input)

All users running an affected release should either upgrade or use one of the
workarounds immediately.


There is a vulnerability in Active Storage. This vulnerability has been
assigned the CVE identifier CVE-2018-16477.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 5.2.1.1

Impact

Signed download URLs generated by ActiveStorage for Google Cloud Storage
service and Disk service include content-disposition and content-type
parameters that an attacker can modify. This can be used to upload specially
crafted HTML files and have them served and executed inline. Combined with
other techniques such as cookie bombing and specially crafted AppCache manifests,
an attacker can gain access to private signed URLs within a specific storage path.

Vulnerable apps are those using either GCS or the Disk service in production.
Other storage services such as S3 or Azure aren't affected.

All users running an affected release should either upgrade or use one of the
workarounds immediately. For those using GCS, it's also recommended to run the
following to update existing blobs:

ActiveStorage::Blob.find_each do |blob|
  blob.send :update_service_metadata
end

Release Notes

6.0.3.3

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • [CVE-2020-8185] Fix potential XSS vulnerability in the translate/t helper.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

6.0.3

In this version, we fixed warnings when used with Ruby 2.7 across the entire framework.

Following are the list of other changes, per-framework.

Active Support

  • Array#to_sentence no longer returns a frozen string.

    Before:

    ['one', 'two'].to_sentence.frozen?
    # => true
    

    After:

    ['one', 'two'].to_sentence.frozen?
    # => false
    

    Nicolas Dular

  • Update ActiveSupport::Messages::Metadata#fresh? to work for cookies with expiry set when
    ActiveSupport.parse_json_times = true.

    Christian Gregg

Active Model

  • No changes.

Active Record

  • Recommend applications don't use the database kwarg in connected_to

    The database kwarg in connected_to was meant to be used for one-off scripts but is often used in requests. This is really dangerous because it re-establishes a connection every time. It's deprecated in 6.1 and will be removed in 6.2 without replacement. This change soft deprecates it in 6.0 by removing documentation.

    Eileen M. Uchitelle

  • Fix support for PostgreSQL 11+ partitioned indexes.

    Sebastián Palma

  • Add support for beginless ranges, introduced in Ruby 2.7.

    Josh Goodall

  • Fix insert_all with enum values

    Fixes #38716.

    Joel Blum

  • Regexp-escape table name for MS SQL

    Add Regexp.escape to one method in ActiveRecord, so that table names with regular expression characters in them work as expected. Since MS SQL Server uses "[" and "]" to quote table and column names, and those characters are regular expression characters, methods like pluck and select fail in certain cases when used with the MS SQL Server adapter.

    Larry Reid

  • Store advisory locks on their own named connection.

    Previously advisory locks were taken out against a connection when a migration started. This works fine in single database applications but doesn't work well when migrations need to open new connections which results in the lock getting dropped.

    In order to fix this we are storing the advisory lock on a new connection with the connection specification name AdvisoryLockBase. The caveat is that we need to maintain at least 2 connections to a database while migrations are running in order to do this.

    Eileen M. Uchitelle, John Crepezzi

  • Ensure :reading connections always raise if a write is attempted.

    Now Rails will raise an ActiveRecord::ReadOnlyError if any connection on the reading handler attempts to make a write. If your reading role needs to write you should name the role something other than :reading.

    Eileen M. Uchitelle

  • Enforce fresh ETag header after a collection's contents change by adding
    ActiveRecord::Relation#cache_key_with_version. This method will be used by
    ActionController::ConditionalGet to ensure that when collection cache versioning
    is enabled, requests using ConditionalGet don't return the same ETag header
    after a collection is modified. Fixes #38078.

    Aaron Lipman

  • A database URL can now contain a querystring value that contains an equal sign. This is needed to support passing PostgreSQL options.

    Joshua Flanagan

  • Retain explicit selections on the base model after applying includes and joins.

    Resolves #34889.

    Patrick Rebsch

Action View

  • annotated_source_code returns an empty array so TemplateErrors without a
    template in the backtrace are surfaced properly by DebugExceptions.

    Guilherme Mansur, Kasper Timm Hansen

  • Add autoload for SyntaxErrorInTemplate so syntax errors are correctly raised by DebugExceptions.

    Guilherme Mansur, Gannon McGibbon

Action Pack

  • Include child session assertion count in ActionDispatch::IntegrationTest

    IntegrationTest#open_session uses dup to create the new session, which
    meant it had its own copy of @assertions. This prevented the assertions
    from being correctly counted and reported.

    Child sessions now have their attr_accessor overridden to delegate to the
    root session.

    Fixes #32142

    Sam Bostock

Active Job

  • While using perform_enqueued_jobs test helper enqueued jobs must be stored for the later check with
    assert_enqueued_with.

    Dmitry Polushkin

  • Add queue name support to Que adapter

    Brad Nauta, Wojciech Wnętrzak

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • Update Mandrill inbound email route to respond appropriately to HEAD requests for URL health checks from Mandrill.

    Bill Cromie

Action Text

  • No changes.

Railties

  • Cache compiled view templates when running tests by default

    When generating a new app without --skip-spring, caching classes is
    disabled in environments/test.rb. This implicitly disables caching
    view templates too. This change will enable view template caching by
    adding this to the generated environments/test.rb:

    config.action_view.cache_template_loading = true

    Jorge Manrubia

  • Rails::Application#eager_load! is available again to load application code
    manually as it was possible in previous versions.

    Please, note this is not integrated with the whole eager loading logic that
    runs when Rails boots with eager loading enabled, you can think of this
    method as a vanilla recursive code loader.

    This ability has been restored because there are some use cases for it, such
    as indexers that need to have all application classes and modules in memory.

    Xavier Noria

  • Generators that inherit from NamedBase respect --force option

    Josh Brody

  • Regression fix: The Rake task zeitwerk:check supports eager loaded
    namespaces which do not have eager load paths, like the recently added
    i18n. These namespaces are only required to respond to eager_load!.

    Xavier Noria

6.0.2.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix possible information leak / session hijacking vulnerability.

    The ActionDispatch::Session::MemcacheStore is still vulnerable given it requires the
    gem dalli to be updated as well.

    CVE-2019-16782.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

6.0.2

Active Support

  • Eager load translations during initialization.

    Diego Plentz

  • Use per-thread CPU time clock on ActiveSupport::Notifications.

    George Claghorn

Active Model

  • No changes.

Active Record

  • Share the same connection pool for primary and replica databases in the
    transactional tests for the same database.

    Edouard Chin

  • Fix the preloader when one record is fetched using after_initialize
    but not the entire collection.

    Bradley Price

  • Fix collection callbacks not terminating when :abort is thrown.

    Edouard Chin, Ryuta Kamizono

  • Correctly deprecate where.not working as NOR for relations.

    12a9664 deprecated where.not working as NOR, however
    doing a relation query like where.not(relation: { ... })
    wouldn't be properly deprecated and where.not would work as
    NAND instead.

    Edouard Chin

  • Fix db:migrate task with multiple databases to restore the connection
    to the previous database.

    The migrate task iterates and establish a connection over each db
    resulting in the last one to be used by subsequent rake tasks.
    We should reestablish a connection to the connection that was
    established before the migrate tasks was run

    Edouard Chin

  • Fix multi-threaded issue for AcceptanceValidator.

    Ryuta Kamizono

Action View

  • No changes.

Action Pack

  • Allow using mountable engine route helpers in System Tests.

    Chalo Fernandez

Active Job

Action Mailer

  • Fix ActionMailer assertions not working for parameterized mail with the legacy delivery job.

    bogdanvlviv

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • Fix the collision check for the scaffold generator.

    Ryan Robeson

6.0.1

Active Support

  • ActiveSupport::SafeBuffer supports Enumerator methods.

    Shugo Maeda

  • The Redis cache store fails gracefully when the server returns a "max number of clients reached" error.

    Brandon Medenwald

  • Fixed that mutating a value returned by a memory cache store would unexpectedly change the cached value.

    Jonathan Hyman

  • The default inflectors in zeitwerk mode support overrides:

    # config/initializers/zeitwerk.rb
    Rails.autoloaders.each do |autoloader|
      autoloader.inflector.inflect(
        "html_parser" => "HTMLParser",
        "ssl_error"   => "SSLError"
      )
    end

    That way, you can tweak how individual basenames are inflected without touching Active Support inflection rules, which are global. These inflectors fallback to String#camelize, so existing inflection rules are still taken into account for non-overridden basenames.

    Please, check the autoloading guide for zeitwerk mode if you prefer not to depend on String#camelize at all.

    Xavier Noria

  • Improve Range#===, Range#include?, and Range#cover? to work with beginless (startless) and endless range targets.

    Allen Hsu, Andrew Hodgkinson

  • Don't use Process#clock_gettime(CLOCK_PROCESS_CPUTIME_ID) on Solaris

    Iain Beeston

Active Model

  • No changes.

Active Record

  • Common Table Expressions are allowed on read-only connections.

    Chris Morris

  • New record instantiation respects unscope.

    Ryuta Kamizono

  • Fixed a case where find_in_batches could halt too early.

    Takayuki Nakata

  • Autosaved associations always perform validations when a custom validation context is used.

    Tekin Suleyman

  • sql.active_record notifications now include the :connection in their payloads.

    Eugene Kenny

  • A rollback encountered in an after_commit callback does not reset previously-committed record state.

    Ryuta Kamizono

  • Fixed that join order was lost when eager-loading.

    Ryuta Kamizono

  • DESCRIBE queries are allowed on read-only connections.

    Dylan Thacker-Smith

  • Fixed that records that had been inspected could not be marshaled.

    Eugene Kenny

  • The connection pool reaper thread is respawned in forked processes. This fixes that idle connections in forked processes wouldn't be reaped.

    John Hawthorn

  • The memoized result of ActiveRecord::Relation#take is properly cleared when ActiveRecord::Relation#reset or ActiveRecord::Relation#reload is called.

    Anmol Arora

  • Fixed the performance regression for primary_keys introduced in MySQL 8.0.

    Hiroyuki Ishii

  • insert, insert_all, upsert, and upsert_all now clear the query cache.

    Eugene Kenny

  • Call while_preventing_writes directly from connected_to.

    In some cases application authors want to use the database switching middleware and make explicit calls with connected_to. It's possible for an app to turn off writes and not turn them back on by the time we call connected_to(role: :writing).

    This change allows apps to fix this by assuming if a role is writing we want to allow writes, except in the case it's explicitly turned off.

    Eileen M. Uchitelle

  • Improve detection of ActiveRecord::StatementTimeout with mysql2 adapter in the edge case when the query is terminated during filesort.

    Kir Shatrov

Action View

  • UJS avoids Element.closest() for IE 9 compatibility.

    George Claghorn

Action Pack

  • ActionDispatch::SystemTestCase now inherits from ActiveSupport::TestCase rather than ActionDispatch::IntegrationTest. This permits running jobs in system tests.

    George Claghorn, Edouard Chin

  • Registered MIME types may contain extra flags:

    Mime::Type.register "text/html; fragment", :html_fragment

    Aaron Patterson

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • ActiveStorage::AnalyzeJobs are discarded on ActiveRecord::RecordNotFound errors.

    George Claghorn

  • Blobs are recorded in the database before being uploaded to the service. This fixes that generated blob keys could silently collide, leading to data loss.

    Julik Tarkhanov

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • The zeitwerk:check Rake task reports files outside the app's root directory, as in engines loaded from gems.

    Xavier Noria

  • Fixed a possible error when using the evented file update checker.

    Yuji Yaginuma

  • The sqlite3 database files created by the parallel testing feature are included in the default .gitignore file for newly-generated apps.

    Yasuo Honda

  • rails new generates a .keep file in tmp/pids. This fixes starting a server via rackup instead of rails server.

    Rafael Mendonça França

5.2.4.4

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • [CVE-2020-15169] Fix potential XSS vulnerability in the translate/t helper

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Railties

  • No changes.

5.2.4.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix possible information leak / session hijacking vulnerability.

    The ActionDispatch::Session::MemcacheStore is still vulnerable given it requires the
    gem dalli to be updated as well.

    CVE-2019-16782.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Railties

  • No changes.

5.2.4

Active Support

  • Make ActiveSupport::Logger Fiber-safe. Fixes #36752.

    Use Fiber.current.__id__ in ActiveSupport::Logger#local_level= in order
    to make log level local to Ruby Fibers in addition to Threads.

    Example:

    logger = ActiveSupport::Logger.new(STDOUT)
    logger.level = 1
    p "Main is debug? #{logger.debug?}"

    Fiber.new {
      logger.local_level = 0
      p "Thread is debug? #{logger.debug?}"
    }.resume

    p "Main is debug? #{logger.debug?}"

    Before:

    Main is debug? false
    Thread is debug? true
    Main is debug? true
    

    After:

    Main is debug? false
    Thread is debug? true
    Main is debug? false
    

    Alexander Varnin

Active Model

  • Type cast falsy boolean symbols on boolean attribute as false.

    Fixes #35676.

    Ryuta Kamizono

Active Record

  • Fix circular autosave: true causes invalid records to be saved.

    Prior to the fix, when there was a circular series of autosave: true
    associations, the callback for a has_many association was run while
    another instance of the same callback on the same association hadn't
    finished running. When control returned to the first instance of the
    callback, the instance variable had changed, and subsequent associated
    records weren't saved correctly. Specifically, the ID field for the
    belongs_to corresponding to the has_many was nil.

    Fixes #28080.

    Larry Reid

  • PostgreSQL: Fix GROUP BY with ORDER BY virtual count attribute.

    Fixes #36022.

    Ryuta Kamizono

  • Fix sqlite3 collation parsing when using decimal columns.

    Martin R. Schuster

  • Make ActiveRecord ConnectionPool.connections method thread-safe.

    Fixes #36465.

    Jeff Doering

  • Assign all attributes before calling build to ensure the child record is visible in
    before_add and after_add callbacks for has_many :through associations.

    Fixes #33249.

    Ryan H. Kerr

Action View

  • Allow programmatic click events to trigger Rails UJS click handlers.
    Programmatic click events (eg. ones generated by Rails.fire(link, "click")) don't specify a button. These events were being incorrectly stopped by code meant to ignore scroll wheel and right clicks introduced in #34573.

    Sudara Williams

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Railties

  • Use original bundler environment variables during the process of generating a new rails project.

    Marco Costa

  • Allow loading seeds without ActiveJob.

    Fixes #35782

    Jeremy Weathers

  • Only force :async ActiveJob adapter to :inline during seeding.

    BatedUrGonnaDie

5.2.3

Active Support

  • Add ActiveSupport::HashWithIndifferentAccess#assoc.

    assoc can now be called with either a string or a symbol.

    Stefan Schüßler

  • Fix String#safe_constantize throwing a LoadError for incorrectly cased constant references.

    Keenan Brock

  • Allow Range#=== and Range#cover? on Range

    Range#cover? can now accept a range argument like Range#include? and
    Range#===. Range#=== works correctly on Ruby 2.6. Range#include? is moved
    into a new file, with these two methods.

    utilum

  • If the same block is included multiple times for a Concern, an exception is no longer raised.

    Mark J. Titorenko, Vlad Bokov

Active Model

  • Fix date value when casting a multiparameter date hash to not convert
    from Gregorian date to Julian date.

    Before:

    Day.new({"day(1i)"=>"1", "day(2i)"=>"1", "day(3i)"=>"1"})
    => #<Day id: nil, day: "0001-01-03", created_at: nil, updated_at: nil>
    

    After:

    Day.new({"day(1i)"=>"1", "day(2i)"=>"1", "day(3i)"=>"1"})
    => #<Day id: nil, day: "0001-01-01", created_at: nil, updated_at: nil>
    

    Fixes #28521.

    Sayan Chakraborty

  • Fix numericality equality validation of BigDecimal and Float
    by casting to BigDecimal on both ends of the validation.

    Gannon McGibbon

Active Record

  • Fix different count calculation when using size with manual select with DISTINCT.

    Fixes #35214.

    Juani Villarejo

  • Fix prepared statements caching to be enabled even when query caching is enabled.

    Ryuta Kamizono

  • Don't allow where with invalid value matches to nil values.

    Fixes #33624.

    Ryuta Kamizono

  • Restore the ability to do a class-level update without giving ids.

    Fixes #34743.

    Ryuta Kamizono

  • Fix join table column quoting with SQLite.

    Gannon McGibbon

  • Ensure that delete_all on collection proxy returns affected count.

    Ryuta Kamizono

  • Reset scope after delete on collection association to clear stale offsets of removed records.

    Gannon McGibbon

Action View

  • Prevent non-primary mouse keys from triggering Rails UJS click handlers.
    Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
    For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.

    <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>
    

    Fixes #34541

    Wolfgang Hobmaier

Action Pack

  • Allow combining the Cache-Control public and no-cache directives.

    Before this change, even if public was specified for the Cache-Control header,
    it was dropped when no-cache was included. This is fixed to keep the public
    directive as is.

    Fixes #34780.

    Yuji Yaginuma

  • Allow nil params for ActionController::TestCase.

    Ryo Nakamura

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Railties

  • Seed database with inline ActiveJob job adapter.

    Gannon McGibbon

  • Fix boolean interaction in scaffold system tests.

    Gannon McGibbon

5.2.2

Active Support

  • Fix bug where #to_options for ActiveSupport::HashWithIndifferentAccess
    would not act as alias for #symbolize_keys.

    Nick Weiland

  • Improve the logic that detects non-autoloaded constants.

    Jan Habermann, Xavier Noria

  • Fix bug where URI.unescape would fail with mixed Unicode/escaped character input:

    URI.unescape("\xe3\x83\x90")  # => "バ"
    URI.unescape("%E3%83%90")  # => "バ"
    URI.unescape("\xe3\x83\x90%E3%83%90")  # => Encoding::CompatibilityError
    

    Ashe Connor, Aaron Patterson

Active Model

  • Fix numericality validator to still use value before type cast except Active Record.

    Fixes #33651, #33686.

    Ryuta Kamizono

Active Record

  • Do not ignore the scoping with query methods in the scope block.

    Ryuta Kamizono

  • Allow aliased attributes to be used in #update_columns and #update.

    Gannon McGibbon

  • Allow spaces in postgres table names.

    Fixes issue where "user post" is misinterpreted as ""user"."post"" when quoting table names with the postgres
    adapter.

    Gannon McGibbon

  • Cached columns_hash fields should be excluded from ResultSet#column_types

    PR #34528 addresses the inconsistent behaviour when attribute is defined for an ignored column. The following test
    was passing for SQLite and MySQL, but failed for PostgreSQL:

    class DeveloperName < ActiveRecord::Type::String
      def deserialize(value)
        "Developer: #{value}"
      end
    end

    class AttributedDeveloper < ActiveRecord::Base
      self.table_name = "developers"

      attribute :name, DeveloperName.new

      self.ignored_columns += ["name"]
    end

    developer = AttributedDeveloper.create
    developer.update_column :name, "name"

    loaded_developer = AttributedDeveloper.where(id: developer.id).select("*").first
    puts loaded_developer.name # should be "Developer: name" but it's just "name"

    Dmitry Tsepelev

  • Values of enum are frozen, raising an error when attempting to modify them.

    Emmanuel Byrd

  • update_columns now correctly raises ActiveModel::MissingAttributeError
    if the attribute does not exist.

    Sean Griffin

  • Do not use prepared statement in queries that have a large number of binds.

    Ryuta Kamizono

  • Fix query cache to load before first request.

    Eileen M. Uchitelle

  • Fix collection cache key with limit and custom select to avoid ambiguous timestamp column error.

    Fixes #33056.

    Federico Martinez

  • Fix duplicated record creation when using nested attributes with create_with.

    Darwin Wu

  • Fix regression setting children record in parent before_save callback.

    Guo Xiang Tan

  • Prevent leaking of user's DB credentials on rails db:create failure.

    bogdanvlviv

  • Clear mutation tracker before continuing the around callbacks.

    Yuya Tanaka

  • Prevent deadlocks when waiting for connection from pool.

    Brent Wheeldon

  • Avoid extra scoping when using Relation#update that was causing this method to change the current scope.

    Ryuta Kamizono

  • Fix numericality validator not to be affected by custom getter.

    Ryuta Kamizono

  • Fix bulk change table ignores comment option on PostgreSQL.

    Yoshiyuki Kinjo

Action View

  • No changes.

Action Pack

  • Reset Capybara sessions if taking the failed system test screenshot raises an exception.

    Reset Capybara sessions if take_failed_screenshot raises an exception
    in the system test after_teardown.

    Maxim Perepelitsa

  • Use request object for context if there's no controller

    There is no controller instance when using a redirect route or a
    mounted rack application so pass the request object as the context
    when resolving dynamic CSP sources in this scenario.

    Fixes #34200.

    Andrew White

  • Apply mapping to symbols returned from dynamic CSP sources

    Previously if a dynamic source returned a symbol such as :self it
    would be converted to a string implicitly, e.g:

    policy.default_src -> { :self }
    

    would generate the header:

    Content-Security-Policy: default-src self
    

    and now it generates:

    Content-Security-Policy: default-src 'self'
    

    Andrew White

  • Fix rails routes -c for a controller name consisting of multiple words.

    Yoshiyuki Kinjo

  • Call the #redirect_to block in controller context.

    Steven Peckins

Active Job

  • Make sure assert_enqueued_with() & assert_performed_with() work reliably with hash arguments.

    Sharang Dashputre

  • Restore ActionController::Parameters support to ActiveJob::Arguments.serialize.

    Bernie Chiu

  • Restore HashWithIndifferentAccess support to ActiveJob::Arguments.deserialize.

    Gannon McGibbon

  • Include deserialized arguments in job instances returned from
    assert_enqueued_with and assert_performed_with

    Alan Wu

  • Increment execution count before deserialize arguments.

    Currently, the execution count increments after deserializing arguments.
    Therefore, if an error occurs during deserialization, it retries indefinitely.

    Yuji Yaginuma

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • Support multiple submit buttons in Active Storage forms.

    Chrıs Seelus

  • Fix ArgumentError when uploading to amazon s3

    Hiroki Sanpei

  • Add a foreign-key constraint to the active_storage_attachments table for blobs.

    George Claghorn

  • Discard ActiveStorage::PurgeJobs for missing blobs.

    George Claghorn

  • Fix uploading Tempfiles to Azure Storage.

    George Claghorn

Railties

  • Disable content security policy for mailer previews.

    Dylan Reile

  • Log the remote IP address of clients behind a proxy.

    Atul Bhosale

5.1.7

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Fix touch option to behave consistently with Persistence#touch method.

    Ryuta Kamizono

  • Back port Rails 5.2 reverse_order Arel SQL literal fix.

    Matt Jones, Brooke Kuhlmann

  • becomes should clear the mutation tracker which is created in after_initialize.

    Fixes #32867.

    Ryuta Kamizono

Action View

  • Fix issue with button_to's to_form_params

    button_to was throwing exception when invoked with params hash that
    contains symbol and string keys. The reason for the exception was that
    to_form_params was comparing the given symbol and string keys.

    The issue is fixed by turning all keys to strings inside
    to_form_params before comparing them.

    Georgi Georgiev

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Railties

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

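The CVE-2018-16477 advisory above describes signed download URLs whose content-disposition and content-type parameters sit outside the signature. The following is an added example, not Rails or Active Storage code: a minimal HMAC-signed URL scheme written for this page, with a constructed secret, host, key and filename, that shows the weak shape (only key and expiry signed, serving headers read from the query string) beside the fixed shape (every parameter that decides how the bytes are served is inside the signed payload and the query string is ignored). The URL layout and token format are this example's own, not the ones Active Storage uses.

```ruby
require "openssl"
require "json"
require "base64"
require "uri"
require "cgi"

SECRET = "example-secret-not-for-production".freeze   # constructed for the example
HOST   = "https://files.example.test".freeze           # constructed for the example

def hmac(json)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, json)
end

# Constant-time comparison so a forged signature cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# token = base64url(payload JSON) "." hex HMAC over that JSON
def sign_payload(payload)
  json = JSON.generate(payload)
  "#{Base64.urlsafe_encode64(json, padding: false)}.#{hmac(json)}"
end

# Returns the payload only if the signature checks out and it has not expired.
def verify_token(token, now)
  data, sig = token.split(".", 2)
  return nil if data.nil? || sig.nil?
  json = Base64.urlsafe_decode64(data)
  return nil unless secure_equal?(sig, hmac(json))
  payload = JSON.parse(json)
  return nil if payload["expires_at"] <= now
  payload
rescue ArgumentError, JSON::ParserError
  nil
end

def token_from(uri)
  uri.path.split("/")[2]
end

# Weak form: only key and expiry are signed; the headers that decide whether
# the browser renders the bytes come from unsigned query parameters.
def weak_url(key, filename, content_type, disposition, expires_at)
  token = sign_payload("key" => key, "expires_at" => expires_at)
  query = URI.encode_www_form("content_type" => content_type, "disposition" => disposition)
  "#{HOST}/disk/#{token}/#{CGI.escape(filename)}?#{query}"
end

def serve_weak(url, now)
  uri = URI.parse(url)
  payload = verify_token(token_from(uri), now)
  return nil unless payload
  q = CGI.parse(uri.query.to_s)
  { key: payload["key"],
    content_type: q.fetch("content_type", []).first,
    disposition:  q.fetch("disposition", []).first }
end

# Fixed form: content type and disposition travel inside the signed payload,
# so changing them means re-signing, and the server never consults the query.
def fixed_url(key, filename, content_type, disposition, expires_at)
  token = sign_payload("key" => key, "expires_at" => expires_at,
                       "content_type" => content_type, "disposition" => disposition)
  "#{HOST}/disk/#{token}/#{CGI.escape(filename)}"
end

def serve_fixed(url, now)
  uri = URI.parse(url)
  payload = verify_token(token_from(uri), now)
  return nil unless payload
  { key: payload["key"], content_type: payload["content_type"], disposition: payload["disposition"] }
end

# What a holder of the URL does in the advisory's scenario: rewrite the query so
# an uploaded HTML blob is served inline as text/html.
def rewrite_query(url)
  uri = URI.parse(url)
  uri.query = URI.encode_www_form("content_type" => "text/html", "disposition" => "inline")
  uri.to_s
end
```

The general rule this illustrates is that anything a signed URL lets the server decide, the signature has to cover; a parameter that is merely adjacent to the token is attacker input. The same check applies when reviewing any presigned-URL scheme, not only Active Storage's.
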
@depfu depfu bot added the depfu label Oct 12, 2020
@codeclimate bot commented Oct 12, 2020

Code Climate has analyzed commit bea1854 and detected 0 issues on this pull request.

View more on Code Climate.

@codecov-io commented Oct 12, 2020

Codecov Report

Merging #715 into master will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #715   +/-   ##
=======================================
  Coverage   95.30%   95.30%           
=======================================
  Files          35       35           
  Lines        1236     1236           
=======================================
  Hits         1178     1178           
  Misses         58       58           

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ccdb217...bea1854. Read the comment docs.

1 participant