This repository has been archived by the owner on Oct 8, 2020. It is now read-only.

🚨 [security] [ruby] Update all of rails: 6.0.3.1 → 6.0.3.4 (patch) #12

Open · wants to merge 1 commit into base: master


@depfu depfu bot commented Oct 7, 2020


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (6.0.3.1 → 6.0.3.4) · Repo

Release Notes

6.0.3.3

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • [CVE-2020-8185] Fix potential XSS vulnerability in the translate/t helper.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actioncable (indirect, 6.0.3.1 → 6.0.3.4) · Repo · Changelog

Release Notes

6.0.3.3 (from changelog)

  • No changes.

6.0.3.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionmailbox (indirect, 6.0.3.1 → 6.0.3.4) · Repo · Changelog

↗️ actionmailer (indirect, 6.0.3.1 → 6.0.3.4) · Repo · Changelog

Release Notes

6.0.3.3 (from changelog)

  • No changes.

6.0.3.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionpack (indirect, 6.0.3.1 → 6.0.3.4) · Repo · Changelog

Security Advisories 🚨

🚨 Possible XSS Vulnerability in Action Pack in Development Mode

There is a possible XSS vulnerability in Action Pack while the application
server is in development mode. This vulnerability is in the Actionable
Exceptions middleware. This vulnerability has been assigned the CVE
identifier CVE-2020-8264.

Versions Affected: >= 6.0.0
Not affected: < 6.0.0
Fixed Versions: 6.0.3.4

Impact

When an application is running in development mode, an attacker can send or
embed (in another page) a specially crafted URL which can allow the attacker
to execute JavaScript in the context of the local application.

Workarounds

Until such time as the patch can be applied, application developers should
disable the Actionable Exceptions middleware in their development environment via
a line such as this one in their config/environment/development.rb:

config.middleware.delete ActionDispatch::ActionableExceptions

🚨 Untrusted users able to run pending migrations in production

There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed
an untrusted user to run any pending migrations on a Rails app running in
production.

This vulnerability has been assigned the CVE identifier CVE-2020-8185.

Versions Affected: 6.0.0 < rails < 6.0.3.2
Not affected: Applications with config.action_dispatch.show_exceptions = false (this is not a default setting in production)
Fixed Versions: rails >= 6.0.3.2

Impact

Using this issue, an attacker would be able to execute any migrations that
are pending for a Rails app running in production mode. It is important to
note that an attacker is limited to running migrations the application
developer has already defined in their application and ones that have not
already run.

Workarounds

Until such time as the patch can be applied, application developers should
disable the ActionDispatch middleware in their production environment via
a line such as this one in their config/environment/production.rb:

config.middleware.delete ActionDispatch::ActionableExceptions

Release Notes

6.0.3.3 (from changelog)

  • No changes.

6.0.3.2 (from changelog)

  • [CVE-2020-8185] Only allow ActionableErrors if show_detailed_exceptions is enabled

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actiontext (indirect, 6.0.3.1 → 6.0.3.4) · Repo · Changelog

Release Notes

6.0.3.3 (from changelog)

  • No changes.

6.0.3.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionview (indirect, 6.0.3.1 → 6.0.3.4) · Repo · Changelog

Security Advisories 🚨

🚨 Potential XSS vulnerability in Action View

There is a potential Cross-Site Scripting (XSS) vulnerability in Action
View's translation helpers. Views that allow the user to control the
default (not found) value of the t and translate helpers could be
susceptible to XSS attacks.

Impact

When an HTML-unsafe string is passed as the default for a missing
translation key named html or ending in _html,
the default string is incorrectly marked as HTML-safe and not escaped.
Vulnerable code may look like the following examples:

<%# The welcome_html translation is not defined for the current locale: %>
<%= t("welcome_html", default: untrusted_user_controlled_string) %>

<%# Neither the title.html translation nor the missing.html translation is defined for the current locale: %>
<%= t("title.html", default: [:"missing.html", untrusted_user_controlled_string]) %>

Workarounds

Impacted users who can’t upgrade to a patched Rails version can avoid
this issue by manually escaping default translations with the
html_escape helper (aliased as h):

<%= t("welcome_html", default: h(untrusted_user_controlled_string)) %>

Release Notes

6.0.3.3 (from changelog)

  • [CVE-2020-8185] Fix potential XSS vulnerability in the translate/t helper.

    Jonathan Hefner

6.0.3.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activejob (indirect, 6.0.3.1 → 6.0.3.4) · Repo · Changelog

Release Notes

6.0.3.3 (from changelog)

  • No changes.

6.0.3.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activemodel (indirect, 6.0.3.1 → 6.0.3.4) · Repo · Changelog

Release Notes

6.0.3.3 (from changelog)

  • No changes.

6.0.3.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activerecord (indirect, 6.0.3.1 → 6.0.3.4) · Repo · Changelog

Release Notes

6.0.3.3 (from changelog)

  • No changes.

6.0.3.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activestorage (indirect, 6.0.3.1 → 6.0.3.4) · Repo · Changelog

Release Notes

6.0.3.3 (from changelog)

  • No changes.

6.0.3.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activesupport (indirect, 6.0.3.1 → 6.0.3.4) · Repo · Changelog

Release Notes

6.0.3.3 (from changelog)

  • No changes.

6.0.3.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.1.6 → 1.1.7) · Repo · Changelog

Release Notes

1.1.7 (from changelog)

concurrent-ruby:

  • (#879) Consider falsy value on Concurrent::Map#compute_if_absent for fast non-blocking path
  • (#876) Reset Async queue on forking, makes Async fork-safe
  • (#856) Avoid running problematic code in RubyThreadLocalVar on MRI that occasionally results in segfault
  • (#853) Introduce ThreadPoolExecutor without a Queue

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.8.2 → 1.8.5) · Repo · Changelog

Release Notes

1.8.4

  • Fixed issue where fallbacks were not working when I18n.fallbacks was an array - #534
  • Fixed conditional around deprecating constant of INTERPOLATION_PATTERN - #531

1.8.3

Compare view: v1.8.2...v1.8.3

Features / Improvements

  • Memory and speed improvements - #527+ #528
  • Add option to disable fallbacks for I18n.exists? check - #482
  • Add an on_fallback hook to allow users to be notified when a fallback happens - #520

Bug Fixes

  • Fix an issue with deep_merge and chain fallback backends - #499 & #509
  • Fix an issue with Rails ordinal number proc and keyword splatting - #521
  • Pass options as keyword arguments to translation procs - #529
  • Fix pluralize on unknown locale with attributes - #519

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ loofah (indirect, 2.5.0 → 2.7.0) · Repo · Changelog

Release Notes

2.7.0

2.7.0 / 2020-08-26

Features

  • Allow CSS properties page-break-before, page-break-inside, and page-break-after. [#190] (Thanks, @ahorek!)

Fixes

  • Don't drop the !important rule from some CSS properties. [#191] (Thanks, @b7kich!)

2.6.0 (from changelog)

Features

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.14.1 → 5.14.2) · Repo · Changelog

Release Notes

5.14.2 (from changelog)

  • 1 bug fix:

    • Bumped ruby version to include 3.0 (trunk).

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nio4r (indirect, 2.5.2 → 2.5.4) · Repo · Changelog

Release Notes

2.5.4 (from changelog)

2.5.3 (from changelog)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.10.9 → 1.10.10) · Repo · Changelog

Release Notes

1.10.10

1.10.10 / 2020-07-06

Features

  • [MRI] Cross-built Windows gems now support Ruby 2.7 [#2029]. Note that prior to this release, the v1.11.x prereleases provided this support.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rack (indirect, 2.2.2 → 2.2.3) · Repo · Changelog

Security Advisories 🚨

🚨 Percent-encoded cookies can be used to overwrite existing prefixed cookie names

It is possible to forge a secure or host-only cookie prefix in Rack using
an arbitrary cookie write by using URL encoding (percent-encoding) on the
name of the cookie. This could result in an application that is dependent on
this prefix to determine if a cookie is safe to process being manipulated
into processing an insecure or cross-origin request.
This vulnerability has been assigned the CVE identifier CVE-2020-8184.

Versions Affected: rack < 2.2.3, rack < 2.1.4
Not affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process
Fixed Versions: rack >= 2.2.3, rack >= 2.1.4

Impact

An attacker may be able to trick a vulnerable application into processing an
insecure (non-SSL) or cross-origin request if they can gain the ability to write
arbitrary cookies that are sent to the application.

Workarounds

If your application is impacted but you cannot upgrade to the released versions or apply
the provided patch, this issue can be temporarily addressed by adding the following workaround:

module Rack
  module Utils
    # Replacement parser: the cookie name is kept exactly as the browser sent it
    # and only the value is percent-decoded, so an encoded name can no longer
    # decode into a __Host-/__Secure- prefixed name. For duplicate names the
    # first occurrence wins.
    module_function def parse_cookies_header(header)
      return {} unless header
      header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
        next if cookie.empty?
        key, value = cookie.split('=', 2)
        cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
      end
    end
  end
end

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ railties (indirect, 6.0.3.1 → 6.0.3.4) · Repo · Changelog

Release Notes

6.0.3.3 (from changelog)

  • No changes.

6.0.3.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sprockets (indirect, 4.0.0 → 4.0.2) · Repo · Changelog

Release Notes

4.0.2 (from changelog)

  • Fix etag and digest path compilation that were generating string with invalid digest since 4.0.1.

4.0.1 (from changelog)

  • Fix for Ruby 2.7 keyword arguments warning in base.rb. #660
  • Fix for when x_sprockets_linecount is missing from a source map.
  • Fix subresource integrity to match the digest of the asset.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sprockets-rails (indirect, 3.2.1 → 3.2.2) · Repo · Changelog

Release Notes

3.2.2

  • Fix extending ActionView::Base instances with Sprockets::Rails::Helper on Rails 6.1
  • Fix deprecation warning on Ruby 2.7 [#454]
  • action_view/base is no longer required when rake tasks are loaded [#455]
  • Asset not precompiled error exception renamed to AssetNotPrecompiledError [#414]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ websocket-driver (indirect, 0.7.2 → 0.7.3) · Repo · Changelog

Release Notes

0.7.3 (from changelog)

  • Let the client accept HTTP responses that have an empty reason phrase following the 101 status code

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zeitwerk (indirect, 2.3.0 → 2.4.0) · Repo · Changelog

Release Notes

2.4.0 (from changelog)

  • Zeitwerk::Loader#push_dir supports an optional namespace keyword argument. Pass a class or module object if you want the given root directory to be associated with it instead of Object. Said class or module object cannot be reloadable.

  • The default inflector is even more performant.

2.3.1 (from changelog)

  • Saves some unnecessary allocations made internally by MRI. See #125, by @casperisfine.

  • Documentation improvements.

  • Internal code base maintenance.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

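Added example, not part of this PR or of Rack: the cookie-name rule behind the rack advisory above (CVE-2020-8184), plus a detection helper for names that would only look prefixed after percent-decoding. It assumes a constructed Cookie header and a parser that, like the workaround shown, percent-decodes values but never names.

```ruby
require "uri"

# Parser with the same rule as the Rack 2.2.3 workaround: the cookie name is
# kept exactly as the browser sent it, only the value is percent-decoded, and
# the first occurrence of a name wins.
def parse_cookies_header(header)
  return {} unless header
  header.split(/;\s*/).each_with_object({}) do |cookie, cookies|
    next if cookie.empty?
    name, value = cookie.split("=", 2)
    decoded = begin
      URI.decode_www_form_component(value.to_s)
    rescue ArgumentError
      value.to_s
    end
    cookies[name] = decoded unless cookies.key?(name)
  end
end

PREFIXES = ["__Host-", "__Secure-"].freeze

# The Cookie request header carries no attributes, so the server cannot check
# Secure/Domain/Path itself; its only guarantee is that the name arrived
# literally with the prefix, which the browser enforced when the cookie was set.
def prefixed?(name)
  PREFIXES.any? { |prefix| name.start_with?(prefix) }
end

# Detection helper: names that become a prefixed name only after
# percent-decoding would have fooled a parser that decodes names. They get
# no prefix trust here, but are worth logging.
def spoofed_prefix_names(cookies)
  cookies.keys.reject { |name| prefixed?(name) }.select do |name|
    decoded = begin
      URI.decode_www_form_component(name)
    rescue ArgumentError
      name
    end
    prefixed?(decoded)
  end
end

# Constructed header: a genuine __Host- cookie next to an encoded look-alike.
SAMPLE_HEADER = "__Host-session=good; %5F%5FHost-session=evil; theme=dark%20mode"

if __FILE__ == $PROGRAM_NAME
  cookies = parse_cookies_header(SAMPLE_HEADER)
  puts "trusted session: #{cookies["__Host-session"]}"
  puts "spoof attempts:  #{spoofed_prefix_names(cookies).inspect}"
end
```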
@codeclimate

codeclimate bot commented Oct 7, 2020

Code Climate has analyzed commit 768747f and detected 0 issues on this pull request.

View more on Code Climate.
