Skip to content

Commit

Permalink
Use config.load_defaults for rails 7 with overrides
Browse files Browse the repository at this point in the history
https://github.com/rails/rails/blob/d437ae311f1b9dc40b442e40eb602e020cec4e49/railties/lib/rails/application/configuration.rb#L92
* belongs_to_required_by_default must be overridden or seeding fails
* Partial inserts cause test failures in ui-classic, content, and amazon provider
* Need to investigate the X-XSS-Protection change before using default of disabling it
* Allow deprecations to be found and fixed

Fixes ManageIQ#23172
  • Loading branch information
jrafanie committed Sep 6, 2024
1 parent 34335f9 commit 8a87f56
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 2 deletions.
23 changes: 21 additions & 2 deletions config/application.rb
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,10 @@ class Application < Rails::Application

# Disable ActionCable's request forgery protection
# This is basically matching a set of allowed origins which is not good for us
# Note, similarly named forgery protections in action controller are set to true
# https://github.com/rails/rails/blob/d437ae311f1b9dc40b442e40eb602e020cec4e49/railties/lib/rails/application/configuration.rb#L115C12-L115C69
# 5.0 sets: action_controller.forgery_protection_origin_check = true
# 5.2 sets: action_controller.default_protect_from_forgery = true
config.action_cable.disable_request_forgery_protection = false
# Matching the origin against the HOST header is much more convenient
config.action_cable.allow_same_origin_as_host = true
Expand All @@ -110,8 +114,23 @@ class Application < Rails::Application

config.autoload_paths += config.eager_load_paths

# config.load_defaults 6.1
# Disable defaults as ActiveRecord::Base.belongs_to_required_by_default = true causes MiqRegion.seed to fail validation on belongs_to maintenance zone
# FYI, this is where load_defaults is defined as of 7.2:
# https://github.com/rails/rails/blob/d437ae311f1b9dc40b442e40eb602e020cec4e49/railties/lib/rails/application/configuration.rb#L92
config.load_defaults 7.0

# TODO: this is the only change we had from defaults in 7.0. See secure_headers.rb. It's 0 in defaults.
config.action_dispatch.default_headers["X-XSS-Protection"] = "1; mode=block"

# TODO: Find and fixed any deprecated behavior. Opt in later.
config.active_support.remove_deprecated_time_with_zone_name = false
config.active_support.disable_to_s_conversion = false

# TODO: If disabled, causes cross repo test failures in content, ui-classic and amazon provider
config.active_record.partial_inserts = true

# Disable this setting as it causes MiqRegion.seed to fail validation on belongs_to maintenance zone.
# TODO: We should fix this so we don't need to carry this override.
config.active_record.belongs_to_required_by_default = false

# NOTE: If you are going to make changes to autoload_paths, please make
# sure they are all strings. Rails will push these paths into the
Expand Down
4 changes: 4 additions & 0 deletions config/initializers/secure_headers.rb
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,10 @@
config.x_content_type_options = "nosniff"
# X-XSS-Protection
# X-Permitted-Cross-Domain-Policies

#FYI, this was deprecated and disabled in rails 7. Using content security policy is the desired behavior going forward:
# https://github.com/rails/rails/commit/1f4714c3f798df227222f531141880b8e1b4170a
# https://github.com/rails/rails/blob/d437ae311f1b9dc40b442e40eb602e020cec4e49/railties/lib/rails/application/configuration.rb#L227
config.x_xss_protection = "1; mode=block"
config.referrer_policy = "no-referrer-when-downgrade"
# Content-Security-Policy
Expand Down

0 comments on commit 8a87f56

Please sign in to comment.