🚨 [security] [ruby] Update all of rails: 6.1.3.2 → 6.1.4.1 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (6.1.3.2 → 6.1.4.1) · Repo

Release Notes

6.1.4

Active Support

• MemCacheStore: convert any underlying value (including false) to an Entry.

  See #42559.

  Alex Ghiculescu

• Fix bug in number_with_precision when using large BigDecimal values.

  Fixes #42302.

  Federico Aldunate, Zachary Scott

• Check byte size instead of length on secure_compare.

  Tietew

• Fix Time.at to not lose :in option.

  Ryuta Kamizono

• Require a path for config.cache_store = :file_store.

  Alex Ghiculescu

• Avoid having to store complex object in the default translation file.

  Rafael Mendonça França

Active Model

• Fix to_json for ActiveModel::Dirty object.

  Exclude +mutations_from_database+ attribute from json as it lead to recursion.

  Anil Maurya

Active Record

• Do not try to rollback transactions that failed due to a ActiveRecord::TransactionRollbackError.

  Jamie McCarthy

• Raise an error if pool_config is nil in set_pool_config.

  Eileen M. Uchitelle

• Fix compatibility with psych >= 4.

  Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility
  Active Record's schema cache loader and YAMLColumn now uses YAML.unsafe_load if available.

  Jean Boussier

• Support using replicas when using rails dbconsole.

  Christopher Thornton

• Restore connection pools after transactional tests.

  Eugene Kenny

• Change upsert_all to fails cleanly for MySQL when :unique_by is used.

  Bastian Bartmann

• Fix user-defined self.default_scope to respect table alias.

  Ryuta Kamizono

• Clear @cache_keys cache after update_all, delete_all, destroy_all.

  Ryuta Kamizono

• Changed Arel predications contains and overlaps to use
  quoted_node so that PostgreSQL arrays are quoted properly.

  Bradley Priest

• Fix merge when the where clauses have string contents.

  Ryuta Kamizono

• Fix rollback of parent destruction with nested dependent: :destroy.

  Jacopo Beschi

• Fix binds logging for "WHERE ... IN ..." statements.

  Ricardo Díaz

• Handle false in relation strict loading checks.

  Previously when a model had strict loading set to true and then had a
  relation set strict_loading to false the false wasn't considered when
  deciding whether to raise/warn about strict loading.

  class Dog < ActiveRecord::Base
    self.strict_loading_by_default = true
  has_many :treats, strict_loading: false
  
  end
  
  

  In the example, dog.treats would still raise even though
  strict_loading was set to false. This is a bug effecting more than
  Active Storage which is why I made this PR superceeding #41461. We need
  to fix this for all applications since the behavior is a little
  surprising. I took the test from ##41461 and the code suggestion from #41453
  with some additions.

  Eileen M. Uchitelle, Radamés Roriz

• Fix numericality validator without precision.

  Ryuta Kamizono

• Fix aggregate attribute on Enum types.

  Ryuta Kamizono

• Fix CREATE INDEX statement generation for PostgreSQL.

  eltongo

• Fix where clause on enum attribute when providing array of strings.

  Ryuta Kamizono

• Fix unprepared_statement to work it when nesting.

  Ryuta Kamizono

Action View

• The translate helper now passes default values that aren't
  translation keys through I18n.translate for interpolation.

  Jonathan Hefner

• Don't attach UJS form submission handlers to Turbo forms.

  David Heinemeier Hansson

• Allow both current_page?(url_hash) and current_page?(**url_hash) on Ruby 2.7.

  Ryuta Kamizono

Action Pack

• Ignore file fixtures on db:fixtures:load

  Kevin Sjöberg

• Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.

  Dylan Thacker-Smith

• Correctly place optional path parameter booleans.

  Previously, if you specify a url parameter that is part of the path as false it would include that part
  of the path as parameter for example:

  get "(/optional/:optional_id)/things" => "foo#foo", as: :things
  things_path(optional_id: false) # => /things?optional_id=false
  

  After this change, true and false will be treated the same when used as optional path parameters. Meaning now:

  get '(this/:my_bool)/that' as: :that
  that_path(my_bool: true) # => /this/true/that
  
  that_path(my_bool: false) # => /this/false/that
  
  

  Adam Hess

• Add support for 'private, no-store' Cache-Control headers.

  Previously, 'no-store' was exclusive; no other directives could be specified.

  Alex Smith

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• Fix ArgumentError with ruby 3.0 on RemoteConnection#disconnect.

  Vladislav

Active Storage

• The parameters sent to ffmpeg for generating a video preview image are now
  configurable under config.active_storage.video_preview_arguments.

  Brendon Muir

• Fix Active Storage update task when running in an engine.

  Justin Malčić*

• Don't raise an error if the mime type is not recognized.

  Fixes #41777.

  Alex Ghiculescu

• ActiveStorage::PreviewError is raised when a previewer is unable to generate a preview image.

  Alex Robbin

• respond with 404 given invalid variation key when asking for representations.

  George Claghorn

• Blob creation shouldn't crash if no service selected.

  Alex Ghiculescu

Action Mailbox

• No changes.

Action Text

• Always render attachment partials as HTML with :html format inside trix editor.

  James Brooks

Railties

• Fix compatibility with psych >= 4.

  Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility
  Rails.application.config_for now uses YAML.unsafe_load if available.

  Jean Boussier

• Ensure Rails.application.config_for always cast hashes to ActiveSupport::OrderedOptions.

  Jean Boussier

• Fix create migration generator with --pretend option.

  euxx

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actioncable (indirect, 6.1.3.2 → 6.1.4.1) · Repo · Changelog

Release Notes

6.1.4.1 (from changelog)

• No changes.

6.1.4 (from changelog)

• Fix ArgumentError with ruby 3.0 on RemoteConnection#disconnect.

  Vladislav

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionmailbox (indirect, 6.1.3.2 → 6.1.4.1) · Repo · Changelog

↗️ actionmailer (indirect, 6.1.3.2 → 6.1.4.1) · Repo · Changelog

Release Notes

6.1.4.1 (from changelog)

• No changes.

6.1.4 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionpack (indirect, 6.1.3.2 → 6.1.4.1) · Repo · Changelog

Security Advisories 🚨

🚨 Possible Open Redirect in Host Authorization Middleware

There is a possible open redirect vulnerability in the Host Authorization
middleware in Action Pack. This vulnerability has been assigned the CVE
identifier CVE-2021-22942.

Versions Affected: >= 6.0.0.
Not affected: < 6.0.0
Fixed Versions: 6.1.4.1, 6.0.4.1

Impact

Specially crafted “X-Forwarded-Host” headers in combination with certain
“allowed host” formats can cause the Host Authorization middleware in
Action Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot.
For example, configuration files that look like this:

config.hosts <<  '.EXAMPLE.com'

When an allowed host contains a leading dot, a specially crafted
Host header can be used to redirect to a malicious website.

This vulnerability is similar to CVE-2021-22881, but CVE-2021-22881 did not
take in to account domain name case sensitivity.

Releases

The fixed releases are available at the normal locations.

Workarounds

In the case a patch can’t be applied, the following monkey patch can be
used in an initializer:

module ActionDispatch
  class HostAuthorization
    HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
    VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
    VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/
<span class="pl-k">private</span>
  <span class="pl-k">def</span> <span class="pl-en">authorized?</span><span class="pl-kos">(</span><span class="pl-s1">request</span><span class="pl-kos">)</span>
    <span class="pl-s1">origin_host</span> <span class="pl-c1">=</span>
      <span class="pl-s1">request</span><span class="pl-kos">.</span><span class="pl-en">get_header</span><span class="pl-kos">(</span><span class="pl-s">"HTTP_HOST"</span><span class="pl-kos">)</span>&amp;.<span class="pl-en">slice</span><span class="pl-kos">(</span><span class="pl-c1">VALID_ORIGIN_HOST</span><span class="pl-kos">,</span> <span class="pl-c1">1</span><span class="pl-kos">)</span> || <span class="pl-s">""</span>
    <span class="pl-s1">forwarded_host</span> <span class="pl-c1">=</span>
      <span class="pl-s1">request</span><span class="pl-kos">.</span><span class="pl-en">x_forwarded_host</span>&amp;.<span class="pl-en">slice</span><span class="pl-kos">(</span><span class="pl-c1">VALID_FORWARDED_HOST</span><span class="pl-kos">,</span> <span class="pl-c1">1</span><span class="pl-kos">)</span> || <span class="pl-s">""</span>
    <span class="pl-c1">@permissions</span><span class="pl-kos">.</span><span class="pl-en">allows?</span><span class="pl-kos">(</span><span class="pl-s1">origin_host</span><span class="pl-kos">)</span> &amp;&amp;
      <span class="pl-kos">(</span><span class="pl-s1">forwarded_host</span><span class="pl-kos">.</span><span class="pl-en">blank?</span> || <span class="pl-c1">@permissions</span><span class="pl-kos">.</span><span class="pl-en">allows?</span><span class="pl-kos">(</span><span class="pl-s1">forwarded_host</span><span class="pl-kos">)</span><span class="pl-kos">)</span>
  <span class="pl-k">end</span>

end

end

Release Notes

6.1.4.1 (from changelog)

• [CVE-2021-22942] Fix possible open redirect in Host Authorization middleware.

  Specially crafted "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

6.1.4 (from changelog)

• Ignore file fixtures on db:fixtures:load

  Kevin Sjöberg

• Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.

  Dylan Thacker-Smith

• Correctly place optional path parameter booleans.

  Previously, if you specify a url parameter that is part of the path as false it would include that part of the path as parameter for example:

  get "(/optional/:optional_id)/things" => "foo#foo", as: :things
  things_path(optional_id: false) # => /things?optional_id=false
  

  After this change, true and false will be treated the same when used as optional path parameters. Meaning now:

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actiontext (indirect, 6.1.3.2 → 6.1.4.1) · Repo · Changelog

Release Notes

6.1.4.1 (from changelog)

• No changes.

6.1.4 (from changelog)

• Always render attachment partials as HTML with :html format inside trix editor.

  James Brooks

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionview (indirect, 6.1.3.2 → 6.1.4.1) · Repo · Changelog

Release Notes

6.1.4.1 (from changelog)

• No changes.

6.1.4 (from changelog)

• The translate helper now passes default values that aren't translation keys through I18n.translate for interpolation.

  Jonathan Hefner

• Don't attach UJS form submission handlers to Turbo forms.

  David Heinemeier Hansson

• Allow both current_page?(url_hash) and current_page?(**url_hash) on Ruby 2.7.

  Ryuta Kamizono

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activejob (indirect, 6.1.3.2 → 6.1.4.1) · Repo · Changelog

Release Notes

6.1.4.1 (from changelog)

• No changes.

6.1.4 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activemodel (indirect, 6.1.3.2 → 6.1.4.1) · Repo · Changelog

Release Notes

6.1.4.1 (from changelog)

• No changes.

6.1.4 (from changelog)

• Fix to_json for ActiveModel::Dirty object.

  Exclude +mutations_from_database+ attribute from json as it lead to recursion.

  Anil Maurya

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activerecord (indirect, 6.1.3.2 → 6.1.4.1) · Repo · Changelog

Release Notes

6.1.4.1 (from changelog)

• No changes.

6.1.4 (from changelog)

• Do not try to rollback transactions that failed due to a ActiveRecord::TransactionRollbackError.

  Jamie McCarthy

• Raise an error if pool_config is nil in set_pool_config.

  Eileen M. Uchitelle

• Fix compatibility with psych >= 4.

  Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility Active Record's schema cache loader and YAMLColumn now uses YAML.unsafe_load if available.

  Jean Boussier

• Support using replicas when using rails dbconsole.

  Christopher Thornton

• Restore connection pools after transactional tests.

  Eugene Kenny

• Change upsert_all to fails cleanly for MySQL when :unique_by is used.

  Bastian Bartmann

• Fix user-defined self.default_scope to respect table alias.

  Ryuta Kamizono

• Clear @cache_keys cache after update_all, delete_all, destroy_all.

  Ryuta Kamizono

• Changed Arel predications contains and overlaps to use quoted_node so that PostgreSQL arrays are quoted properly.

  Bradley Priest

• Fix merge when the where clauses have string contents.

  Ryuta Kamizono

• Fix rollback of parent destruction with nested dependent: :destroy.

  Jacopo Beschi

• Fix binds logging for "WHERE ... IN ..." statements.

  Ricardo Díaz

• Handle false in relation strict loading checks.

  Previously when a model had strict loading set to true and then had a relation set strict_loading to false the false wasn't considered when deciding whether to raise/warn about strict loading.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activestorage (indirect, 6.1.3.2 → 6.1.4.1) · Repo · Changelog

Release Notes

6.1.4.1 (from changelog)

• No changes.

6.1.4 (from changelog)

• The parameters sent to ffmpeg for generating a video preview image are now configurable under config.active_storage.video_preview_arguments.

  Brendon Muir

• Fix Active Storage update task when running in an engine.

  Justin Malčić*

• Don't raise an error if the mime type is not recognized.

  Fixes #41777.

  Alex Ghiculescu

• ActiveStorage::PreviewError is raised when a previewer is unable to generate a preview image.

  Alex Robbin

• respond with 404 given invalid variation key when asking for representations.

  George Claghorn

• Blob creation shouldn't crash if no service selected.

  Alex Ghiculescu

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activesupport (indirect, 6.1.3.2 → 6.1.4.1) · Repo · Changelog

Release Notes

6.1.4.1 (from changelog)

• No changes.

6.1.4 (from changelog)

• MemCacheStore: convert any underlying value (including false) to an Entry.

  See #42559.

  Alex Ghiculescu

• Fix bug in number_with_precision when using large BigDecimal values.

  Fixes #42302.

  Federico Aldunate, Zachary Scott

• Check byte size instead of length on secure_compare.

  Tietew

• Fix Time.at to not lose :in option.

  Ryuta Kamizono

• Require a path for config.cache_store = :file_store.

  Alex Ghiculescu

• Avoid having to store complex object in the default translation file.

  Rafael Mendonça França

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.1.8 → 1.1.9) · Repo · Changelog

Release Notes

1.1.9 (from changelog)

concurrent-ruby:

• (#866) Child promise state not set to :pending immediately after #execute when parent has completed
• (#905, #872) Fix RubyNonConcurrentPriorityQueue#delete method
• (2df0337d) Make sure locks are not shared on shared when objects are dup/cloned
• (#900, #906, #796, #847, #911) Fix Concurrent::Set tread-safety issues on CRuby
• (#907) Add new ConcurrentMap backend for TruffleRuby

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ globalid (indirect, 0.4.2 → 0.5.2) · Repo · Changelog

Release Notes

0.5.2

• Add back Ruby 2.5 support so gem install rails works out of the box, thereby satisfying Rails' Ruby version requirement. See rails/rails#42931

0.5.1

• New: Allow expiration to be turned off globally #128
• Fixed: Support for ruby-head #132
• Maintainance: Drop support for EOL'ed Rubies (< 2.6.0) and Rails 4.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ loofah (indirect, 2.9.1 → 2.12.0) · Repo · Changelog

Release Notes

2.12.0

2.12.0 / 2021-08-11

Features

• Support empty HTML5 data attributes. [#215]

2.11.0

2.11.0 / 2021-07-31

Features

• Allow HTML5 element wbr.
• Allow all CSS property values for border-collapse. [#201]

Changes

• Deprecating Loofah::HTML5::SafeList::VOID_ELEMENTS which is not a canonical list of void HTML4 or HTML5 elements.
• Removed some elements from Loofah::HTML5::SafeList::VOID_ELEMENTS that either are not acceptable elements or aren't considered "void" by libxml2.

2.10.0

2.10.0 / 2021-06-06

Features

• Allow CSS properties overflow-x and overflow-y. [#206] (Thanks, @sampokuokkanen!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ marcel (indirect, 1.0.1 → 1.0.2) · Repo

Release Notes

1.0.2

• Include Apache license in gem release. (a525d5b)
• Prefer audio/x-wav for WAV audio files. (#45)
• Prefer application/x-x509-ca-cert for Privacy-Enhanced Mail certificates. (#46)
• Prefer audio/flac for FLAC audio files. (#47)
• Prefer audio/aac for Advanced Audio Coding audio files. (#49)
• Prefer application/vnd.ms-access for Microsodt Access DB files. (#50)
• Support text/x-scss and text/x-sass stylesheets. (#52)
• Support encrypted Microsoft Access DB files. (#53)
• Prefer application/x-ole-storage for Microsoft Office files. (#54)
• Prefer text/markdown for Markdown files. (#55)
• Prefer audio/mpc for Musepack audio files. (#56)
• Support audio/webm audio files. (#58)
• Support image/avif images files. (#63)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_mime (indirect, 1.0.3 → 1.1.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nio4r (indirect, 2.5.7 → 2.5.8) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rails-html-sanitizer (indirect, 1.3.0 → 1.4.2) · Repo · Changelog

Release Notes

1.4.2

1.4.2 / 2021-08-23

• Slightly improve performance.

  Assuming elements are more common than comments, make one less method call per node.

1.4.1

1.4.1 / 2021-08-18

• Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.

  Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only
  passed through elements to the scrubber's keep_node? method.

  This change once again allows the scrubber to make the decision on comment nodes, but still skips
  other non-elements like processing instructions (see #115).

  Mike Dalessio

1.4.0

1.4.0 / 2021-08-18

• Processing Instructions are no longer allowed by Rails::Html::PermitScrubber

  Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
  are no known security issues associated with these PIs, but similar to comments it's preferred to
  omit these nodes when possible from sanitized output.

  Fixes #115.

  Mike Dalessio

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ railties (indirect, 6.1.3.2 → 6.1.4.1) · Repo · Changelog

Release Notes

6.1.4.1 (from changelog)

• No changes.

6.1.4 (from changelog)

• Fix compatibility with psych >= 4.

  Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility Rails.application.config_for now uses YAML.unsafe_load if available.

  Jean Boussier

• Ensure Rails.application.config_for always cast hashes to ActiveSupport::OrderedOptions.

  Jean Boussier

• Fix create migration generator with --pretend option.

  euxx

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rake (indirect, 13.0.3 → 13.0.6) · Repo · Changelog

Release Notes

13.0.6 (from changelog)

• Additional fix for #389 Pull request #390 by hsbt

13.0.5 (from changelog)

• Fixed the regression of #388 Pull request #389 by hsbt

13.0.4 (from changelog)

• Fix rake test loader swallowing useful error information. Pull request #367 by deivid-rodriguez

• Add -C/–directory option the same as GNU make. Pull request #376 by nobu

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ websocket-driver (indirect, 0.7.3 → 0.7.5) · Repo · Changelog

Release Notes

0.7.5 (from changelog)

• Do not change the encoding of strings passed to Driver#text

0.7.4 (from changelog)

• Optimise conversions between strings and byte arrays and related encoding operations, to reduce amount of allocation and copying

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #254.

[depfu]

Closed in favor of #254.