🚨 [security] Update activesupport: 4.2.7 → 5.2.4.3 (major) #59

Open
wants to merge 1 commit into base: master

Conversation

@depfu depfu bot commented May 18, 2020


🚨 Your version of activesupport has known security vulnerabilities 🚨

Advisory: CVE-2020-8165
Disclosed: May 18, 2020
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the raw: true parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

data = cache.fetch("demo", raw: true) { untrusted_string }

Versions Affected: rails < 5.2.5, rails < 6.0.4
Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the raw option when storing untrusted user input.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.

In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling Rails.cache.fetch they are using consistent values of the raw parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.

Workarounds

It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend that all user-provided strings cached using
the raw argument be double-checked to ensure that they conform to the expected format.


🚨 We recommend merging and deploying this update as soon as possible! 🚨

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ activesupport (indirect, 4.2.7 → 5.2.4.3) · Repo · Changelog

Release Notes

5.2.4.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix possible information leak / session hijacking vulnerability.

    The ActionDispatch::Session::MemcacheStore is still vulnerable given it requires the
    gem dalli to be updated as well.

    CVE-2019-16782.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Railties

  • No changes.

5.2.4

Active Support

  • Make ActiveSupport::Logger Fiber-safe. Fixes #36752.

    Use Fiber.current.__id__ in ActiveSupport::Logger#local_level= in order
    to make log level local to Ruby Fibers in addition to Threads.

    Example:

    logger = ActiveSupport::Logger.new(STDOUT)
    logger.level = 1
    p "Main is debug? #{logger.debug?}"

    Fiber.new {
      logger.local_level = 0
      p "Thread is debug? #{logger.debug?}"
    }.resume

    p "Main is debug? #{logger.debug?}"

    Before:

    Main is debug? false
    Thread is debug? true
    Main is debug? true

    After:

    Main is debug? false
    Thread is debug? true
    Main is debug? false

    Alexander Varnin

Active Model

  • Type cast falsy boolean symbols on boolean attribute as false.

    Fixes #35676.

    Ryuta Kamizono

Active Record

  • Fix circular autosave: true causes invalid records to be saved.

    Prior to the fix, when there was a circular series of autosave: true
    associations, the callback for a has_many association was run while
    another instance of the same callback on the same association hadn't
    finished running. When control returned to the first instance of the
    callback, the instance variable had changed, and subsequent associated
    records weren't saved correctly. Specifically, the ID field for the
    belongs_to corresponding to the has_many was nil.

    Fixes #28080.

    Larry Reid

  • PostgreSQL: Fix GROUP BY with ORDER BY virtual count attribute.

    Fixes #36022.

    Ryuta Kamizono

  • Fix sqlite3 collation parsing when using decimal columns.

    Martin R. Schuster

  • Make ActiveRecord ConnectionPool.connections method thread-safe.

    Fixes #36465.

    Jeff Doering

  • Assign all attributes before calling build to ensure the child record is visible in
    before_add and after_add callbacks for has_many :through associations.

    Fixes #33249.

    Ryan H. Kerr

Action View

  • Allow programmatic click events to trigger Rails UJS click handlers.
    Programmatic click events (e.g. ones generated by Rails.fire(link, "click")) don't specify a button. These events were being incorrectly stopped by code meant to ignore scroll wheel and right clicks introduced in #34573.

    Sudara Williams

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Railties

  • Use original bundler environment variables during the process of generating a new rails project.

    Marco Costa

  • Allow loading seeds without ActiveJob.

    Fixes #35782

    Jeremy Weathers

  • Only force :async ActiveJob adapter to :inline during seeding.

    BatedUrGonnaDie

5.2.3

Active Support

  • Add ActiveSupport::HashWithIndifferentAccess#assoc.

    assoc can now be called with either a string or a symbol.

    Stefan Schüßler

  • Fix String#safe_constantize throwing a LoadError for incorrectly cased constant references.

    Keenan Brock

  • Allow Range#=== and Range#cover? on Range

    Range#cover? can now accept a range argument like Range#include? and
    Range#===. Range#=== works correctly on Ruby 2.6. Range#include? is moved
    into a new file, with these two methods.

    utilum

  • If the same block is included multiple times for a Concern, an exception is no longer raised.

    Mark J. Titorenko, Vlad Bokov

Active Model

  • Fix date value when casting a multiparameter date hash to not convert
    from Gregorian date to Julian date.

    Before:

    Day.new({"day(1i)"=>"1", "day(2i)"=>"1", "day(3i)"=>"1"})
    => #<Day id: nil, day: "0001-01-03", created_at: nil, updated_at: nil>

    After:

    Day.new({"day(1i)"=>"1", "day(2i)"=>"1", "day(3i)"=>"1"})
    => #<Day id: nil, day: "0001-01-01", created_at: nil, updated_at: nil>

    Fixes #28521.

    Sayan Chakraborty

  • Fix numericality equality validation of BigDecimal and Float
    by casting to BigDecimal on both ends of the validation.

    Gannon McGibbon

Active Record

  • Fix different count calculation when using size with manual select with DISTINCT.

    Fixes #35214.

    Juani Villarejo

  • Fix prepared statements caching to be enabled even when query caching is enabled.

    Ryuta Kamizono

  • Don't allow where with invalid value matches to nil values.

    Fixes #33624.

    Ryuta Kamizono

  • Restore the ability to do a class-level update without giving ids.

    Fixes #34743.

    Ryuta Kamizono

  • Fix join table column quoting with SQLite.

    Gannon McGibbon

  • Ensure that delete_all on collection proxy returns affected count.

    Ryuta Kamizono

  • Reset scope after delete on collection association to clear stale offsets of removed records.

    Gannon McGibbon

Action View

  • Prevent non-primary mouse keys from triggering Rails UJS click handlers.
    Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
    For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.

    <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>

    Fixes #34541

    Wolfgang Hobmaier

Action Pack

  • Allow combining the Cache-Control public and no-cache headers.

    Before this change, even if public was specified for the Cache-Control header,
    it was excluded when no-cache was included. This change keeps the public
    header as is.

    Fixes #34780.

    Yuji Yaginuma

  • Allow nil params for ActionController::TestCase.

    Ryo Nakamura

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Railties

  • Seed database with inline ActiveJob job adapter.

    Gannon McGibbon

  • Fix boolean interaction in scaffold system tests.

    Gannon McGibbon

5.1.7

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Fix touch option to behave consistently with Persistence#touch method.

    Ryuta Kamizono

  • Back port Rails 5.2 reverse_order Arel SQL literal fix.

    Matt Jones, Brooke Kuhlmann

  • becomes should clear the mutation tracker which is created in after_initialize.

    Fixes #32867.

    Ryuta Kamizono

Action View

  • Fix issue with button_to's to_form_params

    button_to was throwing exception when invoked with params hash that
    contains symbol and string keys. The reason for the exception was that
    to_form_params was comparing the given symbol and string keys.

    The issue is fixed by turning all keys to strings inside
    to_form_params before comparing them.

    Georgi Georgiev

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Railties

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 0.8.1 → 1.8.2) · Repo · Changelog

Release Notes

1.8.2

  • Restoration of #499 via #509 - deep_merge! & deep_merge methods appear again in the Hash refinement.
  • An issue was introduced in v1.7.0 where some translations were returned as hashes, see #510. This was fixed in 1b5e345, and is available in this release.

1.2.0

  • Provide a uniform API between Simple, KeyValue and Chain backends - #109 (one of our oldest PRs, and I am pleased that @kidpollo has persisted for all this time!)
  • Support translation hashes with numeric keys in Simple backend - #422
  • Add CacheFile backend module - #423
  • Add JSON backend module - #429
  • Updated README to point to the wiki - #438
  • Added plural rules for oc locale - #440
  • Removed tests from the bundled gem (leading to smaller download sizes) - #441
  • Added a post-install message about fallback breaking change introduced in v1.1.0 - #442

1.1.1

  • Expose translations with an option to perform initialization (if it hasn't been done already) (#353 / #254)
  • Removed un-used Kernel core extension #436
  • Added project metadata for RubyGems #434

1.1.0

  • Simplified default exception handler - #414
  • Fallbacks now exclude default locale - #415, possibly fixes #413 + #338
  • Fixed deprecated use of assert_nothing_raised #417
  • Fixed pluralization behavior for KeyValue backend with subtrees disabled - #419
  • Allow yaml file extension - #421

1.0.1

  • Removed creation of some anonymous objects in I18n - #393
  • Added missing key exception_handler to reserved keys - #412

Thanks to @stereobooster and @tjoyal.

0.9.5

  • #404 reported a regression in 0.9.3, which wasn't fixed by 0.9.4. #408 fixes this issue.

Thanks @wjordan!

0.9.4

  • Fixed a regression with chained backends introduced in v0.9.3 (#402) - #405 - bug report / #407 - PR to fix
  • Optimize Backend::Simple#available_locales - reports are that this is now 4x faster than previously - #406

0.9.3

(For those wondering where v0.9.2 went: I got busy after I pushed the commit for the release, so there was no gem release that day. I am not busy today, so here is v0.9.3 in its stead. This changelog contains changes from v0.9.1 -> v0.9.3)

  • I18n no longer stores translations for unavailable locales. #391.
  • Added the ability to interpolate with arrays #395.
  • Documentation for lambda has been corrected. #396
  • I18n will use oj -- a faster JSON library -- but only if it is available. #398
  • Fixed an issue with translate and default: [false] as an option. #399
  • Fixed an issue with translate with nil and empty keys. #400
  • Fix issue with disabled subtrees and pluralization for KeyValue backend #402

Thank you to @stereobooster, @fatkodima and @lulalala for the patches that went towards this release. We appreciate your efforts!

0.9.1

  • Reverted Hash#slice behaviour introduced with #250 - See #390.
  • Fixed a regression caused by #387, where translations may have returned a not-helpful error message - See #389

0.9.0

  • Made Backend::Memoize threadsafe. See #51 and #352.
  • Added a middleware I18n::Middleware that should be used to ensure that i18n config is reset correctly between requests. See #381 and #382.

0.8.6

Fixed a small regression introduced in v0.8.5 when using fallbacks - See #378


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.10.1 → 5.14.1) · Repo · Changelog

Release Notes

5.14.0 (from changelog)

  • 2 minor enhancements:

    • Block-assertions (e.g. assert_output) now error if raised inside the block. (casperisfine)

    • Changed assert_raises to only catch Assertion since that covers Skip and friends.

  • 3 bug fixes:

    • Added example for value wrapper with block to Expectations module. (stomar)

    • Fixed use of must/wont_be_within_delta on Expectation instance. (stomar)

    • Renamed UnexpectedError#exception to #error to avoid problems with reraising. (casperisfine)

5.13.0 (from changelog)

  • 9 minor enhancements:

    • Added Minitest::Guard#osx?

    • Added examples to documentation for assert_raises. (lxxxvi)

    • Added expectations #path_must_exist and #path_wont_exist. Not thrilled with the names.

    • Added fail_after(year, month, day, msg) to allow time-bombing after a deadline.

    • Added skip_until(year, month, day, msg) to allow deferring until a deadline.

    • Deprecated Minitest::Guard#maglev?

    • Deprecated Minitest::Guard#rubinius?

    • Finally added assert_path_exists and refute_path_exists. (deivid-rodriguez)

    • Refactored and pulled Assertions#things_to_diff out of #diff. (BurdetteLamar)

  • 3 bug fixes:

    • Fix autorun bug that affects fork exit status in tests. (dylanahsmith/jhawthorn)

    • Improved documentation for _/value/expect, especially for blocks. (svoop)

    • Support new Proc#to_s format. (ko1)

5.12.2 (from changelog)

  • 1 bug fix:

    • After chatting w/ @y-yagi and others, decided to lower support to include ruby 2.2.

5.12.1 (from changelog)

  • 1 minor enhancement:

    • Added documentation for Reporter classes. (sshaw)

  • 3 bug fixes:

    • Avoid using 'match?' to support older ruby versions. (y-yagi)

    • Fixed broken link to reference on goodness-of-fit testing. (havenwood)

    • Update requirements in readme and Rakefile/hoe spec.

5.12.0 (from changelog)

  • 8 minor enhancements:

    • Added a descriptive error if assert_output or assert_raises called without a block. (okuramasafumi)

    • Changed mu_pp_for_diff to make having both n and \n easier to debug.

    • Deprecated $N for specifying number of parallel test runners. Use MT_CPU.

    • Deprecated use of global expectations. To be removed from MT6.

    • Extended Assertions#mu_pp to encoding validity output for strings to improve diffs.

    • Extended Assertions#mu_pp to output encoding and validity if invalid to improve diffs.

    • Extended Assertions#mu_pp_for_diff to make escaped newlines more obvious in diffs.

    • Fail gracefully when expectation used outside of `it`.

  • 3 bug fixes:

    • Check `option` klass before match. Fixes 2.6 warning. (y-yagi)

    • Fixed Assertions#diff from recalculating if set to nil

    • Fixed spec section of readme to not use deprecated global expectations. (CheezItMan)


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tzinfo (indirect, 1.2.2 → 1.2.7) · Repo · Changelog

Release Notes

1.2.7

  • Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
  • Fixed warnings when running on Ruby 2.8. #112.

TZInfo v1.2.7 on RubyGems.org

1.2.6

  • Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.
  • Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
  • Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.
  • Fixed warnings when running on Ruby 2.7. #106 and #111.

TZInfo v1.2.6 on RubyGems.org

1.2.5

  • Support recursively (deep) freezing Country and Timezone instances. #80.
  • Allow negative daylight savings time offsets to be derived when reading from zoneinfo files. The utc_offset and std_offset are now derived correctly for Europe/Dublin in the 2018a and 2018b releases of the Time Zone Database.

TZInfo v1.2.5 on RubyGems.org

1.2.4

  • Ignore the leapseconds file that is included in zoneinfo directories installed with version 2017c and later of the Time Zone Database.

TZInfo v1.2.4 on RubyGems.org

1.2.3

  • Reduce the number of String objects allocated when loading zoneinfo files. #54.
  • Make Timezone#friendly_identifier compatible with frozen string literals.
  • Improve the algorithm for deriving the utc_offset from zoneinfo files. This now correctly handles Pacific/Apia switching from one side of the International Date Line to the other whilst observing daylight savings time. #66.
  • Fix an UnknownTimezone exception when calling transitions_up_to or offsets_up_to on a TimezoneProxy instance obtained from Timezone.get_proxy.
  • Allow the Factory zone to be obtained from the Zoneinfo data source.
  • Ignore the /usr/share/zoneinfo/timeconfig symlink included in Slackware distributions. #64.
  • Fix Timezone#strftime handling of %Z expansion when %Z is prefixed with more than one percent. #31.
  • Support expansion of %z, %:z, %::z and %:::z to the UTC offset of the time zone in Timezone#strftime. #31 and #67.

TZInfo v1.2.3 on RubyGems.org


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 concurrent-ruby (added, 1.1.6)

🗑️ json (removed)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label May 18, 2020