diff --git a/.travis.yml b/.travis.yml
index 14aecafe3..c16575b66 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -45,7 +45,7 @@ script:
 - bundle exec rake teaspoon DIR='javascripts'
 - bash <(curl -s https://codecov.io/bash) -f ./coverage-frontend/default/lcov.info
 - bundle exec brakeman -qAzw1
- - bundle exec bundle-audit check --update --ignore CVE-2020-5267
+ - bundle exec bundle-audit check --update
 - bundle exec overcommit --sign
 - bundle exec overcommit --run
 - bundle exec rake test
diff --git a/Gemfile b/Gemfile
index ebcca8db9..d177c8bd3 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
-gem 'rails', '5.2.4.3'
+gem 'rails', '5.2.4.4'
 gem 'sprockets'
diff --git a/Gemfile.lock b/Gemfile.lock
index bb9fdacb6..9d688a9a4 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,12 +1,12 @@
 GIT
 remote: https://github.com/projecttacoma/cqm-parsers.git
- revision: 916f63f98beea308928bf64057597a50503df2ea
+ revision: 5b6d682e925e096443a0379609db995169c00382
 branch: bonnie_version
 specs:
 cqm-parsers (0.2.1.1)
 activesupport (~> 5.2.1)
 builder (~> 3.1)
- cqm-models (~> 3.0.3)
+ cqm-models (~> 3.0.4)
 erubis (~> 2.7.0)
 highline (~> 1.7.0)
 log4r (~> 1.1.10)
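Review bot: The bundle-audit step in the .travis.yml hunk carries no comment on how suppressions are meant to be handled, and the `--ignore` being dropped had apparently outlived its purpose — the deleted patch file's own header (config/security_patch_cve20205267.rb, later in this commit) names the fix as >= 5.2.4.2 while the Gemfile was already pinned to 5.2.4.3 before this change. A YAML comment above the step, `# bundle-audit: any --ignore must cite the advisory, the compensating control and the condition (e.g. fixed gem version) under which it is removed`, would make the next suppression self-expiring instead of silently surviving the upgrade that fixed it. Since `--update` refreshes the advisory database at build time, it is presumably worth noting in the same comment that the step is expected to fail the build on any newly published advisory, so a failing CI run here is a signal to act on rather than re-add an ignore.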
@@ -43,43 +43,43 @@ GIT GEM remote: https://rubygems.org/ specs: - actioncable (5.2.4.3) - actionpack (= 5.2.4.3) + actioncable (5.2.4.4) + actionpack (= 5.2.4.4) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailer (5.2.4.3) - actionpack (= 5.2.4.3) - actionview (= 5.2.4.3) - activejob (= 5.2.4.3) + actionmailer (5.2.4.4) + actionpack (= 5.2.4.4) + actionview (= 5.2.4.4) + activejob (= 5.2.4.4) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (5.2.4.3) - actionview (= 5.2.4.3) - activesupport (= 5.2.4.3) + actionpack (5.2.4.4) + actionview (= 5.2.4.4) + activesupport (= 5.2.4.4) rack (~> 2.0, >= 2.0.8) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (5.2.4.3) - activesupport (= 5.2.4.3) + actionview (5.2.4.4) + activesupport (= 5.2.4.4) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.3) - activejob (5.2.4.3) - activesupport (= 5.2.4.3) + activejob (5.2.4.4) + activesupport (= 5.2.4.4) globalid (>= 0.3.6) - activemodel (5.2.4.3) - activesupport (= 5.2.4.3) - activerecord (5.2.4.3) - activemodel (= 5.2.4.3) - activesupport (= 5.2.4.3) + activemodel (5.2.4.4) + activesupport (= 5.2.4.4) + activerecord (5.2.4.4) + activemodel (= 5.2.4.4) + activesupport (= 5.2.4.4) arel (>= 9.0) - activestorage (5.2.4.3) - actionpack (= 5.2.4.3) - activerecord (= 5.2.4.3) + activestorage (5.2.4.4) + actionpack (= 5.2.4.4) + activerecord (= 5.2.4.4) marcel (~> 0.3.1) - activesupport (5.2.4.3) + activesupport (5.2.4.4) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 0.7, < 2) minitest (~> 5.1) @@ -131,7 +131,7 @@ GEM colorize (0.8.1) commonjs (0.2.7) concurrent-ruby (1.1.7) - cqm-models (3.0.3) + cqm-models (3.0.4) cqm-reports (3.1.2) cqm-models (~> 3.0.3) cqm-validators (~> 3.0.0) @@ -199,7 +199,7 @@ GEM sprockets (~> 3.0) libv8 (3.16.14.19) log4r (1.1.10) - loofah (2.6.0) + loofah (2.7.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) macaddr (1.7.2) 
@@ -217,7 +217,7 @@ GEM
 mimemagic (0.3.5)
 mini_mime (1.0.2)
 mini_portile2 (2.4.0)
- minitest (5.14.1)
+ minitest (5.14.2)
 mongo (2.13.0)
 bson (>= 4.8.2, < 5.0.0)
 mongoid (6.4.5)
@@ -232,7 +232,7 @@ GEM
 net-ssh (6.1.0)
 netrc (0.11.0)
 newrelic_rpm (6.12.0.367)
- nio4r (2.5.2)
+ nio4r (2.5.3)
 nokogiri (1.10.10)
 mini_portile2 (~> 2.4.0)
 non-stupid-digest-assets (1.0.9)
@@ -256,18 +256,18 @@ GEM
 rack (2.2.3)
 rack-test (1.1.0)
 rack (>= 1.0, < 3)
- rails (5.2.4.3)
- actioncable (= 5.2.4.3)
- actionmailer (= 5.2.4.3)
- actionpack (= 5.2.4.3)
- actionview (= 5.2.4.3)
- activejob (= 5.2.4.3)
- activemodel (= 5.2.4.3)
- activerecord (= 5.2.4.3)
- activestorage (= 5.2.4.3)
- activesupport (= 5.2.4.3)
+ rails (5.2.4.4)
+ actioncable (= 5.2.4.4)
+ actionmailer (= 5.2.4.4)
+ actionpack (= 5.2.4.4)
+ actionview (= 5.2.4.4)
+ activejob (= 5.2.4.4)
+ activemodel (= 5.2.4.4)
+ activerecord (= 5.2.4.4)
+ activestorage (= 5.2.4.4)
+ activesupport (= 5.2.4.4)
 bundler (>= 1.3.0)
- railties (= 5.2.4.3)
+ railties (= 5.2.4.4)
 sprockets-rails (>= 2.0.0)
 rails-controller-testing (1.0.5)
 actionpack (>= 5.0.1.rc1)
@@ -286,9 +286,9 @@ GEM
 json
 require_all (~> 3.0)
 ruby-progressbar
- railties (5.2.4.3)
- actionpack (= 5.2.4.3)
- activesupport (= 5.2.4.3)
+ railties (5.2.4.4)
+ actionpack (= 5.2.4.4)
+ activesupport (= 5.2.4.4)
 method_source
 rake (>= 0.8.7)
 thor (>= 0.19.0, < 2.0)
@@ -421,7 +421,7 @@ DEPENDENCIES
 overcommit
 pry
 pry-byebug
- rails (= 5.2.4.3)
+ rails (= 5.2.4.4)
 rails-controller-testing
 rails_best_practices
 rest-client
diff --git a/config/application.rb b/config/application.rb
index 31ee0c78a..8562651c2 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -5,7 +5,6 @@ require "action_controller/railtie"
 require "action_mailer/railtie"
 require "rails/test_unit/railtie"
-require_relative './security_patch_cve20205267' if defined?(Bundler)
 # If you precompile assets before deploying to production, use this line
diff --git a/config/security_patch_cve20205267.rb b/config/security_patch_cve20205267.rb
deleted file mode 100644
index 1b79ceb50..000000000
--- a/config/security_patch_cve20205267.rb
+++ /dev/null
@@ -1,39 +0,0 @@
-# Name: actionview
-# Version: 4.2.11.1
-# Advisory: CVE-2020-5267
-# Criticality: Unknown
-# URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
-# Title: Possible XSS vulnerability in ActionView
-# Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2
-
-ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
- {
- "`" => "\\`",
- "$" => "\\$"
- }
-)
-
-module ActionView
- module Helpers
- module JavaScriptHelper
- alias old_ej escape_javascript
- alias old_j j
-
- def escape_javascript(javascript)
- javascript = javascript.to_s
- result = if javascript.empty?
- ""
- else
- javascript.gsub(%r{(\\|