🚨 [security] Update activesupport: 5.2.0 → 5.2.4.3 (minor) #59

Open · wants to merge 1 commit into master
Conversation


@depfu depfu bot commented May 18, 2020


🚨 Your version of activesupport has known security vulnerabilities 🚨

Advisory: CVE-2020-8165
Disclosed: May 18, 2020
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the raw: true parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

data = cache.fetch("demo", raw: true) { untrusted_string }

Versions Affected: rails < 5.2.5, rails < 6.0.4
Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the raw option when storing untrusted user input.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.

In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling Rails.cache.fetch they are using consistent values of the raw parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.

Workarounds

It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
the raw argument are double-checked to ensure that they conform to the expected format.


🚨 We recommend merging and deploying this update as soon as possible! 🚨

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ activesupport (indirect, 5.2.0 → 5.2.4.3) · Repo · Changelog

Release Notes

5.2.4.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix possible information leak / session hijacking vulnerability.

    The ActionDispatch::Session::MemcacheStore is still vulnerable given it requires the
    gem dalli to be updated as well.

    CVE-2019-16782.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Railties

  • No changes.

5.2.4

Active Support

  • Make ActiveSupport::Logger Fiber-safe. Fixes #36752.

    Use Fiber.current.__id__ in ActiveSupport::Logger#local_level= in order
    to make log level local to Ruby Fibers in addition to Threads.

    Example:

    logger = ActiveSupport::Logger.new(STDOUT)
    logger.level = 1
    p "Main is debug? #{logger.debug?}"
    

    Fiber.new {
      logger.local_level = 0
      p "Thread is debug? #{logger.debug?}"
    }.resume

    p "Main is debug? #{logger.debug?}"

    Before:

    Main is debug? false
    Thread is debug? true
    Main is debug? true
    

    After:

    Main is debug? false
    Thread is debug? true
    Main is debug? false
    

    Alexander Varnin

Active Model

  • Type cast falsy boolean symbols on boolean attribute as false.

    Fixes #35676.

    Ryuta Kamizono

Active Record

  • Fix circular autosave: true causes invalid records to be saved.

    Prior to the fix, when there was a circular series of autosave: true
    associations, the callback for a has_many association was run while
    another instance of the same callback on the same association hadn't
    finished running. When control returned to the first instance of the
    callback, the instance variable had changed, and subsequent associated
    records weren't saved correctly. Specifically, the ID field for the
    belongs_to corresponding to the has_many was nil.

    Fixes #28080.

    Larry Reid

  • PostgreSQL: Fix GROUP BY with ORDER BY virtual count attribute.

    Fixes #36022.

    Ryuta Kamizono

  • Fix sqlite3 collation parsing when using decimal columns.

    Martin R. Schuster

  • Make ActiveRecord ConnectionPool.connections method thread-safe.

    Fixes #36465.

    Jeff Doering

  • Assign all attributes before calling build to ensure the child record is visible in
    before_add and after_add callbacks for has_many :through associations.

    Fixes #33249.

    Ryan H. Kerr

Action View

  • Allow programmatic click events to trigger Rails UJS click handlers.
    Programmatic click events (eg. ones generated by Rails.fire(link, "click")) don't specify a button. These events were being incorrectly stopped by code meant to ignore scroll wheel and right clicks introduced in #34573.

    Sudara Williams

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Railties

  • Use original bundler environment variables during the process of generating a new rails project.

    Marco Costa

  • Allow loading seeds without ActiveJob.

    Fixes #35782

    Jeremy Weathers

  • Only force :async ActiveJob adapter to :inline during seeding.

    BatedUrGonnaDie

5.2.3

Active Support

  • Add ActiveSupport::HashWithIndifferentAccess#assoc.

    assoc can now be called with either a string or a symbol.

    Stefan Schüßler

  • Fix String#safe_constantize throwing a LoadError for incorrectly cased constant references.

    Keenan Brock

  • Allow Range#=== and Range#cover? on Range

    Range#cover? can now accept a range argument like Range#include? and
    Range#===. Range#=== works correctly on Ruby 2.6. Range#include? is moved
    into a new file, with these two methods.

    utilum

  • If the same block is included multiple times for a Concern, an exception is no longer raised.

    Mark J. Titorenko, Vlad Bokov

Active Model

  • Fix date value when casting a multiparameter date hash to not convert
    from Gregorian date to Julian date.

    Before:

    Day.new({"day(1i)"=>"1", "day(2i)"=>"1", "day(3i)"=>"1"})
    => #<Day id: nil, day: "0001-01-03", created_at: nil, updated_at: nil>
    

    After:

    Day.new({"day(1i)"=>"1", "day(2i)"=>"1", "day(3i)"=>"1"})
    => #<Day id: nil, day: "0001-01-01", created_at: nil, updated_at: nil>
    

    Fixes #28521.

    Sayan Chakraborty

  • Fix numericality equality validation of BigDecimal and Float
    by casting to BigDecimal on both ends of the validation.

    Gannon McGibbon

Active Record

  • Fix different count calculation when using size with manual select with DISTINCT.

    Fixes #35214.

    Juani Villarejo

  • Fix prepared statements caching to be enabled even when query caching is enabled.

    Ryuta Kamizono

  • Don't allow where with an invalid value to match nil values.

    Fixes #33624.

    Ryuta Kamizono

  • Restore the ability to do a class-level update without giving ids.

    Fixes #34743.

    Ryuta Kamizono

  • Fix join table column quoting with SQLite.

    Gannon McGibbon

  • Ensure that delete_all on collection proxy returns affected count.

    Ryuta Kamizono

  • Reset scope after delete on collection association to clear stale offsets of removed records.

    Gannon McGibbon

Action View

  • Prevent non-primary mouse keys from triggering Rails UJS click handlers.
    Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
    For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.

    <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>
    

    Fixes #34541

    Wolfgang Hobmaier

Action Pack

  • Allow combining the Cache-Control public and no-cache headers.

    Before this change, even if public was specified for the Cache-Control header,
    it was excluded when no-cache was included. This fixes it to keep the public
    directive as is.

    Fixes #34780.

    Yuji Yaginuma

  • Allow nil params for ActionController::TestCase.

    Ryo Nakamura

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Railties

  • Seed database with inline ActiveJob job adapter.

    Gannon McGibbon

  • Fix boolean interaction in scaffold system tests.

    Gannon McGibbon

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.0.5 → 1.1.6) · Repo · Changelog

Release Notes

1.1.6 (from changelog)

concurrent-ruby:

  • (#841) Concurrent.disable_at_exit_handlers! is no longer needed and was deprecated.
  • (#841) AbstractExecutorService#auto_terminate= was deprecated and has no effect. Set :auto_terminate option instead when executor is initialized.

1.1.5 (from changelog)

concurrent-ruby:

  • fix potential leak of context on JRuby and Java 7

concurrent-ruby-edge:

  • Add finalized Concurrent::Cancellation
  • Add finalized Concurrent::Throttle
  • Add finalized Concurrent::Promises::Channel
  • Add new Concurrent::ErlangActor

1.1.4 (from changelog)

  • (#780) Remove java_alias of 'submit' method of Runnable to let executor service work on java 11
  • (#776) Fix NameError on defining a struct with a name which is already taken in an ancestor

1.1.0

concurrent-ruby:

  • requires at least Ruby 2.0
  • Promises
    are moved from concurrent-ruby-edge to concurrent-ruby
  • Add support for TruffleRuby
    • (#734) Fix Array/Hash/Set construction broken on TruffleRuby
    • AtomicReference fixed
  • fixed documentation and README links
  • fix Set for TruffleRuby and Rubinius
  • CI stabilization
  • remove sharp dependency edge -> core
  • remove warnings
  • documentation updates
  • Exchanger is no longer documented as edge since it was already available in
    concurrent-ruby
  • (#644) Fix Map#each and #each_pair not returning enumerator outside of MRI
  • (#659) Edge promises fail during error handling
  • (#741) Raise on recursive Delay#value call
  • (#727) #717 fix global IO executor on JRuby
  • (#740) Drop support for CRuby 1.9, JRuby 1.7, Rubinius.
  • (#737) Move AtomicMarkableReference out of Edge
  • (#708) Prefer platform specific memory barriers
  • (#735) Fix wrong expected exception in channel spec assertion
  • (#729) Allow executor option in Promise#then
  • (#725) fix timeout check to use timeout_interval
  • (#719) update engine detection
  • (#660) Add specs for Promise#zip/Promise.zip ordering
  • (#654) Promise.zip execution changes
  • (#666) Add thread safe set implementation
  • (#651) #699 #to_s, #inspect should not output negative object IDs.
  • (#685) Avoid RSpec warnings about raise_error
  • (#680) Avoid RSpec monkey patching, persist spec results locally, use RSpec
    v3.7.0
  • (#665) Initialize the monitor for new subarrays on Rubinius
  • (#661) Fix error handling in edge promises

concurrent-ruby-edge:

  • (#659) Edge promises fail during error handling
  • Edge files clearly separated in lib-edge
  • added ReInclude
  • add Promises.zip_futures_over_on


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.0.1 → 1.8.2) · Repo · Changelog

Release Notes

1.8.2

  • Restoration of #499 via #509 - deep_merge! & deep_merge methods appear again in the Hash refinement.
  • An issue was introduced in v1.7.0 where some translations were returned as hashes, see #510. This was fixed in 1b5e345, and is available in this release.

1.2.0

  • Provide a uniform API between Simple, KeyValue and Chain backends - #109 (one of our oldest PRs, and I am pleased that @kidpollo has persisted for all this time!)
  • Support translation hashes with numeric keys in Simple backend - #422
  • Add CacheFile backend module - #423
  • Add JSON backend module - #429
  • Updated README to point to the wiki - #438
  • Added plural rules for oc locale - #440
  • Removed tests from the bundled gem (leading to smaller download sizes) - #441
  • Added a post-install message about fallback breaking change introduced in v1.1.0 - #442

1.1.1

  • Expose translations with an option to perform initialization (if it hasn't been done already) (#353 / #254)
  • Removed un-used Kernel core extension #436
  • Added project metadata for RubyGems #434

1.1.0

  • Simplified default exception handler - #414
  • Fallbacks now exclude default locale - #415, possibly fixes #413 + #338
  • Fixed deprecated use of assert_nothing_raised #417
  • Fixed pluralization behavior for KeyValue backend with subtrees disabled - #419
  • Allow yaml file extension - #421


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.11.3 → 5.14.1) · Repo · Changelog

Release Notes

5.14.0 (from changelog)

  • 2 minor enhancements:

    • Block-assertions (eg assert_output) now error if raised inside the block. (casperisfine)

    • Changed assert_raises to only catch Assertion since that covers Skip and friends.

  • 3 bug fixes:

    • Added example for value wrapper with block to Expectations module. (stomar)

    • Fixed use of must/wont_be_within_delta on Expectation instance. (stomar)

    • Renamed UnexpectedError#exception to #error to avoid problems with reraising. (casperisfine)

5.13.0 (from changelog)

  • 9 minor enhancements:

    • Added Minitest::Guard#osx?

    • Added examples to documentation for assert_raises. (lxxxvi)

    • Added expectations #path_must_exist and #path_wont_exist. Not thrilled with the names.

    • Added fail_after(year, month, day, msg) to allow time-bombing after a deadline.

    • Added skip_until(year, month, day, msg) to allow deferring until a deadline.

    • Deprecated Minitest::Guard#maglev?

    • Deprecated Minitest::Guard#rubinius?

    • Finally added assert_path_exists and refute_path_exists. (deivid-rodriguez)

    • Refactored and pulled Assertions#things_to_diff out of #diff. (BurdetteLamar)

  • 3 bug fixes:

    • Fix autorun bug that affects fork exit status in tests. (dylanahsmith/jhawthorn)

    • Improved documentation for _/value/expect, especially for blocks. (svoop)

    • Support new Proc#to_s format. (ko1)

5.12.2 (from changelog)

  • 1 bug fix:

    • After chatting w/ @y-yagi and others, decided to lower support to include ruby 2.2.

5.12.1 (from changelog)

  • 1 minor enhancement:

    • Added documentation for Reporter classes. (sshaw)

  • 3 bug fixes:

    • Avoid using 'match?' to support older ruby versions. (y-yagi)

    • Fixed broken link to reference on goodness-of-fit testing. (havenwood)

    • Update requirements in readme and Rakefile/hoe spec.

5.12.0 (from changelog)

  • 8 minor enhancements:

    • Added a descriptive error if assert_output or assert_raises called without a block. (okuramasafumi)

    • Changed mu_pp_for_diff to make having both n and \n easier to debug.

    • Deprecated $N for specifying number of parallel test runners. Use MT_CPU.

    • Deprecated use of global expectations. To be removed from MT6.

    • Extended Assertions#mu_pp to encoding validity output for strings to improve diffs.

    • Extended Assertions#mu_pp to output encoding and validity if invalid to improve diffs.

    • Extended Assertions#mu_pp_for_diff to make escaped newlines more obvious in diffs.

    • Fail gracefully when expectation used outside of `it`.

  • 3 bug fixes:

    • Check `option` klass before match. Fixes 2.6 warning. (y-yagi)

    • Fixed Assertions#diff from recalculating if set to nil

    • Fixed spec section of readme to not use deprecated global expectations. (CheezItMan)


Commits

See the full diff on Github. The new version differs by 60 commits.

↗️ tzinfo (indirect, 1.2.5 → 1.2.7) · Repo · Changelog

Release Notes

1.2.7

  • Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
  • Fixed warnings when running on Ruby 2.8. #112.

TZInfo v1.2.7 on RubyGems.org

1.2.6

  • Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.
  • Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
  • Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.
  • Fixed warnings when running on Ruby 2.7. #106 and #111.

TZInfo v1.2.6 on RubyGems.org


Commits

See the full diff on Github. The new version differs by 46 commits.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label May 18, 2020