From 93b0e1eb22a1cbc37ae033f007d73c0ae2da8e26 Mon Sep 17 00:00:00 2001 From: Dennis Schubert Date: Sun, 9 Feb 2020 17:13:02 +0100 Subject: [PATCH 01/17] Bump Rails. --- Gemfile | 2 +- Gemfile.lock | 114 +++++++++++++++++++++++++++------------------------ 2 files changed, 62 insertions(+), 54 deletions(-) diff --git a/Gemfile b/Gemfile index 08653baa5..9ac7acdcb 100644 --- a/Gemfile +++ b/Gemfile @@ -2,7 +2,7 @@ source "https://rubygems.org" -gem "rails", "5.1.7" +gem "rails", "5.2.4.1" # Legacy Rails features, remove me! # responders (class level) diff --git a/Gemfile.lock b/Gemfile.lock index d09c9e391..8720509a1 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -2,25 +2,25 @@ GEM remote: https://rubygems.org/ remote: https://gems.diasporafoundation.org/ specs: - actioncable (5.1.7) - actionpack (= 5.1.7) + actioncable (5.2.4.1) + actionpack (= 5.2.4.1) nio4r (~> 2.0) - websocket-driver (~> 0.6.1) - actionmailer (5.1.7) - actionpack (= 5.1.7) - actionview (= 5.1.7) - activejob (= 5.1.7) + websocket-driver (>= 0.6.1) + actionmailer (5.2.4.1) + actionpack (= 5.2.4.1) + actionview (= 5.2.4.1) + activejob (= 5.2.4.1) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (5.1.7) - actionview (= 5.1.7) - activesupport (= 5.1.7) - rack (~> 2.0) + actionpack (5.2.4.1) + actionview (= 5.2.4.1) + activesupport (= 5.2.4.1) + rack (~> 2.0, >= 2.0.8) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (5.1.7) - activesupport (= 5.1.7) + actionview (5.2.4.1) + activesupport (= 5.2.4.1) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) 
@@ -28,18 +28,22 @@ GEM active_model_serializers (0.9.7) activemodel (>= 3.2) concurrent-ruby (~> 1.0) - activejob (5.1.7) - activesupport (= 5.1.7) + activejob (5.2.4.1) + activesupport (= 5.2.4.1) globalid (>= 0.3.6) - activemodel (5.1.7) - activesupport (= 5.1.7) - activerecord (5.1.7) - activemodel (= 5.1.7) - activesupport (= 5.1.7) - arel (~> 8.0) + activemodel (5.2.4.1) + activesupport (= 5.2.4.1) + activerecord (5.2.4.1) + activemodel (= 5.2.4.1) + activesupport (= 5.2.4.1) + arel (>= 9.0) activerecord-import (1.0.2) activerecord (>= 3.2) - activesupport (5.1.7) + activestorage (5.2.4.1) + actionpack (= 5.2.4.1) + activerecord (= 5.2.4.1) + marcel (~> 0.3.1) + activesupport (5.2.4.1) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 0.7, < 2) minitest (~> 5.1) @@ -53,7 +57,7 @@ GEM addressable (2.6.0) public_suffix (>= 2.0.2, < 4.0) aes_key_wrap (1.0.1) - arel (8.0.0) + arel (9.0.0) asset_sync (2.7.0) activemodel (>= 4.1.0) fog-core @@ -73,7 +77,7 @@ GEM sassc (>= 2.0.0) bootstrap-switch-rails (3.3.3) buftok (0.2.0) - builder (3.2.3) + builder (3.2.4) byebug (11.0.1) capybara (3.15.0) addressable @@ -127,7 +131,7 @@ GEM compass (~> 1.0.0) sass-rails (< 5.1) sprockets (< 4.0) - concurrent-ruby (1.1.5) + concurrent-ruby (1.1.6) configurate (0.3.1) connection_pool (2.2.2) coveralls (0.8.23) @@ -138,7 +142,7 @@ GEM tins (~> 1.6) crack (0.4.3) safe_yaml (~> 1.0.0) - crass (1.0.4) + crass (1.0.6) cucumber (3.1.2) builder (>= 2.1.2) cucumber-core (~> 3.2.0) @@ -203,7 +207,7 @@ GEM entypo-rails (3.0.0) railties (>= 4.1, < 6) equalizer (0.0.11) - erubi (1.8.0) + erubi (1.9.0) eslintrb (2.1.0) execjs multi_json (>= 1.3) @@ -322,7 +326,7 @@ GEM mime-types (~> 3.0) multi_xml (>= 0.5.2) httpclient (2.8.3) - i18n (1.6.0) + i18n (1.8.2) concurrent-ruby (~> 1.0) i18n-inflector (2.6.7) i18n (>= 0.4.1) @@ -377,7 +381,7 @@ GEM multi_json (~> 1.10) logging-rails (0.6.0) logging (>= 1.8) - loofah (2.2.3) + loofah (2.4.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) lumberjack (1.0.13) 
@@ -385,6 +389,8 @@ GEM systemu (~> 2.6.5) mail (2.7.1) mini_mime (>= 0.1.1) + marcel (0.3.3) + mimemagic (~> 0.3.2) markdown-it-html5-embed (1.0.0) markerb (1.1.0) memoizable (0.4.2) @@ -393,10 +399,11 @@ GEM mime-types (3.2.2) mime-types-data (~> 3.2015) mime-types-data (3.2019.0331) + mimemagic (0.3.4) mini_magick (4.9.3) - mini_mime (1.0.1) + mini_mime (1.0.2) mini_portile2 (2.4.0) - minitest (5.11.3) + minitest (5.14.0) mobile-fu (1.4.0) rack-mobile-detect rails @@ -407,7 +414,7 @@ GEM mysql2 (0.5.2) naught (1.1.0) nenv (0.3.0) - nio4r (2.3.1) + nio4r (2.5.2) nokogiri (1.10.3) mini_portile2 (~> 2.4.0) notiffany (0.1.1) @@ -489,7 +496,7 @@ GEM pry (~> 0.10) public_suffix (3.1.1) raabro (1.1.6) - rack (2.0.7) + rack (2.2.2) rack-cors (1.0.3) rack-google-analytics (1.2.0) actionpack @@ -510,17 +517,18 @@ GEM rack rack-test (1.1.0) rack (>= 1.0, < 3) - rails (5.1.7) - actioncable (= 5.1.7) - actionmailer (= 5.1.7) - actionpack (= 5.1.7) - actionview (= 5.1.7) - activejob (= 5.1.7) - activemodel (= 5.1.7) - activerecord (= 5.1.7) - activesupport (= 5.1.7) + rails (5.2.4.1) + actioncable (= 5.2.4.1) + actionmailer (= 5.2.4.1) + actionpack (= 5.2.4.1) + actionview (= 5.2.4.1) + activejob (= 5.2.4.1) + activemodel (= 5.2.4.1) + activerecord (= 5.2.4.1) + activestorage (= 5.2.4.1) + activesupport (= 5.2.4.1) bundler (>= 1.3.0) - railties (= 5.1.7) + railties (= 5.2.4.1) sprockets-rails (>= 2.0.0) rails-assets-autosize (4.0.2) rails-assets-backbone (1.3.3) 
@@ -575,23 +583,23 @@ GEM rails-dom-testing (2.0.3) activesupport (>= 4.2.0) nokogiri (>= 1.6) - rails-html-sanitizer (1.0.4) - loofah (~> 2.2, >= 2.2.2) + rails-html-sanitizer (1.3.0) + loofah (~> 2.3) rails-i18n (5.1.3) i18n (>= 0.7, < 2) railties (>= 5.0, < 6) rails-timeago (2.17.1) actionpack (>= 3.1) activesupport (>= 3.1) - railties (5.1.7) - actionpack (= 5.1.7) - activesupport (= 5.1.7) + railties (5.2.4.1) + actionpack (= 5.2.4.1) + activesupport (= 5.2.4.1) method_source rake (>= 0.8.7) - thor (>= 0.18.1, < 2.0) + thor (>= 0.19.0, < 2.0) rainbow (3.0.0) raindrops (0.19.0) - rake (12.3.2) + rake (12.3.3) rb-fsevent (0.10.3) rb-inotify (0.10.0) ffi (~> 1.0) @@ -731,7 +739,7 @@ GEM unf (~> 0.1.0) typhoeus (1.3.1) ethon (>= 0.9.0) - tzinfo (1.2.5) + tzinfo (1.2.6) thread_safe (~> 0.1) uglifier (4.1.20) execjs (>= 0.3.0, < 3) @@ -767,7 +775,7 @@ GEM addressable (>= 2.3.6) crack (>= 0.3.2) hashdiff (>= 0.4.0, < 2.0.0) - websocket-driver (0.6.5) + websocket-driver (0.7.1) websocket-extensions (>= 0.1.0) websocket-extensions (0.1.4) will_paginate (3.1.7) @@ -858,7 +866,7 @@ DEPENDENCIES rack-piwik (= 0.3.0) rack-rewrite (= 1.5.1) rack-ssl (= 1.4.1) - rails (= 5.1.7) + rails (= 5.2.4.1) rails-assets-autosize (= 4.0.2)! rails-assets-backbone (= 1.3.3)! rails-assets-blueimp-gallery (= 2.33.0)! From 25e9728fae9646294c3bd14e8d9377925528abf6 Mon Sep 17 00:00:00 2001 From: Dennis Schubert Date: Sun, 9 Feb 2020 17:38:19 +0100 Subject: [PATCH 02/17] Do not depend on the default parameter being set in Person#initialize. ActiveRecord 5.2.x occasionally calls with a nil parameter explicitly provided, so using default arguments does not work. --- app/models/person.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/app/models/person.rb b/app/models/person.rb index 8745a1179..64746200e 100644 --- a/app/models/person.rb +++ b/app/models/person.rb 
@@ -185,6 +185,8 @@ class Person < ApplicationRecord # end # will not work! The nil profile will be overriden with an empty one. def initialize(params={}) + params = {} if params.nil? + profile_set = params.has_key?(:profile) || params.has_key?("profile") params[:profile_attributes] = params.delete(:profile) if params.has_key?(:profile) && params[:profile].is_a?(Hash) super From 75ef13b5d17795b835fe461e9be8080f3cf7d22b Mon Sep 17 00:00:00 2001 From: Dennis Schubert Date: Sun, 9 Feb 2020 18:02:06 +0100 Subject: [PATCH 03/17] Replace content_security_policy_nonce with content_security_policy_script_nonce. To avoid a conflict with Rails, and to avoid confusion caused by twitter's gem overloading the method. --- app/views/conversations/new.mobile.haml | 2 +- app/views/layouts/_head.haml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/app/views/conversations/new.mobile.haml b/app/views/conversations/new.mobile.haml index d8e8feb04..fb8e6806f 100644 --- a/app/views/conversations/new.mobile.haml +++ b/app/views/conversations/new.mobile.haml @@ -2,7 +2,7 @@ -# licensed under the Affero General Public License version 3 or later. See -# the COPYRIGHT file. -%script{nonce: content_security_policy_nonce(:script)} +%script{nonce: content_security_policy_script_nonce} :plain $(document).ready(function () { var data = $.parseJSON( "#{escape_javascript(@contacts_json).html_safe}" ), diff --git a/app/views/layouts/_head.haml b/app/views/layouts/_head.haml index a85a96c74..9b6b92f66 100644 --- a/app/views/layouts/_head.haml +++ b/app/views/layouts/_head.haml @@ -21,7 +21,7 @@ = stylesheet_link_tag :poltergeist_disable_transition, media: "all" = jquery_include_tag -= include_gon(camel_case: true, nonce: content_security_policy_nonce(:script)) += include_gon(camel_case: true, nonce: content_security_policy_script_nonce) = yield(:javascript) = csrf_meta_tag From 35da56109f9774a52386b175473241f89f7d7568 Mon Sep 17 00:00:00 2001
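Review bot: The new guard `params = {} if params.nil?` carries no explanation in the code, so a later cleanup is likely to drop it in favour of the default argument that, per the commit message, ActiveRecord 5.2 bypasses by passing an explicit nil; keep the reason next to the line, e.g. `params = {} if params.nil? # AR 5.2 may pass an explicit nil, bypassing the default argument`. The idiomatic spelling for the same nil case is `params ||= {}`. The method still mutates the caller's hash on the following lines (`params.delete(:profile)`), which the guard leaves untouched; `initialize` continues past the end of the hunk.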
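Review bot: Any caller of `content_security_policy_nonce(:script)` that this commit misses will, now that Rails 5.2 also defines a no-argument `content_security_policy_nonce`, either raise on arity or emit a nonce drawn from a different source than the one written into the CSP header, depending on which helper wins at load time; the rename in these two views is therefore only safe if no other call sites remain. A spec that renders `layouts/_head` and asserts the emitted `nonce` attribute equals the nonce in the response's Content-Security-Policy header would pin the contract down against future helper changes. In `new.mobile.haml` the inline script still interpolates `escape_javascript(@contacts_json).html_safe` into a JS string literal; that line is unchanged by the commit, but it is the script whose nonce matters most, so it is the natural subject for that spec.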
From: Dennis Schubert Date: Tue, 11 Feb 2020 18:11:38 +0100 Subject: [PATCH 04/17] Create a dup string from the return value of .truncate. Due to a bug in Rails, .truncate returns a frozen string if the string actually changed, but not if there are no changes. This leads to inconsistent behaviour, and broken tests. This was fixed upstream, see https://github.com/rails/rails/pull/36109, but the fix did not make it into 5.2.x, so we have to work around for the time being. --- lib/diaspora/message_renderer.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/diaspora/message_renderer.rb b/lib/diaspora/message_renderer.rb index 4477ae587..0072cbd57 100644 --- a/lib/diaspora/message_renderer.rb +++ b/lib/diaspora/message_renderer.rb @@ -35,11 +35,12 @@ module Diaspora def append_and_truncate if options[:truncate] - @message = message.truncate options[:truncate]-options[:append].to_s.size + # TODO: Remove .dup when upgrading to Rails 6.x. + @message = @message.truncate(options[:truncate] - options[:append].to_s.size).dup end - message << options[:append].to_s - message << options[:append_after_truncate].to_s + @message << options[:append].to_s + @message << options[:append_after_truncate].to_s end def escape From 45e8b54beabb7d1ba9a9f0909c3cc2d0d572a8e4 Mon Sep 17 00:00:00 2001 From: Dennis Schubert Date: Tue, 11 Feb 2020 22:35:10 +0100 Subject: [PATCH 05/17] Check for status codes instead of relying on response.redirect?. Rack did so much refactoring, we do not see a Response object here anymore. --- .../api/openid_connect/authorizations_controller.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/app/controllers/api/openid_connect/authorizations_controller.rb b/app/controllers/api/openid_connect/authorizations_controller.rb index bc35f11b9..555a718b3 100644 --- a/app/controllers/api/openid_connect/authorizations_controller.rb +++ b/app/controllers/api/openid_connect/authorizations_controller.rb 
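Review bot: The `# TODO: Remove .dup when upgrading to Rails 6.x.` comment should carry the upstream reference given in the commit message so the next maintainer can verify the fix actually shipped before removing the workaround, e.g. `# TODO: Remove .dup when upgrading to Rails 6.x (frozen-string fix: https://github.com/rails/rails/pull/36109).`. On the rewritten line, when `options[:append]` is longer than `options[:truncate]` the length passed to `truncate` goes negative, and as far as I can tell ActiveSupport's `String#truncate` does not guard against that, so the result can be longer than the requested bound; clamping with `[options[:truncate] - options[:append].to_s.size, 0].max` would make the bound hold. The `.dup` only covers the truncating branch: if `@message` arrives frozen and `options[:truncate]` is unset, the two `<<` appends below still raise `FrozenError`, which this commit does not address.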
@@ -104,8 +104,9 @@ module Api end def handle_start_point_response(endpoint) - _status, header, response = endpoint.call(request.env) - if response.redirect? + status, header, _response = endpoint.call(request.env) + + if status.in?([301, 302, 303, 307, 308]) redirect_to header["Location"] else save_params_and_render_consent_form(endpoint) From e40a07f204fb1641264fd927092b0829491ba1da Mon Sep 17 00:00:00 2001 From: Dennis Schubert Date: Tue, 11 Feb 2020 19:51:34 +0100 Subject: [PATCH 06/17] Replace be_success with be_successful in specs. be_success is deprecated and will be removed in Rails 6. --- spec/controllers/admins_controller_spec.rb | 8 ++--- .../aspect_memberships_controller_spec.rb | 6 ++-- spec/controllers/comments_controller_spec.rb | 4 +-- spec/controllers/contacts_controller_spec.rb | 8 ++--- .../conversations_controller_spec.rb | 36 +++++++++---------- spec/controllers/help_controller_spec.rb | 2 +- spec/controllers/home_controller_spec.rb | 4 +-- .../jasmine_fixtures/streams_spec.rb | 2 +- spec/controllers/node_info_controller_spec.rb | 4 +-- .../notifications_controller_spec.rb | 14 ++++---- spec/controllers/people_controller_spec.rb | 28 +++++++-------- spec/controllers/photos_controller_spec.rb | 10 +++--- spec/controllers/posts_controller_spec.rb | 6 ++-- spec/controllers/profiles_controller_spec.rb | 2 +- spec/controllers/reshares_controller_spec.rb | 4 +-- .../share_visibilities_controller_spec.rb | 2 +- .../status_messages_controller_spec.rb | 6 ++-- spec/controllers/streams_controller_spec.rb | 12 +++---- spec/controllers/tags_controller_spec.rb | 2 +- spec/controllers/terms_controller_spec.rb | 4 +-- spec/controllers/users_controller_spec.rb | 4 +-- 21 files changed, 84 insertions(+), 84 deletions(-) diff --git a/spec/controllers/admins_controller_spec.rb b/spec/controllers/admins_controller_spec.rb index a9e61eb6a..1ee4a7321 100644 --- a/spec/controllers/admins_controller_spec.rb +++ b/spec/controllers/admins_controller_spec.rb 
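Review bot: The status list in `if status.in?([301, 302, 303, 307, 308])` is rebuilt on every call and carries no name saying where it comes from; lift it to a frozen constant, e.g. `REDIRECT_STATUSES = [301, 302, 303, 307, 308].freeze # mirrors Rack::Response#redirect?`, so the two stay in step when Rack changes. Rack's SPEC only requires the status to be Integer-like when coerced with `to_i`, so if the endpoint ever returns a String status the check silently falls through to the consent form; `status.to_i.in?(REDIRECT_STATUSES)` closes that. The else branch now explicitly routes every non-redirect status, including any 4xx the endpoint produces, into `save_params_and_render_consent_form`; that matches the previous behaviour as far as the removed lines show, but a one-line comment confirming it is intended would stop a reader from reading it as a missing error check. `handle_start_point_response` continues past the end of the hunk.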
@@ -30,7 +30,7 @@ describe AdminsController, :type => :controller do it "succeeds" do get :dashboard - expect(response).to be_success + expect(response).to be_successful end it "warns the user about unreviewed reports" do @@ -62,7 +62,7 @@ describe AdminsController, :type => :controller do it 'succeeds and renders user_search' do get :user_search - expect(response).to be_success + expect(response).to be_successful expect(response).to render_template(:user_search) end @@ -139,7 +139,7 @@ describe AdminsController, :type => :controller do it "succeeds and renders stats" do get :stats - expect(response).to be_success + expect(response).to be_successful expect(response).to render_template(:stats) expect(response.body).to include( I18n.translate( @@ -151,7 +151,7 @@ describe AdminsController, :type => :controller do it "succeeds and renders stats for different ranges" do %w(week 2weeks month).each do |range| get :stats, params: {range: range} - expect(response).to be_success + expect(response).to be_successful expect(response).to render_template(:stats) expect(response.body).not_to include( I18n.translate( diff --git a/spec/controllers/aspect_memberships_controller_spec.rb b/spec/controllers/aspect_memberships_controller_spec.rb index 903e732ef..e2174e7e7 100644 --- a/spec/controllers/aspect_memberships_controller_spec.rb +++ b/spec/controllers/aspect_memberships_controller_spec.rb @@ -25,7 +25,7 @@ describe AspectMembershipsController, type: :controller do it "succeeds" do post :create, params: {person_id: bob.person.id, aspect_id: @aspect1.id}, format: :json - expect(response).to be_success + expect(response).to be_successful end it "creates an aspect membership" do 
@@ -75,14 +75,14 @@ describe AspectMembershipsController, type: :controller do it "removes contacts from an aspect" do membership = alice.add_contact_to_aspect(@contact, @aspect1) delete :destroy, params: {id: membership.id}, format: :json - expect(response).to be_success + expect(response).to be_successful @aspect1.reload expect(@aspect1.contacts.to_a).not_to include @contact end it "aspect membership does not exist" do delete :destroy, params: {id: 123}, format: :json - expect(response).not_to be_success + expect(response).not_to be_successful expect(response.body).to eq(I18n.t("aspect_memberships.destroy.no_membership")) end end diff --git a/spec/controllers/comments_controller_spec.rb b/spec/controllers/comments_controller_spec.rb index 597205268..a6b0a45cc 100644 --- a/spec/controllers/comments_controller_spec.rb +++ b/spec/controllers/comments_controller_spec.rb @@ -29,7 +29,7 @@ describe CommentsController, :type => :controller do it 'responds to format mobile' do post :create, params: comment_hash, format: :mobile - expect(response).to be_success + expect(response).to be_successful end end @@ -136,7 +136,7 @@ describe CommentsController, :type => :controller do it 'works for mobile' do get :index, params: {post_id: @message.id}, format: :mobile - expect(response).to be_success + expect(response).to be_successful end it 'returns all the comments for a post' do diff --git a/spec/controllers/contacts_controller_spec.rb b/spec/controllers/contacts_controller_spec.rb index 608d664e8..10cdc3ab5 100644 --- a/spec/controllers/contacts_controller_spec.rb +++ b/spec/controllers/contacts_controller_spec.rb 
@@ -14,14 +14,14 @@ describe ContactsController, :type => :controller do context 'format mobile' do it "succeeds" do get :index, format: :mobile - expect(response).to be_success + expect(response).to be_successful end end context 'format html' do it "succeeds" do get :index - expect(response).to be_success + expect(response).to be_successful end it "doesn't assign contacts" do @@ -43,7 +43,7 @@ describe ContactsController, :type => :controller do it "succeeds" do get :index, params: {q: @person1.first_name}, format: :json - expect(response).to be_success + expect(response).to be_successful end it "responds with json" do @@ -133,7 +133,7 @@ describe ContactsController, :type => :controller do describe '#spotlight' do it 'succeeds' do get :spotlight - expect(response).to be_success + expect(response).to be_successful end it 'gets queries for users in the app config' do diff --git a/spec/controllers/conversations_controller_spec.rb b/spec/controllers/conversations_controller_spec.rb index aaf81076c..3ea06721f 100644 --- a/spec/controllers/conversations_controller_spec.rb +++ b/spec/controllers/conversations_controller_spec.rb @@ -20,7 +20,7 @@ describe ConversationsController, :type => :controller do context "desktop" do it "succeeds" do get :new, params: {modal: true} - expect(response).to be_success + expect(response).to be_successful end end @@ -76,13 +76,13 @@ describe ConversationsController, :type => :controller do it "succeeds" do get :index - expect(response).to be_success + expect(response).to be_successful expect(assigns[:visibilities]).to match_array(@visibilities) end it "succeeds with json" do get :index, format: :json - expect(response).to be_success + expect(response).to be_successful json = JSON.parse(response.body) expect(json.first["conversation"]).to be_present end 
@@ -94,7 +94,7 @@ describe ConversationsController, :type => :controller do it "retrieves a conversation" do get :index, params: {conversation_id: @conversations.first.id} - expect(response).to be_success + expect(response).to be_successful expect(assigns[:visibilities]).to match_array(@visibilities) expect(assigns[:conversation]).to eq(@conversations.first) end @@ -108,7 +108,7 @@ describe ConversationsController, :type => :controller do it "retrieves a conversation message with out markdown content " do get :index @conversation = @conversations.first - expect(response).to be_success + expect(response).to be_successful expect(response.body).to match(/cool stuff/) expect(response.body).not_to match(%r{cool stuff}) end @@ -134,7 +134,7 @@ describe ConversationsController, :type => :controller do it "responds with the conversation id as JSON" do post :create, params: params, format: :js - expect(response).to be_success + expect(response).to be_successful expect(JSON.parse(response.body)["id"]).to eq(Conversation.first.id) end @@ -172,7 +172,7 @@ describe ConversationsController, :type => :controller do it "responds with the conversation id as JSON" do post :create, params: params, format: :js - expect(response).to be_success + expect(response).to be_successful expect(JSON.parse(response.body)["id"]).to eq(Conversation.first.id) end end @@ -195,7 +195,7 @@ describe ConversationsController, :type => :controller do it "responds with an error message" do post :create, params: params, format: :js - expect(response).not_to be_success + expect(response).not_to be_successful expect(response.body).to eq(I18n.t("conversations.create.fail")) end end @@ -218,7 +218,7 @@ describe ConversationsController, :type => :controller do it "responds with an error message" do post :create, params: params, format: :js - expect(response).not_to be_success + expect(response).not_to be_successful expect(response.body).to eq(I18n.t("javascripts.conversation.create.no_recipient")) end end 
@@ -241,7 +241,7 @@ describe ConversationsController, :type => :controller do it "responds with an error message" do post :create, params: params, format: :js - expect(response).not_to be_success + expect(response).not_to be_successful expect(response.body).to eq(I18n.t("javascripts.conversation.create.no_recipient")) end end @@ -272,7 +272,7 @@ describe ConversationsController, :type => :controller do it "responds with an error message" do post :create, params: params, format: :js - expect(response).not_to be_success + expect(response).not_to be_successful expect(response.body).to eq(I18n.t("javascripts.conversation.create.no_recipient")) end end @@ -301,7 +301,7 @@ describe ConversationsController, :type => :controller do it "responds with the conversation id as JSON" do post :create, params: params, format: :js - expect(response).to be_success + expect(response).to be_successful expect(JSON.parse(response.body)["id"]).to eq(Conversation.first.id) end @@ -339,7 +339,7 @@ describe ConversationsController, :type => :controller do it "responds with the conversation id as JSON" do post :create, params: params, format: :js - expect(response).to be_success + expect(response).to be_successful expect(JSON.parse(response.body)["id"]).to eq(Conversation.first.id) end end @@ -362,7 +362,7 @@ describe ConversationsController, :type => :controller do it "responds with an error message" do post :create, params: params, format: :js - expect(response).not_to be_success + expect(response).not_to be_successful expect(response.body).to eq(I18n.t("conversations.create.fail")) end end @@ -385,7 +385,7 @@ describe ConversationsController, :type => :controller do it "responds with an error message" do post :create, params: params, format: :js - expect(response).not_to be_success + expect(response).not_to be_successful expect(response.body).to eq(I18n.t("javascripts.conversation.create.no_recipient")) end end 
@@ -408,7 +408,7 @@ describe ConversationsController, :type => :controller do it "responds with an error message" do post :create, params: params, format: :js - expect(response).not_to be_success + expect(response).not_to be_successful expect(response.body).to eq(I18n.t("javascripts.conversation.create.no_recipient")) end end @@ -433,7 +433,7 @@ describe ConversationsController, :type => :controller do it "responds with an error message" do post :create, params: params, format: :js - expect(response).not_to be_success + expect(response).not_to be_successful expect(response.body).to eq(I18n.t("javascripts.conversation.create.no_recipient")) end end @@ -452,7 +452,7 @@ describe ConversationsController, :type => :controller do it "succeeds with json" do get :show, params: {id: conversation.id}, format: :json - expect(response).to be_success + expect(response).to be_successful expect(assigns[:conversation]).to eq(conversation) expect(response.body).to include conversation.guid end diff --git a/spec/controllers/help_controller_spec.rb b/spec/controllers/help_controller_spec.rb index 11feab03b..a4d1c03c4 100644 --- a/spec/controllers/help_controller_spec.rb +++ b/spec/controllers/help_controller_spec.rb @@ -4,7 +4,7 @@ describe HelpController, type: :controller do describe "#faq" do it "succeeds" do get :faq - expect(response).to be_success + expect(response).to be_successful end it "fails on mobile" do diff --git a/spec/controllers/home_controller_spec.rb b/spec/controllers/home_controller_spec.rb index 6f8b8e031..deb97ecb7 100644 --- a/spec/controllers/home_controller_spec.rb +++ b/spec/controllers/home_controller_spec.rb @@ -33,12 +33,12 @@ describe HomeController, type: :controller do describe "#podmin" do it "succeeds" do get :podmin - expect(response).to be_success + expect(response).to be_successful end it "succeeds on mobile" do get :podmin, format: :mobile - expect(response).to be_success + expect(response).to be_successful end end 
diff --git a/spec/controllers/jasmine_fixtures/streams_spec.rb b/spec/controllers/jasmine_fixtures/streams_spec.rb index ea58bf176..3297816d2 100644 --- a/spec/controllers/jasmine_fixtures/streams_spec.rb +++ b/spec/controllers/jasmine_fixtures/streams_spec.rb @@ -54,7 +54,7 @@ TXT Timecop.travel(time) do get :multi, :format => :json - expect(response).to be_success + expect(response).to be_successful save_fixture(response.body, "stream_json") end end diff --git a/spec/controllers/node_info_controller_spec.rb b/spec/controllers/node_info_controller_spec.rb index 80cae293a..ba3c10738 100644 --- a/spec/controllers/node_info_controller_spec.rb +++ b/spec/controllers/node_info_controller_spec.rb @@ -5,7 +5,7 @@ describe NodeInfoController do it "responds to JSON" do get :jrd, format: :json - expect(response).to be_success + expect(response).to be_successful end it "returns a JRD" do @@ -38,7 +38,7 @@ describe NodeInfoController do it "responds to JSON" do get :document, params: {version: version}, format: :json - expect(response).to be_success + expect(response).to be_successful end it "calls NodeInfoPresenter" do diff --git a/spec/controllers/notifications_controller_spec.rb b/spec/controllers/notifications_controller_spec.rb index 21b812885..19c940481 100644 --- a/spec/controllers/notifications_controller_spec.rb +++ b/spec/controllers/notifications_controller_spec.rb @@ -37,7 +37,7 @@ describe NotificationsController, :type => :controller do end get :update, params: {id: note.id, set_unread: "true"}, format: :json - expect(response).to be_success + expect(response).to be_successful updated_note = Notification.find(note.id) expect(updated_note.unread).to eq(true) @@ -64,7 +64,7 @@ describe NotificationsController, :type => :controller do it 'succeeds' do get :index - expect(response).to be_success + expect(response).to be_successful expect(assigns[:notifications].count).to eq(1) end 
@@ -73,7 +73,7 @@ describe NotificationsController, :type => :controller do @notification.touch end get :index, format: :json - expect(response).to be_success + expect(response).to be_successful response_json = JSON.parse(response.body) note_html = Nokogiri::HTML(response_json["notification_list"][0]["also_commented"]["note_html"]) timeago_content = note_html.css("time")[0]["data-time-ago"] @@ -94,7 +94,7 @@ describe NotificationsController, :type => :controller do it 'succeeds on mobile' do get :index, format: :mobile - expect(response).to be_success + expect(response).to be_successful end it 'paginates the notifications' do @@ -128,7 +128,7 @@ describe NotificationsController, :type => :controller do it 'succeeds on mobile' do eve.share_with(alice.person, eve.aspects.first) get :index, format: :mobile - expect(response).to be_success + expect(response).to be_successful end end @@ -157,12 +157,12 @@ describe NotificationsController, :type => :controller do it "succeeds" do get :index - expect(response).to be_success + expect(response).to be_successful end it "succeeds on mobile" do get :index, format: :mobile - expect(response).to be_success + expect(response).to be_successful end end end diff --git a/spec/controllers/people_controller_spec.rb b/spec/controllers/people_controller_spec.rb index e979a9c00..dd11edadf 100644 --- a/spec/controllers/people_controller_spec.rb +++ b/spec/controllers/people_controller_spec.rb @@ -33,7 +33,7 @@ describe PeopleController, :type => :controller do describe 'via json' do it 'succeeds' do get :index, params: {q: "Korth"}, format: :json - expect(response).to be_success + expect(response).to be_successful end it 'responds with json' do 
@@ -109,23 +109,23 @@ describe PeopleController, :type => :controller do it "succeeds if there is exactly one match" do get :index, params: {q: "Korth"} expect(assigns[:people].length).to eq(1) - expect(response).to be_success + expect(response).to be_successful end it "succeeds if there are no matches" do get :index, params: {q: "Korthsauce"} expect(assigns[:people].length).to eq(0) - expect(response).to be_success + expect(response).to be_successful end it 'succeeds if you search for the empty term' do get :index, params: {q: ""} - expect(response).to be_success + expect(response).to be_successful end it 'succeeds if you search for punctuation' do get :index, params: {q: "+"} - expect(response).to be_success + expect(response).to be_successful end it "excludes people who have searchable off" do @@ -225,7 +225,7 @@ describe PeopleController, :type => :controller do profile = user2.profile profile.update_attribute(:first_name, "") get :show, params: {id: user2.person.to_param} - expect(response).to be_success + expect(response).to be_successful expect(response.body).not_to include(profile.first_name) end @@ -244,12 +244,12 @@ describe PeopleController, :type => :controller do context "when the person is the current user" do it "succeeds" do get :show, params: {id: @user.person.to_param} - expect(response).to be_success + expect(response).to be_successful end it 'succeeds on the mobile site' do get :show, params: {id: @user.person.to_param}, format: :mobile - expect(response).to be_success + expect(response).to be_successful end it "assigns the right person" do @@ -271,7 +271,7 @@ describe PeopleController, :type => :controller do it 'succeeds on the mobile site' do get :show, params: {id: @person.to_param}, format: :mobile - expect(response).to be_success + expect(response).to be_successful end it 'forces to sign in if the person is remote' do 
@@ -316,12 +316,12 @@ describe PeopleController, :type => :controller do it "succeeds" do get :show, params: {id: @person.to_param} - expect(response).to be_success + expect(response).to be_successful end it 'succeeds on the mobile site' do get :show, params: {id: @person.to_param}, format: :mobile - expect(response).to be_success + expect(response).to be_successful end it 'marks a corresponding notifications as read' do @@ -351,12 +351,12 @@ describe PeopleController, :type => :controller do it "succeeds" do get :show, params: {id: @person.to_param} - expect(response).to be_success + expect(response).to be_successful end it 'succeeds on the mobile site' do get :show, params: {id: @person.to_param}, format: :mobile - expect(response).to be_success + expect(response).to be_successful end it "leaks no private profile info" do @@ -406,7 +406,7 @@ describe PeopleController, :type => :controller do message = @user.post :status_message, :text => 'test more', :to => @aspect.id @user.comment!(message, cmmt) get :stream, params: {person_id: @user.person.to_param}, format: :json - expect(response).to be_success + expect(response).to be_successful expect(response.body).to include(cmmt) end end diff --git a/spec/controllers/photos_controller_spec.rb b/spec/controllers/photos_controller_spec.rb index f9f17762e..b443e862d 100644 --- a/spec/controllers/photos_controller_spec.rb +++ b/spec/controllers/photos_controller_spec.rb 
@@ -81,17 +81,17 @@ describe PhotosController, :type => :controller do it "succeeds without any available pictures" do get :index, params: {person_id: FactoryGirl.create(:person).guid} - expect(response).to be_success + expect(response).to be_successful end it "succeeds on mobile devices without any available pictures" do get :index, params: {person_id: FactoryGirl.create(:person).guid}, format: :mobile - expect(response).to be_success + expect(response).to be_successful end it "succeeds on mobile devices with available pictures" do get :index, params: {person_id: bob.person.guid}, format: :mobile - expect(response).to be_success + expect(response).to be_successful end it "displays the logged in user's pictures" do @@ -145,7 +145,7 @@ describe PhotosController, :type => :controller do it "succeeds on the mobile site" do get :index, params: {person_id: @person.to_param}, format: :mobile - expect(response).to be_success + expect(response).to be_successful end it "forces to sign in if the person is remote" do @@ -227,7 +227,7 @@ describe PhotosController, :type => :controller do it 'should return 200 for existing stuff on mobile devices' do get :show, params: {person_id: alice.person.guid, id: @alices_photo.id}, format: :mobile - expect(response).to be_success + expect(response).to be_successful end it "doesn't leak private photos to the public" do diff --git a/spec/controllers/posts_controller_spec.rb b/spec/controllers/posts_controller_spec.rb index 47c669ba4..d9e9b4a6d 100644 --- a/spec/controllers/posts_controller_spec.rb +++ b/spec/controllers/posts_controller_spec.rb @@ -19,7 +19,7 @@ describe PostsController, type: :controller do expect_any_instance_of(PostService).to receive(:mark_user_notifications).with(post.id) get :show, params: {id: post.id} - expect(response).to be_success + expect(response).to be_successful end it "succeeds after removing a mention when closing the mentioned user's account" do 
@@ -32,7 +32,7 @@ describe PostsController, type: :controller do
 user.close_account!
 get :show, params: {id: msg.id}
- expect(response).to be_success
+ expect(response).to be_successful
 end
 it "renders the application layout on mobile" do
@@ -45,7 +45,7 @@ describe PostsController, type: :controller do
 expect_any_instance_of(PostService).to receive(:mark_user_notifications).with(reshare_id)
 get :show, params: {id: reshare_id}, format: :mobile
- expect(response).to be_success
+ expect(response).to be_successful
 end
 end
diff --git a/spec/controllers/profiles_controller_spec.rb b/spec/controllers/profiles_controller_spec.rb
index b5b635796..00700caec 100644
--- a/spec/controllers/profiles_controller_spec.rb
+++ b/spec/controllers/profiles_controller_spec.rb
@@ -25,7 +25,7 @@ describe ProfilesController, :type => :controller do
 describe '#edit' do
 it 'succeeds' do
 get :edit
- expect(response).to be_success
+ expect(response).to be_successful
 end
 it 'sets the profile to the current users profile' do
diff --git a/spec/controllers/reshares_controller_spec.rb b/spec/controllers/reshares_controller_spec.rb
index d266c4b71..3a31f424f 100644
--- a/spec/controllers/reshares_controller_spec.rb
+++ b/spec/controllers/reshares_controller_spec.rb
@@ -13,7 +13,7 @@ describe ResharesController, :type => :controller do
 it 'requires authentication' do
 post_request!
- expect(response).not_to be_success
+ expect(response).not_to be_successful
 end
 context 'with an authenticated user' do
@@ -23,7 +23,7 @@ describe ResharesController, :type => :controller do
 end
 it 'succeeds' do
- expect(response).to be_success
+ expect(response).to be_successful
 post_request!
 end
diff --git a/spec/controllers/share_visibilities_controller_spec.rb b/spec/controllers/share_visibilities_controller_spec.rb
index 6f0716558..29ba5e90d 100644
--- a/spec/controllers/share_visibilities_controller_spec.rb
+++ b/spec/controllers/share_visibilities_controller_spec.rb
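Review bot: In reshares_controller_spec.rb's `it 'succeeds'` example (hunk `@@ -23,7`), the expectation is evaluated before the request is made: the order visible in the hunk is `expect(response).to be_successful` followed by `post_request!`, so the matcher inspects the pre-request test response and presumably passes no matter what the reshare action returns. Swapping the two lines (`post_request!` first, then `expect(response).to be_successful`) makes the example actually exercise the controller; the matcher rename in this commit is mechanical and leaves that defect in place. The other hunks in this file and in the surrounding spec files only rename the matcher.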
@@ -17,7 +17,7 @@ describe ShareVisibilitiesController, :type => :controller do
 it 'succeeds' do
 put :update, params: {id: 42, post_id: @status.id}, format: :js
- expect(response).to be_success
+ expect(response).to be_successful
 end
 it 'it calls toggle_hidden_shareable' do
diff --git a/spec/controllers/status_messages_controller_spec.rb b/spec/controllers/status_messages_controller_spec.rb
index 14e6999ab..a5eacf4ae 100644
--- a/spec/controllers/status_messages_controller_spec.rb
+++ b/spec/controllers/status_messages_controller_spec.rb
@@ -17,7 +17,7 @@ describe StatusMessagesController, :type => :controller do
 describe '#bookmarklet' do
 it 'succeeds' do
 get :bookmarklet
- expect(response).to be_success
+ expect(response).to be_successful
 end
 it 'contains a complete html document' do
@@ -34,14 +34,14 @@ describe StatusMessagesController, :type => :controller do
 title: "Surprised Kitty",
 notes: "cute kitty"
 }
- expect(response).to be_success
+ expect(response).to be_successful
 end
 end
 describe '#new' do
 it 'succeeds' do
 get :new, params: {person_id: bob.person.id}
- expect(response).to be_success
+ expect(response).to be_successful
 end
 it 'should redirect on desktop version' do
diff --git a/spec/controllers/streams_controller_spec.rb b/spec/controllers/streams_controller_spec.rb
index d46c22887..e628f91ae 100644
--- a/spec/controllers/streams_controller_spec.rb
+++ b/spec/controllers/streams_controller_spec.rb
@@ -15,19 +15,19 @@ describe StreamsController, :type => :controller do
 describe "#public" do
 it "succeeds" do
 get :public
- expect(response).to be_success
+ expect(response).to be_successful
 end
 end
 describe "#multi" do
 it "succeeds" do
 get :multi
- expect(response).to be_success
+ expect(response).to be_successful
 end
 it "succeeds on mobile" do
 get :multi, format: :mobile
- expect(response).to be_success
+ expect(response).to be_successful
 end
 context "getting started" do
@@ -54,7 +54,7 @@ describe StreamsController, :type => :controller do
 describe "a GET to #{stream_path}" do
 it "assigns a stream of the proper class" do
 get stream_path
- expect(response).to be_success
+ expect(response).to be_successful
 expect(assigns[:stream]).to be_a stream_class
 end
 end
@@ -65,12 +65,12 @@ describe StreamsController, :type => :controller do
 describe "#public" do
 it "succeeds" do
 get :public
- expect(response).to be_success
+ expect(response).to be_successful
 end
 it "succeeds on mobile" do
 get :public, format: :mobile
- expect(response).to be_success
+ expect(response).to be_successful
 end
 end
diff --git a/spec/controllers/tags_controller_spec.rb b/spec/controllers/tags_controller_spec.rb
index c537e49a5..a3aaadfc0 100644
--- a/spec/controllers/tags_controller_spec.rb
+++ b/spec/controllers/tags_controller_spec.rb
@@ -105,7 +105,7 @@ describe TagsController, :type => :controller do
 it 'succeeds with mobile' do
 get :show, params: {name: "foo"}, format: :mobile
- expect(response).to be_success
+ expect(response).to be_successful
 end
 it "returns the post with the correct age" do
diff --git a/spec/controllers/terms_controller_spec.rb b/spec/controllers/terms_controller_spec.rb
index ea22bbc94..dc5457e34 100644
--- a/spec/controllers/terms_controller_spec.rb
+++ b/spec/controllers/terms_controller_spec.rb
@@ -4,12 +4,12 @@ describe TermsController, type: :controller do
 describe "#index" do
 it "succeeds" do
 get :index
- expect(response).to be_success
+ expect(response).to be_successful
 end
 it "succeeds on mobile" do
 get :index, format: :mobile
- expect(response).to be_success
+ expect(response).to be_successful
 end
 end
 end
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index ffeb120ff..85c70f18d 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -327,12 +327,12 @@ describe UsersController, :type => :controller do
 describe 'getting_started' do
 it 'does not fail miserably' do
 get :getting_started
- expect(response).to be_success
+ expect(response).to be_successful
 end
 it 'does not fail miserably on mobile' do
 get :getting_started, format: :mobile
- expect(response).to be_success
+ expect(response).to be_successful
 end
 context "with inviter" do
From 4685df634cbc6fe12b6da5aac427d87e22c4d0a9 Mon Sep 17 00:00:00 2001
From: Dennis Schubert
Date: Tue, 11 Feb 2020 19:57:09 +0100
Subject: [PATCH 07/17] Make Person.search_query_string public.
Accessibility of private/protected class methods in :scope is deprecated and will be removed in Rails 6.0.
---
app/models/person.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/models/person.rb b/app/models/person.rb
index 64746200e..db799d7d7 100644
--- a/app/models/person.rb
+++ b/app/models/person.rb
@@ -209,7 +209,7 @@ class Person < ApplicationRecord
 self.guid
 end
- private_class_method def self.search_query_string(query)
+ def self.search_query_string(query)
 query = query.downcase
 like_operator = AppConfig.postgres? ? "ILIKE" : "LIKE"
From 2e2b42ef1ad6719848567fd38bf8d71e95004607 Mon Sep 17 00:00:00 2001
From: Dennis Schubert
Date: Tue, 11 Feb 2020 20:21:34 +0100
Subject: [PATCH 08/17] Mark non-attribute usage in SQL queries as safe.
Non-attribute arguments will be disallowed in Rails 6.0.
---
app/controllers/admins_controller.rb | 11 +++++++++--
app/controllers/contacts_controller.rb | 2 +-
app/models/person.rb | 6 +++---
app/services/like_service.rb | 2 +-
app/services/reshare_service.rb | 2 +-
5 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/app/controllers/admins_controller.rb b/app/controllers/admins_controller.rb
index f0fa8bb5c..daad7c46f 100644
--- a/app/controllers/admins_controller.rb
+++ b/app/controllers/admins_controller.rb
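Review bot: `def self.search_query_string(query)` in the person.rb hunk becomes a public class method solely so the search `:scope` may keep calling it, but nothing in the code records that, so it now reads as part of Person's public API and will be used as such. A one-line comment above the definition would preserve the intent: `# Public only because Rails 6 no longer lets scopes call private class methods; not meant for callers outside the search scope.` The method body beyond `like_operator = ...` lies outside this hunk, so I could not check how the downcased user-supplied query is escaped before it reaches the LIKE pattern.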
@@ -51,7 +51,11 @@ class AdminsController < Admin::AdminController
 end
 def stats
- @popular_tags = ActsAsTaggableOn::Tagging.joins(:tag).limit(50).order('count(taggings.id) DESC').group(:tag).count
+ @popular_tags = ActsAsTaggableOn::Tagging.joins(:tag)
+ .limit(50)
+ .order(Arel.sql("count(taggings.id) DESC"))
+ .group(:tag)
+ .count
 case params[:range]
 when "week"
@@ -72,7 +76,10 @@ class AdminsController < Admin::AdminController
 create_hash(model, :range => range)
 end
- @posts_per_day = Post.where("created_at >= ?", Date.today - 21.days).group("DATE(created_at)").order("DATE(created_at) ASC").count
+ @posts_per_day = Post.where("created_at >= ?", Time.zone.today - 21.days)
+ .group(Arel.sql("DATE(created_at)"))
+ .order(Arel.sql("DATE(created_at) ASC"))
+ .count
 @most_posts_within = @posts_per_day.values.max.to_f
 @user_count = User.count
diff --git a/app/controllers/contacts_controller.rb b/app/controllers/contacts_controller.rb
index f62050734..34a45b383 100644
--- a/app/controllers/contacts_controller.rb
+++ b/app/controllers/contacts_controller.rb
@@ -66,7 +66,7 @@ class ContactsController < ApplicationController
 when "receiving"
 current_user.contacts.receiving
 when "by_aspect"
- order.unshift "contact_id IS NOT NULL DESC"
+ order.unshift Arel.sql("contact_id IS NOT NULL DESC")
 contacts_by_aspect(@aspect.id)
 else
 raise ArgumentError, "unknown type #{type}"
diff --git a/app/models/person.rb b/app/models/person.rb
index db799d7d7..081a08dd8 100644
--- a/app/models/person.rb
+++ b/app/models/person.rb
@@ -162,7 +162,7 @@ class Person < ApplicationRecord
 contacts.id IS NOT NULL AS is_contact
 SQL
 )
- .order(<<-SQL
+ .order(Arel.sql(<<-SQL
 is_author DESC,
 is_commenter DESC,
 is_liker DESC,
@@ -170,7 +170,7 @@ class Person < ApplicationRecord
 profiles.full_name,
 people.diaspora_handle
 SQL
- )
+ ))
 }
 def self.community_spotlight
@@ -241,7 +241,7 @@ class Person < ApplicationRecord
 query = query.where(contacts: {sharing: true, receiving: true}) if mutual
 query.where(closed_account: false)
- .order(["contacts.user_id IS NULL", "profiles.last_name ASC", "profiles.first_name ASC"])
+ .order([Arel.sql("contacts.user_id IS NULL"), "profiles.last_name ASC", "profiles.first_name ASC"])
 end
 def name(opts = {})
diff --git a/app/services/like_service.rb b/app/services/like_service.rb
index b5623a048..64bb990fa 100644
--- a/app/services/like_service.rb
+++ b/app/services/like_service.rb
@@ -22,7 +22,7 @@ class LikeService
 def find_for_post(post_id)
 likes = post_service.find!(post_id).likes
- user ? likes.order("author_id = #{user.person.id} DESC") : likes
+ user ? likes.order(Arel.sql("author_id = #{user.person.id} DESC")) : likes
 end
 private
diff --git a/app/services/reshare_service.rb b/app/services/reshare_service.rb
index c4bd94ff6..2f4c73c6f 100644
--- a/app/services/reshare_service.rb
+++ b/app/services/reshare_service.rb
@@ -13,7 +13,7 @@ class ReshareService
 def find_for_post(post_id)
 reshares = post_service.find!(post_id).reshares
- user ? reshares.order("author_id = #{user.person.id} DESC") : reshares
+ user ? reshares.order(Arel.sql("author_id = #{user.person.id} DESC")) : reshares
 end
 private
From 71023a8713df91ffbd1b4747ff7c534a9e167734 Mon Sep 17 00:00:00 2001
From: Dennis Schubert
Date: Tue, 11 Feb 2020 20:26:22 +0100
Subject: [PATCH 09/17] Replace secret_token with secret_key_base.
secrets.secret_token is deprecated in favor of secret_key_base and will be removed in Rails 6.0.
---
config/initializers/set_session_secret.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/initializers/set_session_secret.rb b/config/initializers/set_session_secret.rb
index 57304735f..46723d65d 100644
--- a/config/initializers/set_session_secret.rb
+++ b/config/initializers/set_session_secret.rb
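Review bot: `likes.order(Arel.sql("author_id = #{user.person.id} DESC"))` in like_service.rb — and the identical line in reshare_service.rb's `find_for_post` on the same page — wraps a string with runtime interpolation in `Arel.sql`, which asserts the whole string is trusted SQL and permanently silences the very check this commit is preparing for. Today `user.person.id` is a database primary key rather than request input, so this is not exploitable as written, but the next edit that interpolates something else into that string gets no warning. Keeping the value out of the raw fragment is a one-line change: `likes.order(Arel.sql(likes.klass.sanitize_sql_array(["author_id = ? DESC", user.person.id])))` (sanitize_sql_array should be public on models from Rails 5.2 — worth confirming against the bumped version), or at minimum coerce inside the interpolation with `Integer(user.person.id)`. The `Arel.sql` uses in the person.rb, admins_controller.rb and contacts_controller.rb hunks wrap constant strings only and are fine.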
@@ -1,3 +1,3 @@
 # frozen_string_literal: true
-Rails.application.config.secret_token = AppConfig.secret_token
+Rails.application.config.secret_key_base = AppConfig.secret_token
From 67d73ece8090f6e8fa3b7103c26141fa25141e4f Mon Sep 17 00:00:00 2001
From: Dennis Schubert
Date: Tue, 11 Feb 2020 20:31:52 +0100
Subject: [PATCH 10/17] Bump secure_headers.
---
Gemfile | 2 +-
Gemfile.lock | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Gemfile b/Gemfile
index 9ac7acdcb..382be596b 100644
--- a/Gemfile
+++ b/Gemfile
@@ -154,7 +154,7 @@ gem "string-direction", "1.2.1"
 # Security Headers
-gem "secure_headers", "6.1.1"
+gem "secure_headers", "6.3.0"
 # Services
diff --git a/Gemfile.lock b/Gemfile.lock
index 8720509a1..ed38a31d0 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -668,7 +668,7 @@ GEM
 scss_lint (0.55.0)
 rake (>= 0.9, < 13)
 sass (~> 3.4.20)
- secure_headers (6.1.1)
+ secure_headers (6.3.0)
 shellany (0.0.1)
 shoulda-matchers (4.0.1)
 activesupport (>= 4.2.0)
@@ -905,7 +905,7 @@ DEPENDENCIES
 ruby-oembed (= 0.12.0)
 rubyzip (= 1.2.2)
 sass-rails (= 5.0.7)
- secure_headers (= 6.1.1)
+ secure_headers (= 6.3.0)
 shoulda-matchers (= 4.0.1)
 sidekiq (= 5.2.7)
 sidekiq-cron (= 1.1.0)
From b7ee911778c37318fbb62457348d478881a52d74 Mon Sep 17 00:00:00 2001
From: Dennis Schubert
Date: Tue, 11 Feb 2020 20:32:48 +0100
Subject: [PATCH 11/17] Bump excon.
---
Gemfile.lock | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index ed38a31d0..3e12364d6 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -216,7 +216,7 @@ GEM
 tzinfo
 ethon (0.12.0)
 ffi (>= 1.3.0)
- excon (0.64.0)
+ excon (0.72.0)
 execjs (2.7.0)
 eye (0.10.0)
 celluloid (~> 0.17.3)
From d898b5ba69ec7001b9bec83657065121a58352d8 Mon Sep 17 00:00:00 2001
From: Dennis Schubert
Date: Tue, 11 Feb 2020 20:33:37 +0100
Subject: [PATCH 12/17] Bump rack-cors.
---
Gemfile | 2 +-
Gemfile.lock | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
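Review bot: The replaced line in set_session_secret.rb switches the app from the legacy `secret_token` cookie scheme to `secret_key_base` with no comment, so nothing tells the next reader that this value now seeds the key generator for every signed and encrypted cookie (session, remember-me and the like) and that cookies signed under the old scheme will presumably stop verifying once this is deployed. A comment above the assignment would capture that: `# Rails 5.2: secret_key_base seeds the key generator for all signed/encrypted cookies; changing AppConfig.secret_token invalidates every existing session.` Since `Rails.application.secrets` memoizes its fallback to `config.secret_key_base` on first access, the assignment only takes effect if nothing reads `secrets` before this initializer runs — I cannot verify initializer ordering from this hunk, so a quick check in a production-like boot is worthwhile. Rails validates only that the value is non-blank in production, so any minimum-length expectation for `AppConfig.secret_token` would need to be enforced elsewhere.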
diff --git a/Gemfile b/Gemfile
index 382be596b..c1f934b24 100644
--- a/Gemfile
+++ b/Gemfile
@@ -54,7 +54,7 @@ gem "configurate", "0.3.1"
 # Cross-origin resource sharing
-gem "rack-cors", "1.0.3", require: "rack/cors"
+gem "rack-cors", "1.1.1", require: "rack/cors"
 # CSS
diff --git a/Gemfile.lock b/Gemfile.lock
index 3e12364d6..e5c7ac212 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -497,7 +497,8 @@ GEM
 public_suffix (3.1.1)
 raabro (1.1.6)
 rack (2.2.2)
- rack-cors (1.0.3)
+ rack-cors (1.1.1)
+ rack (>= 2.0.0)
 rack-google-analytics (1.2.0)
 actionpack
 activesupport
@@ -861,7 +862,7 @@ DEPENDENCIES
 pronto-scss (= 0.10.0)
 pry
 pry-byebug
- rack-cors (= 1.0.3)
+ rack-cors (= 1.1.1)
 rack-google-analytics (= 1.2.0)
 rack-piwik (= 0.3.0)
 rack-rewrite (= 1.5.1)
From 43b83cf8f710786f8703f2b0ef3ed84d30ec3425 Mon Sep 17 00:00:00 2001
From: Dennis Schubert
Date: Tue, 11 Feb 2020 20:36:30 +0100
Subject: [PATCH 13/17] Bump json-jwt.
---
Gemfile.lock | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index e5c7ac212..55c77d04f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -354,7 +354,7 @@ GEM
 rails (>= 4.0, < 6.0)
 sprockets (>= 3.0.0)
 json (2.2.0)
- json-jwt (1.10.2)
+ json-jwt (1.11.0)
 activesupport (>= 4.2)
 aes_key_wrap
 bindata
From 905df19a346eb8148da49b173e544924517eec33 Mon Sep 17 00:00:00 2001
From: Dennis Schubert
Date: Tue, 11 Feb 2020 20:38:13 +0100
Subject: [PATCH 14/17] Bump rubyzip.
---
Gemfile | 2 +-
Gemfile.lock | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Gemfile b/Gemfile
index c1f934b24..c2d890c11 100644
--- a/Gemfile
+++ b/Gemfile
@@ -201,7 +201,7 @@ gem "logging-rails", "0.6.0", require: "logging/rails"
 # Reading and writing zip files
-gem "rubyzip", "1.2.2", require: "zip"
+gem "rubyzip", "1.3.0", require: "zip"
 # Prevent occasions where minitest is not bundled in
 # packaged versions of ruby. See following issues/prs:
diff --git a/Gemfile.lock b/Gemfile.lock
index 55c77d04f..f3c97edae 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -650,7 +650,7 @@ GEM
 ruby-oembed (0.12.0)
 ruby-progressbar (1.10.1)
 ruby_dep (1.5.0)
- rubyzip (1.2.2)
+ rubyzip (1.3.0)
 rugged (0.28.2)
 safe_yaml (1.0.5)
 sass (3.4.25)
@@ -904,7 +904,7 @@ DEPENDENCIES
 rubocop (= 0.72.0)
 rubocop-rails (= 2.1.0)
 ruby-oembed (= 0.12.0)
- rubyzip (= 1.2.2)
+ rubyzip (= 1.3.0)
 sass-rails (= 5.0.7)
 secure_headers (= 6.3.0)
 shoulda-matchers (= 4.0.1)
From bc601f7c3492dc408824286e97673fafebab4aa9 Mon Sep 17 00:00:00 2001
From: Dennis Schubert
Date: Tue, 11 Feb 2020 20:44:25 +0100
Subject: [PATCH 15/17] Bump devise.
---
Gemfile | 2 +-
Gemfile.lock | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Gemfile b/Gemfile
index c2d890c11..874630e26 100644
--- a/Gemfile
+++ b/Gemfile
@@ -26,7 +26,7 @@ gem "json-schema", "2.8.1"
 # Authentication
-gem "devise", "4.6.1"
+gem "devise", "4.7.1"
 gem "devise-two-factor", "3.0.3"
 gem "devise_lastseenable", "0.0.6"
 gem "rqrcode", "0.10.1"
diff --git a/Gemfile.lock b/Gemfile.lock
index f3c97edae..a51a064e4 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -169,10 +169,10 @@ GEM
 cucumber-tag_expressions (1.1.1)
 cucumber-wire (0.0.1)
 database_cleaner (1.7.0)
- devise (4.6.1)
+ devise (4.7.1)
 bcrypt (~> 3.0)
 orm_adapter (~> 0.1)
- railties (>= 4.1.0, < 6.0)
+ railties (>= 4.1.0)
 responders
 warden (~> 1.2.3)
 devise-two-factor (3.0.3)
@@ -805,7 +805,7 @@ DEPENDENCIES
 cucumber-api-steps (= 0.14)
 cucumber-rails (= 1.7.0)
 database_cleaner (= 1.7.0)
- devise (= 4.6.1)
+ devise (= 4.7.1)
 devise-two-factor (= 3.0.3)
 devise_lastseenable (= 0.0.6)
 diaspora-prosody-config (= 0.0.7)
From ec72ac12774a26230dd5ac17ae48725e357b8dbc Mon Sep 17 00:00:00 2001
From: Dennis Schubert
Date: Tue, 11 Feb 2020 20:47:05 +0100
Subject: [PATCH 16/17] Bump nokogiri.
---
Gemfile | 2 +-
Gemfile.lock | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Gemfile b/Gemfile
index 874630e26..b10f65b3a 100644
--- a/Gemfile
+++ b/Gemfile
@@ -142,7 +142,7 @@ gem "leaflet-rails", "1.5.1"
 # Parsing
-gem "nokogiri", "1.10.3"
+gem "nokogiri", "1.10.8"
 gem "open_graph_reader", "0.7.0" # also update User-Agent in features/support/webmock.rb
 gem "redcarpet", "3.4.0"
 gem "ruby-oembed", "0.12.0"
diff --git a/Gemfile.lock b/Gemfile.lock
index a51a064e4..045f2bbb0 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -415,7 +415,7 @@ GEM
 naught (1.1.0)
 nenv (0.3.0)
 nio4r (2.5.2)
- nokogiri (1.10.3)
+ nokogiri (1.10.8)
 mini_portile2 (~> 2.4.0)
 notiffany (0.1.1)
 nenv (~> 0.1)
@@ -846,7 +846,7 @@ DEPENDENCIES
 minitest
 mobile-fu (= 1.4.0)
 mysql2 (= 0.5.2)
- nokogiri (= 1.10.3)
+ nokogiri (= 1.10.8)
 omniauth (= 1.9.0)
 omniauth-tumblr (= 1.2)
 omniauth-twitter (= 1.4.0)
From b0181fbbb9d551c330df8f29fc1768d9b619662c Mon Sep 17 00:00:00 2001
From: Dennis Schubert
Date: Tue, 11 Feb 2020 20:48:32 +0100
Subject: [PATCH 17/17] Bump mini_magick.
closes #8108
---
Changelog.md | 3 +++
Gemfile | 2 +-
Gemfile.lock | 4 ++--
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index 2c5a37950..886b5cc40 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,8 @@
 # 0.7.13.0
+## Security
+* Fixes [USN-4274-1](https://usn.ubuntu.com/4274-1/), a potential Denial-of-Service vulnerability in Nokogiri. [#8108](https://github.com/diaspora/diaspora/pull/8108)
+
 ## Refactor
 * Set better example values for unicorn stdout/stderr log settings [#8058](https://github.com/diaspora/diaspora/pull/8058)
 * Replace dependency on rails-assets.org with custom gems cache at gems.diasporafoundation.org [#8087](https://github.com/diaspora/diaspora/pull/8087)
diff --git a/Gemfile b/Gemfile
index b10f65b3a..4416b5feb 100644
--- a/Gemfile
+++ b/Gemfile
@@ -81,7 +81,7 @@ gem "activerecord-import", "1.0.2"
 gem "carrierwave", "1.3.1"
 gem "fog-aws", "3.5.1"
-gem "mini_magick", "4.9.3"
+gem "mini_magick", "4.10.1"
 # GUID generation
 gem "uuid", "2.3.9"
diff --git a/Gemfile.lock b/Gemfile.lock
index 045f2bbb0..dcfa93edc 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -400,7 +400,7 @@ GEM
 mime-types-data (~> 3.2015)
 mime-types-data (3.2019.0331)
 mimemagic (0.3.4)
- mini_magick (4.9.3)
+ mini_magick (4.10.1)
 mini_mime (1.0.2)
 mini_portile2 (2.4.0)
 minitest (5.14.0)
@@ -842,7 +842,7 @@ DEPENDENCIES
 logging-rails (= 0.6.0)
 markdown-it-html5-embed (= 1.0.0)
 markerb (= 1.1.0)
- mini_magick (= 4.9.3)
+ mini_magick (= 4.10.1)
 minitest
 mobile-fu (= 1.4.0)
 mysql2 (= 0.5.2)