🚨 [security] Update all of rails: 5.2.3 → 5.2.4.2 (minor)

[depfu]

---

🚨 Your version of actionview has known security vulnerabilities 🚨

Advisory: CVE-2020-5267
Disclosed: March 19, 2020
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8

Possible XSS vulnerability in ActionView

There is a possible XSS vulnerability in ActionView's JavaScript literal
escape helpers. Views that use the j or escape_javascript methods
may be susceptible to XSS attacks.

Versions Affected: All.
Not affected: None.
Fixed Versions: 6.0.2.2, 5.2.4.2

Impact

There is a possible XSS vulnerability in the j and escape_javascript
methods in ActionView. These methods are used for escaping JavaScript string
literals. Impacted code will look something like this:

<script>let a = `<%= j unknown_input %>`</script>

or

<script>let a = `<%= escape_javascript unknown_input %>`</script>

Releases

The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations.

Workarounds

For those that can't upgrade, the following monkey patch may be used:

ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
  {
    "`" => "\\`",
    "$" => "\\$"
  }
)
module ActionView::Helpers::JavaScriptHelper

alias :old_ej :escape_javascript

alias :old_j :j
def escape_javascript(javascript)

javascript = javascript.to_s

if javascript.empty?

result = ""

else

result = javascript.gsub(/(\|</|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)

end

javascript.html_safe? ? result.html_safe : result

end
alias :j :escape_javascript

end

🚨 We recommend to merge and deploy this update as soon as possible! 🚨

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (5.2.3 → 5.2.4.2) · Repo

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actioncable (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionmailer (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionpack (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionview (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activejob (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activemodel (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activerecord (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activestorage (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog

↗️ activesupport (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.1.5 → 1.1.6) · Repo · Changelog

Release Notes

1.1.6 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.10.7 → 1.10.9) · Repo · Changelog

Release Notes

1.10.9

More info than we can show here.

1.10.8

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• version bump to v1.10.9
• update CHANGELOG
• Change return type to RubyArray
• update CHANGELOG for #1985
• Work around a bug in libxml2
• version bump to v1.10.8
• update CHANGELOG for v1.10.8
• remove patches from the hoe Manifest
• update to use rake-compiler ~1.1.0
• backport libxml2 patch for CVE-2020-7595

↗️ rack (indirect, 2.1.1 → 2.2.2) · Repo · Changelog

Release Notes

2.2.2 (from changelog)

More info than we can show here.

2.2.1 (from changelog)

More info than we can show here.

2.2.0 (from changelog)

More info than we can show here.

2.1.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ railties (indirect, 5.2.3 → 5.2.4.2) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ websocket-driver (indirect, 0.7.0 → 0.7.1) · Repo · Changelog

Release Notes

0.7.1 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 14 commits:

• Bump version to 0.7.1
• Change markdown formatting of docs.
• Remove a redundant statement from the Hybi setup code.
• Fail a draft-76 connection of a header does not contain any digits.
• Depend on Rake < 12.3 if we're running on Ruby < 2.0.
• Reformat the C and Java native extension modules.
• Fix an uninitialised variable warning.
• Update Travis target versions.
• Switch license to Apache 2.0.
• Test on Ruby 2.5.0.
• I think you have to use jruby-head instead of jruby-9 now.
• Bump the Ruby versions for Travis.
• If any header used by Hybi is present, then pick Hybi, and likewise for Draft76. This means the driver is more likely to pick Hybi and report likely combinations of malformed headers as errors to the client.
• If any driver encounters a validation error in the request headers, it can throw an error and Driver#start will catch that and send a 400 response to the client.

↗️ websocket-extensions (indirect, 0.1.3 → 0.1.4) · Repo · Changelog

Release Notes

0.1.4 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

• Bump version to 0.1.4
• Change markdown formatting of docs.
• Fix deprecation warning about =~ being called on TrueClass.
• Fix RSpec warnings about raise_error with no arguments.
• Update Travis target versions.
• Switch license to Apache 2.0.
• Test on Ruby 2.5.0.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)