
Upgrade Ruby #57

Merged
merged 9 commits into from Apr 8, 2019

@johnsyweb
Member

johnsyweb commented Apr 5, 2019

Context

Support of Ruby 2.3 has already ended! :spinning_clock:
https://www.ruby-lang.org/en/news/2019/03/31/support-of-ruby-2-3-has-ended/

Considerations

How far should we take this upgrade?

johnsyweb added some commits Apr 5, 2019

@@ -3,16 +3,16 @@ GEM
specs:
addressable (2.5.2)
public_suffix (>= 2.0.2, < 4.0)
byebug (10.0.2)
byebug (11.0.1)
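
Review bot: byebug moves across a major version (10.0.2 to 11.0.1) in this hunk, while the pry-byebug entry further down in this lock still shows the old constraint byebug (~> 10.0); a one-line note in the PR description on why the major bump is taken (the linked change-log covers 204 commits) would help reviewers, and confirm the resolver, not a hand edit, produced the new lock so the two entries are consistent.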

@johnsyweb

johnsyweb Apr 5, 2019

Author Member

byebug

Major version upgrade 📈❗️ 10.0.2 → 11.0.1

[change-log, source-code]

Commits

A change of 204 commits. See the full changes on the compare page.

These are the first 10 commits:
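The major/minor/patch/added labels in these per-gem comments can be derived mechanically from the old and new Gemfile.lock. The following is an added example, not code from this PR or from the tool that produced the comments: it parses the 4-space-indented spec lines of two constructed lockfile fragments (OLD_LOCK and NEW_LOCK, using versions taken from this diff) and labels each change by the first differing version segment; the helper names parse_specs, classify and lock_diff are my own.

```ruby
# Added example (not this PR's code): label Gemfile.lock version changes the way
# the per-gem comments in this PR do (major / minor / patch / added / removed).
# Spec lines under "specs:" are indented 4 spaces; dependency lines (6 spaces) are skipped.
SPEC_LINE = /\A {4}(\S+) \(([^)]+)\)\s*\z/.freeze
# Constructed fragments; the versions are ones that appear in this PR's diff.
OLD_LOCK = <<~LOCK
  GEM
    specs:
      addressable (2.5.2)
        public_suffix (>= 2.0.2, < 4.0)
      byebug (10.0.2)
      daemons (1.2.6)
      faraday (0.15.2)
LOCK
NEW_LOCK = <<~LOCK
  GEM
    specs:
      addressable (2.5.2)
        public_suffix (>= 2.0.2, < 4.0)
      byebug (11.0.1)
      daemons (1.3.1)
      faraday (0.15.4)
      mime-types (3.2.2)
LOCK

# Returns { "gem" => "version" } for the spec lines of a lockfile text.
def parse_specs(text)
  text.each_line.with_object({}) do |line, specs|
    m = SPEC_LINE.match(line.chomp)
    specs[m[1]] = m[2] if m
  end
end

# Classifies one change by the first differing segment; Gem::Version ships with RubyGems, so "1.3" == "1.3.0".
def classify(old_v, new_v)
  return :added if old_v.nil?
  return :removed if new_v.nil?
  a, b = Gem::Version.new(old_v), Gem::Version.new(new_v)
  return :unchanged if a == b
  idx = a.segments.zip(b.segments).index { |x, y| x != y } || [a.segments.size, b.segments.size].min
  %i[major minor patch][idx] || :patch
end

# Lists [gem, old, new, kind] for every changed gem; major bumps and added gems deserve a change-log read.
def lock_diff(old_text, new_text)
  old_s, new_s = parse_specs(old_text), parse_specs(new_text)
  rows = (old_s.keys | new_s.keys).sort.map { |g| [g, old_s[g], new_s[g], classify(old_s[g], new_s[g])] }
  rows.reject { |row| row[3] == :unchanged }
end
lock_diff(OLD_LOCK, NEW_LOCK).each { |g, o, n, k| puts "#{g}: #{k} #{o || '-'} -> #{n || '-'}" }
```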

coderay (1.1.2)
daemons (1.2.6)
daemons (1.3.1)

@johnsyweb

johnsyweb Apr 5, 2019

Author Member

daemons

Minor version upgrade 📈🔶 1.2.6 → 1.3.1

[change-log, source-code]

diff-lcs (1.3)
eventmachine (1.2.7)
faraday (0.15.2)
faraday (0.15.4)

@johnsyweb

johnsyweb Apr 5, 2019

Author Member

faraday

Patch version upgrade 📈🔹 0.15.2 → 0.15.4

[change-log, source-code]

Commits

A change of 8 commits. See the full changes on the compare page.

These are the individual commits:

multipart-post (>= 1.2, < 3)
ffi (1.9.25)
ffi (1.10.0)


formatador (0.2.5)
guard (2.14.2)
guard (2.15.0)


@@ -26,7 +26,8 @@ GEM
guard (~> 2.1)
guard-compat (~> 1.1)
rspec (>= 2.99.0, < 4.0)
httparty (0.16.2)
httparty (0.16.4)


@@ -36,38 +37,41 @@ GEM
rb-inotify (~> 0.9, >= 0.9.7)
ruby_dep (~> 1.2)
lumberjack (1.0.13)
method_source (0.9.0)
method_source (0.9.2)
mime-types (3.2.2)

@johnsyweb

johnsyweb Apr 5, 2019

Author Member

mime-types

Gem added ⛄️

[change-log, source-code]

method_source (0.9.2)
mime-types (3.2.2)
mime-types-data (~> 3.2015)
mime-types-data (3.2019.0331)
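
Review bot: mime-types (3.2.2) and mime-types-data (3.2019.0331) are new entries in the lock (the comments above label both "Gem added"), yet no Gemfile change is shown, so they arrived as transitive dependencies; record in the PR description which direct dependency pulled them in (httparty's 0.16.2 to 0.16.4 bump in this same lock is a candidate) so that newly executed code in the bundle is accounted for rather than appearing silently.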

@johnsyweb

johnsyweb Apr 5, 2019

Author Member

mime-types-data

Gem added ⛄️

[change-log, source-code]

multi_xml (0.6.0)
multipart-post (2.0.0)
mustermann (1.0.3)
nenv (0.3.0)
notiffany (0.1.1)
nenv (~> 0.1)
shellany (~> 0.0)
octokit (4.12.0)
octokit (4.14.0)

@johnsyweb

johnsyweb Apr 5, 2019

Author Member

octokit

Minor version upgrade 📈🔶 4.12.0 → 4.14.0

[change-log, source-code]

Commits

A change of 71 commits. See the full changes on the compare page.

These are the first 10 commits:

sawyer (~> 0.8.0, >= 0.5.3)
oj (2.18.5)
pry (0.11.3)
pry (0.12.2)


coderay (~> 1.1.0)
method_source (~> 0.9.0)
pry-byebug (3.6.0)
byebug (~> 10.0)
pry-byebug (3.7.0)
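
Review bot: the old pry-byebug 3.6.0 entry carried byebug (~> 10.0), but the new 3.7.0 entry's dependency line is not visible in this hunk; verify that pry-byebug 3.7.0 is what permits byebug 11.0.1 (resolved at the top of this lock) and that both bumps were resolved together, since a pry-byebug still pinned to byebug 10 would leave the lock inconsistent.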

pry (~> 0.10)
public_suffix (3.0.3)
rack (2.0.5)
rack-protection (2.0.3)
rack (2.0.7)

@johnsyweb

johnsyweb Apr 5, 2019

Author Member

rack

Patch version upgrade 📈🔹 2.0.5 → 2.0.7

[change-log, source-code]

🎉 Patched vulnerabilities:

  • CVE-2018-16470
    Possible DoS vulnerability in Rack

    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk

    There is a possible DoS vulnerability in the multipart parser in Rack. This vulnerability has been assigned the CVE identifier CVE-2018-16470.

    Versions Affected: 2.0.4, 2.0.5
    Not affected: <= 2.0.3
    Fixed Versions: 2.0.6

    Impact
    ------
    There is a possible DoS vulnerability in the multipart parser in Rack. Carefully crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size. Impacted code can look something like this:

    ```ruby
    Rack::Request.new(env).params
    ```

    But any code that uses the multi-part parser may be vulnerable. Rack users that have manually adjusted the buffer size in the multipart parser may be vulnerable as well. All users running an affected release should either upgrade or use one of the workarounds immediately.

    Releases
    --------
    The 2.0.6 release is available at the normal locations.

    Workarounds
    -----------
    To work around this issue, the following code can be used:

    ```ruby
    require "rack/multipart/parser"
    Rack::Multipart::Parser.send :remove_const, :BUFSIZE
    Rack::Multipart::Parser.const_set :BUFSIZE, 16384
    ```

  • CVE-2018-16471
    Possible XSS vulnerability in Rack

    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o

    There is a possible vulnerability in Rack. This vulnerability has been assigned the CVE identifier CVE-2018-16471.

    Versions Affected: All.
    Not affected: None.
    Fixed Versions: 2.0.6, 1.6.11

    Impact
    ------
    There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the scheme method on Rack::Request. Applications that expect the scheme to be limited to "http" or "https" and do not escape the return value could be vulnerable to an XSS attack. Vulnerable code looks something like this:

    ```erb
    <%= request.scheme.html_safe %>
    ```

    Note that applications using the normal escaping mechanisms provided by Rails may not be impacted, but applications that bypass the escaping mechanisms, or do not use them, may be vulnerable. All users running an affected release should either upgrade or use one of the workarounds immediately.

    Releases
    --------
    The 2.0.6 and 1.6.11 releases are available at the normal locations.

    Workarounds
    -----------
    The following monkey patch can be applied to work around this issue:

    ```ruby
    require "rack"
    require "rack/request"

    class Rack::Request
      SCHEME_WHITELIST = %w(https http).freeze

      def scheme
        if get_header(Rack::HTTPS) == 'on'
          'https'
        elsif get_header(HTTP_X_FORWARDED_SSL) == 'on'
          'https'
        elsif forwarded_scheme
          forwarded_scheme
        else
          get_header(Rack::RACK_URL_SCHEME)
        end
      end

      def forwarded_scheme
        scheme_headers = [
          get_header(HTTP_X_FORWARDED_SCHEME),
          get_header(HTTP_X_FORWARDED_PROTO).to_s.split(',')[0]
        ]

        scheme_headers.each do |header|
          return header if SCHEME_WHITELIST.include?(header)
        end

        nil
      end
    end
    ```

Commits

A change of 9 commits. See the full changes on the compare page.

These are the individual commits:

rack (2.0.5)
rack-protection (2.0.3)
rack (2.0.7)
rack-protection (2.0.5)
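
Review bot: rack 2.0.5 to 2.0.7 in this hunk is the security-relevant part of the PR (the comment above lists CVE-2018-16470, a multipart parser DoS, and CVE-2018-16471, XSS via an unescaped request.scheme, both fixed in 2.0.6), so state that in the PR title or description rather than leaving it inside a minimized comment; rack-protection 2.0.3 to 2.0.5 moves in step with sinatra 2.0.3 to 2.0.5 further down, which is expected because sinatra pins rack-protection to its own version.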

rake (12.3.1)
rake (12.3.2)


rb-fsevent (0.10.3)
rb-inotify (0.9.10)
ffi (>= 0.5.0, < 2)
rb-inotify (0.10.0)

@johnsyweb

johnsyweb Apr 5, 2019

Author Member

rb-inotify

Minor version upgrade 📈🔶 0.9.10 → 0.10.0

[change-log, source-code]

Commits

A change of 23 commits. See the full changes on the compare page.

These are the first 10 commits:

rspec (3.8.0)
rspec-core (~> 3.8.0)
rspec-expectations (~> 3.8.0)
rspec-mocks (~> 3.8.0)
rspec-core (3.8.0)
rspec-support (~> 3.8.0)
rspec-expectations (3.8.1)
rspec-expectations (3.8.2)

@johnsyweb

johnsyweb Apr 5, 2019

Author Member

rspec-expectations

Patch version upgrade 📈🔹 3.8.1 → 3.8.2

[change-log, source-code]

Commits

A change of 7 commits. See the full changes on the compare page.

These are the individual commits:

@@ -79,19 +83,19 @@ GEM
addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 1.0)
shellany (0.0.1)
sinatra (2.0.3)
sinatra (2.0.5)

tilt (~> 2.0)
slack-poster (1.0.1)
httparty (~> 0.12)
thin (1.7.2)
daemons (~> 1.0, >= 1.0.9)
eventmachine (~> 1.0, >= 1.0.4)
rack (>= 1, < 3)
thor (0.20.0)
tilt (2.0.8)
thor (0.20.3)
thor (0.20.0)
tilt (2.0.8)
thor (0.20.3)
tilt (2.0.9)

@johnsyweb

johnsyweb Apr 5, 2019

Author Member

tilt

Patch version upgrade 📈🔹 2.0.8 → 2.0.9

[change-log, source-code]

Commits

A change of 11 commits. See the full changes on the compare page.

These are the first 10 commits:

@johnsyweb johnsyweb changed the title [WIP] Upgrade Ruby Upgrade Ruby Apr 5, 2019

@gusgollings
Member

gusgollings left a comment

LGTM! :)

@orien

orien approved these changes Apr 5, 2019

@@ -1 +1 @@
2.3.4
2.6.1
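
Review bot: .ruby-version goes to 2.6.1 here, but 2.6.2 is already out with security fixes, as orien points out below; commits were added to this PR on Apr 7 after that comment, so check that this file (and any CI configuration that pins the interpreter) ends up at 2.6.2 before merge.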

@orien

orien Apr 5, 2019

Member

Ruby 2.6.2 has also been released. I think we should pull in these security fixes too.

https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-6-2-released/

@johnsyweb

johnsyweb Apr 7, 2019

Author Member

Good spot. Not sure how I missed this.

johnsyweb added some commits Apr 7, 2019

@johnsyweb johnsyweb requested review from gusgollings and orien and removed request for gusgollings Apr 7, 2019

@orien

orien approved these changes Apr 8, 2019

Member

orien left a comment

Thanks ❤️

@johnsyweb johnsyweb merged commit 1dc80fe into master Apr 8, 2019

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed

@johnsyweb johnsyweb deleted the paj/upgrade-ruby branch Apr 8, 2019
