Commit f40478fe authored by blackst0ne's avatar blackst0ne

Bump Ruby on Rails to 5.0.7.1

Fix the CVE-2018-16476 vulnerability.
parent 6964e510
source 'https://rubygems.org' source 'https://rubygems.org'
gem 'rails', '5.0.7' gem 'rails', '5.0.7.1'
gem 'rails-deprecated_sanitizer', '~> 1.0.3' gem 'rails-deprecated_sanitizer', '~> 1.0.3'
# Improves copy-on-write performance for MRI # Improves copy-on-write performance for MRI
...@@ -4,41 +4,41 @@ GEM ...@@ -4,41 +4,41 @@ GEM
RedCloth (4.3.2) RedCloth (4.3.2)
abstract_type (0.0.7) abstract_type (0.0.7)
ace-rails-ap (4.1.2) ace-rails-ap (4.1.2)
actioncable (5.0.7) actioncable (5.0.7.1)
actionpack (= 5.0.7) actionpack (= 5.0.7.1)
nio4r (>= 1.2, < 3.0) nio4r (>= 1.2, < 3.0)
websocket-driver (~> 0.6.1) websocket-driver (~> 0.6.1)
actionmailer (5.0.7) actionmailer (5.0.7.1)
actionpack (= 5.0.7) actionpack (= 5.0.7.1)
actionview (= 5.0.7) actionview (= 5.0.7.1)
activejob (= 5.0.7) activejob (= 5.0.7.1)
mail (~> 2.5, >= 2.5.4) mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 2.0) rails-dom-testing (~> 2.0)
actionpack (5.0.7) actionpack (5.0.7.1)
actionview (= 5.0.7) actionview (= 5.0.7.1)
activesupport (= 5.0.7) activesupport (= 5.0.7.1)
rack (~> 2.0) rack (~> 2.0)
rack-test (~> 0.6.3) rack-test (~> 0.6.3)
rails-dom-testing (~> 2.0) rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.0.2) rails-html-sanitizer (~> 1.0, >= 1.0.2)
actionview (5.0.7) actionview (5.0.7.1)
activesupport (= 5.0.7) activesupport (= 5.0.7.1)
builder (~> 3.1) builder (~> 3.1)
erubis (~> 2.7.0) erubis (~> 2.7.0)
rails-dom-testing (~> 2.0) rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.0.3) rails-html-sanitizer (~> 1.0, >= 1.0.3)
activejob (5.0.7) activejob (5.0.7.1)
activesupport (= 5.0.7) activesupport (= 5.0.7.1)
globalid (>= 0.3.6) globalid (>= 0.3.6)
activemodel (5.0.7) activemodel (5.0.7.1)
activesupport (= 5.0.7) activesupport (= 5.0.7.1)
activerecord (5.0.7) activerecord (5.0.7.1)
activemodel (= 5.0.7) activemodel (= 5.0.7.1)
activesupport (= 5.0.7) activesupport (= 5.0.7.1)
arel (~> 7.0) arel (~> 7.0)
activerecord_sane_schema_dumper (1.0) activerecord_sane_schema_dumper (1.0)
rails (>= 5, < 6) rails (>= 5, < 6)
activesupport (5.0.7) activesupport (5.0.7.1)
concurrent-ruby (~> 1.0, >= 1.0.2) concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 0.7, < 2) i18n (>= 0.7, < 2)
minitest (~> 5.1) minitest (~> 5.1)
...@@ -381,7 +381,7 @@ GEM ...@@ -381,7 +381,7 @@ GEM
json (~> 1.8) json (~> 1.8)
multi_xml (>= 0.5.2) multi_xml (>= 0.5.2)
httpclient (2.8.3) httpclient (2.8.3)
i18n (1.1.1) i18n (1.2.0)
concurrent-ruby (~> 1.0) concurrent-ruby (~> 1.0)
icalendar (2.4.1) icalendar (2.4.1)
ice_nine (0.11.2) ice_nine (0.11.2)
...@@ -449,7 +449,7 @@ GEM ...@@ -449,7 +449,7 @@ GEM
loofah (2.2.3) loofah (2.2.3)
crass (~> 1.0.2) crass (~> 1.0.2)
nokogiri (>= 1.5.9) nokogiri (>= 1.5.9)
mail (2.7.0) mail (2.7.1)
mini_mime (>= 0.1.1) mini_mime (>= 0.1.1)
mail_room (0.9.1) mail_room (0.9.1)
memoist (0.16.0) memoist (0.16.0)
...@@ -623,17 +623,17 @@ GEM ...@@ -623,17 +623,17 @@ GEM
rack rack
rack-test (0.6.3) rack-test (0.6.3)
rack (>= 1.0) rack (>= 1.0)
rails (5.0.7) rails (5.0.7.1)
actioncable (= 5.0.7) actioncable (= 5.0.7.1)
actionmailer (= 5.0.7) actionmailer (= 5.0.7.1)
actionpack (= 5.0.7) actionpack (= 5.0.7.1)
actionview (= 5.0.7) actionview (= 5.0.7.1)
activejob (= 5.0.7) activejob (= 5.0.7.1)
activemodel (= 5.0.7) activemodel (= 5.0.7.1)
activerecord (= 5.0.7) activerecord (= 5.0.7.1)
activesupport (= 5.0.7) activesupport (= 5.0.7.1)
bundler (>= 1.3.0) bundler (>= 1.3.0)
railties (= 5.0.7) railties (= 5.0.7.1)
sprockets-rails (>= 2.0.0) sprockets-rails (>= 2.0.0)
rails-controller-testing (1.0.2) rails-controller-testing (1.0.2)
actionpack (~> 5.x, >= 5.0.1) actionpack (~> 5.x, >= 5.0.1)
...@@ -649,15 +649,15 @@ GEM ...@@ -649,15 +649,15 @@ GEM
rails-i18n (5.1.1) rails-i18n (5.1.1)
i18n (>= 0.7, < 2) i18n (>= 0.7, < 2)
railties (>= 5.0, < 6) railties (>= 5.0, < 6)
railties (5.0.7) railties (5.0.7.1)
actionpack (= 5.0.7) actionpack (= 5.0.7.1)
activesupport (= 5.0.7) activesupport (= 5.0.7.1)
method_source method_source
rake (>= 0.8.7) rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0) thor (>= 0.18.1, < 2.0)
rainbow (3.0.0) rainbow (3.0.0)
raindrops (0.18.0) raindrops (0.18.0)
rake (12.3.1) rake (12.3.2)
rb-fsevent (0.10.2) rb-fsevent (0.10.2)
rb-inotify (0.9.10) rb-inotify (0.9.10)
ffi (>= 0.5.0, < 2) ffi (>= 0.5.0, < 2)
...@@ -1095,7 +1095,7 @@ DEPENDENCIES ...@@ -1095,7 +1095,7 @@ DEPENDENCIES
rack-cors (~> 1.0.0) rack-cors (~> 1.0.0)
rack-oauth2 (~> 1.2.1) rack-oauth2 (~> 1.2.1)
rack-proxy (~> 0.6.0) rack-proxy (~> 0.6.0)
rails (= 5.0.7) rails (= 5.0.7.1)
rails-controller-testing rails-controller-testing
rails-deprecated_sanitizer (~> 1.0.3) rails-deprecated_sanitizer (~> 1.0.3)
rails-i18n (~> 5.1) rails-i18n (~> 5.1)
...@@ -45,11 +45,13 @@ module MergeRequests ...@@ -45,11 +45,13 @@ module MergeRequests
end end
if merge_request.previous_changes.include?('assignee_id') if merge_request.previous_changes.include?('assignee_id')
reassigned_merge_request_args = [merge_request, current_user]
old_assignee_id = merge_request.previous_changes['assignee_id'].first old_assignee_id = merge_request.previous_changes['assignee_id'].first
old_assignee = User.find(old_assignee_id) if old_assignee_id reassigned_merge_request_args << User.find(old_assignee_id) if old_assignee_id
create_assignee_note(merge_request) create_assignee_note(merge_request)
notification_service.async.reassigned_merge_request(merge_request, current_user, old_assignee) notification_service.async.reassigned_merge_request(*reassigned_merge_request_args)
todo_service.reassigned_merge_request(merge_request, current_user) todo_service.reassigned_merge_request(merge_request, current_user)
end end
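Review bot: The `reassigned_merge_request_args` array introduced at the top of the `if` branch hides why the call changed shape; a reader cannot tell from this file that `nil` may no longer be passed through `notification_service.async`. Presumably this is because `MailScheduler::NotificationServiceWorker#check_arguments!` (elsewhere in this commit) now rejects arguments of scalar class, nil included, so an explanatory comment on the `<<` line would help: `# Append the old assignee only when present: the mail scheduler worker rejects nil and other scalar arguments`. The enclosing method starts and ends outside the hunk.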
...@@ -188,7 +188,7 @@ class NotificationService ...@@ -188,7 +188,7 @@ class NotificationService
# * merge_request assignee if their notification level is not Disabled # * merge_request assignee if their notification level is not Disabled
# * users with custom level checked with "reassign merge request" # * users with custom level checked with "reassign merge request"
# #
def reassigned_merge_request(merge_request, current_user, previous_assignee) def reassigned_merge_request(merge_request, current_user, previous_assignee = nil)
recipients = NotificationRecipientService.build_recipients( recipients = NotificationRecipientService.build_recipients(
merge_request, merge_request,
current_user, current_user,
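Review bot: `previous_assignee` gains a `nil` default but the recipient list in the comment block above the signature does not say what a missing value means. From the caller in this commit it is nil when the merge request had no assignee before the change, so suggest adding to that comment block: `# previous_assignee is nil when the merge request had no assignee before the reassignment`. The method body continues outside the hunk.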
...@@ -8,14 +8,35 @@ module MailScheduler ...@@ -8,14 +8,35 @@ module MailScheduler
include MailSchedulerQueue include MailSchedulerQueue
def perform(meth, *args) def perform(meth, *args)
deserialized_args = ActiveJob::Arguments.deserialize(args) check_arguments!(args)
deserialized_args = ActiveJob::Arguments.deserialize(args)
notification_service.public_send(meth, *deserialized_args) # rubocop:disable GitlabSecurity/PublicSend notification_service.public_send(meth, *deserialized_args) # rubocop:disable GitlabSecurity/PublicSend
rescue ActiveJob::DeserializationError rescue ActiveJob::DeserializationError
# No-op.
# This exception gets raised when an argument
# is correct (deserializeable), but it still cannot be deserialized.
# This can happen when an object has been deleted after
# rails passes this job to sidekiq, but before
# sidekiq gets it for execution.
# In this case just do nothing.
end end
def self.perform_async(*args) def self.perform_async(*args)
super(*ActiveJob::Arguments.serialize(args)) super(*ActiveJob::Arguments.serialize(args))
end end
private
# If an argument is in the ActiveJob::Arguments::TYPE_WHITELIST list,
# it means the argument cannot be deserialized.
# Which means there's something wrong with our code.
def check_arguments!(args)
args.each do |arg|
if arg.class.in?(ActiveJob::Arguments::TYPE_WHITELIST)
raise(ArgumentError, "Argument `#{arg}` cannot be deserialized because of its type")
end
end
end
end end
end end
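Review bot: `check_arguments!` raises for every argument whose class is in `ActiveJob::Arguments::TYPE_WHITELIST`, which presumably covers nil, strings and numbers, so any `notification_service` method dispatched through this worker with a plain scalar argument now fails with ArgumentError before deserialization is attempted; the only call site visible on this page (`reassigned_merge_request`) was adjusted to stop passing nil, but other `.async` callers are not shown and should be checked. The comment above the helper is also misleading, since scalars deserialize fine — the intent appears to be that only GlobalID-serialized records are accepted — so suggest `# Scalars in TYPE_WHITELIST pass straight through deserialize, so one arriving here means the caller passed a value that was never serialized as a GlobalID record, i.e. a bug on our side.`. The message interpolates `#{arg}` directly, which reads as an empty pair of backticks for nil or an empty string; `"Argument `#{arg.inspect}` cannot be deserialized because of its type"` makes the offending value and its type visible in logs.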
---
title: Bump Ruby on Rails to 5.0.7.1
merge_request: 23396
author: "@blackst0ne"
type: security
...@@ -17,10 +17,21 @@ describe MailScheduler::NotificationServiceWorker do ...@@ -17,10 +17,21 @@ describe MailScheduler::NotificationServiceWorker do
end end
context 'when the arguments cannot be deserialized' do context 'when the arguments cannot be deserialized' do
it 'does nothing' do context 'when the arguments are not deserializeable' do
it 'raises exception' do
expect(worker.notification_service).not_to receive(method) expect(worker.notification_service).not_to receive(method)
expect { worker.perform(method, key.to_global_id.to_s.succ) }.to raise_exception(ArgumentError)
end
end
worker.perform(method, key.to_global_id.to_s.succ) context 'when the arguments are deserializeable' do
it 'does nothing' do
serialized_arguments = *serialize(key)
key.destroy!
expect(worker.notification_service).not_to receive(method)
expect { worker.perform(method, serialized_arguments) }.not_to raise_exception
end
end end
end end
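Review bot: `serialized_arguments = *serialize(key)` wraps the result in an array, and the `worker.perform(method, serialized_arguments)` call on the following lines passes that array as a single positional argument instead of splatting it, so the 'does nothing' case does not exercise the argument shape that `perform_async` actually produces. Assuming `serialize` (defined outside the hunk) mirrors `ActiveJob::Arguments.serialize`, the example still passes because deserialization recurses into the array and the destroyed record raises the rescued DeserializationError, which is why the mismatch goes unnoticed. Suggest `serialized_arguments = serialize(key)` paired with `worker.perform(method, *serialized_arguments)`. The describe block starts outside the hunk.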