diff --git a/Gemfile b/Gemfile index 7612af2..daae5a4 100644 --- a/Gemfile +++ b/Gemfile @@ -3,7 +3,7 @@ ruby '2.6.3' gem 'rails_12factor', group: :production -gem 'rails', '~> 6.0.3', '>= 6.0.3.5' +gem 'rails', '~> 6.1.6', '>= 6.1.6.1' # Use sqlite3 as the database for Active Record gem 'pg' # Use SCSS for stylesheets diff --git a/Gemfile.lock b/Gemfile.lock index 34f201b..99dd39c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,200 +1,215 @@ GEM remote: https://rubygems.org/ specs: - actioncable (6.0.3.6) - actionpack (= 6.0.3.6) + actioncable (6.1.6.1) + actionpack (= 6.1.6.1) + activesupport (= 6.1.6.1) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailbox (6.0.3.6) - actionpack (= 6.0.3.6) - activejob (= 6.0.3.6) - activerecord (= 6.0.3.6) - activestorage (= 6.0.3.6) - activesupport (= 6.0.3.6) + actionmailbox (6.1.6.1) + actionpack (= 6.1.6.1) + activejob (= 6.1.6.1) + activerecord (= 6.1.6.1) + activestorage (= 6.1.6.1) + activesupport (= 6.1.6.1) mail (>= 2.7.1) - actionmailer (6.0.3.6) - actionpack (= 6.0.3.6) - actionview (= 6.0.3.6) - activejob (= 6.0.3.6) + actionmailer (6.1.6.1) + actionpack (= 6.1.6.1) + actionview (= 6.1.6.1) + activejob (= 6.1.6.1) + activesupport (= 6.1.6.1) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (6.0.3.6) - actionview (= 6.0.3.6) - activesupport (= 6.0.3.6) - rack (~> 2.0, >= 2.0.8) + actionpack (6.1.6.1) + actionview (= 6.1.6.1) + activesupport (= 6.1.6.1) + rack (~> 2.0, >= 2.0.9) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.2.0) - actiontext (6.0.3.6) - actionpack (= 6.0.3.6) - activerecord (= 6.0.3.6) - activestorage (= 6.0.3.6) - activesupport (= 6.0.3.6) + actiontext (6.1.6.1) + actionpack (= 6.1.6.1) + activerecord (= 6.1.6.1) + activestorage (= 6.1.6.1) + activesupport (= 6.1.6.1) nokogiri (>= 1.8.5) - actionview (6.0.3.6) - activesupport (= 6.0.3.6) + actionview (6.1.6.1) + activesupport (= 6.1.6.1) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.1, >= 1.2.0) - activejob (6.0.3.6) - activesupport (= 6.0.3.6) + activejob (6.1.6.1) + activesupport (= 6.1.6.1) globalid (>= 0.3.6) - activemodel (6.0.3.6) - activesupport (= 6.0.3.6) - activerecord (6.0.3.6) - activemodel (= 6.0.3.6) - activesupport (= 6.0.3.6) - activestorage (6.0.3.6) - actionpack (= 6.0.3.6) - activejob (= 6.0.3.6) - activerecord (= 6.0.3.6) - marcel (~> 1.0.0) - activesupport (6.0.3.6) + activemodel (6.1.6.1) + activesupport (= 6.1.6.1) + activerecord (6.1.6.1) + activemodel (= 6.1.6.1) + activesupport (= 6.1.6.1) + activestorage (6.1.6.1) + actionpack (= 6.1.6.1) + activejob (= 6.1.6.1) + activerecord (= 6.1.6.1) + activesupport (= 6.1.6.1) + marcel (~> 1.0) + mini_mime (>= 1.1.0) + activesupport (6.1.6.1) concurrent-ruby (~> 1.0, >= 1.0.2) - i18n (>= 0.7, < 2) - minitest (~> 5.1) - tzinfo (~> 1.1) - zeitwerk (~> 2.2, >= 2.2.2) - addressable (2.7.0) + i18n (>= 1.6, < 2) + minitest (>= 5.1) + tzinfo (~> 2.0) + zeitwerk (~> 2.3) + addressable (2.8.0) public_suffix (>= 2.0.2, < 5.0) attr_encrypted (3.1.0) encryptor (~> 3.0.0) - bcrypt (3.1.13) - binding_of_caller (0.8.0) + bcrypt (3.1.18) + binding_of_caller (1.0.0) debug_inspector (>= 0.0.1) builder (3.2.4) byebug (11.1.3) - concurrent-ruby (1.1.8) + concurrent-ruby (1.1.10) coveralls (0.8.23) json (>= 1.8, < 3) simplecov (~> 0.16.1) term-ansicolor (~> 1.3) thor (>= 0.19.4, < 2.0) tins (~> 1.6) - crack (0.4.3) - safe_yaml (~> 1.0.0) + crack (0.4.5) + rexml crass (1.0.6) - debug_inspector (0.0.3) - devise (4.7.1) + debug_inspector (1.1.0) + devise (4.8.1) bcrypt (~> 3.0) orm_adapter (~> 0.1) railties (>= 4.1.0) responders warden (~> 1.2.3) devise-bootstrap-views (1.1.0) - docile (1.3.2) + docile (1.4.0) encryptor (3.0.0) - erubi (1.10.0) - execjs (2.7.0) + erubi (1.11.0) + execjs (2.8.1) factory_bot (4.11.1) activesupport (>= 3.0.0) factory_bot_rails (4.11.1) factory_bot (~> 4.11.1) railties (>= 3.0.0) - faraday (1.0.1) - multipart-post (>= 1.2, < 3) - ffi (1.12.2) - globalid (0.4.2) - activesupport (>= 4.2.0) + faraday (2.4.0) + faraday-net_http (~> 2.0) + ruby2_keywords (>= 0.0.4) + faraday-net_http (2.1.0) + ffi (1.15.5) + globalid (1.0.0) + activesupport (>= 5.0) hashdiff (0.2.2) - hashie (4.1.0) - i18n (1.8.10) + hashie (5.0.0) + i18n (1.12.0) concurrent-ruby (~> 1.0) - jbuilder (2.10.0) + jbuilder (2.11.5) + actionview (>= 5.0.0) activesupport (>= 5.0.0) - jquery-rails (4.4.0) + jquery-rails (4.5.0) rails-dom-testing (>= 1, < 3) railties (>= 4.2.0) thor (>= 0.14, < 2.0) - json (2.3.0) - jwt (2.2.1) - loofah (2.9.1) + json (2.6.2) + jwt (2.4.1) + loofah (2.18.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) mail (2.7.1) mini_mime (>= 0.1.1) - marcel (1.0.1) + marcel (1.0.2) method_source (1.0.0) - mini_mime (1.1.0) - mini_portile2 (2.5.1) + mini_mime (1.1.2) + mini_portile2 (2.8.0) minitest (5.10.3) - mocha (1.11.2) - multi_json (1.14.1) + mocha (1.14.0) multi_xml (0.6.0) - multipart-post (2.1.1) - nio4r (2.5.7) - nokogiri (1.11.3) - mini_portile2 (~> 2.5.0) + nio4r (2.5.8) + nokogiri (1.13.8) + mini_portile2 (~> 2.8.0) racc (~> 1.4) - oauth2 (1.4.4) - faraday (>= 0.8, < 2.0) + oauth2 (2.0.6) + faraday (>= 0.17.3, < 3.0) jwt (>= 1.0, < 3.0) - multi_json (~> 1.3) multi_xml (~> 0.5) rack (>= 1.2, < 3) - octokit (4.18.0) - faraday (>= 0.9) - sawyer (~> 0.8.0, >= 0.5.3) - omniauth (1.9.1) + rash_alt (>= 0.4, < 1) + version_gem (~> 1.1) + octokit (4.25.1) + faraday (>= 1, < 3) + sawyer (~> 0.9) + omniauth (2.1.0) hashie (>= 3.4.6) - rack (>= 1.6.2, < 3) - omniauth-github (1.4.0) - omniauth (~> 1.5) - omniauth-oauth2 (>= 1.4.0, < 2.0) - omniauth-oauth2 (1.6.0) - oauth2 (~> 1.1) - omniauth (~> 1.9) + rack (>= 2.2.3) + rack-protection + omniauth-github (2.0.0) + omniauth (~> 2.0) + omniauth-oauth2 (~> 1.7.1) + omniauth-oauth2 (1.7.3) + oauth2 (>= 1.4, < 3) + omniauth (>= 1.9, < 3) orm_adapter (0.5.0) - pg (1.2.3) - public_suffix (4.0.5) - puma (5.2.2) + pg (1.4.2) + psych (4.0.4) + stringio + public_suffix (4.0.7) + puma (5.6.4) nio4r (~> 2.0) - racc (1.5.2) - rack (2.2.3) - rack-test (1.1.0) - rack (>= 1.0, < 3) - rails (6.0.3.6) - actioncable (= 6.0.3.6) - actionmailbox (= 6.0.3.6) - actionmailer (= 6.0.3.6) - actionpack (= 6.0.3.6) - actiontext (= 6.0.3.6) - actionview (= 6.0.3.6) - activejob (= 6.0.3.6) - activemodel (= 6.0.3.6) - activerecord (= 6.0.3.6) - activestorage (= 6.0.3.6) - activesupport (= 6.0.3.6) - bundler (>= 1.3.0) - railties (= 6.0.3.6) + racc (1.6.0) + rack (2.2.4) + rack-protection (2.2.2) + rack + rack-test (2.0.2) + rack (>= 1.3) + rails (6.1.6.1) + actioncable (= 6.1.6.1) + actionmailbox (= 6.1.6.1) + actionmailer (= 6.1.6.1) + actionpack (= 6.1.6.1) + actiontext (= 6.1.6.1) + actionview (= 6.1.6.1) + activejob (= 6.1.6.1) + activemodel (= 6.1.6.1) + activerecord (= 6.1.6.1) + activestorage (= 6.1.6.1) + activesupport (= 6.1.6.1) + bundler (>= 1.15.0) + railties (= 6.1.6.1) sprockets-rails (>= 2.0.0) rails-dom-testing (2.0.3) activesupport (>= 4.2.0) nokogiri (>= 1.6) - rails-html-sanitizer (1.3.0) + rails-html-sanitizer (1.4.3) loofah (~> 2.3) rails_12factor (0.0.3) rails_serve_static_assets rails_stdout_logging rails_serve_static_assets (0.0.5) rails_stdout_logging (0.0.5) - railties (6.0.3.6) - actionpack (= 6.0.3.6) - activesupport (= 6.0.3.6) + railties (6.1.6.1) + actionpack (= 6.1.6.1) + activesupport (= 6.1.6.1) method_source - rake (>= 0.8.7) - thor (>= 0.20.3, < 2.0) - rake (13.0.3) - rdoc (6.2.1) - responders (3.0.0) + rake (>= 12.2) + thor (~> 1.0) + rake (13.0.6) + rash_alt (0.4.12) + hashie (>= 3.4) + rdoc (6.4.0) + psych (>= 4.0.0) + responders (3.0.1) actionpack (>= 5.0) railties (>= 5.0) - rugged (1.0.0) - safe_yaml (1.0.5) + rexml (3.2.5) + ruby2_keywords (0.0.5) + rugged (1.5.0.1) sass-rails (6.0.0) sassc-rails (~> 2.1, >= 2.1.1) - sassc (2.3.0) + sassc (2.4.0) ffi (~> 1.9) sassc-rails (2.1.2) railties (>= 4.0.0) @@ -202,44 +217,45 @@ GEM sprockets (> 3.0) sprockets-rails tilt - sawyer (0.8.2) + sawyer (0.9.2) addressable (>= 2.3.5) - faraday (> 0.8, < 2.0) + faraday (>= 0.17.3, < 3) sdoc (1.1.0) rdoc (>= 5.0) - simple_form (5.0.2) - actionpack (>= 5.0) - activemodel (>= 5.0) + simple_form (5.1.0) + actionpack (>= 5.2) + activemodel (>= 5.2) simplecov (0.16.1) docile (~> 1.1) json (>= 1.8, < 3) simplecov-html (~> 0.10.0) simplecov-html (0.10.2) - spring (2.1.0) - sprockets (4.0.2) + spring (3.1.1) + sprockets (4.1.1) concurrent-ruby (~> 1.0) rack (> 1, < 3) - sprockets-rails (3.2.2) - actionpack (>= 4.0) - activesupport (>= 4.0) + sprockets-rails (3.4.2) + actionpack (>= 5.2) + activesupport (>= 5.2) sprockets (>= 3.0.0) + stringio (3.0.2) sync (0.5.0) term-ansicolor (1.7.1) tins (~> 1.0) - thor (1.1.0) - thread_safe (0.3.6) - tilt (2.0.10) - tins (1.24.1) + thor (1.2.1) + tilt (2.0.11) + tins (1.31.1) sync turbolinks (5.2.1) turbolinks-source (~> 5.2) turbolinks-source (5.2.0) - tzinfo (1.2.9) - thread_safe (~> 0.1) + tzinfo (2.0.5) + concurrent-ruby (~> 1.0) uglifier (4.2.0) execjs (>= 0.3.0, < 3) - warden (1.2.8) - rack (>= 2.0.6) + version_gem (1.1.0) + warden (1.2.9) + rack (>= 2.0.9) web-console (2.3.0) activemodel (>= 4.0) binding_of_caller (>= 0.7.2) @@ -249,10 +265,10 @@ GEM addressable (>= 2.3.6) crack (>= 0.3.2) hashdiff - websocket-driver (0.7.3) + websocket-driver (0.7.5) websocket-extensions (>= 0.1.0) websocket-extensions (0.1.5) - zeitwerk (2.4.2) + zeitwerk (2.6.0) PLATFORMS ruby @@ -274,7 +290,7 @@ DEPENDENCIES omniauth-github pg puma (>= 4.3.5) - rails (~> 6.0.3, >= 6.0.3.5) + rails (~> 6.1.6, >= 6.1.6.1) rails_12factor rugged sass-rails (~> 6.0) diff --git a/test/unit/security.rb b/test/unit/security.rb new file mode 100644 index 0000000..f1a2217 --- /dev/null +++ b/test/unit/security.rb @@ -0,0 +1,8 @@ +require 'test_helper' + +class SecurityTest < AppfolioUnitTestCase + def test_cve_2022_32224_safe + assert(Rails.application.config.active_record.yaml_column_permitted_classes == nil || Rails.application.config.active_record.yaml_column_permitted_classes.empty?, "CVE-2022-32224 yaml_unsafe_load is unsafe") + assert(Rails.application.config.active_record.use_yaml_unsafe_load == false || Rails.application.config.active_record.use_yaml_unsafe_load == nil, "CVE-2022-32224 yaml_unsafe_load is unsafe") + end +end