From 2927a4b464907f7fa0b2ae461234126b0449afb1 Mon Sep 17 00:00:00 2001 From: Sarah Miller Date: Mon, 18 Sep 2023 15:16:23 -0500 Subject: [PATCH] Revert "Revert "bump ruby patch version, oauth2, and faraday"" --- .ruby-version | 2 +- Dockerfile | 2 +- Gemfile | 5 +- Gemfile.lock | 179 +++++++++++++++++--------------- Rakefile | 2 +- config/initializers/omniauth.rb | 4 +- 6 files changed, 101 insertions(+), 93 deletions(-) diff --git a/.ruby-version b/.ruby-version index 49cdd668e1..6a81b4c837 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -2.7.6 +2.7.8 diff --git a/Dockerfile b/Dockerfile index f2263dbf76..a9d5fcf28a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ruby:2.7.6-slim +FROM ruby:2.7.8-slim # Install dependencies RUN \ diff --git a/Gemfile b/Gemfile index e997a3ac2b..d84841531b 100644 --- a/Gemfile +++ b/Gemfile @@ -5,7 +5,7 @@ ruby File.read('.ruby-version').strip # gems that have rails engines are are always needed group :preload do - gem 'rails', '~> 6.1.7.3' + gem 'rails', '~> 6.1.7.6' gem 'dotenv' gem 'connection_pool' gem 'marco-polo' @@ -20,10 +20,11 @@ group :preload do end gem 'dogstatsd-ruby' -gem 'puma' +gem 'puma', '~>5.6.7' gem 'attr_encrypted' gem 'sawyer' gem 'dalli' +gem 'oauth2', '~>2.0.9' gem 'omniauth' gem 'omniauth-oauth2' gem 'omniauth-github', git: "https://github.com/omniauth/omniauth-github.git" # needs >1.3.0 diff --git a/Gemfile.lock b/Gemfile.lock index 2c921bf791..9486ea0cbc 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -194,62 +194,62 @@ GEM GEM remote: https://rubygems.org/ specs: - actioncable (6.1.7.3) - actionpack (= 6.1.7.3) - activesupport (= 6.1.7.3) + actioncable (6.1.7.6) + actionpack (= 6.1.7.6) + activesupport (= 6.1.7.6) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailbox (6.1.7.3) - actionpack (= 6.1.7.3) - activejob (= 6.1.7.3) - activerecord (= 6.1.7.3) - activestorage (= 6.1.7.3) - activesupport (= 6.1.7.3) + actionmailbox (6.1.7.6) + actionpack (= 6.1.7.6) + activejob (= 6.1.7.6) + activerecord (= 6.1.7.6) + activestorage (= 6.1.7.6) + activesupport (= 6.1.7.6) mail (>= 2.7.1) - actionmailer (6.1.7.3) - actionpack (= 6.1.7.3) - actionview (= 6.1.7.3) - activejob (= 6.1.7.3) - activesupport (= 6.1.7.3) + actionmailer (6.1.7.6) + actionpack (= 6.1.7.6) + actionview (= 6.1.7.6) + activejob (= 6.1.7.6) + activesupport (= 6.1.7.6) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (6.1.7.3) - actionview (= 6.1.7.3) - activesupport (= 6.1.7.3) + actionpack (6.1.7.6) + actionview (= 6.1.7.6) + activesupport (= 6.1.7.6) rack (~> 2.0, >= 2.0.9) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.2.0) - actiontext (6.1.7.3) - actionpack (= 6.1.7.3) - activerecord (= 6.1.7.3) - activestorage (= 6.1.7.3) - activesupport (= 6.1.7.3) + actiontext (6.1.7.6) + actionpack (= 6.1.7.6) + activerecord (= 6.1.7.6) + activestorage (= 6.1.7.6) + activesupport (= 6.1.7.6) nokogiri (>= 1.8.5) - actionview (6.1.7.3) - activesupport (= 6.1.7.3) + actionview (6.1.7.6) + activesupport (= 6.1.7.6) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.1, >= 1.2.0) active_hash (3.0.0) activesupport (>= 5.0.0) - activejob (6.1.7.3) - activesupport (= 6.1.7.3) + activejob (6.1.7.6) + activesupport (= 6.1.7.6) globalid (>= 0.3.6) - activemodel (6.1.7.3) - activesupport (= 6.1.7.3) - activerecord (6.1.7.3) - activemodel (= 6.1.7.3) - activesupport (= 6.1.7.3) - activestorage (6.1.7.3) - actionpack (= 6.1.7.3) - activejob (= 6.1.7.3) - activerecord (= 6.1.7.3) - activesupport (= 6.1.7.3) + activemodel (6.1.7.6) + activesupport (= 6.1.7.6) + activerecord (6.1.7.6) + activemodel (= 6.1.7.6) + activesupport (= 6.1.7.6) + activestorage (6.1.7.6) + actionpack (= 6.1.7.6) + activejob (= 6.1.7.6) + activerecord (= 6.1.7.6) + activesupport (= 6.1.7.6) marcel (~> 1.0) mini_mime (>= 1.1.0) - activesupport (6.1.7.3) + activesupport (6.1.7.6) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 1.6, < 2) minitest (>= 5.1) @@ -309,7 +309,7 @@ GEM chef-utils (18.1.29) concurrent-ruby coderay (1.1.1) - commonmarker (0.23.9) + commonmarker (0.23.10) concurrent-ruby (1.2.2) connection_pool (2.2.1) crack (0.4.3) @@ -327,10 +327,10 @@ GEM railties (>= 5) dotenv (2.2.1) encryptor (3.0.0) - erubi (1.11.0) + erubi (1.12.0) erubis (2.7.0) execjs (2.7.0) - faraday (2.7.4) + faraday (2.7.10) faraday-net_http (>= 2.0, < 3.1) ruby2_keywords (>= 0.0.4) faraday-http-cache (2.5.0) @@ -378,7 +378,7 @@ GEM httparty (0.21.0) mini_mime (>= 1.0.0) multi_xml (>= 0.5.2) - i18n (1.13.0) + i18n (1.14.1) concurrent-ruby (~> 1.0) inflection (1.0.0) interception (0.5) @@ -394,7 +394,7 @@ GEM json (2.6.3) jsonpath (1.1.2) multi_json - jwt (2.7.0) + jwt (2.7.1) kubeclient (4.11.0) http (>= 3.0, < 6.0) jsonpath (~> 1.0) @@ -410,9 +410,9 @@ GEM railties (>= 4) request_store (~> 1.0) logstash-event (1.2.02) - loofah (2.19.1) + loofah (2.21.3) crass (~> 1.0.2) - nokogiri (>= 1.5.9) + nokogiri (>= 1.12.0) mail (2.7.1) mini_mime (>= 0.1.1) marcel (1.0.2) @@ -425,8 +425,8 @@ GEM mime-types (3.4.1) mime-types-data (~> 3.2015) mime-types-data (3.2023.0218.1) - mini_mime (1.1.2) - mini_portile2 (2.8.1) + mini_mime (1.1.5) + mini_portile2 (2.8.4) minitest (5.11.3) minitest-rails (6.1.0) minitest (~> 5.10) @@ -447,20 +447,21 @@ GEM net-ldap (0.16.1) netrc (0.11.0) newrelic_rpm (6.7.0.359) - nio4r (2.5.8) - nokogiri (1.14.3) - mini_portile2 (~> 2.8.0) + nio4r (2.5.9) + nokogiri (1.15.4) + mini_portile2 (~> 2.8.2) racc (~> 1.4) - nokogiri (1.14.3-x86_64-darwin) + nokogiri (1.15.4-x86_64-darwin) racc (~> 1.4) - nokogiri (1.14.3-x86_64-linux) + nokogiri (1.15.4-x86_64-linux) racc (~> 1.4) - oauth2 (1.4.11) + oauth2 (2.0.9) faraday (>= 0.17.3, < 3.0) jwt (>= 1.0, < 3.0) - multi_json (~> 1.3) multi_xml (~> 0.5) rack (>= 1.2, < 4) + snaky_hash (~> 2.0) + version_gem (~> 1.1) octokit (6.1.1) faraday (>= 1, < 3) sawyer (~> 0.9) @@ -472,10 +473,9 @@ GEM omniauth-gitlab (1.0.2) omniauth (~> 1.0) omniauth-oauth2 (~> 1.0) - omniauth-google-oauth2 (0.8.2) + omniauth-google-oauth2 (0.8.0) jwt (>= 2.0) - oauth2 (~> 1.1) - omniauth (~> 1.1) + omniauth (>= 1.1.1) omniauth-oauth2 (>= 1.6) omniauth-ldap (1.0.5) net-ldap (~> 0.12) @@ -512,42 +512,44 @@ GEM binding_of_caller (>= 0.7) pry (>= 0.9.11) public_suffix (5.0.1) - puma (5.6.4) + puma (5.6.7) nio4r (~> 2.0) pyu-ruby-sasl (0.0.3.3) - racc (1.6.2) - rack (2.2.7) + racc (1.7.1) + rack (2.2.8) rack-mini-profiler (1.1.4) rack (>= 1.2.0) - rack-test (2.0.2) + rack-test (2.1.0) rack (>= 1.3) - rails (6.1.7.3) - actioncable (= 6.1.7.3) - actionmailbox (= 6.1.7.3) - actionmailer (= 6.1.7.3) - actionpack (= 6.1.7.3) - actiontext (= 6.1.7.3) - actionview (= 6.1.7.3) - activejob (= 6.1.7.3) - activemodel (= 6.1.7.3) - activerecord (= 6.1.7.3) - activestorage (= 6.1.7.3) - activesupport (= 6.1.7.3) + rails (6.1.7.6) + actioncable (= 6.1.7.6) + actionmailbox (= 6.1.7.6) + actionmailer (= 6.1.7.6) + actionpack (= 6.1.7.6) + actiontext (= 6.1.7.6) + actionview (= 6.1.7.6) + activejob (= 6.1.7.6) + activemodel (= 6.1.7.6) + activerecord (= 6.1.7.6) + activestorage (= 6.1.7.6) + activesupport (= 6.1.7.6) bundler (>= 1.15.0) - railties (= 6.1.7.3) + railties (= 6.1.7.6) sprockets-rails (>= 2.0.0) rails-controller-testing (1.0.5) actionpack (>= 5.0.1.rc1) actionview (>= 5.0.1.rc1) activesupport (>= 5.0.1.rc1) - rails-dom-testing (2.0.3) - activesupport (>= 4.2.0) + rails-dom-testing (2.2.0) + activesupport (>= 5.0.0) + minitest nokogiri (>= 1.6) - rails-html-sanitizer (1.4.4) - loofah (~> 2.19, >= 2.19.1) - railties (6.1.7.3) - actionpack (= 6.1.7.3) - activesupport (= 6.1.7.3) + rails-html-sanitizer (1.6.0) + loofah (~> 2.21) + nokogiri (~> 1.14) + railties (6.1.7.6) + actionpack (= 6.1.7.6) + activesupport (= 6.1.7.6) method_source rake (>= 12.2) thor (~> 1.0) @@ -613,6 +615,9 @@ GEM sexp_processor (4.12.1) single_cov (1.3.2) slop (3.6.0) + snaky_hash (2.0.1) + hashie + version_gem (~> 1.1, >= 1.1.1) socksify (1.7.1) soft_deletion (1.6.0) activerecord (>= 4.2.0, < 6.2.0) @@ -627,7 +632,7 @@ GEM stackprof (0.2.12) terminal-table (1.8.0) unicode-display_width (~> 1.1, >= 1.1.1) - thor (1.2.1) + thor (1.2.2) tilt (2.0.10) tzinfo (2.0.6) concurrent-ruby (~> 1.0) @@ -639,16 +644,17 @@ GEM unicode-display_width (1.8.0) validates_lengths_from_database (0.8.0) activerecord (>= 4) + version_gem (1.1.3) warden (1.2.7) rack (>= 1.0) webmock (3.0.1) addressable (>= 2.3.6) crack (>= 0.3.2) hashdiff - websocket-driver (0.7.5) + websocket-driver (0.7.6) websocket-extensions (>= 0.1.0) websocket-extensions (0.1.5) - zeitwerk (2.6.8) + zeitwerk (2.6.11) zendesk_api (2.0.1) faraday (> 2.0.0) faraday-multipart @@ -701,6 +707,7 @@ DEPENDENCIES momentjs-rails mysql2 net-http-persistent + oauth2 (~> 2.0.9) octokit omniauth omniauth-atlassian-bitbucket @@ -718,9 +725,9 @@ DEPENDENCIES pry-rails pry-rescue pry-stack_explorer - puma + puma (~> 5.6.7) rack-mini-profiler - rails (~> 6.1.7.3) + rails (~> 6.1.7.6) rails-assets-bootstrap-select! rails-assets-jquery! rails-assets-jquery-cookie! @@ -774,7 +781,7 @@ DEPENDENCIES webmock RUBY VERSION - ruby 2.7.6p219 + ruby 2.7.8p225 BUNDLED WITH 2.3.25 diff --git a/Rakefile b/Rakefile index 436a278d38..20e90a076a 100644 --- a/Rakefile +++ b/Rakefile @@ -63,7 +63,7 @@ task :bundle_audit do # TODO: remove CVE-2015-9284 once https://github.com/omniauth/omniauth/pull/809 is resolved # TODO: remove CVE-2022-0759 once local development works on newer version # TODO: remove GHSA-hjp3-5g2q-7jww will need ruby 3.0 - sh "bundle-audit check --update --ignore CVE-2015-9284 CVE-2022-0759 GHSA-hjp3-5g2q-7jww" + sh "bundle-audit check --update --ignore CVE-2015-9284 CVE-2022-0759 GHSA-hjp3-5g2q-7jww CVE-2023-34246" end desc "Run rubocop" diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb index 5d170a930b..b3a84c9b18 100644 --- a/config/initializers/omniauth.rb +++ b/config/initializers/omniauth.rb @@ -38,8 +38,8 @@ ENV.fetch("GITLAB_SECRET"), client_options: { site: Rails.application.config.samson.gitlab.web_url, - authorize_url: '/oauth/authorize', - token_url: '/oauth/token' + authorize_url: 'oauth/authorize', + token_url: 'oauth/token' } ) end