From dc7eb80d71d34b24b07f6386bab9d1ef44a95a40 Mon Sep 17 00:00:00 2001
From: pengyin-shan
Date: Fri, 4 Nov 2022 11:22:50 -0400
Subject: [PATCH 1/4] fix issue240 by claiming symbol, data and time to be safe. Update to ruby 2.7
---
 CHANGELOG.md | 12 ++++++++++++
 Dockerfile.production | 6 +++++-
 config/environments/development.rb | 3 +++
 config/environments/production.rb | 3 +++
 config/environments/sandbox.rb | 3 +++
 config/environments/staging.rb | 3 +++
 config/environments/test.rb | 3 +++
 config/environments/uat.rb | 2 ++
 8 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1ec3734cb1..dffe52485d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,17 @@
 # Changelog
+## [3.0.4+portage-3.0.15] - 2022-11-04
+
+### Changed
+
+- Upgrade ruby 2.6.9 to 2.7.6 due to a bug fix of ruby for XCode 14 (https://bugs.ruby-lang.org/issues/18912) was only pushed to ruby >=2.7
+
+- Updated Docker.production file to fix a rake issue when pushing to docker
+
+### Fixed
+
+- Fixed the bug that some users saw 'Tried to Load Specific Class: Symbol' error message when moving to Download tab [#240](https://github.com/portagenetwork/roadmap/issues/240)
+
 ## [3.0.4+portage-3.0.14] - 2022-08-26
 ### Added
diff --git a/Dockerfile.production b/Dockerfile.production
index 3d7d1f5619..74622f4875 100644
--- a/Dockerfile.production
+++ b/Dockerfile.production
@@ -1,4 +1,4 @@
-FROM ruby:2.6.6
+FROM ruby:2.7.6
 # Setup bundle to install gems to volume
 ENV BUNDLE_PATH=/bundle/ \
@@ -43,6 +43,10 @@ RUN RAILS_ENV=production bundle install --jobs=3 --retry=3
 COPY . $INSTALL_PATH
 RUN NODE_ENV=production yarn install --prod --check-files
+RUN bundle config set force_ruby_platform true
+
+# /bundle/ruby/2.7.0/bin/rake error: Could not find nokogiri-1.13.6, mini_portile2-2.5.3 in locally installed gems (Bundler::GemNotFound)
+RUN bundle update rake
 RUN DATABASE_URL=nulldb://user:test@127.0.0.1/roadmap RAILS_ENV=production SECRET_KEY_BASE=change_me DEVISE_SECRET_KEY=pickasecuretoken bundle exec rake assets:precompile
 EXPOSE 3000
diff --git a/config/environments/development.rb b/config/environments/development.rb
index d222d888a1..9c1b60c6a4 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -68,6 +68,9 @@
 # Use an evented file watcher to asynchronously detect changes in source code,
 # routes, locales, etc. This feature depends on the listen gem.
 config.file_watcher = ActiveSupport::EventedFileUpdateChecker
+
+ # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
+ config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
 end
 # Used by Rails' routes url_helpers (typically when including a link in an email)
diff --git a/config/environments/production.rb b/config/environments/production.rb
index a0892b7450..5e9abae066 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -82,6 +82,9 @@
 # Do not dump schema after migrations.
 config.active_record.dump_schema_after_migration = false
+ # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
+ config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+
 # Use syslog for logging
 config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
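Review bot: In the Dockerfile.production hunk, `RUN bundle update rake` re-resolves rake against the gem index at image build time, so the production image can ship gem versions that differ from the committed Gemfile.lock and two builds of the same commit are not guaranteed to be identical. The GemNotFound error quoted in the comment above it appears to be a lockfile platform problem introduced by `force_ruby_platform` (the ruby-platform nokogiri needs mini_portile2, which the lockfile evidently does not list), so the durable fix is to regenerate the lockfile in the repository — e.g. `bundle lock --add-platform ruby` run locally with Gemfile.lock committed — and leave the image build on a plain `bundle install`. The CHANGELOG hunk in this patch also says Ruby moved from 2.6.9 while the `FROM` line in the first hunk moves from ruby:2.6.6; one of the two should be corrected.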
diff --git a/config/environments/sandbox.rb b/config/environments/sandbox.rb
index c4874fd377..3c2876aa90 100644
--- a/config/environments/sandbox.rb
+++ b/config/environments/sandbox.rb
@@ -82,6 +82,9 @@
 # Do not dump schema after migrations.
 config.active_record.dump_schema_after_migration = false
+ # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
+ config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+
 # Use syslog for logging
 config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
diff --git a/config/environments/staging.rb b/config/environments/staging.rb
index 44a5f9a120..2bc564cc01 100644
--- a/config/environments/staging.rb
+++ b/config/environments/staging.rb
@@ -81,6 +81,9 @@
 # Do not dump schema after migrations.
 config.active_record.dump_schema_after_migration = false
+ # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
+ config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+
 # Use syslog for logging
 config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 8d4fac41a4..72e0df9776 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -50,6 +50,9 @@
 # config.action_view.raise_on_missing_translations = true
 config.i18n.enforce_available_locales = false
+
+ # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
+ config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
 end
 # Used by Rails' routes url_helpers (typically when including a link in an email)
diff --git a/config/environments/uat.rb b/config/environments/uat.rb
index a31f108ef9..8941f5119c 100644
--- a/config/environments/uat.rb
+++ b/config/environments/uat.rb
@@ -94,4 +94,6 @@
 enable_starttls_auto: true
 }
+ # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
+ config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
 end
From 33bd8265cda6de62b03ff374b2911fb428795b43 Mon Sep 17 00:00:00 2001
From: pengyin-shan
Date: Fri, 4 Nov 2022 11:40:17 -0400
Subject: [PATCH 2/4] add HashWithIndifferentAccess to safe_uyaml list
---
 config/environments/development.rb | 2 +-
 config/environments/production.rb | 2 +-
 config/environments/sandbox.rb | 2 +-
 config/environments/staging.rb | 2 +-
 config/environments/test.rb | 2 +-
 config/environments/uat.rb | 5 +++--
 6 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 9c1b60c6a4..8b00ec2484 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -70,7 +70,7 @@
 config.file_watcher = ActiveSupport::EventedFileUpdateChecker
 # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
- config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+ config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
 end
 # Used by Rails' routes url_helpers (typically when including a link in an email)
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 5e9abae066..918285b3df 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -83,7 +83,7 @@
 config.active_record.dump_schema_after_migration = false
 # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
- config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+ config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
 # Use syslog for logging
 config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
diff --git a/config/environments/sandbox.rb b/config/environments/sandbox.rb
index 3c2876aa90..2971c1e816 100644
--- a/config/environments/sandbox.rb
+++ b/config/environments/sandbox.rb
@@ -83,7 +83,7 @@
 config.active_record.dump_schema_after_migration = false
 # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
- config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+ config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
 # Use syslog for logging
 config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
diff --git a/config/environments/staging.rb b/config/environments/staging.rb
index 2bc564cc01..08d3203e2a 100644
--- a/config/environments/staging.rb
+++ b/config/environments/staging.rb
@@ -82,7 +82,7 @@
 config.active_record.dump_schema_after_migration = false
 # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
- config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+ config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
 # Use syslog for logging
 config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 72e0df9776..3f61cdfe55 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -52,7 +52,7 @@
 config.i18n.enforce_available_locales = false
 # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
- config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+ config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
 end
 # Used by Rails' routes url_helpers (typically when including a link in an email)
diff --git a/config/environments/uat.rb b/config/environments/uat.rb
index 8941f5119c..2232c4329a 100644
--- a/config/environments/uat.rb
+++ b/config/environments/uat.rb
@@ -80,6 +80,9 @@
 # Use syslog for logging
 config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
+ # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
+ config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
+
 # Do not dump schema after migrations.
 config.active_record.dump_schema_after_migration = false
@@ -94,6 +97,4 @@
 enable_starttls_auto: true
 }
- # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
- config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
 end
From 4daad39f1c9577c5717abd7b27e154a6cf266764 Mon Sep 17 00:00:00 2001
From: pengyin-shan
Date: Fri, 4 Nov 2022 12:39:33 -0400
Subject: [PATCH 3/4] adjust line length for rubocop
---
 config/environments/development.rb | 3 ++-
 config/environments/production.rb | 3 ++-
 config/environments/sandbox.rb | 3 ++-
 config/environments/staging.rb | 5 +++--
 config/environments/test.rb | 3 ++-
 config/environments/uat.rb | 5 +++--
 6 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 8b00ec2484..ee7b5b0fce 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -69,7 +69,8 @@
 # routes, locales, etc. This feature depends on the listen gem.
 config.file_watcher = ActiveSupport::EventedFileUpdateChecker
- # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
+ # CVE-2022-32224: add some compatibility with YAML.safe_load
+ # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
 config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
 end
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 918285b3df..24ccbe7b04 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -82,7 +82,8 @@
 # Do not dump schema after migrations.
 config.active_record.dump_schema_after_migration = false
- # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
+ # CVE-2022-32224: add some compatibility with YAML.safe_load
+ # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
 config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
 # Use syslog for logging
diff --git a/config/environments/sandbox.rb b/config/environments/sandbox.rb
index 2971c1e816..3be66055b1 100644
--- a/config/environments/sandbox.rb
+++ b/config/environments/sandbox.rb
@@ -82,7 +82,8 @@
 # Do not dump schema after migrations.
 config.active_record.dump_schema_after_migration = false
- # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
+ # CVE-2022-32224: add some compatibility with YAML.safe_load
+ # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
 config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
 # Use syslog for logging
diff --git a/config/environments/staging.rb b/config/environments/staging.rb
index 08d3203e2a..1624d2ff18 100644
--- a/config/environments/staging.rb
+++ b/config/environments/staging.rb
@@ -81,8 +81,9 @@
 # Do not dump schema after migrations.
 config.active_record.dump_schema_after_migration = false
- # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
- config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
+ # CVE-2022-32224: add some compatibility with YAML.safe_load
+ # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
+ config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
 # Use syslog for logging
 config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 3f61cdfe55..d2d5b228b2 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -51,7 +51,8 @@
 config.i18n.enforce_available_locales = false
- # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
+ # CVE-2022-32224: add some compatibility with YAML.safe_load
+ # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
 config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
 end
diff --git a/config/environments/uat.rb b/config/environments/uat.rb
index 2232c4329a..5c1beb66b5 100644
--- a/config/environments/uat.rb
+++ b/config/environments/uat.rb
@@ -80,8 +80,9 @@
 # Use syslog for logging
 config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
- # CVE-2022-32224: fix to compatible with YAML.safe_load that Rails 5,6,7 that are used as the default YAML deserializer
- config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
+ # CVE-2022-32224: add some compatibility with YAML.safe_load
+ # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
+ config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
 # Do not dump schema after migrations.
 config.active_record.dump_schema_after_migration = false
From 14effcf2eb0a9c5dc006784986997083aa21a3ab Mon Sep 17 00:00:00 2001
From: pengyin-shan
Date: Fri, 4 Nov 2022 15:01:36 -0400
Subject: [PATCH 4/4] move common config setting to application.rb
---
 config/application.rb | 4 ++++
 config/environments/development.rb | 4 ----
 config/environments/production.rb | 4 ----
 config/environments/sandbox.rb | 4 ----
 config/environments/staging.rb | 4 ----
 config/environments/test.rb | 4 ----
 config/environments/uat.rb | 4 ----
 7 files changed, 4 insertions(+), 24 deletions(-)
diff --git a/config/application.rb b/config/application.rb
index cc9c4c3f5e..85eaf335af 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -30,6 +30,10 @@ class Application < Rails::Application
 config.autoload_paths += %W[#{config.root}/lib]
+ # CVE-2022-32224: add some compatibility with YAML.safe_load
+ # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
+ config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
+
 # HTML tags that are allowed to pass through `sanitize`.
 config.action_view.sanitized_allowed_tags = %w[
 p br strong em a table thead tbody tr td th tfoot caption ul ol li
diff --git a/config/environments/development.rb b/config/environments/development.rb
index ee7b5b0fce..d222d888a1 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -68,10 +68,6 @@
 # Use an evented file watcher to asynchronously detect changes in source code,
 # routes, locales, etc. This feature depends on the listen gem.
 config.file_watcher = ActiveSupport::EventedFileUpdateChecker
-
- # CVE-2022-32224: add some compatibility with YAML.safe_load
- # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
- config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
 end
 # Used by Rails' routes url_helpers (typically when including a link in an email)
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 24ccbe7b04..a0892b7450 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
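Review bot: The comment above the new `config.active_record.yaml_column_permitted_classes` line in config/application.rb says Rails 5, 6 and 7 use `YAML.safe_load` as the default deserializer, which holds only for the Rails releases that carry the CVE-2022-32224 fix, so a reader on an unpatched version would wrongly assume the allowlist is being enforced. Replace the two comment lines with `# CVE-2022-32224: patched Rails releases deserialize serialized columns with YAML.safe_load; this is the allowlist of extra classes those columns may contain.` and `# Keep the list minimal (every entry is a deserialization target) and do not work around it with use_yaml_unsafe_load.`. Symbol, Date and Time are what the `Tried to Load Specific Class: Symbol` error from issue #240 points at, but nothing on this page says which serialized column holds an `ActiveSupport::HashWithIndifferentAccess` (presumably one storing params-derived hashes), so the comment should name that column so the entry can be dropped if the column changes. The enclosing `Application` class starts and ends outside the hunk.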
@@ -82,10 +82,6 @@
 # Do not dump schema after migrations.
 config.active_record.dump_schema_after_migration = false
- # CVE-2022-32224: add some compatibility with YAML.safe_load
- # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
- config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
-
 # Use syslog for logging
 config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
diff --git a/config/environments/sandbox.rb b/config/environments/sandbox.rb
index 3be66055b1..c4874fd377 100644
--- a/config/environments/sandbox.rb
+++ b/config/environments/sandbox.rb
@@ -82,10 +82,6 @@
 # Do not dump schema after migrations.
 config.active_record.dump_schema_after_migration = false
- # CVE-2022-32224: add some compatibility with YAML.safe_load
- # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
- config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
-
 # Use syslog for logging
 config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
diff --git a/config/environments/staging.rb b/config/environments/staging.rb
index 1624d2ff18..44a5f9a120 100644
--- a/config/environments/staging.rb
+++ b/config/environments/staging.rb
@@ -81,10 +81,6 @@
 # Do not dump schema after migrations.
 config.active_record.dump_schema_after_migration = false
- # CVE-2022-32224: add some compatibility with YAML.safe_load
- # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
- config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
-
 # Use syslog for logging
 config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
diff --git a/config/environments/test.rb b/config/environments/test.rb
index d2d5b228b2..8d4fac41a4 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -50,10 +50,6 @@
 # config.action_view.raise_on_missing_translations = true
 config.i18n.enforce_available_locales = false
-
- # CVE-2022-32224: add some compatibility with YAML.safe_load
- # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
- config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
 end
 # Used by Rails' routes url_helpers (typically when including a link in an email)
diff --git a/config/environments/uat.rb b/config/environments/uat.rb
index 5c1beb66b5..a31f108ef9 100644
--- a/config/environments/uat.rb
+++ b/config/environments/uat.rb
@@ -80,10 +80,6 @@
 # Use syslog for logging
 config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
- # CVE-2022-32224: add some compatibility with YAML.safe_load
- # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
- config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
-
 # Do not dump schema after migrations.
 config.active_record.dump_schema_after_migration = false