From 504bb07ae1e70b789e0a008232453849ae4dfb15 Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Wed, 12 May 2021 14:14:50 +0200
Subject: [PATCH] Use urlsafe_csrf_tokens to allow migrating from Rails 5.2.5+
---
 Gemfile | 3 +-
 Gemfile.lock | 72 +++++++++++++++++++++++--------------------
 config/application.rb | 5 +++
 yarn.lock | 6 ++--
 4 files changed, 49 insertions(+), 37 deletions(-)
diff --git a/Gemfile b/Gemfile
index 50b036ee..b74725fc 100644
--- a/Gemfile
+++ b/Gemfile
@@ -25,7 +25,8 @@ gem 'prometheus_exporter'
 gem 'pry-byebug'
 gem 'puma'
 gem 'pundit'
-gem 'rails', '6.0.3.7'
+# Switch to a newer 6.0 release while 6.0.3.7 is the newest version with the CSRF bug
+gem 'rails', git: 'https://github.com/rails/rails', branch: '6-0-stable'
 gem 'rails_admin'
 gem 'rails-i18n'
 gem 'rails-timeago'
diff --git a/Gemfile.lock b/Gemfile.lock
index a87ceef9..90d35a08 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -18,10 +18,11 @@ GIT nokogiri (>= 1.10.2, < 1.12.0) rubyzip (>= 1.2.2, < 2.4.0) -GEM - remote: https://rubygems.org/ +GIT + remote: https://github.com/rails/rails + revision: ef97441036e0ebbe1aa2108d59c408707f998ffd + branch: 6-0-stable specs: - ZenTest (4.12.0) actioncable (6.0.3.7) actionpack (= 6.0.3.7) nio4r (~> 2.0)
@@ -63,10 +64,6 @@ GEM globalid (>= 0.3.6) activemodel (6.0.3.7) activesupport (= 6.0.3.7) - activemodel-serializers-xml (1.0.2) - activemodel (> 5.x) - activesupport (> 5.x) - builder (~> 3.1) activerecord (6.0.3.7) activemodel (= 6.0.3.7) activesupport (= 6.0.3.7)
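Review bot: `gem 'rails', git: 'https://github.com/rails/rails', branch: '6-0-stable'` in the Gemfile hunk tracks a moving branch, so a later `bundle update` can pull whatever 6-0-stable contains at that moment rather than the commit that was reviewed with this change. The Gemfile.lock hunk already records the exact revision (ef97441036e0ebbe1aa2108d59c408707f998ffd), and the Gemfile should state the same intent so the two cannot drift apart: `gem 'rails', git: 'https://github.com/rails/rails', branch: '6-0-stable', ref: 'ef97441036e0ebbe1aa2108d59c408707f998ffd'`. The comment line above it is also easy to misread ("6.0.3.7 is the newest version with the CSRF bug" could be taken to mean the bug is newest in 6.0.3.7); `# 6.0.3.7 still has the CSRF token bug; track 6-0-stable until a 6.0 release containing the fix is published, then pin that release` says what is meant and when to undo it.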
@@ -81,6 +78,36 @@ GEM minitest (~> 5.1) tzinfo (~> 1.1) zeitwerk (~> 2.2, >= 2.2.2) + rails (6.0.3.7) + actioncable (= 6.0.3.7) + actionmailbox (= 6.0.3.7) + actionmailer (= 6.0.3.7) + actionpack (= 6.0.3.7) + actiontext (= 6.0.3.7) + actionview (= 6.0.3.7) + activejob (= 6.0.3.7) + activemodel (= 6.0.3.7) + activerecord (= 6.0.3.7) + activestorage (= 6.0.3.7) + activesupport (= 6.0.3.7) + bundler (>= 1.3.0) + railties (= 6.0.3.7) + sprockets-rails (>= 2.0.0) + railties (6.0.3.7) + actionpack (= 6.0.3.7) + activesupport (= 6.0.3.7) + method_source + rake (>= 0.8.7) + thor (>= 0.20.3, < 2.0) + +GEM + remote: https://rubygems.org/ + specs: + ZenTest (4.12.0) + activemodel-serializers-xml (1.0.2) + activemodel (> 5.x) + activesupport (> 5.x) + builder (~> 3.1) addressable (2.7.0) public_suffix (>= 2.0.2, < 5.0) amq-protocol (2.3.2) @@ -277,7 +304,7 @@ GEM pry-rails (0.3.9) pry (>= 0.10.4) public_suffix (4.0.6) - puma (5.3.0) + puma (5.3.1) nio4r (~> 2.0) pundit (2.1.0) activesupport (>= 3.0.0) @@ -292,21 +319,6 @@ GEM rack rack-test (1.1.0) rack (>= 1.0, < 3) - rails (6.0.3.7) - actioncable (= 6.0.3.7) - actionmailbox (= 6.0.3.7) - actionmailer (= 6.0.3.7) - actionpack (= 6.0.3.7) - actiontext (= 6.0.3.7) - actionview (= 6.0.3.7) - activejob (= 6.0.3.7) - activemodel (= 6.0.3.7) - activerecord (= 6.0.3.7) - activestorage (= 6.0.3.7) - activesupport (= 6.0.3.7) - bundler (>= 1.3.0) - railties (= 6.0.3.7) - sprockets-rails (>= 2.0.0) rails-controller-testing (1.0.5) actionpack (>= 5.0.1.rc1) actionview (>= 5.0.1.rc1) @@ -334,12 +346,6 @@ GEM rails (>= 5.0, < 7) remotipart (~> 1.3) sassc-rails (>= 1.3, < 3) - railties (6.0.3.7) - actionpack (= 6.0.3.7) - activesupport (= 6.0.3.7) - method_source - rake (>= 0.8.7) - thor (>= 0.20.3, < 2.0) rainbow (3.0.0) rake (13.0.3) ransack (2.4.2) 
@@ -425,11 +431,11 @@ GEM sentry-rails (4.4.0) railties (>= 5.0) sentry-ruby-core (~> 4.4.0.pre.beta) - sentry-ruby (4.4.1) + sentry-ruby (4.4.2) concurrent-ruby (~> 1.0, >= 1.0.2) faraday (>= 1.0) - sentry-ruby-core (= 4.4.1) - sentry-ruby-core (4.4.1) + sentry-ruby-core (= 4.4.2) + sentry-ruby-core (4.4.2) concurrent-ruby faraday shoulda-matchers (4.5.1)
@@ -546,7 +552,7 @@ DEPENDENCIES puma pundit rack-mini-profiler - rails (= 6.0.3.7) + rails! rails-controller-testing rails-i18n rails-timeago
diff --git a/config/application.rb b/config/application.rb
index 0be1801d..8cb60d8c 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -13,6 +13,11 @@ module CodeOcean
 # Initialize configuration defaults for originally generated Rails version.
 config.load_defaults 6.0
 
+ # In Rails 5.2.5, the CSRF token format is accidentally changed to urlsafe-encoded.
+ # If you upgrade apps from 5.2.5, set the config `urlsafe_csrf_tokens = true`.
+ # ToDo: Remove after upgrade to Rails 6.1
+ Rails.application.config.action_controller.urlsafe_csrf_tokens = true
+
 # Settings in config/environments/* take precedence over those specified here.
 # Application configuration can go into files in config/initializers
 # -- all .rb files in that directory are automatically loaded after loading
diff --git a/yarn.lock b/yarn.lock
index eeb9e2b6..e95bdaa7 100644
--- a/yarn.lock
+++ b/yarn.lock
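Review bot: `Rails.application.config.action_controller.urlsafe_csrf_tokens = true` in the config/application.rb hunk reaches for the global application object from inside the application's own class body, while the neighbouring line uses the local `config` (`config.load_defaults 6.0`); `config.action_controller.urlsafe_csrf_tokens = true` is the same setting, consistent with the rest of the block, and does not rely on `Rails.application` already pointing at the class being defined. The copied comment ("If you upgrade apps from 5.2.5") also does not describe this app, which the Gemfile hunk shows was on 6.0.3.7; the comment should say why this app needs the flag — presumably so CSRF tokens already held in live sessions, issued in the urlsafe format by 6.0.3.7, keep verifying once the gem moves to a revision that changes the format — so the next maintainer knows when it is safe to drop. A replacement for the three comment lines along the lines of `# Keep issuing urlsafe-encoded CSRF tokens (the format 6.0.3.7 produced) so sessions created before this upgrade stay valid. TODO: drop once on Rails 6.1, where urlsafe tokens are the default.` would carry that reasoning. The enclosing class continues outside the hunk.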
@@ -5689,9 +5689,9 @@ postcss-selector-parser@^5.0.0-rc.3, postcss-selector-parser@^5.0.0-rc.4: uniq "^1.0.1" postcss-selector-parser@^6.0.0, postcss-selector-parser@^6.0.2: - version "6.0.5" - resolved "https://registry.yarnpkg.com/postcss-selector-parser/-/postcss-selector-parser-6.0.5.tgz#042d74e137db83e6f294712096cb413f5aa612c4" - integrity sha512-aFYPoYmXbZ1V6HZaSvat08M97A8HqO6Pjz+PiNpw/DhuRrC72XWAdp3hL6wusDCN31sSmcZyMGa2hZEuX+Xfhg== + version "6.0.6" + resolved "https://registry.yarnpkg.com/postcss-selector-parser/-/postcss-selector-parser-6.0.6.tgz#2c5bba8174ac2f6981ab631a42ab0ee54af332ea" + integrity sha512-9LXrvaaX3+mcv5xkg5kFwqSzSH1JIObIx51PrndZwlmznwXRfxMddDvo9gve3gVR8ZTKgoFDdWkbRFmEhT4PMg== dependencies: cssesc "^3.0.0" util-deprecate "^1.0.2"