Revert "Revert "Merge pull request #34387 from yhirano55/rails_info_properties_json""

I reverted the wrong commit. Damn it. This reverts commit f66a977fc7.
2019-01-08 22:19:22 +01:00 · 2019-01-08 22:19:22 +01:00 · 647d7e6167
parent f66a977fc7
commit 647d7e6167
13 changed files with 50 additions and 0 deletions
--- a/actioncable/actioncable.gemspec
+++ b/actioncable/actioncable.gemspec
@ -25,6 +25,9 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actioncable/CHANGELOG.md"
  }

+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
  s.add_dependency "actionpack", version

  s.add_dependency "nio4r",            "~> 2.0"
--- a/actionmailer/actionmailer.gemspec
+++ b/actionmailer/actionmailer.gemspec
@ -26,6 +26,9 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actionmailer/CHANGELOG.md"
  }

+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
  s.add_dependency "actionpack", version
  s.add_dependency "actionview", version
  s.add_dependency "activejob", version
--- a/actionpack/actionpack.gemspec
+++ b/actionpack/actionpack.gemspec
@ -26,6 +26,9 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actionpack/CHANGELOG.md"
  }

+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
  s.add_dependency "activesupport", version

  s.add_dependency "rack",      "~> 2.0"
--- a/actionview/actionview.gemspec
+++ b/actionview/actionview.gemspec
@ -26,6 +26,9 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actionview/CHANGELOG.md"
  }

+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
  s.add_dependency "activesupport", version

  s.add_dependency "builder",       "~> 3.1"
--- a/activejob/activejob.gemspec
+++ b/activejob/activejob.gemspec
@ -25,6 +25,9 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activejob/CHANGELOG.md"
  }

+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
  s.add_dependency "activesupport", version
  s.add_dependency "globalid", ">= 0.3.6"
 end
--- a/activemodel/activemodel.gemspec
+++ b/activemodel/activemodel.gemspec
@ -25,5 +25,8 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activemodel/CHANGELOG.md"
  }

+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
  s.add_dependency "activesupport", version
 end
--- a/activerecord/activerecord.gemspec
+++ b/activerecord/activerecord.gemspec
@ -28,6 +28,9 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activerecord/CHANGELOG.md"
  }

+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
  s.add_dependency "activesupport", version
  s.add_dependency "activemodel",   version
 end
--- a/activestorage/activestorage.gemspec
+++ b/activestorage/activestorage.gemspec
@ -25,6 +25,9 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activestorage/CHANGELOG.md"
  }

+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
  s.add_dependency "actionpack", version
  s.add_dependency "activerecord", version

--- a/activesupport/activesupport.gemspec
+++ b/activesupport/activesupport.gemspec
@ -27,6 +27,9 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activesupport/CHANGELOG.md"
  }

+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
  s.add_dependency "i18n",       ">= 0.7", "< 2"
  s.add_dependency "tzinfo",     "~> 1.1"
  s.add_dependency "minitest",   "~> 5.1"
--- a/guides/source/security.md
+++ b/guides/source/security.md
@ -1235,6 +1235,11 @@ version:
 Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key is blank
 ```

+Dependency Management and CVEs
+------------------------------
+
+We don’t bump dependencies just to encourage use of new versions, including for security issues. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
+
 Additional Resources
 --------------------

--- a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
@ -11,6 +11,10 @@
 #   policy.object_src  :none
 #   policy.script_src  :self, :https
 #   policy.style_src   :self, :https
+<%- unless options[:skip_javascript] -%>
+#   # If you are using webpack-dev-server then specify webpack-dev-server host
+#   policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
+<%- end -%>

 #   # Specify URI for violation reports
 #   # policy.report_uri "/csp-violation-report-endpoint"
--- a/railties/railties.gemspec
+++ b/railties/railties.gemspec
@ -30,6 +30,9 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/railties/CHANGELOG.md"
  }

+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
  s.add_dependency "activesupport", version
  s.add_dependency "actionpack",    version

--- a/railties/test/generators/app_generator_test.rb
+++ b/railties/test/generators/app_generator_test.rb
@ -230,6 +230,14 @@ class AppGeneratorTest < Rails::Generators::TestCase
    assert_equal "false\n", output
  end

+  def test_csp_initializer_include_connect_src_example
+    run_generator
+
+    assert_file "config/initializers/content_security_policy.rb" do |content|
+      assert_match(/#   policy\.connect_src/, content)
+    end
+  end
+
  def test_app_update_keep_the_cookie_serializer_if_it_is_already_configured
    app_root = File.join(destination_root, "myapp")
    run_generator [app_root]
@ -837,6 +845,9 @@ class AppGeneratorTest < Rails::Generators::TestCase
    end

    assert_no_gem "webpacker"
+    assert_file "config/initializers/content_security_policy.rb" do |content|
+      assert_no_match(/policy\.connect_src/, content)
+    end
  end

  def test_webpack_option_with_js_framework