From 647d7e61679ac4c28c081532ad0a0d7e1f80482b Mon Sep 17 00:00:00 2001
From: Kasper Timm Hansen <kaspth@gmail.com>
Date: Tue, 8 Jan 2019 22:19:22 +0100
Subject: [PATCH] Revert "Revert "Merge pull request #34387 from
 yhirano55/rails_info_properties_json""

I reverted the wrong commit. Damn it.

This reverts commit f66a977fc7ae30d2a07124ad91924c4ee638a703.
---
 actioncable/actioncable.gemspec                       |  3 +++
 actionmailer/actionmailer.gemspec                     |  3 +++
 actionpack/actionpack.gemspec                         |  3 +++
 actionview/actionview.gemspec                         |  3 +++
 activejob/activejob.gemspec                           |  3 +++
 activemodel/activemodel.gemspec                       |  3 +++
 activerecord/activerecord.gemspec                     |  3 +++
 activestorage/activestorage.gemspec                   |  3 +++
 activesupport/activesupport.gemspec                   |  3 +++
 guides/source/security.md                             |  5 +++++
 .../config/initializers/content_security_policy.rb.tt |  4 ++++
 railties/railties.gemspec                             |  3 +++
 railties/test/generators/app_generator_test.rb        | 11 +++++++++++
 13 files changed, 50 insertions(+)

diff --git a/actioncable/actioncable.gemspec b/actioncable/actioncable.gemspec
index c98ec9afc9..29836f012f 100644
--- a/actioncable/actioncable.gemspec
+++ b/actioncable/actioncable.gemspec
@@ -25,6 +25,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actioncable/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "actionpack", version
 
   s.add_dependency "nio4r",            "~> 2.0"
diff --git a/actionmailer/actionmailer.gemspec b/actionmailer/actionmailer.gemspec
index 4503a30cca..c76cb3ec72 100644
--- a/actionmailer/actionmailer.gemspec
+++ b/actionmailer/actionmailer.gemspec
@@ -26,6 +26,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actionmailer/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "actionpack", version
   s.add_dependency "actionview", version
   s.add_dependency "activejob", version
diff --git a/actionpack/actionpack.gemspec b/actionpack/actionpack.gemspec
index b3967f6ce4..c4c755b7ac 100644
--- a/actionpack/actionpack.gemspec
+++ b/actionpack/actionpack.gemspec
@@ -26,6 +26,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actionpack/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "activesupport", version
 
   s.add_dependency "rack",      "~> 2.0"
diff --git a/actionview/actionview.gemspec b/actionview/actionview.gemspec
index dfc0072469..d8bd233ceb 100644
--- a/actionview/actionview.gemspec
+++ b/actionview/actionview.gemspec
@@ -26,6 +26,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actionview/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "activesupport", version
 
   s.add_dependency "builder",       "~> 3.1"
diff --git a/activejob/activejob.gemspec b/activejob/activejob.gemspec
index 40ca33dbfd..c3c0447d8e 100644
--- a/activejob/activejob.gemspec
+++ b/activejob/activejob.gemspec
@@ -25,6 +25,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activejob/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "activesupport", version
   s.add_dependency "globalid", ">= 0.3.6"
 end
diff --git a/activemodel/activemodel.gemspec b/activemodel/activemodel.gemspec
index 24e5e838dd..4deb76814b 100644
--- a/activemodel/activemodel.gemspec
+++ b/activemodel/activemodel.gemspec
@@ -25,5 +25,8 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activemodel/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "activesupport", version
 end
diff --git a/activerecord/activerecord.gemspec b/activerecord/activerecord.gemspec
index a8c2cc76a6..1e198c3a55 100644
--- a/activerecord/activerecord.gemspec
+++ b/activerecord/activerecord.gemspec
@@ -28,6 +28,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activerecord/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "activesupport", version
   s.add_dependency "activemodel",   version
 end
diff --git a/activestorage/activestorage.gemspec b/activestorage/activestorage.gemspec
index 244065837c..dfada7054a 100644
--- a/activestorage/activestorage.gemspec
+++ b/activestorage/activestorage.gemspec
@@ -25,6 +25,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activestorage/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "actionpack", version
   s.add_dependency "activerecord", version
 
diff --git a/activesupport/activesupport.gemspec b/activesupport/activesupport.gemspec
index b5fa510bb3..bdd7bc70a0 100644
--- a/activesupport/activesupport.gemspec
+++ b/activesupport/activesupport.gemspec
@@ -27,6 +27,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activesupport/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "i18n",       ">= 0.7", "< 2"
   s.add_dependency "tzinfo",     "~> 1.1"
   s.add_dependency "minitest",   "~> 5.1"
diff --git a/guides/source/security.md b/guides/source/security.md
index bb996cc39c..dbec3cdd2d 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -1235,6 +1235,11 @@ version:
 Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key is blank
 ```
 
+Dependency Management and CVEs
+------------------------------
+
+We don’t bump dependencies just to encourage use of new versions, including for security issues. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
+
 Additional Resources
 --------------------
 
diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
index d3bcaa5ec8..c517b0f96b 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
@@ -11,6 +11,10 @@
 #   policy.object_src  :none
 #   policy.script_src  :self, :https
 #   policy.style_src   :self, :https
+<%- unless options[:skip_javascript] -%>
+#   # If you are using webpack-dev-server then specify webpack-dev-server host
+#   policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
+<%- end -%>
 
 #   # Specify URI for violation reports
 #   # policy.report_uri "/csp-violation-report-endpoint"
diff --git a/railties/railties.gemspec b/railties/railties.gemspec
index e7de51f52a..1bfb0dfe48 100644
--- a/railties/railties.gemspec
+++ b/railties/railties.gemspec
@@ -30,6 +30,9 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/railties/CHANGELOG.md"
   }
 
+  # NOTE: Please read our dependency guidelines before updating versions:
+  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
   s.add_dependency "activesupport", version
   s.add_dependency "actionpack",    version
 
diff --git a/railties/test/generators/app_generator_test.rb b/railties/test/generators/app_generator_test.rb
index a421ac326d..47e401c34f 100644
--- a/railties/test/generators/app_generator_test.rb
+++ b/railties/test/generators/app_generator_test.rb
@@ -230,6 +230,14 @@ class AppGeneratorTest < Rails::Generators::TestCase
     assert_equal "false\n", output
   end
 
+  def test_csp_initializer_include_connect_src_example
+    run_generator
+
+    assert_file "config/initializers/content_security_policy.rb" do |content|
+      assert_match(/#   policy\.connect_src/, content)
+    end
+  end
+
   def test_app_update_keep_the_cookie_serializer_if_it_is_already_configured
     app_root = File.join(destination_root, "myapp")
     run_generator [app_root]
@@ -837,6 +845,9 @@ class AppGeneratorTest < Rails::Generators::TestCase
     end
 
     assert_no_gem "webpacker"
+    assert_file "config/initializers/content_security_policy.rb" do |content|
+      assert_no_match(/policy\.connect_src/, content)
+    end
   end
 
   def test_webpack_option_with_js_framework