
Commit ab94461

jtoliver-quoinpnabutovsky
authored and committed
Merged in r2-3199-security (pull request #7058)
R2-3199: Updating rails to version 6.1.7.10, addressing CVE vulnerabilities in nginx docker image
2 parents 2d2b07b + a50d188 commit ab94461


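--- a/Gemfile
+++ b/Gemfile
@@ -34,7 +34,7 @@ gem 'prawn-table', '~> 0.2' # PDF generation
 gem 'puma', '~> 6.4' # Ruby Rack server
 gem 'rack', '~> 2.2'
 gem 'rack-attack', '>= 6.6' # Rack middleware to rate limit sensetive routes, such as those used for auth
-gem 'rails', '6.1.7.9'
+gem 'rails', '6.1.7.10'
 gem 'rake', '~> 13.0'
 gem 'rbnacl', '>= 7.1.1' # Libsodium Ruby binding. Used for encrypting export file passwords.
 gem 'rubyzip', '~> 2.3', # Zip and encrypt exported files
@@ -55,6 +55,7 @@ gem 'will_paginate', '~> 4.0' # Paginates ActiveRecord models TODO: Th
 gem 'write_xlsx', '~> 1.11' # Exports XLSX
 
 group :development, :test do
+gem 'brakeman', require: false
 gem 'bundler-audit', '~> 0.9'
 gem 'ci_reporter', '~> 2.0'
 gem 'factory_bot', '~> 5.0'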
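Review bot: The new `gem 'brakeman', require: false` line in the development/test group carries no version constraint, while every neighbouring entry in that group pins one (`'bundler-audit', '~> 0.9'`, `'ci_reporter', '~> 2.0'`, `'factory_bot', '~> 5.0'`). Gemfile.lock resolves it to 7.0.0 in this same commit, so `gem 'brakeman', '~> 7.0', require: false` would keep the Gemfile consistent and stop a later `bundle update` from silently moving the scanner across a major version, which can change which findings it reports. The rails bump to 6.1.7.10 on the first hunk looks fine as written.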

Gemfile.lock

+62-58
Original file line numberDiff line numberDiff line change
@@ -1,62 +1,62 @@
11
GEM
22
remote: https://rubygems.org/
33
specs:
4-
actioncable (6.1.7.9)
5-
actionpack (= 6.1.7.9)
6-
activesupport (= 6.1.7.9)
4+
actioncable (6.1.7.10)
5+
actionpack (= 6.1.7.10)
6+
activesupport (= 6.1.7.10)
77
nio4r (~> 2.0)
88
websocket-driver (>= 0.6.1)
9-
actionmailbox (6.1.7.9)
10-
actionpack (= 6.1.7.9)
11-
activejob (= 6.1.7.9)
12-
activerecord (= 6.1.7.9)
13-
activestorage (= 6.1.7.9)
14-
activesupport (= 6.1.7.9)
9+
actionmailbox (6.1.7.10)
10+
actionpack (= 6.1.7.10)
11+
activejob (= 6.1.7.10)
12+
activerecord (= 6.1.7.10)
13+
activestorage (= 6.1.7.10)
14+
activesupport (= 6.1.7.10)
1515
mail (>= 2.7.1)
16-
actionmailer (6.1.7.9)
17-
actionpack (= 6.1.7.9)
18-
actionview (= 6.1.7.9)
19-
activejob (= 6.1.7.9)
20-
activesupport (= 6.1.7.9)
16+
actionmailer (6.1.7.10)
17+
actionpack (= 6.1.7.10)
18+
actionview (= 6.1.7.10)
19+
activejob (= 6.1.7.10)
20+
activesupport (= 6.1.7.10)
2121
mail (~> 2.5, >= 2.5.4)
2222
rails-dom-testing (~> 2.0)
23-
actionpack (6.1.7.9)
24-
actionview (= 6.1.7.9)
25-
activesupport (= 6.1.7.9)
23+
actionpack (6.1.7.10)
24+
actionview (= 6.1.7.10)
25+
activesupport (= 6.1.7.10)
2626
rack (~> 2.0, >= 2.0.9)
2727
rack-test (>= 0.6.3)
2828
rails-dom-testing (~> 2.0)
2929
rails-html-sanitizer (~> 1.0, >= 1.2.0)
30-
actiontext (6.1.7.9)
31-
actionpack (= 6.1.7.9)
32-
activerecord (= 6.1.7.9)
33-
activestorage (= 6.1.7.9)
34-
activesupport (= 6.1.7.9)
30+
actiontext (6.1.7.10)
31+
actionpack (= 6.1.7.10)
32+
activerecord (= 6.1.7.10)
33+
activestorage (= 6.1.7.10)
34+
activesupport (= 6.1.7.10)
3535
nokogiri (>= 1.8.5)
36-
actionview (6.1.7.9)
37-
activesupport (= 6.1.7.9)
36+
actionview (6.1.7.10)
37+
activesupport (= 6.1.7.10)
3838
builder (~> 3.1)
3939
erubi (~> 1.4)
4040
rails-dom-testing (~> 2.0)
4141
rails-html-sanitizer (~> 1.1, >= 1.2.0)
42-
activejob (6.1.7.9)
43-
activesupport (= 6.1.7.9)
42+
activejob (6.1.7.10)
43+
activesupport (= 6.1.7.10)
4444
globalid (>= 0.3.6)
45-
activemodel (6.1.7.9)
46-
activesupport (= 6.1.7.9)
47-
activerecord (6.1.7.9)
48-
activemodel (= 6.1.7.9)
49-
activesupport (= 6.1.7.9)
45+
activemodel (6.1.7.10)
46+
activesupport (= 6.1.7.10)
47+
activerecord (6.1.7.10)
48+
activemodel (= 6.1.7.10)
49+
activesupport (= 6.1.7.10)
5050
activerecord-nulldb-adapter (0.9.0)
5151
activerecord (>= 5.2.0, < 7.1)
52-
activestorage (6.1.7.9)
53-
actionpack (= 6.1.7.9)
54-
activejob (= 6.1.7.9)
55-
activerecord (= 6.1.7.9)
56-
activesupport (= 6.1.7.9)
52+
activestorage (6.1.7.10)
53+
actionpack (= 6.1.7.10)
54+
activejob (= 6.1.7.10)
55+
activerecord (= 6.1.7.10)
56+
activesupport (= 6.1.7.10)
5757
marcel (~> 1.0)
5858
mini_mime (>= 1.1.0)
59-
activesupport (6.1.7.9)
59+
activesupport (6.1.7.10)
6060
concurrent-ruby (~> 1.0, >= 1.0.2)
6161
i18n (>= 1.6, < 2)
6262
minitest (>= 5.1)
@@ -94,6 +94,8 @@ GEM
9494
nokogiri (~> 1.6, >= 1.6.8)
9595
base64 (0.1.1)
9696
bcrypt (3.1.20)
97+
brakeman (7.0.0)
98+
racc
9799
builder (3.2.4)
98100
bundler-audit (0.9.1)
99101
bundler (>= 1.2.0, < 3)
@@ -209,14 +211,14 @@ GEM
209211
multipart-post (2.3.0)
210212
net-http-persistent (4.0.2)
211213
connection_pool (~> 2.2)
212-
net-imap (0.5.1)
214+
net-imap (0.5.6)
213215
date
214216
net-protocol
215217
net-pop (0.1.2)
216218
net-protocol
217219
net-protocol (0.2.2)
218220
timeout
219-
net-smtp (0.5.0)
221+
net-smtp (0.5.1)
220222
net-protocol
221223
nio4r (2.7.4)
222224
nokogiri (1.16.8)
@@ -257,20 +259,20 @@ GEM
257259
rack_session_access (0.2.0)
258260
builder (>= 2.0.0)
259261
rack (>= 1.0.0)
260-
rails (6.1.7.9)
261-
actioncable (= 6.1.7.9)
262-
actionmailbox (= 6.1.7.9)
263-
actionmailer (= 6.1.7.9)
264-
actionpack (= 6.1.7.9)
265-
actiontext (= 6.1.7.9)
266-
actionview (= 6.1.7.9)
267-
activejob (= 6.1.7.9)
268-
activemodel (= 6.1.7.9)
269-
activerecord (= 6.1.7.9)
270-
activestorage (= 6.1.7.9)
271-
activesupport (= 6.1.7.9)
262+
rails (6.1.7.10)
263+
actioncable (= 6.1.7.10)
264+
actionmailbox (= 6.1.7.10)
265+
actionmailer (= 6.1.7.10)
266+
actionpack (= 6.1.7.10)
267+
actiontext (= 6.1.7.10)
268+
actionview (= 6.1.7.10)
269+
activejob (= 6.1.7.10)
270+
activemodel (= 6.1.7.10)
271+
activerecord (= 6.1.7.10)
272+
activestorage (= 6.1.7.10)
273+
activesupport (= 6.1.7.10)
272274
bundler (>= 1.15.0)
273-
railties (= 6.1.7.9)
275+
railties (= 6.1.7.10)
274276
sprockets-rails (>= 2.0.0)
275277
rails-controller-testing (1.0.5)
276278
actionpack (>= 5.0.1.rc1)
@@ -286,9 +288,9 @@ GEM
286288
rails-i18n (7.0.8)
287289
i18n (>= 0.7, < 2)
288290
railties (>= 6.0.0, < 8)
289-
railties (6.1.7.9)
290-
actionpack (= 6.1.7.9)
291-
activesupport (= 6.1.7.9)
291+
railties (6.1.7.10)
292+
actionpack (= 6.1.7.10)
293+
activesupport (= 6.1.7.10)
292294
method_source
293295
rake (>= 12.2)
294296
thor (~> 1.0)
@@ -401,7 +403,7 @@ GEM
401403
unicode-display_width (>= 1.1.1, < 3)
402404
text (1.3.1)
403405
thor (1.3.1)
404-
timeout (0.4.2)
406+
timeout (0.4.3)
405407
ttfunk (1.7.0)
406408
twitter_cldr (4.4.5)
407409
camertron-eprun
@@ -422,7 +424,8 @@ GEM
422424
hkdf (~> 1.0)
423425
jwt (~> 2.0)
424426
openssl (~> 3.0)
425-
websocket-driver (0.7.6)
427+
websocket-driver (0.7.7)
428+
base64
426429
websocket-extensions (>= 0.1.0)
427430
websocket-extensions (0.1.5)
428431
will_paginate (4.0.0)
@@ -437,6 +440,7 @@ DEPENDENCIES
437440
activerecord-nulldb-adapter
438441
aws-sdk-s3 (~> 1.130)
439442
azure-storage-blob (~> 1.1)
443+
brakeman
440444
bundler-audit (~> 0.9)
441445
cancancan (~> 3.5)
442446
ci_reporter (~> 2.0)
@@ -474,7 +478,7 @@ DEPENDENCIES
474478
rack-mini-profiler (>= 1.0.0)
475479
rack-test (~> 1.1)
476480
rack_session_access (~> 0.2)
477-
rails (= 6.1.7.9)
481+
rails (= 6.1.7.10)
478482
rails-controller-testing (~> 1.0)
479483
rake (~> 13.0)
480484
rbnacl (>= 7.1.1)

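--- a/app/services/search/search_query.rb
+++ b/app/services/search/search_query.rb
@@ -32,8 +32,11 @@ def phonetic(value)
 return self unless value.present?
 
 tokens = LanguageService.tokenize(value)
+order_query = ActiveRecord::Base.sanitize_sql_for_order(
+"#{phonetic_score_query(tokens)} #{similarity_score_query(value)}"
+)
 @query = @query.where("phonetic_data ->'tokens' ?| array[:values]", values: tokens)
-.order(Arel.sql("#{phonetic_score_query(tokens)} #{similarity_score_query(value)}"))
+.order(Arel.sql(order_query))
 self
 end
 
@@ -71,9 +74,10 @@ def with_sort(sort)
 return self unless sort.present?
 
 sort.each do |sort_field, direction|
-@query = @query.order(
-ActiveRecord::Base.sanitize_sql_for_order([Arel.sql("data->? #{order_direction(direction)}"), [sort_field]])
-)
+field = ActiveRecord::Base.sanitize_sql_array(['data->?', sort_field])
+direction = order_direction(direction)
+order_query = ActiveRecord::Base.sanitize_sql_for_order("#{field} #{direction}")
+@query = @query.order(Arel.sql(order_query))
 end
 
 self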
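Review bot: `ActiveRecord::Base.sanitize_sql_for_order` is handed a plain interpolated String in both `phonetic` (new lines 35–37) and `with_sort` (new line 79); in Rails 6.1 that method only sanitizes when given an Array whose first element contains bind placeholders and returns a bare String unchanged, so the wrapper adds no quoting here and the following `Arel.sql` still marks the text as trusted. In `with_sort` this is harmless because `field` is already built by `sanitize_sql_array(['data->?', sort_field])`, which does escape `sort_field`, but in `phonetic` the safety of the ORDER BY rests entirely on `phonetic_score_query(tokens)` and `similarity_score_query(value)` quoting their inputs, and those helpers are outside the hunk — either pass the Array form so the binds are actually escaped, or add a comment at the call site such as `# sanitize_sql_for_order is a no-op on a String; phonetic_score_query/similarity_score_query must quote tokens and value themselves`. Separately, `direction = order_direction(direction)` in `with_sort` reassigns the block parameter, which makes the raw and the SQL-ready value easy to confuse; `sql_direction = order_direction(direction)` with `"#{field} #{sql_direction}"` reads more clearly. `order_direction` is also defined outside the hunk, so whether it restricts the value to ASC/DESC cannot be confirmed from here.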

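--- a/docker/nginx/Dockerfile
+++ b/docker/nginx/Dockerfile
@@ -3,9 +3,9 @@
 # ------------------------------------------------------------------ BUILD STAGE
 
 ARG BUILD_REGISTRY
-ARG version=1.27.1
+ARG version=1.27.4
 # TODO: Although the rest of Primero uses Alpine 3.20 base images, Nginx doesn't have one.
-ARG ALPINE_VERSION=3.20
+ARG ALPINE_VERSION=3.21
 
 FROM ${BUILD_REGISTRY}nginx:${version}-alpine${ALPINE_VERSION} AS builder
 ARG version
@@ -43,7 +43,7 @@ ENV GROUP_ID=${NGINX_GID}
 # If you are updating `version` or `ALPINE_VERSION`,
 # run: `docker scout cves primero/nginx:my-tag` to verify whether the versions of the security packages
 # listed in SECURITY_UPDATED_PACKAGES are still necessary.
-ENV SECURITY_UPDATED_PACKAGES="libexpat>2.6.3-r0 curl>8.10"
+ENV SECURITY_UPDATED_PACKAGES="libexpat>2.6.3-r0 curl>8.12.0-r0 musl=1.2.5-r9 musl-utils=1.2.5-r9"
 
 COPY [ "nginx/root/", "/" ]
 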