From cf2182ab4b145429fb314c0cb7bffc2e605cd55b Mon Sep 17 00:00:00 2001
From: oleghasjanov
Date: Thu, 14 Mar 2024 11:03:30 +0200
Subject: [PATCH] valnurable fixes
---
Dockerfile.dev | 5 +-
Gemfile | 4 +-
Gemfile.lock | 140 ++++++++++++++++++++---------------------
config/brakeman.ignore | 16 ++---
4 files changed, 82 insertions(+), 83 deletions(-)
diff --git a/Dockerfile.dev b/Dockerfile.dev
index 9583127..c9fca2a 100644
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -31,15 +31,14 @@ WORKDIR $APP_PATH
COPY Gemfile Gemfile.lock ./
RUN gem install bundler -v $BUNDLER_VERSION
-RUN bundle config --global frozen 1 && \
- bundle install && \
+RUN bundle install && \
rm -rf /usr/local/bundle/cache/*.gem && \
find /usr/local/bundle/gems/ -name "*.c" -delete && \
find /usr/local/bundle/gems/ -name "*.o" -delete
COPY package.json yarn.lock ./
-RUN yarn install --frozen-lockfile --non-interactive --production
+RUN yarn install --non-interactive
ADD . $APP_PATH
diff --git a/Gemfile b/Gemfile
index aad64c2..bd98b18 100644
--- a/Gemfile
+++ b/Gemfile
@@ -24,8 +24,8 @@ gem 'pagy', '~> 6.0'
gem 'pg', '~> 1.1'
gem 'phonelib'
gem 'propshaft'
-gem 'puma', '>= 6.3.1'
-gem 'rails', '~> 7.0.5', '>= 7.0.7.1'
+gem 'puma', '>= 6.4.2'
+gem 'rails', '~> 7.0.5', '>= 7.0.8.1'
gem 'redis', '~> 4.0'
gem 'redis-namespace'
gem 'sidekiq', '>=7'
diff --git a/Gemfile.lock b/Gemfile.lock
index a98c41b..fdaf7d3 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
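Review bot: Removing `bundle config --global frozen 1` and yarn's `--frozen-lockfile` lets the image build resolve dependencies that the committed Gemfile.lock and yarn.lock do not pin, so the puma 6.4.2 / Rails 7.0.8.1 floors this same commit adds to the Gemfile are no longer guaranteed to be what actually lands in the image, and a Gemfile/lock drift is papered over instead of failing the build. If frozen mode started failing because the lock was regenerated, the fix is to commit the updated lock and keep the flags: `RUN bundle config --global frozen 1 && \` / `    bundle install && \` and `RUN yarn install --frozen-lockfile --non-interactive`. Dropping `--production` may be intentional for a dev image, but the reason is not stated; a one-line comment above the yarn step such as `# dev image: devDependencies are needed for the asset toolchain` would make that explicit.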
@@ -29,67 +29,67 @@ GEM specs: aasm (5.5.0) concurrent-ruby (~> 1.0) - actioncable (7.0.8) - actionpack (= 7.0.8) - activesupport (= 7.0.8) + actioncable (7.0.8.1) + actionpack (= 7.0.8.1) + activesupport (= 7.0.8.1) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailbox (7.0.8) - actionpack (= 7.0.8) - activejob (= 7.0.8) - activerecord (= 7.0.8) - activestorage (= 7.0.8) - activesupport (= 7.0.8) + actionmailbox (7.0.8.1) + actionpack (= 7.0.8.1) + activejob (= 7.0.8.1) + activerecord (= 7.0.8.1) + activestorage (= 7.0.8.1) + activesupport (= 7.0.8.1) mail (>= 2.7.1) net-imap net-pop net-smtp - actionmailer (7.0.8) - actionpack (= 7.0.8) - actionview (= 7.0.8) - activejob (= 7.0.8) - activesupport (= 7.0.8) + actionmailer (7.0.8.1) + actionpack (= 7.0.8.1) + actionview (= 7.0.8.1) + activejob (= 7.0.8.1) + activesupport (= 7.0.8.1) mail (~> 2.5, >= 2.5.4) net-imap net-pop net-smtp rails-dom-testing (~> 2.0) - actionpack (7.0.8) - actionview (= 7.0.8) - activesupport (= 7.0.8) + actionpack (7.0.8.1) + actionview (= 7.0.8.1) + activesupport (= 7.0.8.1) rack (~> 2.0, >= 2.2.4) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.2.0) - actiontext (7.0.8) - actionpack (= 7.0.8) - activerecord (= 7.0.8) - activestorage (= 7.0.8) - activesupport (= 7.0.8) + actiontext (7.0.8.1) + actionpack (= 7.0.8.1) + activerecord (= 7.0.8.1) + activestorage (= 7.0.8.1) + activesupport (= 7.0.8.1) globalid (>= 0.6.0) nokogiri (>= 1.8.5) - actionview (7.0.8) - activesupport (= 7.0.8) + actionview (7.0.8.1) + activesupport (= 7.0.8.1) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.1, >= 1.2.0) - activejob (7.0.8) - activesupport (= 7.0.8) + activejob (7.0.8.1) + activesupport (= 7.0.8.1) globalid (>= 0.3.6) - activemodel (7.0.8) - activesupport (= 7.0.8) - activerecord (7.0.8) - activemodel (= 7.0.8) - activesupport (= 7.0.8) - activestorage (7.0.8) - actionpack (= 7.0.8) - activejob (= 7.0.8) - activerecord (= 
7.0.8) - activesupport (= 7.0.8) + activemodel (7.0.8.1) + activesupport (= 7.0.8.1) + activerecord (7.0.8.1) + activemodel (= 7.0.8.1) + activesupport (= 7.0.8.1) + activestorage (7.0.8.1) + actionpack (= 7.0.8.1) + activejob (= 7.0.8.1) + activerecord (= 7.0.8.1) + activesupport (= 7.0.8.1) marcel (~> 1.0) mini_mime (>= 1.1.0) - activesupport (7.0.8) + activesupport (7.0.8.1) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 1.6, < 2) minitest (>= 5.1) @@ -134,7 +134,7 @@ GEM regexp_parser (>= 1.5, < 3.0) xpath (~> 3.2) coderay (1.1.3) - concurrent-ruby (1.2.2) + concurrent-ruby (1.2.3) connection_pool (2.4.1) countries (5.4.0) unaccent (~> 0.3) @@ -182,7 +182,7 @@ GEM rails (>= 5.2) highline (2.1.0) hpricot (0.8.6) - i18n (1.14.1) + i18n (1.14.4) concurrent-ruby (~> 1.0) i18n-debug (1.2.0) i18n (< 2) @@ -222,11 +222,11 @@ GEM net-imap net-pop net-smtp - marcel (1.0.2) + marcel (1.0.4) matrix (0.4.2) method_source (1.0.0) mini_mime (1.1.5) - minitest (5.20.0) + minitest (5.22.3) msgpack (1.6.1) net-imap (0.4.2) date @@ -238,11 +238,11 @@ GEM net-smtp (0.4.0) net-protocol nio4r (2.5.9) - nokogiri (1.15.4-aarch64-linux) + nokogiri (1.16.2-aarch64-linux) racc (~> 1.4) - nokogiri (1.15.4-arm64-darwin) + nokogiri (1.16.2-arm64-darwin) racc (~> 1.4) - nokogiri (1.15.4-x86_64-linux) + nokogiri (1.16.2-x86_64-linux) racc (~> 1.4) omniauth (2.1.1) hashie (>= 3.4.6) @@ -280,9 +280,9 @@ GEM coderay (~> 1.1) method_source (~> 1.0) public_suffix (5.0.3) - puma (6.3.1) + puma (6.4.2) nio4r (~> 2.0) - racc (1.7.1) + racc (1.7.3) rack (2.2.8) rack-oauth2 (2.2.0) activesupport 
@@ -295,20 +295,20 @@ GEM rack (~> 2.2, >= 2.2.4) rack-test (2.1.0) rack (>= 1.3) - rails (7.0.8) - actioncable (= 7.0.8) - actionmailbox (= 7.0.8) - actionmailer (= 7.0.8) - actionpack (= 7.0.8) - actiontext (= 7.0.8) - actionview (= 7.0.8) - activejob (= 7.0.8) - activemodel (= 7.0.8) - activerecord (= 7.0.8) - activestorage (= 7.0.8) - activesupport (= 7.0.8) + rails (7.0.8.1) + actioncable (= 7.0.8.1) + actionmailbox (= 7.0.8.1) + actionmailer (= 7.0.8.1) + actionpack (= 7.0.8.1) + actiontext (= 7.0.8.1) + actionview (= 7.0.8.1) + activejob (= 7.0.8.1) + activemodel (= 7.0.8.1) + activerecord (= 7.0.8.1) + activestorage (= 7.0.8.1) + activesupport (= 7.0.8.1) bundler (>= 1.15.0) - railties (= 7.0.8) + railties (= 7.0.8.1) rails-dom-testing (2.2.0) activesupport (>= 5.0.0) minitest @@ -319,9 +319,9 @@ GEM rails-i18n (7.0.6) i18n (>= 0.7, < 2) railties (>= 6.0.0, < 8) - railties (7.0.8) - actionpack (= 7.0.8) - activesupport (= 7.0.8) + railties (7.0.8.1) + actionpack (= 7.0.8.1) + activesupport (= 7.0.8.1) method_source rake (>= 12.2) thor (~> 1.0) @@ -336,7 +336,7 @@ GEM regexp_parser (2.7.0) reline (0.3.3) io-console (~> 0.5) - rexml (3.2.5) + rexml (3.2.6) rspec-core (3.12.2) rspec-support (~> 3.12.0) rspec-expectations (3.12.3) @@ -380,7 +380,7 @@ GEM ruby-progressbar (1.13.0) ruby2_keywords (0.0.5) rubyzip (2.3.2) - selenium-webdriver (4.8.5) + selenium-webdriver (4.10.0) rexml (~> 3.2, >= 3.2.5) rubyzip (>= 1.2.2, < 3.0) websocket (~> 1.0) @@ -426,7 +426,7 @@ GEM activemodel (>= 3.0.0) public_suffix vcr (6.1.0) - view_component (3.1.0) + view_component (3.11.0) activesupport (>= 5.2.0, < 8.0) concurrent-ruby (~> 1.0) method_source (~> 1.0) @@ -435,10 +435,10 @@ GEM activemodel (>= 6.0.0) bindex (>= 0.4.0) railties (>= 6.0.0) - webdrivers (5.2.0) + webdrivers (5.3.1) nokogiri (~> 1.6) rubyzip (>= 1.3.0) - selenium-webdriver (~> 4.0) + selenium-webdriver (~> 4.0, < 4.11) webfinger (2.1.2) activesupport faraday (~> 2.0) 
@@ -447,7 +447,7 @@ GEM
addressable (>= 2.8.0)
crack (>= 0.3.2)
hashdiff (>= 0.4.0, < 2.0.0)
- websocket (1.2.9)
+ websocket (1.2.10)
websocket-driver (0.7.6)
websocket-extensions (>= 0.1.0)
websocket-extensions (0.1.5)
@@ -493,8 +493,8 @@ DEPENDENCIES
phonelib
propshaft
pry
- puma (>= 6.3.1)
- rails (~> 7.0.5, >= 7.0.7.1)
+ puma (>= 6.4.2)
+ rails (~> 7.0.5, >= 7.0.8.1)
redis (~> 4.0)
redis-namespace
rspec-rails
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
index 01ba54e..bbb3755 100644
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@@ -3,18 +3,18 @@
{
"warning_type": "Mass Assignment",
"warning_code": 105,
- "fingerprint": "458e30dfa251915a965c9e7a38877df97dc540ffcce35a5f1d8aabe1432a97dd",
+ "fingerprint": "488a585e2c03fd0e68e34c696305012c5731c79785cabbf3efa500cae778a3c2",
"check_name": "PermitAttributes",
"message": "Potentially dangerous key allowed for mass assignment",
- "file": "app/controllers/registrar/contacts_controller.rb",
- "line": 61,
+ "file": "app/controllers/registrant/profiles_controller.rb",
+ "line": 19,
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
- "code": "params.require(:contact).permit(:code, :country_code, :ident, :role, :name, :email, :phone, :address_country_code, :city, :street, :state, :zip, :legal_document)",
+ "code": "params.require(:user).permit(:name, :email, :phone, :phone_code, :ident, :role, :country_code, :city, :street, :zip, :state, :legal_document, :code)",
"render_path": null,
"location": {
"type": "method",
- "class": "Registrar::ContactsController",
- "method": "contact_params"
+ "class": "Registrant::ProfilesController",
+ "method": "user_params"
},
"user_input": ":role",
"confidence": "Medium",
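Review bot: The replacement ignore entry silences a Medium-confidence mass-assignment warning on `:role` in `Registrant::ProfilesController#user_params` (`params.require(:user).permit(..., :role, ...)`) without any justification, and nothing in this diff shows whether a registrant can set their own role through that parameter. Brakeman's point is the same one it raised for `Registrar::ContactsController#contact_params`; rewriting the fingerprint only keeps the scanner quiet. If the role is re-validated or overwritten server-side, record that in the entry's note field, e.g. `"note": "role is constrained to contact roles in the model and cannot grant privileges; verified 2024-03-14"`; otherwise remove `:role` from the permit list and derive it from the authenticated context. The controller itself is not part of this commit, so the safety of this suppression cannot be confirmed from the hunk.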
@@ -30,7 +30,7 @@
"check_name": "PermitAttributes",
"message": "Potentially dangerous key allowed for mass assignment",
"file": "app/controllers/registrar/contacts_controller.rb",
- "line": 61,
+ "line": 69,
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
"code": "params.require(:contact).permit(:code, :country_code, :ident, :phone_code, :role, :name, :email, :phone, :address_country_code, :city, :street, :state, :zip, :legal_document)",
"render_path": null,
@@ -47,6 +47,6 @@
"note": ""
}
],
- "updated": "2023-10-25 11:42:50 +0000",
+ "updated": "2024-03-14 08:57:44 +0000",
"brakeman_version": "6.0.0"
}