Package: rails / 2:6.0.3.7+dfsg-2+deb11u2

Metadata

Package: rails
Version: 2:6.0.3.7+dfsg-2+deb11u2
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
0001 Be careful with that bundler.patch

railties/lib/rails/generators/app_base.rb | 4 2 + 2 - 0 !
railties/test/generators/app_generator_test.rb | 2 1 + 1 - 0 !
2 files changed, 3 insertions(+), 3 deletions(-)

 be careful with that bundler


0002 disable uglify in activestorage rollup config js.patch

activestorage/rollup.config.js | 18 9 + 9 - 0 !
1 file changed, 9 insertions(+), 9 deletions(-)

 rollup-plugin-uglify is not packaged, hence disabling it.


use system yarnpkg.patch

railties/lib/rails/app_updater.rb | 2 1 + 1 - 0 !
railties/lib/rails/generators/rails/app/app_generator.rb | 4 2 + 2 - 0 !
railties/lib/rails/generators/rails/app/templates/bin/setup.tt | 2 1 + 1 - 0 !
railties/lib/rails/tasks/yarn.rake | 2 1 + 1 - 0 !
railties/test/generators/api_app_generator_test.rb | 4 2 + 2 - 0 !
railties/test/generators/app_generator_test.rb | 6 3 + 3 - 0 !
railties/test/generators/shared_generator_tests.rb | 3 1 + 2 - 0 !
railties/test/isolation/abstract_unit.rb | 4 2 + 2 - 0 !
8 files changed, 13 insertions(+), 14 deletions(-)

 use system yarnpkg instead of yarn
 In Debian, yarn is packaged as "yarnpkg".
 .
 This patch will replace all the "bin/yarn" usages with "bin/yarnpkg".
use system webpacker.patch

railties/test/isolation/assets/package.json | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 use system webpacker
relax dependencies.patch

Gemfile | 4 1 + 3 - 0 !
1 file changed, 1 insertion(+), 3 deletions(-)

 relax dependencies
 This patch will relax the dependency versions, remove useless
 dependencies, or replace gems with ones already in Debian.
 .
 Relax dependencies version:
  * selenium-webdriver
 .
 Remove/replace dependencies:
  * minitest-bisect
    + Not packaged in Debian
    + Not used (minitest is used)
  * minitest-retry
    + Not packaged in Debian
    + Used only when running on Buildkite CI
  * webdrivers
    + Not packaged in Debian
    + Could be replaced by chromedriver-helper (ruby-chromedriver-helper)
relax dependency sqlite3.patch

Gemfile | 2 1 + 1 - 0 !
activerecord/lib/active_record/connection_adapters/sqlite3/database_statements.rb | 2 1 + 1 - 0 !
activerecord/lib/active_record/connection_adapters/sqlite3_adapter.rb | 1 0 + 1 - 0 !
3 files changed, 2 insertions(+), 3 deletions(-)

 relax dependency version - ruby-sqlite3
 From Rails 6, it started using the `execute_batch2` function [1], which was
 introduced in gem sqlite3 1.4.0. This new function was confirmed at [1]
 to be much faster than the old `execute_batch` function. However, gem
 sqlite3 1.4.0 was not packaged in Debian yet (ruby-sqlite3 is 1.3.13-1+b2
 in Debian), so this function could not be used.
 .
 This patch will roll back the `execute_batch2` usages to `execute_batch`.
 This patch should be removed after ruby-sqlite3 is upgraded to 1.4.0.
 .
 [1] https://github.com/rails/rails/commit/0908184e4c2dca5b941030bbd0d5eb2dfcfed120
remove ignored dependencies.patch

Gemfile | 31 0 + 31 - 0 !
rails.gemspec | 1 0 + 1 - 0 !
2 files changed, 32 deletions(-)

 remove ignored dependencies
skip test internet access.patch

activesupport/Rakefile | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 skip the tests which need internet access
 .. due to Debian policy 4.9.
skip test unpackaged dependencies.patch

actioncable/Rakefile | 2 1 + 1 - 0 !
activejob/Rakefile | 2 1 + 1 - 0 !
activejob/test/cases/exceptions_test.rb | 4 2 + 2 - 0 !
railties/test/isolation/abstract_unit.rb | 5 0 + 5 - 0 !
4 files changed, 4 insertions(+), 9 deletions(-)

 skip the test due to unpackaged dependencies
  * websocket-client-simple
    + actioncable/client_test.rb
  * sneakers
    + actionjob/Rakefile
    + actionjob/test/cases/exceptions_test.rb
  * que
    + actionjob/Rakefile
  * queue_classic
    + actionjob/Rakefile
  * resque
    + actionjob/Rakefile
  * sucker_punch
    + actionjob/Rakefile
  * backburner
    + actionjob/Rakefile
  * minitest-retry
    + railties/test/isolation/abstract_unit.rb
skip test railties postgresql.patch

railties/test/application/bin_setup_test.rb | 2 2 + 0 - 0 !
railties/test/application/rake/dbs_test.rb | 2 2 + 0 - 0 !
2 files changed, 4 insertions(+)

 skip the railties test which needs postgresql instance
ignore test stuck.patch

railties/test/generators/app_generator_test.rb | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 ignore test which gets stuck
 Ignore the test case which makes the test run get stuck.
adapt to babel7.patch

activestorage/.babelrc | 8 0 + 8 - 0 !
activestorage/babel.config.json | 8 8 + 0 - 0 !
2 files changed, 8 insertions(+), 8 deletions(-)

 adapt to babel7

replace webdrivers.patch

railties/lib/rails/generators/rails/app/templates/Gemfile.tt | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 replace webdrivers
 webdrivers can only go to contrib section

relax marcel.patch

activestorage/activestorage.gemspec | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 relax marcel for bullseye.
CVE 2021 22942 1.patch

actionpack/lib/action_dispatch/middleware/host_authorization.rb | 2 1 + 1 - 0 !
railties/test/application/middleware/remote_ip_test.rb | 3 2 + 1 - 0 !
railties/test/isolation/abstract_unit.rb | 2 1 + 1 - 0 !
3 files changed, 4 insertions(+), 3 deletions(-)

 [patch] remove unnecessary escape char in regexp

Fix the test by defining a valid host on the mocked requests.

CVE 2021 22942 2.patch

actionpack/lib/action_dispatch/middleware/host_authorization.rb | 20 7 + 13 - 0 !
actionpack/test/dispatch/host_authorization_test.rb | 4 2 + 2 - 0 !
railties/test/application/middleware/remote_ip_test.rb | 1 0 + 1 - 0 !
railties/test/isolation/abstract_unit.rb | 2 1 + 1 - 0 !
4 files changed, 10 insertions(+), 17 deletions(-)

 [patch] refactor cve-2021-22881 fix

Follow-up to 83a6ac3fee8fd538ce7e0088913ff54f0f9bcb6f.

This allows `HTTP_HOST` to be omitted as before, and reduces the number
of object allocations per request.

Benchmark:

```ruby
# frozen_string_literal: true
require "benchmark/memory"

HOST = "example.com:80"
BEFORE_REGEXP = /\A(?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?\z/
AFTER_REGEXP = /(?:\A|,[ ]?)([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(?::\d+)?\z/i

Benchmark.memory do |x|
  x.report("BEFORE (non-nil X-Forwarded-Host)") do
    origin_host = BEFORE_REGEXP.match(HOST.to_s.downcase)[:host]
    forwarded_host = BEFORE_REGEXP.match(HOST.to_s.split(/,\s?/).last)[:host]
  end

  x.report("BEFORE (nil X-Forwarded-Host)") do
    origin_host = BEFORE_REGEXP.match(HOST.to_s.downcase)[:host]
    forwarded_host = BEFORE_REGEXP.match(nil.to_s.split(/,\s?/).last)
  end

  x.report("AFTER (non-nil X-Forwarded-Host)") do
    origin_host = HOST&.slice(AFTER_REGEXP, 1) || ""
    forwarded_host = HOST&.slice(AFTER_REGEXP, 1) || ""
  end

  x.report("AFTER (nil X-Forwarded-Host)") do
    origin_host = HOST&.slice(AFTER_REGEXP, 1) || ""
    forwarded_host = nil&.slice(AFTER_REGEXP, 1) || ""
  end
end
```

Results:

```
BEFORE (non-nil X-Forwarded-Host)
                       616.000  memsize (   208.000  retained)
                         9.000  objects (     2.000  retained)
                         2.000  strings (     1.000  retained)
BEFORE (nil X-Forwarded-Host)
                       328.000  memsize (     0.000  retained)
                         5.000  objects (     0.000  retained)
                         2.000  strings (     0.000  retained)
AFTER (non-nil X-Forwarded-Host)
                       248.000  memsize (   168.000  retained)
                         3.000  objects (     1.000  retained)
                         1.000  strings (     0.000  retained)
AFTER (nil X-Forwarded-Host)
                        40.000  memsize (     0.000  retained)
                         1.000  objects (     0.000  retained)
                         1.000  strings (     0.000  retained)
```

[CVE-2021-22942]

CVE 2021 44528.patch

actionpack/lib/action_dispatch/middleware/host_authorization.rb | 10 3 + 7 - 0 !
actionpack/test/dispatch/host_authorization_test.rb | 89 88 + 1 - 0 !
2 files changed, 91 insertions(+), 8 deletions(-)

 [patch] fix invalid forwarded host vulnerability

Prior to this commit, it was possible to pass an unvalidated host
through the `X-Forwarded-Host` header. If the value of the header
was prefixed with an invalid domain character (for example a `/`),
it was always accepted as the actual host of that request.

Since this host is used for all url helpers, an attacker could change
generated links and redirects. If the header is set to
`X-Forwarded-Host: //evil.hacker`, a redirect will be sent to
`https:////evil.hacker/`. Browsers will ignore these four slashes
and redirect the user.

[CVE-2021-44528]
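An added example (not the Rails middleware's own code) of the check the fix implies: extract the host with the AFTER_REGEXP from the benchmark above, and treat a forwarded host that is present but does not parse (such as `//evil.hacker`) as a rejection rather than as "no forwarded host". The function names and the allow-list are this example's own.

```ruby
# Added example, not the Rails HostAuthorization middleware itself.
# Same expression as AFTER_REGEXP in the benchmark above: the last host in
# a possibly comma-separated header value, with an optional port.
HOST_REGEXP = /(?:\A|,[ ]?)([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(?::\d+)?\z/i

# Returns the host part of a Host or X-Forwarded-Host value, or nil when the
# value is present but is not a hostname (e.g. "//evil.hacker"). Note that
# a nil result is different from an absent header.
def extract_host(value)
  return nil if value.nil?
  value.slice(HOST_REGEXP, 1)
end

# True only when every header that is present parses to a host on the
# allow-list. The flaw described above came from treating an unparseable
# forwarded host like a missing one; here it fails the check instead.
# `allowed` is a constructed allow-list of lowercase hostnames.
def request_host_allowed?(allowed, host, forwarded_host = nil)
  [host, forwarded_host].compact.all? do |value|
    extracted = extract_host(value)
    !extracted.nil? && allowed.include?(extracted.downcase)
  end
end
```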

CVE 2021 22942 3.patch

actionpack/lib/action_dispatch/middleware/host_authorization.rb | 2 2 + 0 - 0 !
actionpack/test/dispatch/host_authorization_test.rb | 12 12 + 0 - 0 !
railties/lib/rails/application/configuration.rb | 2 1 + 1 - 0 !
3 files changed, 15 insertions(+), 1 deletion(-)

 [patch] merge pull request #43868 from rails/fix-default-hosts

Allow localhost with a port by default in development

CVE 2021 22942 4.patch

actionpack/lib/action_dispatch/middleware/host_authorization.rb | 9 5 + 4 - 0 !
actionpack/test/dispatch/host_authorization_test.rb | 12 12 + 0 - 0 !
railties/lib/rails/application/configuration.rb | 6 5 + 1 - 0 !
3 files changed, 22 insertions(+), 5 deletions(-)

 [patch] merge pull request #43871 from rails/rm-fix-hosts-with-port

Allow any allowed host with port

CVE 2021 22942 5.patch

actionpack/lib/action_dispatch/middleware/host_authorization.rb | 36 27 + 9 - 0 !
actionpack/test/dispatch/host_authorization_test.rb | 96 96 + 0 - 0 !
2 files changed, 123 insertions(+), 9 deletions(-)

 [patch] merge pull request #43882 from rails/rm-allow-ip-with-port

Allow IPs with port in the HostAuthorization middleware

CVE 2022 21831.patch

activestorage/lib/active_storage.rb | 10 6 + 4 - 0 !
activestorage/lib/active_storage/engine.rb | 16 16 + 0 - 0 !
activestorage/lib/active_storage/transformers/image_processing_transformer.rb | 358 358 + 0 - 0 !
activestorage/test/models/variant_test.rb | 74 74 + 0 - 0 !
railties/test/application/configuration_test.rb | 29 29 + 0 - 0 !
5 files changed, 483 insertions(+), 4 deletions(-)

 [patch] added image transformation validation via configurable
 allow-list.

ImageProcessingTransformer now offers a configurable allow-list for
transformation methods in addition to a configurable deny-list for arguments.

[CVE-2022-21831]

CVE 2022 22577.patch

actionpack/lib/action_dispatch/http/content_security_policy.rb | 7 0 + 7 - 0 !
actionpack/test/dispatch/content_security_policy_test.rb | 15 15 + 0 - 0 !
2 files changed, 15 insertions(+), 7 deletions(-)

 [patch] merge pull request #44635 from imtayadeway/tjw/api-csp-i

Generate content security policy for non-HTML responses

CVE 2022 23633 1.patch

actionpack/lib/action_dispatch/middleware/executor.rb | 2 1 + 1 - 0 !
actionpack/test/dispatch/executor_test.rb | 21 21 + 0 - 0 !
activesupport/lib/active_support/execution_wrapper.rb | 29 16 + 13 - 0 !
3 files changed, 38 insertions(+), 14 deletions(-)

 [patch] actiondispatch::executor don't fully trust `body#close`

Under certain circumstances, the middleware isn't informed that the
response body has been fully closed, which results in request state not
being fully reset before the next request.

[CVE-2022-23633]

CVE 2022 23633 2.patch

activesupport/lib/active_support/reloader.rb | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] fix reloader to work with new executor signature

This is a follow up to [CVE-2022-23633].

CVE 2022 27777 1.patch

actionview/lib/action_view/helpers/tag_helper.rb | 39 35 + 4 - 0 !
actionview/test/template/tag_helper_test.rb | 91 82 + 9 - 0 !
activesupport/lib/active_support/core_ext/string/output_safety.rb | 28 28 + 0 - 0 !
activesupport/test/core_ext/string_ext_test.rb | 26 26 + 0 - 0 !
4 files changed, 171 insertions(+), 13 deletions(-)

 [patch] fix and add protections for xss in names.

Add the method ERB::Util.xml_name_escape to escape dangerous characters
in names of tags and names of attributes, following the specification of
XML.

Use that method in the tag helpers of ActionView::Helpers. Add a deprecation
warning to the option :escape_attributes mentioning the new behavior and the
transition to :escape, to simplify by applying the option to the whole tag.

[CVE-2022-27777]

CVE 2022 27777 2.patch

actionview/test/template/tag_helper_test.rb | 2 2 + 0 - 0 !
activesupport/lib/active_support/core_ext/string/output_safety.rb | 2 1 + 1 - 0 !
2 files changed, 3 insertions(+), 1 deletion(-)

 [patch] merge pull request #45027 from
 rails/fix-tag-helper-regression

Fix tag helper regression

CVE 2023 22792.patch

actionpack/lib/action_dispatch/middleware/cookies.rb | 48 28 + 20 - 0 !
actionpack/test/dispatch/cookies_test.rb | 26 26 + 0 - 0 !
2 files changed, 54 insertions(+), 20 deletions(-)

 [patch] use string#split instead of regex for domain parts

[CVE-2023-22792]

CVE 2023 22794 1.patch

activerecord/test/cases/adapters/mysql2/annotate_test.rb | 37 0 + 37 - 0 !
activerecord/test/cases/adapters/postgresql/annotate_test.rb | 37 0 + 37 - 0 !
activerecord/test/cases/adapters/sqlite3/annotate_test.rb | 37 0 + 37 - 0 !
activerecord/test/cases/annotate_test.rb | 46 46 + 0 - 0 !
activerecord/test/cases/batches_test.rb | 2 1 + 1 - 0 !
activerecord/test/cases/finder_test.rb | 3 2 + 1 - 0 !
activerecord/test/cases/inheritance_test.rb | 4 2 + 2 - 0 !
7 files changed, 51 insertions(+), 115 deletions(-)

 [patch] should `regexp.escape` quoted table name in regex

It is for agnostic test case, since quoted table name may include `.`
for all adapters, and `[` / `]` for sqlserver adapter.

CVE 2023 22794 2.patch

activerecord/lib/active_record/connection_adapters/abstract/quoting.rb | 11 10 + 1 - 0 !
activerecord/lib/active_record/relation/query_methods.rb | 2 2 + 0 - 0 !
activerecord/test/cases/annotate_test.rb | 11 8 + 3 - 0 !
activerecord/test/cases/relation_test.rb | 10 3 + 7 - 0 !
4 files changed, 23 insertions(+), 11 deletions(-)

 [patch] make sanitize_as_sql_comment more strict

Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.

This commit makes the sanitization more robust by replacing any
occurrences of "/*" or "*/" with "/ *" or "* /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.

This also clarifies in the documentation of annotate that it should not
be provided user input.

[CVE-2023-22794]
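As an added illustration of the approach this message describes (example code, not the Rails implementation), a Ruby sanitizer that first removes one surrounding comment wrapper and then neutralises any remaining "/*" or "*/", plus a helper that confirms the annotated query still contains a single closed comment. Function names are this example's own.

```ruby
# Added example, not the patched Rails code: sanitize text destined for a
# SQL comment using the two passes the patch message describes.
def sanitize_as_sql_comment(value)
  comment = value.to_s.dup
  # First pass: strip one surrounding wrapper ("/*" or an optimizer-hint
  # prefix "/*+", and a closing "*/"), each with at most one adjacent space,
  # so callers that already wrapped their annotation keep working.
  comment.sub!(%r{\A\s*/\*\+?\s?}, "")
  comment.sub!(%r{\s?\*/\s*\z}, "")
  # Second pass: neutralise every delimiter that is left, so the annotation
  # can neither close the enclosing comment early nor open a new one.
  comment.gsub!("*/", "* /")
  comment.gsub!("/*", "/ *")
  comment
end

# Emits the query with the sanitized annotation, the way an annotate-style
# helper would append it.
def annotate_sql(sql, annotation)
  "#{sql} /* #{sanitize_as_sql_comment(annotation)} */"
end

# Check helper: true when the annotated query contains exactly one opening
# and one closing delimiter, i.e. the comment boundary was not escaped.
def comment_intact?(annotated)
  annotated.scan("/*").size == 1 && annotated.scan("*/").size == 1
end
```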

CVE 2023 22795.patch

actionpack/lib/action_dispatch/http/cache.rb | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] avoid regex backtracking on if-none-match header

[CVE-2023-22795]

CVE 2023 22796.patch

activesupport/lib/active_support/inflector/methods.rb | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 [patch] avoid regex backtracking in inflector.underscore

[CVE-2023-22796]

CVE 2023 23913.patch

actionview/app/assets/javascripts/rails-ujs/features/disable.coffee | 9 8 + 1 - 0 !
actionview/app/assets/javascripts/rails-ujs/features/method.coffee | 4 4 + 0 - 0 !
actionview/app/assets/javascripts/rails-ujs/features/remote.coffee | 7 6 + 1 - 0 !
actionview/app/assets/javascripts/rails-ujs/utils/dom.coffee | 12 12 + 0 - 0 !
actionview/test/ujs/public/test/data-disable-with.js | 22 22 + 0 - 0 !
actionview/test/ujs/public/test/data-method.js | 19 19 + 0 - 0 !
actionview/test/ujs/public/test/data-remote.js | 20 20 + 0 - 0 !
7 files changed, 91 insertions(+), 2 deletions(-)

 [patch] ignore certain data-* attributes in rails-ujs when element is
 contenteditable

There is a potential DOM based cross-site scripting issue in rails-ujs
which leverages the Clipboard API to target HTML elements that are
assigned the contenteditable attribute. This has the potential to occur
when pasting malicious HTML content from the clipboard that includes
a data-method, data-disable-with or data-remote attribute.

[CVE-2023-23913]

CVE 2023 28120.patch

activesupport/lib/active_support/core_ext/string/output_safety.rb | 4 4 + 0 - 0 !
activesupport/test/core_ext/string_ext_test.rb | 30 30 + 0 - 0 !
2 files changed, 34 insertions(+)

 [patch] implement safebuffer#bytesplice