Merge tag 'v7.0.8.7' into 7-0-stable

byroot · byroot · commit c69f3676bd7b · 2024-12-11T13:13:15.000+01:00
v7.0.8.7 release
diff --git a/RAILS_VERSION b/RAILS_VERSION
@@ -1 +1 @@
-7.0.8.6
+7.0.8.7
diff --git a/actioncable/CHANGELOG.md b/actioncable/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 7.0.8.7 (December 10, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8.6 (October 23, 2024) ##
 
 *   No changes.
diff --git a/actioncable/lib/action_cable/gem_version.rb b/actioncable/lib/action_cable/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff --git a/actioncable/package.json b/actioncable/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@rails/actioncable",
-  "version": "7.0.806",
+  "version": "7.0.807",
   "description": "WebSocket framework for Ruby on Rails.",
   "module": "app/assets/javascripts/actioncable.esm.js",
   "main": "app/assets/javascripts/actioncable.js",
diff --git a/actionmailbox/CHANGELOG.md b/actionmailbox/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 7.0.8.7 (December 10, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8.6 (October 23, 2024) ##
 
 *   No changes.
diff --git a/actionmailbox/lib/action_mailbox/gem_version.rb b/actionmailbox/lib/action_mailbox/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 7.0.8.7 (December 10, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8.6 (October 23, 2024) ##
 
 *   Fix NoMethodError in `block_format` helper
diff --git a/actionmailer/lib/action_mailer/gem_version.rb b/actionmailer/lib/action_mailer/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
@@ -10,6 +10,17 @@
 
     *Hartley McGuire*
 
+
+## Rails 7.0.8.7 (December 10, 2024) ##
+
+*   Add validation to content security policies to disallow spaces and semicolons.
+    Developers should use multiple arguments, and different directive methods instead.
+
+    [CVE-2024-54133]
+
+    *Gannon McGibbon*
+
+
 ## Rails 7.0.8.6 (October 23, 2024) ##
 
 *   No changes.
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -22,6 +22,9 @@ module ActionDispatch # :nodoc:
   #     policy.report_uri "/csp-violation-report-endpoint"
   #   end
   class ContentSecurityPolicy
+    class InvalidDirectiveError < StandardError
+    end
+
     class Middleware
       CONTENT_TYPE = "Content-Type"
       POLICY = "Content-Security-Policy"
@@ -316,9 +319,9 @@ def build_directives(context, nonce, nonce_directives)
         @directives.map do |directive, sources|
           if sources.is_a?(Array)
             if nonce && nonce_directive?(directive, nonce_directives)
-              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
             else
-              "#{directive} #{build_directive(sources, context).join(' ')}"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')}"
             end
           elsif sources
             directive
@@ -328,8 +331,22 @@ def build_directives(context, nonce, nonce_directives)
         end
       end
 
-      def build_directive(sources, context)
-        sources.map { |source| resolve_source(source, context) }
+      def validate(directive, sources)
+        sources.flatten.each do |source|
+          if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
+            raise InvalidDirectiveError, <<~MSG.squish
+              Invalid Content Security Policy #{directive}: "#{source}".
+              Directive values must not contain whitespace or semicolons.
+              Please use multiple arguments or other directive methods instead.
+            MSG
+          end
+        end
+      end
+
+      def build_directive(directive, sources, context)
+        resolved_sources = sources.map { |source| resolve_source(source, context) }
+
+        validate(directive, resolved_sources)
       end
 
       def resolve_source(source, context)
diff --git a/actionpack/lib/action_pack/gem_version.rb b/actionpack/lib/action_pack/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -23,6 +23,33 @@ def test_dup
     assert_equal copied.build, @policy.build
   end
 
+  def test_whitespace_validation
+    @policy.base_uri "https://some.url https://other.url"
+
+    error = assert_raises(ActionDispatch::ContentSecurityPolicy::InvalidDirectiveError) do
+      @policy.build
+    end
+    assert_equal(<<~MSG.squish, error.message)
+      Invalid Content Security Policy base-uri: "https://some.url https://other.url".
+      Directive values must not contain whitespace or semicolons.
+      Please use multiple arguments or other directive methods instead.
+    MSG
+  end
+
+
+  def test_semicolon_validation
+    @policy.base_uri "https://some.url; script-src https://other.url"
+
+    error = assert_raises(ActionDispatch::ContentSecurityPolicy::InvalidDirectiveError) do
+      @policy.build
+    end
+    assert_equal(<<~MSG.squish, error.message)
+      Invalid Content Security Policy base-uri: "https://some.url; script-src https://other.url".
+      Directive values must not contain whitespace or semicolons.
+      Please use multiple arguments or other directive methods instead.
+    MSG
+  end
+
   def test_mappings
     @policy.script_src :data
     assert_equal "script-src data:", @policy.build
diff --git a/actiontext/CHANGELOG.md b/actiontext/CHANGELOG.md
@@ -1,3 +1,10 @@
+## Rails 7.0.8.7 (December 10, 2024) ##
+
+*   Update vendored trix version to 1.3.4
+
+    *John Hawthorn*
+
+
 ## Rails 7.0.8.6 (October 23, 2024) ##
 
 *   No changes.
diff --git a/actiontext/app/assets/javascripts/trix.js b/actiontext/app/assets/javascripts/trix.js
diff --git a/actiontext/lib/action_text/gem_version.rb b/actiontext/lib/action_text/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff --git a/actiontext/package.json b/actiontext/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@rails/actiontext",
-  "version": "7.0.806",
+  "version": "7.0.807",
   "description": "Edit and display rich text in Rails applications",
   "main": "app/assets/javascripts/actiontext.js",
   "type": "module",
diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
@@ -3,6 +3,11 @@
     *Earlopain*
 
 
+## Rails 7.0.8.7 (December 10, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8.6 (October 23, 2024) ##
 
 *   No changes.
diff --git a/actionview/lib/action_view/gem_version.rb b/actionview/lib/action_view/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff --git a/actionview/package.json b/actionview/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@rails/ujs",
-  "version": "7.0.806",
+  "version": "7.0.807",
   "description": "Ruby on Rails unobtrusive scripting adapter",
   "main": "lib/assets/compiled/rails-ujs.js",
   "files": [
diff --git a/activejob/CHANGELOG.md b/activejob/CHANGELOG.md
@@ -3,6 +3,11 @@
     *Joshua Young*
 
 
+## Rails 7.0.8.7 (December 10, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8.6 (October 23, 2024) ##
 
 *   No changes.
diff --git a/activejob/lib/active_job/gem_version.rb b/activejob/lib/active_job/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 7.0.8.7 (December 10, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8.6 (October 23, 2024) ##
 
 *   No changes.
diff --git a/activemodel/lib/active_model/gem_version.rb b/activemodel/lib/active_model/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md
@@ -73,6 +73,11 @@
     *Felix Tscheulin*
 
 
+## Rails 7.0.8.7 (December 10, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8.6 (October 23, 2024) ##
 
 *   No changes.
diff --git a/activerecord/lib/active_record/gem_version.rb b/activerecord/lib/active_record/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff --git a/activestorage/CHANGELOG.md b/activestorage/CHANGELOG.md
@@ -26,6 +26,11 @@
     *Russell Porter*
 
 
+## Rails 7.0.8.7 (December 10, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8.6 (October 23, 2024) ##
 
 *   No changes.
diff --git a/activestorage/lib/active_storage/gem_version.rb b/activestorage/lib/active_storage/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff --git a/activestorage/package.json b/activestorage/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@rails/activestorage",
-  "version": "7.0.806",
+  "version": "7.0.807",
   "description": "Attach cloud and local files in Rails applications",
   "module": "app/assets/javascripts/activestorage.esm.js",
   "main": "app/assets/javascripts/activestorage.js",
diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md
@@ -45,6 +45,11 @@
     *Nobuyoshi Nakada*, *Shouichi Kamiya*, *Hartley McGuire*
 
 
+## Rails 7.0.8.7 (December 10, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8.6 (October 23, 2024) ##
 
 *   No changes.
diff --git a/activesupport/lib/active_support/gem_version.rb b/activesupport/lib/active_support/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff --git a/guides/CHANGELOG.md b/guides/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 7.0.8.7 (December 10, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8.6 (October 23, 2024) ##
 
 *   No changes.
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 7.0.8.7 (December 10, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8.6 (October 23, 2024) ##
 
 *   No changes.
diff --git a/railties/lib/rails/gem_version.rb b/railties/lib/rails/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff --git a/yarn.lock b/yarn.lock

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@rails/actioncable",`
`3`		`- "version": "7.0.806",`
	`3`	`+ "version": "7.0.807",`
`4`	`4`	`"description": "WebSocket framework for Ruby on Rails.",`
`5`	`5`	`"module": "app/assets/javascripts/actioncable.esm.js",`
`6`	`6`	`"main": "app/assets/javascripts/actioncable.js",`