Commit 829cac03 authored by Heinrich Lee Yu

Merge branch 'revert-d9652a83' into 'master'

Rails 6.0.3.1 Take 2

See merge request gitlab-org/gitlab!33454
parents 62d4de74 86ef86b5
source 'https://rubygems.org' source 'https://rubygems.org'
gem 'rails', '~> 6.0.3' gem 'rails', '~> 6.0.3.1'
gem 'bootsnap', '~> 1.4.6' gem 'bootsnap', '~> 1.4.6'
...@@ -6,59 +6,59 @@ GEM ...@@ -6,59 +6,59 @@ GEM
ace-rails-ap (4.1.2) ace-rails-ap (4.1.2)
acme-client (2.0.5) acme-client (2.0.5)
faraday (~> 0.9, >= 0.9.1) faraday (~> 0.9, >= 0.9.1)
actioncable (6.0.3) actioncable (6.0.3.1)
actionpack (= 6.0.3) actionpack (= 6.0.3.1)
nio4r (~> 2.0) nio4r (~> 2.0)
websocket-driver (>= 0.6.1) websocket-driver (>= 0.6.1)
actionmailbox (6.0.3) actionmailbox (6.0.3.1)
actionpack (= 6.0.3) actionpack (= 6.0.3.1)
activejob (= 6.0.3) activejob (= 6.0.3.1)
activerecord (= 6.0.3) activerecord (= 6.0.3.1)
activestorage (= 6.0.3) activestorage (= 6.0.3.1)
activesupport (= 6.0.3) activesupport (= 6.0.3.1)
mail (>= 2.7.1) mail (>= 2.7.1)
actionmailer (6.0.3) actionmailer (6.0.3.1)
actionpack (= 6.0.3) actionpack (= 6.0.3.1)
actionview (= 6.0.3) actionview (= 6.0.3.1)
activejob (= 6.0.3) activejob (= 6.0.3.1)
mail (~> 2.5, >= 2.5.4) mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 2.0) rails-dom-testing (~> 2.0)
actionpack (6.0.3) actionpack (6.0.3.1)
actionview (= 6.0.3) actionview (= 6.0.3.1)
activesupport (= 6.0.3) activesupport (= 6.0.3.1)
rack (~> 2.0, >= 2.0.8) rack (~> 2.0, >= 2.0.8)
rack-test (>= 0.6.3) rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0) rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.2.0) rails-html-sanitizer (~> 1.0, >= 1.2.0)
actiontext (6.0.3) actiontext (6.0.3.1)
actionpack (= 6.0.3) actionpack (= 6.0.3.1)
activerecord (= 6.0.3) activerecord (= 6.0.3.1)
activestorage (= 6.0.3) activestorage (= 6.0.3.1)
activesupport (= 6.0.3) activesupport (= 6.0.3.1)
nokogiri (>= 1.8.5) nokogiri (>= 1.8.5)
actionview (6.0.3) actionview (6.0.3.1)
activesupport (= 6.0.3) activesupport (= 6.0.3.1)
builder (~> 3.1) builder (~> 3.1)
erubi (~> 1.4) erubi (~> 1.4)
rails-dom-testing (~> 2.0) rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.1, >= 1.2.0) rails-html-sanitizer (~> 1.1, >= 1.2.0)
activejob (6.0.3) activejob (6.0.3.1)
activesupport (= 6.0.3) activesupport (= 6.0.3.1)
globalid (>= 0.3.6) globalid (>= 0.3.6)
activemodel (6.0.3) activemodel (6.0.3.1)
activesupport (= 6.0.3) activesupport (= 6.0.3.1)
activerecord (6.0.3) activerecord (6.0.3.1)
activemodel (= 6.0.3) activemodel (= 6.0.3.1)
activesupport (= 6.0.3) activesupport (= 6.0.3.1)
activerecord-explain-analyze (0.1.0) activerecord-explain-analyze (0.1.0)
activerecord (>= 4) activerecord (>= 4)
pg pg
activestorage (6.0.3) activestorage (6.0.3.1)
actionpack (= 6.0.3) actionpack (= 6.0.3.1)
activejob (= 6.0.3) activejob (= 6.0.3.1)
activerecord (= 6.0.3) activerecord (= 6.0.3.1)
marcel (~> 0.3.1) marcel (~> 0.3.1)
activesupport (6.0.3) activesupport (6.0.3.1)
concurrent-ruby (~> 1.0, >= 1.0.2) concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 0.7, < 2) i18n (>= 0.7, < 2)
minitest (~> 5.1) minitest (~> 5.1)
...@@ -801,20 +801,20 @@ GEM ...@@ -801,20 +801,20 @@ GEM
rack-test (1.1.0) rack-test (1.1.0)
rack (>= 1.0, < 3) rack (>= 1.0, < 3)
rack-timeout (0.5.1) rack-timeout (0.5.1)
rails (6.0.3) rails (6.0.3.1)
actioncable (= 6.0.3) actioncable (= 6.0.3.1)
actionmailbox (= 6.0.3) actionmailbox (= 6.0.3.1)
actionmailer (= 6.0.3) actionmailer (= 6.0.3.1)
actionpack (= 6.0.3) actionpack (= 6.0.3.1)
actiontext (= 6.0.3) actiontext (= 6.0.3.1)
actionview (= 6.0.3) actionview (= 6.0.3.1)
activejob (= 6.0.3) activejob (= 6.0.3.1)
activemodel (= 6.0.3) activemodel (= 6.0.3.1)
activerecord (= 6.0.3) activerecord (= 6.0.3.1)
activestorage (= 6.0.3) activestorage (= 6.0.3.1)
activesupport (= 6.0.3) activesupport (= 6.0.3.1)
bundler (>= 1.3.0) bundler (>= 1.3.0)
railties (= 6.0.3) railties (= 6.0.3.1)
sprockets-rails (>= 2.0.0) sprockets-rails (>= 2.0.0)
rails-controller-testing (1.0.4) rails-controller-testing (1.0.4)
actionpack (>= 5.0.1.x) actionpack (>= 5.0.1.x)
...@@ -828,9 +828,9 @@ GEM ...@@ -828,9 +828,9 @@ GEM
rails-i18n (6.0.0) rails-i18n (6.0.0)
i18n (>= 0.7, < 2) i18n (>= 0.7, < 2)
railties (>= 6.0.0, < 7) railties (>= 6.0.0, < 7)
railties (6.0.3) railties (6.0.3.1)
actionpack (= 6.0.3) actionpack (= 6.0.3.1)
activesupport (= 6.0.3) activesupport (= 6.0.3.1)
method_source method_source
rake (>= 0.8.7) rake (>= 0.8.7)
thor (>= 0.20.3, < 2.0) thor (>= 0.20.3, < 2.0)
...@@ -1335,7 +1335,7 @@ DEPENDENCIES ...@@ -1335,7 +1335,7 @@ DEPENDENCIES
rack-oauth2 (~> 1.9.3) rack-oauth2 (~> 1.9.3)
rack-proxy (~> 0.6.0) rack-proxy (~> 0.6.0)
rack-timeout rack-timeout
rails (~> 6.0.3) rails (~> 6.0.3.1)
rails-controller-testing rails-controller-testing
rails-i18n (~> 6.0) rails-i18n (~> 6.0)
rainbow (~> 3.0) rainbow (~> 3.0)
# frozen_string_literal: true
module Gitlab
module RequestForgeryProtectionPatch
private
# Patch to generate 6.0.3 tokens so that we do not have CSRF errors while
# rolling out 6.0.3.1. This enables GitLab to have a mix of 6.0.3 and
# 6.0.3.1 Rails servers
#
# 1. Deploy this patch with :global_csrf_token FF disabled.
# 2. Once all Rails servers are on 6.0.3.1, enable :global_csrf_token FF.
# 3. On GitLab 13.2, remove this patch
def masked_authenticity_token(session, form_options: {})
action, method = form_options.values_at(:action, :method)
raw_token = if per_form_csrf_tokens && action && method
action_path = normalize_action_path(action)
per_form_csrf_token(session, action_path, method)
else
if Feature.enabled?(:global_csrf_token)
global_csrf_token(session)
else
real_csrf_token(session)
end
end
mask_token(raw_token)
end
end
end
ActionController::Base.include Gitlab::RequestForgeryProtectionPatch
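Review bot: While `:global_csrf_token` is disabled, the `else` branch of `masked_authenticity_token` keeps issuing the raw session token (`real_csrf_token`) instead of the HMAC-derived `global_csrf_token` that the spec labels the "6.0.3.1 style" token, so whatever hardening the 6.0.3.1 token change provides is deferred for the entire flag-off window, not just for the mixed-version deploy. The header comment should state that trade-off so the flag is not left off by habit, e.g. `# SECURITY: with :global_csrf_token disabled, forms carry the pre-6.0.3.1 token form; the 6.0.3.1 token hardening only takes effect once the flag is enabled fleet-wide.` The `per_form_csrf_tokens` branch is a copy of Rails' private implementation, so any upstream change to `per_form_csrf_token`, `normalize_action_path` or `mask_token` would silently diverge here; a guard that fails loudly past the intended range, e.g. `raise "Remove Gitlab::RequestForgeryProtectionPatch" unless Rails.gem_version < Gem::Version.new('6.1')`, would enforce step 3 of the comment rather than relying on the 13.2 reminder.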
source 'https://rubygems.org' source 'https://rubygems.org'
gem 'gitlab-qa' gem 'gitlab-qa'
gem 'activesupport', '~> 6.0.3' # This should stay in sync with the root's Gemfile gem 'activesupport', '~> 6.0.3.1' # This should stay in sync with the root's Gemfile
gem 'capybara', '~> 3.29.0' gem 'capybara', '~> 3.29.0'
gem 'capybara-screenshot', '~> 1.0.23' gem 'capybara-screenshot', '~> 1.0.23'
gem 'rake', '~> 12.3.0' gem 'rake', '~> 12.3.0'
GEM GEM
remote: https://rubygems.org/ remote: https://rubygems.org/
specs: specs:
activesupport (6.0.3) activesupport (6.0.3.1)
concurrent-ruby (~> 1.0, >= 1.0.2) concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 0.7, < 2) i18n (>= 0.7, < 2)
minitest (~> 5.1) minitest (~> 5.1)
...@@ -54,7 +54,7 @@ GEM ...@@ -54,7 +54,7 @@ GEM
mime-types-data (3.2020.0425) mime-types-data (3.2020.0425)
mini_mime (1.0.2) mini_mime (1.0.2)
mini_portile2 (2.4.0) mini_portile2 (2.4.0)
minitest (5.14.0) minitest (5.14.1)
netrc (0.11.0) netrc (0.11.0)
nokogiri (1.10.9) nokogiri (1.10.9)
mini_portile2 (~> 2.4.0) mini_portile2 (~> 2.4.0)
...@@ -116,7 +116,7 @@ PLATFORMS ...@@ -116,7 +116,7 @@ PLATFORMS
ruby ruby
DEPENDENCIES DEPENDENCIES
activesupport (~> 6.0.3) activesupport (~> 6.0.3.1)
airborne (~> 0.3.4) airborne (~> 0.3.4)
capybara (~> 3.29.0) capybara (~> 3.29.0)
capybara-screenshot (~> 1.0.23) capybara-screenshot (~> 1.0.23)
# frozen_string_literal: true
require 'spec_helper'
describe ActionController::Base, 'CSRF token generation patch', type: :controller do # rubocop:disable RSpec/FilePath
let(:fixed_seed) { SecureRandom.random_bytes(described_class::AUTHENTICITY_TOKEN_LENGTH) }
context 'global_csrf_token feature flag is enabled' do
it 'generates 6.0.3.1 style CSRF token', :aggregate_failures do
generated_token = controller.send(:form_authenticity_token)
expect(valid_authenticity_token?(generated_token)).to be_truthy
expect(compare_with_real_token(generated_token)).to be_falsey
expect(compare_with_global_token(generated_token)).to be_truthy
end
end
context 'global_csrf_token feature flag is disabled' do
before do
stub_feature_flags(global_csrf_token: false)
end
it 'generates 6.0.3 style CSRF token', :aggregate_failures do
generated_token = controller.send(:form_authenticity_token)
expect(valid_authenticity_token?(generated_token)).to be_truthy
expect(compare_with_real_token(generated_token)).to be_truthy
expect(compare_with_global_token(generated_token)).to be_falsey
end
end
def compare_with_global_token(token)
unmasked_token = controller.send :unmask_token, Base64.strict_decode64(token)
controller.send(:compare_with_global_token, unmasked_token, session)
end
def compare_with_real_token(token)
unmasked_token = controller.send :unmask_token, Base64.strict_decode64(token)
controller.send(:compare_with_real_token, unmasked_token, session)
end
def valid_authenticity_token?(token)
controller.send(:valid_authenticity_token?, session, token)
end
end
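Review bot: `fixed_seed` in the `let` at the top of the spec is never referenced by either example, so it is dead setup that misleadingly suggests the tests pin the session token when they do not; either drop the line or use it to seed `session[:_csrf_token]` in a `before` block so the generated token is deterministic across runs. Neither example covers the `per_form_csrf_tokens` branch of the patched method, which is reproduced verbatim from Rails and would be the first place an upstream change goes unnoticed; a third example that enables `per_form_csrf_tokens` and passes `form_options: { action: '/x', method: 'post' }` would pin it. The two existing examples otherwise assert the right invariant, since each token is checked against `valid_authenticity_token?` and then against exactly one of the two comparison helpers.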
...@@ -983,10 +983,10 @@ ...@@ -983,10 +983,10 @@
consola "^2.10.1" consola "^2.10.1"
node-fetch "^2.6.0" node-fetch "^2.6.0"
"@rails/actioncable@^6.0.3": "@rails/actioncable@^6.0.3-1":
version "6.0.3" version "6.0.3-1"
resolved "https://registry.yarnpkg.com/@rails/actioncable/-/actioncable-6.0.3.tgz#722b4b639936129307ddbab3a390f6bcacf3e7bc" resolved "https://registry.yarnpkg.com/@rails/actioncable/-/actioncable-6.0.3-1.tgz#9b9eb8858a6507162911007d355d9a206e1c5caa"
integrity sha512-I01hgqxxnOgOtJTGlq0ZsGJYiTEEiSGVEGQn3vimZSqEP1HqzyFNbzGTq14Xdyeow2yGJjygjoFF1pmtE+SQaw== integrity sha512-szFhWD+V5TAxVNVIG16klgq+ypqA5k5AecLarTTrXgOG8cawVbQdOAwLbCmzkwiQ60rGSxAFoC1u2LrzxSK2Aw==
"@sentry/browser@^5.10.2": "@sentry/browser@^5.10.2":
version "5.10.2" version "5.10.2"