🚨 [security] Update better_errors: 2.5.1 → 2.10.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ better_errors (2.5.1 → 2.10.0) · Repo · Changelog

Security Advisories 🚨

🚨 Older releases of better_errors open to Cross-Site Request Forgery attack

Impact

better_errors prior to 2.8.0 did not implement CSRF protection for its internal requests. It also did not enforce the correct "Content-Type" header for these requests, which allowed a cross-origin "simple request" to be made without CORS protection. These together left an application with better_errors enabled open to cross-origin attacks.

As a developer tool, better_errors documentation strongly recommends addition only to the development bundle group, so this vulnerability should only affect development environments. Please ensure that your project limits better_errors to the development group (or the non-Rails equivalent).

Patches

Starting with release 2.8.x, CSRF protection is enforced. It is recommended that you upgrade to the latest release, or minimally to "~> 2.8.3".

Workarounds

There are no known workarounds to mitigate the risk of using older releases of better_errors.

References

• Chris Moberly provided an example attack that uses a now-patched vulnerability of webpack-dev-server in conjunction with Better Errors

For more information

If you have any questions or comments about this advisory, please

• Add to the discussion in better_errors
• Open an issue in better_errors

Release Notes

2.10.0

• fix typo (@wonda-tea-coffee) #504
• Switch to Rouge for syntax highlighting and add dark syntax-highlighting theme (@RobinDaugherty) #500
• Syntax highlighter uses classes, style-src locked down (@RobinDaugherty) #499
• Use SASS to build CSS (@RobinDaugherty) #498
• Add Content Security Policy (@RobinDaugherty) #497
• Add Rails 6.1 to CI matrix (@RobinDaugherty) #493

2.9.1

• Fix setting editor with symbol #492

2.9.0

• Mention path in text response #487
• Use Github Actions for CI #489
• Exception Hints #302
• Hide "live shell" hint after console has been used #490
• Improve editor support for virtual environments #488
• Fix "live shell" hint reappearing when frame changed #491

2.8.3

• Fix 'uninitialized constant BetterErrors::Middleware::VERSION' #480
• Fix CSRF_TOKEN_COOKIE_NAME wrong reference to VERSION constant #481

2.8.2

• Fix path of CSRF Token cookie #478

2.8.1

• Show real cause of ActionView::Template::Error with Rails 6 #477
• Add TruffleRuby to CI builds #473

2.8.0

• Support for Rails ActionableError #465
• Allow editor links to work inside an iframe or with CSP that prohibits other protocols #440
• Add CSRF protection to internal requests #474
• Validate internal request method names #475

2.7.1

• Show location of error in ActionView template error #463

2.7.0

• Fix various specs that were passing incorrectly #453 (@RobinDaugherty)
• CI tests for Ruby 2.6, 2.7; Rails 6.0 #452 (@RobinDaugherty)
• CI: Drop unused sudo: false directive #457 (@olleolleolle)
• Add editor preset for VSCodium #456 (@jaredmoody)
• Show the last-raised error, not its "cause" #459 (@RobinDaugherty)
• Fix warning: FILE in eval may not return location in binding #458 (@yuuu)
• Allow skipping variable inspection by class name #449 (@felixbuenemann)

2.6.0

• Specify older kramdown and i18n for older ruby versions #437
• Fix NoMethodError when variables cannot be retrieved from the stack frame #430
• Allow passing IPAddrs to allow_ip #444
• Update CI Ruby to fix Travis CI failures #450

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ coderay (indirect, 1.1.2 → 1.1.3) · Repo · Changelog

Release Notes

1.1.3

Diff: v1.1.2...v1.1.3

• Tokens: Ensure Ruby 2.6 compatibility. [#233, thanks to Jun Aruga]
• SQL scanner: Add numeric data type. [#223, thanks to m16a1]
• Java scanner: Add var as type. [#229, thanks to Davide Angelocola]
• Gem: Fix deprecation warning. [#246, thanks to David Rodríguez]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 56 commits:

• bump version
• like this?
• trying to fix tests for 1.9.3
• add changelog
• Merge pull request #246 from deivid-rodriguez/fix_rubygems_deprecation
• Fix rubygems deprecation
• don't load simplecov on Ruby 1.8.7
• Merge branch 'extend-specs'
• merge coverage
• Merge pull request #243 from rubychan/extend-specs
• add simple spec for CodeRay.scan
• disable specs for Ruby 1.8.7
• maybe like this?
• reorder gems
• also test with 2.7.0-preview3
• also disable for Ruby 1.8.7
• actually, we only need to disable SimpleCov
• fix tests for Ruby 2.3
• add spec for CodeRay.coderay_path
• fix tests for Ruby Enterprise Edition?
• add SimpleCov
• still not loaded?
• fix load path
• run specs on rake test
• add RSpec
• enforce UselessAccessModifier
• fix spaces around operators (RuboCop)
• fix spaces in JSONEncoderTest
• tunr off maintainability checks
• enforce RuboCop version
• tweaks to RuboCop config
• enfore SpaceAroundOperators
• try setting up code climate test coverage
• Update README.markdown
• not available on CodeClimate
• start using RuboCop
• reorder gems
• fix heredoc indentation
• remove .codeclimate.yml
• add CodeClimate config
• apparently, 1.8.7 fails on Travis?
• update changelog
• Merge branch 'master' of github.com:rubychan/coderay
• Merge pull request #229 from dfa1/java10-support
• remove defunct Gemnasium badge
• add numeric to SQL types
• Merge pull request #227 from junaruga/hotfix/not-reached-statement
• Merge pull request #233 from junaruga/hotfix/ruby26-expression-enumerator
• Add Ruby 2.6 fixing issues
• support for special type 'var'
• Remove the statement that is not always reached.
• tweak list of rubies to test
• test with ruby 2.5, too
• trying to fix tests for Ruby 2.4
• backport .gitignore from dsl branch
• port a few tweaks from dsl branch

↗️ erubi (indirect, 1.8.0 → 1.12.0) · Repo · Changelog

Release Notes

1.12.0 (from changelog)

* Use erb/escape for faster html escaping if available (jeremyevans)

Default :freeze_template_literals option to false if running with --enable-frozen-string-literal (casperisfine) (#35)

1.11.0 (from changelog)

* Support :freeze_template_literals option for configuring whether to add .freeze to template literal strings (casperisfine) (#33)


Support :chain_appends option for chaining appends to the buffer variable (casperisfine, jeremyevans) (#32)


Avoid unnecessary defined? usage on Ruby 3+ when using the :ensure option (jeremyevans)

1.10.0 (from changelog)

* Improve template parsing, mostly by reducing allocations (jeremyevans)


Do not ship tests in the gem, reducing gem size about 20% (jeremyevans)


Support :literal_prefix and :literal_postfix options for how to output literal tags (e.g. <%% code %>) (jaredcwhite) (#26, #27)

1.9.0 (from changelog)

* Change default :bufvar from 'String.new' to '::String.new' to work with BasicObject (jeremyevans)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 56 commits:

• Bump version to 1.12.0
• Add nocov markings around use of erb/escape
• Add mailing_list_uri to the gem metadata
• Use erb/escape for faster html escaping if available
• Avoid unused variable verbose warning on JRuby in test
• Test JRuby 9.4 in CI
• Update memory footprint comparison
• Update CHANGELOG
• Disable freeze_template_literals if `--enable-frozen-string-literal`
• Bump version to 1.11.0
• Fix tests, update documentation and CHANGELOG
• Add `freeze_template_literals` option to avoid String#freeze
• Add chain_appends option to simplify VM instructions (Fixes #32)
• Add space after semicolon in generated output
• Avoid unnecessary defined? usage on Ruby 3+ when using the :ensure option
• Add a test for no tags with frozen source
• Tighten CI permissions
• Test Ruby 3.1 in CI
• Run specs in verbose mode on Ruby 3+
• Try Ruby 1.9.3, 2.0, and JRuby 9.3 on GitHub Actions
• Extract default regexp to Constant
• Stop using Travis
• Bump copyright year
• Start testing on truffleruby, and simplify ci.yml
• Test on ruby 3.0
• RANGE_ALL is not in use since 4dc81c210664bfa244c6015bb3aa034b29f5a66f
• Use GitHub Actions CI for supported Ruby versions
• Bump version to 1.10.0
• Enable branch coverage when testing
• Move <% case above <%# and <%% cases as it is more common
• Cover some rspace/lspace branches in CaptureEndEngine
• Test <%= tailch rspace branch and src ending with newline branch
• Remove unnecessary line
• Remove unnecessary branch
• Adjust nocov markings
• Don't call add_text with nil
• Fix regression where only first backslash/apostrophe was escaped
• Improve template parsing, mostly by reducing allocations
• Do not ship tests in the gem, reducing gem size about 20%
• Start testing Ruby 2.7 on Travis
• Update copyright year
• Add nocov markers
• Make spec_w task use warning gem instead of egrep for filtering
• Improve rdoc formatting
• Update CHANGELOG
• Allow the literal prefix/postfix to be configured (Fixes #26, #27)
• Refactor and simplify internals
• Reduce memory usage when escaping text
• Fix documentation of options bufval, bufvar in Erubi::Engine's initializer
• Bump version to 1.9.0
• Change default :bufvar from 'String.new' to '::String.new' to work with BasicObject
• Try to get Travis passing
• Use minitest-global_expecations in tests to avoid deprecation issues with minitest 5.12
• Test JRuby 9.2 on Travis
• Test on TruffleRuby on Travis
• CI: Add Ruby 2.6 to the matrix

↗️ rack (indirect, 1.6.11 → 1.6.13) · Repo · Changelog

Security Advisories 🚨

🚨 Possible information leak / session hijack vulnerability

There's a possible information leak / session hijack vulnerability in Rack.

Attackers may be able to find and hijack sessions by using timing attacks
targeting the session id. Session ids are usually stored and indexed in a
database that uses some kind of scheme for speeding up lookups of that
session id. By carefully measuring the amount of time it takes to look up
a session, an attacker may be able to find a valid session id and hijack
the session.

The session id itself may be generated randomly, but the way the session is
indexed by the backing store does not use a secure comparison.

Impact:

The session id stored in a cookie is the same id that is used when querying
the backing session storage engine. Most storage mechanisms (for example a
database) use some sort of indexing in order to speed up the lookup of that
id. By carefully timing requests and session lookup failures, an attacker
may be able to perform a timing attack to determine an existing session id
and hijack that session.

Release Notes

1.6.12 (from changelog)

• [CVE-2019-16782] Prevent timing attacks targeted at session ID lookup. (@tenderlove, @rafaelfranca)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 22 commits:

• bump version
• Handle case where session id key is requested but it is missing
• Merge pull request #1462 from jeremyevans/sessionid-to_s
• Merge branch '1-6-sec' into 1-6-stable
• Bump version
• making diff smaller
• fix memcache tests on 1.6
• fix tests on 1.6
• Introduce a new base class to avoid breaking when upgrading
• Add a version prefix to the private id to make easier to migrate old values
• Fallback to the public id when reading the session in the pool adapter
• Also drop the session with the public id when destroying sessions
• Fallback to the legacy id when the new id is not found
• Add the private id
• revert conditionals to master
• remove NullSession
• remove || raise and get closer to master
• store hashed id, send public id
• use session id objects
• remove more nils
• try to ensure we always have some kind of object
• Fix assertion on bacon

🆕 rouge (added, 4.1.0)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #223.