In order to stay current with Rails, we want to upgrade to Rails 5.2. A lot of the work here involves upgrades to associated gems and fixes for deprecated features that will be removed in Rails 6.
Upgrading to the most recent version of Rails 5.2 (later than 126.96.36.199) will fix the following vulnerabilities:
CVE-2020-5267: Possible XSS vulnerability in ActionView; we can remove the monkey-patch added in
CVE-2020-8165: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
CVE-2020-8167: CSRF Vulnerability in rails-ujs
CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack
CVE-2020-8166: Ability to forge per-form CSRF tokens given a global CSRF token
CVE-2020-15169: Potential Cross-Site Scripting (XSS) vulnerability in Action View’s translation helpers.
Testing a significant Rails upgrade usually involves a full regression.
We will need to completely clear the cache (Rails.cache.clear) because 5.1 and 5.2 caches are incompatible (https://github.com/rails/rails/issues/34853).
We’ll also want to remove the monkey patch introduced in
Credit for this should go to Elz and Enigel.
Spoke too soon! According to GitHub, the co-authors are Elz, Enigel, james_, redsummernight, Sarken, and ticking instant.
Still loads following 188.8.131.52 update, so we're good