In order to stay current with Rails, we want to upgrade to Rails 5.2. A lot of the work here involves upgrades to associated gems and fixes for deprecated features that will be removed in Rails 6.
Upgrading to the most recent version of Rails 5.2 (later than 5.2.4.3) will fix the following vulnerabilities:
CVE-2020-5267: Possible XSS vulnerability in ActionView; we can remove the monkey-patch added in
CVE-2020-8165: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
CVE-2020-8167: CSRF Vulnerability in rails-ujs
CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack
CVE-2020-8166: Ability to forge per-form CSRF tokens given a global CSRF token
CVE-2020-15169: Potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers
Testing a significant Rails upgrade usually involves a full regression.
Deploy notes
We will need to completely clear the cache (Rails.cache.clear) because 5.1 and 5.2 caches are incompatible (https://github.com/rails/rails/issues/34853).
We’ll also want to remove the monkey patch introduced in
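An added pre-deploy check, not code from the ticket or from the project, that confirms Gemfile.lock pins Rails at or above the patched floor (5.2.4.4, the version the follow-up comment names for CVE-2020-15169) before the cache-clearing deploy goes out. The lockfile fragments below are constructed for the demonstration; the parsing assumes the standard Gemfile.lock layout where a top-level spec line is indented four spaces and carries a bare version.

```ruby
require "rubygems"

# Minimum patched Rails version named in the ticket (assumption: the floor
# chosen here is 5.2.4.4, the release that addresses CVE-2020-15169).
RAILS_FLOOR = Gem::Version.new("5.2.4.4")

# Extract a gem's locked version from Gemfile.lock text. Top-level spec lines
# look like "    rails (5.2.4.3)"; dependency lines such as
# "      railties (= 5.2.4.3)" are indented further and carry an operator,
# so the regexp anchors on exactly four spaces and a bare version.
def locked_version(lockfile_text, gem_name)
  pattern = /^    #{Regexp.escape(gem_name)} \(([\w.]+)\)$/
  match = lockfile_text.match(pattern)
  match && Gem::Version.new(match[1])
end

# True only when Rails is present in the lockfile and at or above the floor.
def rails_patched?(lockfile_text, floor = RAILS_FLOOR)
  version = locked_version(lockfile_text, "rails")
  !version.nil? && version >= floor
end

# Constructed lockfile fragments: one still on 5.2.4.3, one bumped to 5.2.4.4.
OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (5.2.4.3)
        actioncable (= 5.2.4.3)
        railties (= 5.2.4.3)
LOCK

NEW_LOCK = OLD_LOCK.gsub("5.2.4.3", "5.2.4.4")

puts "old lockfile patched? #{rails_patched?(OLD_LOCK)}"   # false
puts "new lockfile patched? #{rails_patched?(NEW_LOCK)}"   # true
```

To run it against a real checkout, pass `File.read("Gemfile.lock")` to `rails_patched?` from a deploy script and abort when it returns false.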
Credit for this should go to Elz and Enigel.
Spoke too soon! According to GitHub, the co-authors are Elz, Enigel, james_, redsummernight, Sarken, and ticking instant.
CVE-2020-15169 was disclosed on 2020-09-09 and we need to update Rails from 5.2.4.3 to at least 5.2.4.4.
Still loads following 5.2.4.4 update, so we're good