Upgrade to Rails 5.2

Description

In order to stay current with Rails, we want to upgrade to Rails 5.2. A lot of the work here involves upgrades to associated gems and fixes for deprecated features that will be removed in Rails 6.

Upgrading to the most recent version of Rails 5.2 (later than 5.2.4.3) will fix the following vulnerabilities:

  • CVE-2020-5267: Possible XSS vulnerability in ActionView; we can remove the monkey-patch added in

  • CVE-2020-8165: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

  • CVE-2020-8167: CSRF Vulnerability in rails-ujs

  • CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack

  • CVE-2020-8166: Ability to forge per-form CSRF tokens given a global CSRF token

  • CVE-2020-15169: Potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers

Testing a significant Rails upgrade usually involves a full regression.

Deploy notes

We will need to completely clear the cache (Rails.cache.clear) because 5.1 and 5.2 caches are incompatible (https://github.com/rails/rails/issues/34853).

Activity

Sarken
March 24, 2020, 1:36 PM

We’ll also want to remove the monkey patch introduced in

Sarken
July 15, 2020, 8:43 AM

Credit for this should go to Elz and Enigel.

Sarken
August 30, 2020, 5:12 PM

Spoke too soon! According to GitHub, the co-authors are Elz, Enigel, james_, redsummernight, Sarken, and ticking instant.

redsummernight
September 15, 2020, 1:07 PM

CVE-2020-15169 was disclosed on 2020-09-09 and we need to update Rails from 5.2.4.3 to at least 5.2.4.4.

Sarken
September 21, 2020, 12:22 PM

Still loads following 5.2.4.4 update, so we're good

DeployedToBeta

Assignee

enigel lj

Reporter

Elz J

Roadmap

Misc

Priority

Medium

Affects versions

Fix versions

Components

BackEnd

Difficulty

Medium

Milestone

Internal 0.9

Epic Name

Rails 5.2