Update actionpack-page_caching to 1.2.2

Description

We use this gem for caching the RSS tag feeds, and we need to update it to fix a vulnerability:

There is a vulnerability in the actionpack-page_caching gem < v1.2.1 that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.
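A quick lockfile check, added here as an example and not part of the ticket or the gem: it parses the `specs:` entries of a Gemfile.lock and confirms that actionpack-page_caching resolves to a release at or above the first patched version (1.2.1), which is what a reviewer would verify before closing this issue. The lockfile text below is constructed for the example; run it against the real Gemfile.lock by passing `File.read('Gemfile.lock')` instead.

```ruby
# Added example: verify that Gemfile.lock resolves actionpack-page_caching
# at a version that includes the arbitrary-file-write fix.
require 'rubygems' # provides Gem::Version

GEM_NAME        = 'actionpack-page_caching'.freeze
PATCHED_VERSION = Gem::Version.new('1.2.1') # first release with the fix
TARGET_VERSION  = Gem::Version.new('1.2.2') # version this ticket updates to

# Return the resolved Gem::Version of gem_name from lockfile text, or nil.
# Resolved gems sit under "specs:" with exactly four spaces of indent, e.g.
#     actionpack-page_caching (1.2.2)
# Their own dependencies (six spaces) and the DEPENDENCIES section (two
# spaces) are deliberately not matched.
def locked_version(lockfile_text, gem_name)
  pattern = /^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*$/
  lockfile_text.each_line do |line|
    m = pattern.match(line)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# True only if the gem is present in the lockfile and at/above the fix.
def patched?(lockfile_text, gem_name = GEM_NAME)
  version = locked_version(lockfile_text, gem_name)
  !version.nil? && version >= PATCHED_VERSION
end

# Constructed sample lockfiles (not from the real repository).
UPDATED_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.0.3.2)
      actionpack-page_caching (1.2.2)
        actionpack (>= 4.0.0)
      erubi (1.9.0)

  DEPENDENCIES
    actionpack-page_caching
    erubi
LOCK

STALE_LOCK = UPDATED_LOCK.sub('actionpack-page_caching (1.2.2)',
                              'actionpack-page_caching (1.2.0)')

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : UPDATED_LOCK
  version = locked_version(text, GEM_NAME)
  puts "#{GEM_NAME}: #{version || 'not in lockfile'} " \
       "(#{patched?(text) ? 'patched' : 'VULNERABLE'}; target #{TARGET_VERSION})"
end
```

The check keys on the `specs:` indentation rather than on the `DEPENDENCIES` section because only the former carries the resolved version; a Gemfile that merely lists the gem without a constraint says nothing about which release is installed.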

How to test: Dependabot updated a bunch of gems. We're testing the ones with a major or minor version change, skipping the patch version changes.

  • actionpack-page_caching:

    1. Log in.

    2. Pick a fandom/character/relationship tag, check its RSS feed.

    3. Post a new work with that tag, check that the feed now has the new work.

  • erubi: This is used for literally every template/view. So if the site loads and looks normal, we're good.

  • loofah/rails-html-sanitizer: Post a new work and make sure the work summary has all HTML stripped out of it in the subscription email (HTML version of the email). We could test more (like ), but nah.

Also of note: we have plans to stop using this gem altogether. See .

Assignee

Unassigned

Reporter

redsummernight

Roadmap

Tags

Works

Priority

Medium

Affects versions

Fix versions

Components

Gems

Difficulty

Medium

Milestone

Internal 0.9