We use this gem for caching the RSS tag feeds, and we need to update it to fix a vulnerability:
There is a vulnerability in the actionpack-page_caching gem < v1.2.1 that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.
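To make the class of bug concrete for reviewers: page caching turns a request path into a file path under the cache directory, and the problem arises when traversal segments in the request path let the resulting file land outside that directory. The following is an added illustration written for this ticket, not the gem's own code and not AO3 code; the cache directory, the helper name and the sample paths are all assumed. It shows the containment check a defender wants: normalize the candidate path and refuse anything that does not stay under the cache root.

```ruby
require "pathname"

# Assumed cache location for illustration only (not the real deployment path).
CACHE_DIR = "/var/www/app/public/cache"

# Map a request path to the file it would be cached as, or return nil when the
# normalized result would escape the cache directory. This is a hypothetical
# helper demonstrating the containment rule, not actionpack-page_caching's code.
def safe_cache_path(request_path, cache_dir = CACHE_DIR, default_extension = ".html")
  # File.expand_path raises on NUL bytes; reject them up front rather than
  # letting a malformed path reach the filesystem layer at all.
  return nil if request_path.include?("\0")

  root = File.expand_path(cache_dir)

  # Strip leading slashes so the request path is always joined under the root;
  # a leading "/" would otherwise reset expansion to the filesystem root.
  relative = request_path.sub(%r{\A/+}, "")
  relative = "index" if relative.empty?

  # expand_path collapses "." and ".." segments, which is what makes the
  # prefix comparison below meaningful.
  candidate = File.expand_path(relative, root)
  candidate += default_extension if File.extname(candidate).empty?

  # The candidate must be strictly inside the root (root itself is not a file).
  return nil unless candidate.start_with?(root + File::SEPARATOR)
  candidate
end

# Constructed request paths: the first two are ordinary feed/tag pages, the
# rest attempt to climb out of the cache directory.
SAMPLE_PATHS = [
  "/tags/Bleach/feed.atom",
  "/tags/Bleach",
  "/../../../../etc/cron.d/evil",
  "/tags/../../../tmp/x",
  "/tags/..",
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PATHS.each do |path|
    puts "#{path.inspect} => #{safe_cache_path(path).inspect}"
  end
end
```

The check compares the fully expanded candidate against the expanded root with a trailing separator, so a sibling directory that merely shares the root as a string prefix (for example `.../cache2`) is also rejected.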
How to test: Dependabot updated a bunch of gems. We're testing the ones with a major or minor version change, skipping the patch version changes.
actionpack-page_caching: Pick a fandom/character/relationship tag and check its RSS feed.
Post a new work with that tag and check that the feed now includes the new work.
erubi: This is used for every template/view, so if the site loads and looks normal, we're good.
loofah/rails-html-sanitizer: Post a new work and make sure the work summary has all HTML stripped out of it in the subscription email (HTML version of the email). We could test more (like ), but nah.
Also of note: we have plans to stop using this gem altogether. See .
actionpack-page_caching: Checked the RSS feed for the Panic! at the Disco tag and then posted a new work to that tag. Rechecked the feed and the work wasn’t there. Tried again a few minutes later, still no joy. Posted another new work, nope. But when I checked it an hour and 20 minutes later, the new works were both there.
erubi: I’ve been testing and all the pages exist and stuff, so I think we’re good.
loofah/rails-html-sanitizer: Posted a work with bold, em, and paragraphs in the summary. 'Twas removed in the email, as expected.
actionpack-page_caching: checked the RSS feed of "Bleach" then posted a new work in the tag. The RSS feed did not update immediately to show the new work because of nginx caching. The RSS feed updated ~30m later to include the new work.
loofah/rails-html-sanitizer: Posted a new work with bold, em, and paragraphs in the summary, which all got stripped in the subscription email as expected. Note that we will include in the same release, so this test step will not be valid from now on.