Merge branch '6-1-sec' into 6-1-stable

siaw23 · Apr 26, 2022 · 3bcb481 · 3bcb481
2 parents d38ff07 + e2efc66
commit 3bcb481
Show file tree

Hide file tree

Showing 39 changed files with 6,202 additions and 5,897 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -30,83 +30,83 @@ GIT
 PATH
   remote: .
   specs:
-    actioncable (6.1.5)
-      actionpack (= 6.1.5)
-      activesupport (= 6.1.5)
+    actioncable (6.1.5.1)
+      actionpack (= 6.1.5.1)
+      activesupport (= 6.1.5.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.1.5)
-      actionpack (= 6.1.5)
-      activejob (= 6.1.5)
-      activerecord (= 6.1.5)
-      activestorage (= 6.1.5)
-      activesupport (= 6.1.5)
+    actionmailbox (6.1.5.1)
+      actionpack (= 6.1.5.1)
+      activejob (= 6.1.5.1)
+      activerecord (= 6.1.5.1)
+      activestorage (= 6.1.5.1)
+      activesupport (= 6.1.5.1)
       mail (>= 2.7.1)
-    actionmailer (6.1.5)
-      actionpack (= 6.1.5)
-      actionview (= 6.1.5)
-      activejob (= 6.1.5)
-      activesupport (= 6.1.5)
+    actionmailer (6.1.5.1)
+      actionpack (= 6.1.5.1)
+      actionview (= 6.1.5.1)
+      activejob (= 6.1.5.1)
+      activesupport (= 6.1.5.1)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.1.5)
-      actionview (= 6.1.5)
-      activesupport (= 6.1.5)
+    actionpack (6.1.5.1)
+      actionview (= 6.1.5.1)
+      activesupport (= 6.1.5.1)
       rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.1.5)
-      actionpack (= 6.1.5)
-      activerecord (= 6.1.5)
-      activestorage (= 6.1.5)
-      activesupport (= 6.1.5)
+    actiontext (6.1.5.1)
+      actionpack (= 6.1.5.1)
+      activerecord (= 6.1.5.1)
+      activestorage (= 6.1.5.1)
+      activesupport (= 6.1.5.1)
       nokogiri (>= 1.8.5)
-    actionview (6.1.5)
-      activesupport (= 6.1.5)
+    actionview (6.1.5.1)
+      activesupport (= 6.1.5.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.1.5)
-      activesupport (= 6.1.5)
+    activejob (6.1.5.1)
+      activesupport (= 6.1.5.1)
       globalid (>= 0.3.6)
-    activemodel (6.1.5)
-      activesupport (= 6.1.5)
-    activerecord (6.1.5)
-      activemodel (= 6.1.5)
-      activesupport (= 6.1.5)
-    activestorage (6.1.5)
-      actionpack (= 6.1.5)
-      activejob (= 6.1.5)
-      activerecord (= 6.1.5)
-      activesupport (= 6.1.5)
+    activemodel (6.1.5.1)
+      activesupport (= 6.1.5.1)
+    activerecord (6.1.5.1)
+      activemodel (= 6.1.5.1)
+      activesupport (= 6.1.5.1)
+    activestorage (6.1.5.1)
+      actionpack (= 6.1.5.1)
+      activejob (= 6.1.5.1)
+      activerecord (= 6.1.5.1)
+      activesupport (= 6.1.5.1)
       marcel (~> 1.0)
       mini_mime (>= 1.1.0)
-    activesupport (6.1.5)
+    activesupport (6.1.5.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
       zeitwerk (~> 2.3)
-    rails (6.1.5)
-      actioncable (= 6.1.5)
-      actionmailbox (= 6.1.5)
-      actionmailer (= 6.1.5)
-      actionpack (= 6.1.5)
-      actiontext (= 6.1.5)
-      actionview (= 6.1.5)
-      activejob (= 6.1.5)
-      activemodel (= 6.1.5)
-      activerecord (= 6.1.5)
-      activestorage (= 6.1.5)
-      activesupport (= 6.1.5)
+    rails (6.1.5.1)
+      actioncable (= 6.1.5.1)
+      actionmailbox (= 6.1.5.1)
+      actionmailer (= 6.1.5.1)
+      actionpack (= 6.1.5.1)
+      actiontext (= 6.1.5.1)
+      actionview (= 6.1.5.1)
+      activejob (= 6.1.5.1)
+      activemodel (= 6.1.5.1)
+      activerecord (= 6.1.5.1)
+      activestorage (= 6.1.5.1)
+      activesupport (= 6.1.5.1)
       bundler (>= 1.15.0)
-      railties (= 6.1.5)
+      railties (= 6.1.5.1)
       sprockets-rails (>= 2.0.0)
-    railties (6.1.5)
-      actionpack (= 6.1.5)
-      activesupport (= 6.1.5)
+    railties (6.1.5.1)
+      actionpack (= 6.1.5.1)
+      activesupport (= 6.1.5.1)
       method_source
       rake (>= 12.2)
       thor (~> 1.0)
@@ -205,7 +205,6 @@ GEM
     delayed_job_active_record (4.1.6)
       activerecord (>= 3.0, < 6.2)
       delayed_job (>= 3.0, < 5)
-    digest (3.1.0)
     digest-crc (0.6.3)
       rake (>= 12.0.0, < 14.0.0)
     em-http-request (1.1.7)
@@ -294,7 +293,6 @@ GEM
     image_processing (1.12.1)
       mini_magick (>= 4.9.5, < 5)
       ruby-vips (>= 2.0.17, < 3)
-    io-wait (0.2.1)
     jmespath (1.4.0)
     json (2.5.1)
     jwt (2.2.3)
@@ -305,13 +303,12 @@ GEM
     listen (3.5.1)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    loofah (2.14.0)
+    loofah (2.16.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
     marcel (1.0.2)
-    matrix (0.4.2)
     memoist (0.16.2)
     method_source (1.0.0)
     mini_magick (4.11.0)
@@ -339,21 +336,6 @@ GEM
       ruby2_keywords (~> 0.0.1)
     net-http-persistent (4.0.1)
       connection_pool (~> 2.2)
-    net-imap (0.2.3)
-      digest
-      net-protocol
-      strscan
-    net-pop (0.1.1)
-      digest
-      net-protocol
-      timeout
-    net-protocol (0.1.2)
-      io-wait
-      timeout
-    net-smtp (0.3.1)
-      digest
-      net-protocol
-      timeout
     nio4r (2.5.7)
     nokogiri (1.11.3)
       mini_portile2 (~> 2.5.0)
@@ -491,7 +473,6 @@ GEM
       sprockets (>= 3.0.0)
     sqlite3 (1.4.2)
     stackprof (0.2.17)
-    strscan (3.0.1)
     sucker_punch (3.0.1)
       concurrent-ruby (~> 1.0)
     thin (1.8.0)
@@ -500,7 +481,6 @@ GEM
       rack (>= 1, < 3)
     thor (1.1.0)
     tilt (2.0.10)
-    timeout (0.2.0)
     trailblazer-option (0.1.1)
     turbolinks (5.2.1)
       turbolinks-source (~> 5.2)
@@ -563,23 +543,18 @@ DEPENDENCIES
   dalli
   delayed_job
   delayed_job_active_record
-  digest (~> 3.1.0.pre)
   google-cloud-storage (~> 1.11)
   hiredis
   image_processing (~> 1.2)
   json (>= 2.0.0)
   kindlerb (~> 1.2.0)
   libxml-ruby
   listen (~> 3.3)
-  matrix
   minitest (>= 5.15.0)
   minitest-bisect
   minitest-reporters
   minitest-retry
   mysql2 (~> 0.5)!
-  net-imap
-  net-pop
-  net-smtp
   nokogiri (>= 1.8.1)
   pg (>= 1.3.0.rc1)
   psych (~> 3.0)

diff --git a/RAILS_VERSION b/RAILS_VERSION
@@ -1 +1 @@
-6.1.5
+6.1.5.1
diff --git a/actioncable/CHANGELOG.md b/actioncable/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.1.5.1 (April 26, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.5 (March 09, 2022) ##
 
 *   The Action Cable client now ensures successful channel subscriptions:

diff --git a/actioncable/lib/action_cable/gem_version.rb b/actioncable/lib/action_cable/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 5
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actioncable/package.json b/actioncable/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@rails/actioncable",
-  "version": "6.1.5",
+  "version": "6.1.5-1",
   "description": "WebSocket framework for Ruby on Rails.",
   "main": "app/assets/javascripts/action_cable.js",
   "files": [

diff --git a/actionmailbox/CHANGELOG.md b/actionmailbox/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.1.5.1 (April 26, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.5 (March 09, 2022) ##
 
 *   Add `attachments` to the list of permitted parameters for inbound emails conductor.

diff --git a/actionmailbox/lib/action_mailbox/gem_version.rb b/actionmailbox/lib/action_mailbox/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 5
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.1.5.1 (April 26, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.5 (March 09, 2022) ##
 
 *   No changes.

diff --git a/actionmailer/lib/action_mailer/gem_version.rb b/actionmailer/lib/action_mailer/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 5
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
@@ -1,3 +1,9 @@
+## Rails 6.1.5.1 (April 26, 2022) ##
+
+*   Allow Content Security Policy DSL to generate for API responses.
+
+    *Tim Wade*
+
 ## Rails 6.1.5 (March 09, 2022) ##
 
 *   Fix `content_security_policy` returning invalid directives.

diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -18,7 +18,6 @@ def call(env)
         request = ActionDispatch::Request.new env
         _, headers, _ = response = @app.call(env)
 
-        return response unless html_response?(headers)
         return response if policy_present?(headers)
 
         if policy = request.content_security_policy
@@ -32,12 +31,6 @@ def call(env)
       end
 
       private
-        def html_response?(headers)
-          if content_type = headers[CONTENT_TYPE]
-            /html/.match?(content_type)
-          end
-        end
-
         def header_name(request)
           if request.content_security_policy_report_only
             POLICY_REPORT_ONLY

diff --git a/actionpack/lib/action_pack/gem_version.rb b/actionpack/lib/action_pack/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 5
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -385,6 +385,11 @@ class PolicyController < ActionController::Base
 
     content_security_policy_report_only only: :report_only
 
+    content_security_policy only: :api do |p|
+      p.default_src :none
+      p.frame_ancestors :none
+    end
+
     def index
       head :ok
     end
@@ -413,6 +418,10 @@ def no_policy
       head :ok
     end
 
+    def api
+      render json: {}
+    end
+
     private
       def condition?
         params[:condition] == "true"
@@ -429,6 +438,7 @@ def condition?
       get "/script-src", to: "policy#script_src"
       get "/style-src", to: "policy#style_src"
       get "/no-policy", to: "policy#no_policy"
+      get "/api", to: "policy#api"
     end
   end
 
@@ -500,6 +510,11 @@ def test_generates_no_content_security_policy
     assert_nil response.headers["Content-Security-Policy-Report-Only"]
   end
 
+  def test_generates_api_security_policy
+    get "/api"
+    assert_policy "default-src 'none'; frame-ancestors 'none'"
+  end
+
   private
     def assert_policy(expected, report_only: false)
       assert_response :success

diff --git a/actiontext/CHANGELOG.md b/actiontext/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.1.5.1 (April 26, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.5 (March 09, 2022) ##
 
 *   Fix Action Text extra trix content wrapper.

diff --git a/actiontext/lib/action_text/gem_version.rb b/actiontext/lib/action_text/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 5
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end