From a9f3d27dfa54b726800a749194b19e6a0faafa15 Mon Sep 17 00:00:00 2001 From: Ashok Dongare Date: Wed, 2 Sep 2020 11:50:35 -0400 Subject: [PATCH 1/5] Integrated BONNIEMAT-623 & BONNIEMAT-629 cql-execution change --- Gemfile | 5 +++-- Gemfile.lock | 15 ++++++++++----- package.json | 2 +- yarn.lock | 19 ++++++++----------- 4 files changed, 22 insertions(+), 19 deletions(-) diff --git a/Gemfile b/Gemfile index ebcca8db9..025821597 100644 --- a/Gemfile +++ b/Gemfile @@ -12,10 +12,11 @@ gem 'less-rails' # We want non-digest versions of our assets for font-awesome gem "non-stupid-digest-assets" -gem 'cqm-models', '~> 3.0.3' +# gem 'cqm-models', '~> 3.0.3' gem 'cqm-reports', '~> 3.1.2' -gem 'cqm-parsers', :git => 'https://github.com/projecttacoma/cqm-parsers.git', :branch => 'bonnie_version' +gem 'cqm-models', :git => 'https://github.com/projecttacoma/cqm-models.git', :branch => 'MAT-1708' +gem 'cqm-parsers', :git => 'https://github.com/projecttacoma/cqm-parsers.git', :branch => 'MAT-1708' # needed for HDS gem 'rubyzip', '>= 1.3.0' diff --git a/Gemfile.lock b/Gemfile.lock index bb9fdacb6..3f9c5dcc0 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,12 +1,18 @@ +GIT + remote: https://github.com/projecttacoma/cqm-models.git + revision: 522905ca497627b9f8ebe929df5235805e88571b + branch: MAT-1708 + specs: + cqm-models (3.0.3) + GIT remote: https://github.com/projecttacoma/cqm-parsers.git - revision: 916f63f98beea308928bf64057597a50503df2ea - branch: bonnie_version + revision: 3f7ac575898123e2a509053f539aaa6405e73b40 + branch: MAT-1708 specs: cqm-parsers (0.2.1.1) activesupport (~> 5.2.1) builder (~> 3.1) - cqm-models (~> 3.0.3) erubis (~> 2.7.0) highline (~> 1.7.0) log4r (~> 1.1.10) @@ -131,7 +137,6 @@ GEM colorize (0.8.1) commonjs (0.2.7) concurrent-ruby (1.1.7) - cqm-models (3.0.3) cqm-reports (3.1.2) cqm-models (~> 3.0.3) cqm-validators (~> 3.0.0) 
@@ -400,7 +405,7 @@ DEPENDENCIES codecov coffee-rails colorize - cqm-models (~> 3.0.3) + cqm-models! cqm-parsers! cqm-reports (~> 3.1.2) devise diff --git a/package.json b/package.json index c877bb0e7..a5b050310 100644 --- a/package.json +++ b/package.json @@ -108,7 +108,7 @@ "scripts": {}, "dependencies": { "browserify": "^16.5.1", - "cqm-execution": "^3.0.2", + "cqm-execution": "projecttacoma/cqm-execution#MAT-1708", "tinymce": "^5.4.2" } } diff --git a/yarn.lock b/yarn.lock index 31beff9b6..03ec7735d 100644 --- a/yarn.lock +++ b/yarn.lock 
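Review bot: `"cqm-execution": "projecttacoma/cqm-execution#MAT-1708"` on the new side of the package.json hunk is a mutable branch reference rather than a pinned revision, and the yarn.lock hunk that follows shows the consequence: `cqm-execution` and `cqm-models` now resolve to codeload tarballs with no `integrity` line, and `cql-execution` is taken from a personal fork, `adongare/cql-execution#bonniemat-629_623`, instead of the registry package that previously carried a sha512 integrity hash. A branch spec lets an install without the lockfile, or any later `yarn upgrade`, follow whatever the branch head becomes, and the fork puts an individual account in the build's dependency chain. If a pre-release build is required, pin the commit instead, e.g. `"cqm-execution": "projecttacoma/cqm-execution#dd4f5b947c6e8095cba7f744fa60d8fae4d93759"`, and prefer the upstream `cql-execution` over the fork. Patch 3 in this series moves these back to registry versions with integrity hashes, so this only matters if the intermediate state is ever deployed on its own.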
@@ -313,29 +313,26 @@ core-util-is@~1.0.0: resolved "https://registry.yarnpkg.com/core-util-is/-/core-util-is-1.0.2.tgz#b5fd54220aa2bc5ab57aab7140c940754503c1a7" integrity sha1-tf1UIgqivFq1eqtxQMlAdUUDwac= -cql-execution@~1.4.4: +cql-execution@adongare/cql-execution#bonniemat-629_623: version "1.4.4" - resolved "https://registry.yarnpkg.com/cql-execution/-/cql-execution-1.4.4.tgz#13b1587a7d8739150f25e5c54473d50bf8ab3e81" - integrity sha512-nQQopJ+c6aGcwBvZe9j6Sv1tBK6ZZyn/Ql+jWr4a+y4h59Qbsu1nd+y4+kxVkH75J9d/g/hLxw0IZl9vapTn+Q== + resolved "https://codeload.github.com/adongare/cql-execution/tar.gz/86f1e923cbb814ce80caddf22425b1e386e1e8ec" dependencies: moment "^2.20.1" ucum "0.0.7" -cqm-execution@^3.0.2: +cqm-execution@projecttacoma/cqm-execution#MAT-1708: version "3.0.2" - resolved "https://registry.yarnpkg.com/cqm-execution/-/cqm-execution-3.0.2.tgz#c6cfee9e05656aa33edf217989dfc53306c3c0d6" - integrity sha512-PH835J//mYhtuJ3zpclCH8irhaSNqa26986BAl5w1LNFYGUBXA8PFi29QyI2NaRAeshUHnd++JBxjS110hzjwg== + resolved "https://codeload.github.com/projecttacoma/cqm-execution/tar.gz/dd4f5b947c6e8095cba7f744fa60d8fae4d93759" dependencies: - cqm-models "~3.0.3" + cqm-models projecttacoma/cqm-models#MAT-1708 lodash "^4.17.19" moment "^2.21.0" -cqm-models@~3.0.3: +cqm-models@projecttacoma/cqm-models#MAT-1708: version "3.0.3" - resolved "https://registry.yarnpkg.com/cqm-models/-/cqm-models-3.0.3.tgz#7dfd77ab0a9345b33bfbf5e742b8ac488e70597d" - integrity sha512-soel+GkUFdOX3S9uQb3UY2hLavawCebcdIvSkveFIRyPwatdB5UUWCpWwYZ8j0JsIZGGx7TAHlvjAM0U6Wrl7Q== + resolved "https://codeload.github.com/projecttacoma/cqm-models/tar.gz/522905ca497627b9f8ebe929df5235805e88571b" dependencies: - cql-execution "~1.4.4" + cql-execution adongare/cql-execution#bonniemat-629_623 mongoose "^5.7.5" create-ecdh@^4.0.0: From 4b2a5e9a39f7920b5d34c1d52cbc32f7417fa09c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 3 Sep 2020 19:51:42 +0000 Subject: [PATCH 2/5] Bump bl from 2.2.0 to 2.2.1 Bumps [bl](https://github.com/rvagg/bl) from 2.2.0 to 2.2.1. - [Release notes](https://github.com/rvagg/bl/releases) - [Commits](https://github.com/rvagg/bl/compare/v2.2.0...v2.2.1) Signed-off-by: dependabot[bot] --- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index 31beff9b6..18caa5968 100644 --- a/yarn.lock +++ b/yarn.lock @@ -58,9 +58,9 @@ base64-js@^1.0.2: integrity sha512-mLQ4i2QO1ytvGWFWmcngKO//JXAQueZvwEKtjgQFM4jIK0kU+ytMfplL8j+n5mspOfjHwoAg+9yhb7BwAHm36g== bl@^2.2.0: - version "2.2.0" - resolved "https://registry.yarnpkg.com/bl/-/bl-2.2.0.tgz#e1a574cdf528e4053019bb800b041c0ac88da493" - integrity sha512-wbgvOpqopSr7uq6fJrLH8EsvYMJf9gzfo2jCsL2eTy75qXPukA4pCgHamOQkZtY5vmfVtjB+P3LNlMHW5CEZXA== + version "2.2.1" + resolved "https://registry.yarnpkg.com/bl/-/bl-2.2.1.tgz#8c11a7b730655c5d56898cdc871224f40fd901d5" + integrity sha512-6Pesp1w0DEX1N550i/uGV/TqucVL4AM/pgThFSN/Qq9si1/DF9aIHs1BxD8V/QU0HoeHO6cQRTAuYnLPKq1e4g== dependencies: readable-stream "^2.3.5" safe-buffer "^5.1.1" From ed32482aa5e971876691bcbc776b91ca7cb2ad4c Mon Sep 17 00:00:00 2001 From: Ashok Dongare Date: Fri, 11 Sep 2020 08:38:18 -0400 Subject: [PATCH 3/5] MAT-1708 Set Up All Bonnie Repos to Test for QDM Release - Updated cqm-models, cqm-execution & cqm-parsers versions - Security vulnerability fix related to bl --- Gemfile | 6 +++--- Gemfile.lock | 15 +++++---------- package.json | 2 +- yarn.lock | 25 ++++++++++++++----------- 4 files changed, 23 insertions(+), 25 deletions(-) diff --git a/Gemfile b/Gemfile index 025821597..f40360d56 100644 --- a/Gemfile +++ b/Gemfile 
@@ -12,11 +12,11 @@ gem 'less-rails' # We want non-digest versions of our assets for font-awesome gem "non-stupid-digest-assets" -# gem 'cqm-models', '~> 3.0.3' +gem 'cqm-models', '~> 3.0.3' gem 'cqm-reports', '~> 3.1.2' -gem 'cqm-models', :git => 'https://github.com/projecttacoma/cqm-models.git', :branch => 'MAT-1708' -gem 'cqm-parsers', :git => 'https://github.com/projecttacoma/cqm-parsers.git', :branch => 'MAT-1708' +# gem 'cqm-models', :git => 'https://github.com/projecttacoma/cqm-models.git', :branch => 'MAT-1708' +gem 'cqm-parsers', :git => 'https://github.com/projecttacoma/cqm-parsers.git', :branch => 'bonnie_version' # needed for HDS gem 'rubyzip', '>= 1.3.0' diff --git a/Gemfile.lock b/Gemfile.lock index 3f9c5dcc0..33d206404 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,18 +1,12 @@ -GIT - remote: https://github.com/projecttacoma/cqm-models.git - revision: 522905ca497627b9f8ebe929df5235805e88571b - branch: MAT-1708 - specs: - cqm-models (3.0.3) - GIT remote: https://github.com/projecttacoma/cqm-parsers.git - revision: 3f7ac575898123e2a509053f539aaa6405e73b40 - branch: MAT-1708 + revision: 5b6d682e925e096443a0379609db995169c00382 + branch: bonnie_version specs: cqm-parsers (0.2.1.1) activesupport (~> 5.2.1) builder (~> 3.1) + cqm-models (~> 3.0.4) erubis (~> 2.7.0) highline (~> 1.7.0) log4r (~> 1.1.10) @@ -137,6 +131,7 @@ GEM colorize (0.8.1) commonjs (0.2.7) concurrent-ruby (1.1.7) + cqm-models (3.0.4) cqm-reports (3.1.2) cqm-models (~> 3.0.3) cqm-validators (~> 3.0.0) @@ -405,7 +400,7 @@ DEPENDENCIES codecov coffee-rails colorize - cqm-models! + cqm-models (~> 3.0.3) cqm-parsers! cqm-reports (~> 3.1.2) devise diff --git a/package.json b/package.json index a5b050310..53535cbb0 100644 --- a/package.json +++ b/package.json @@ -108,7 +108,7 @@ "scripts": {}, "dependencies": { "browserify": "^16.5.1", - "cqm-execution": "projecttacoma/cqm-execution#MAT-1708", + "cqm-execution": "^3.0.3", "tinymce": "^5.4.2" } } 
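Review bot: `gem 'cqm-parsers', :git => 'https://github.com/projecttacoma/cqm-parsers.git', :branch => 'bonnie_version'` still resolves a floating branch; the Gemfile.lock hunk pins it to revision `5b6d682e925e096443a0379609db995169c00382`, so a plain `bundle install` is reproducible, but a `bundle update cqm-parsers` silently takes whatever the branch head is at that moment. Adding `:ref => '5b6d682e925e096443a0379609db995169c00382'` (or a tag) to the gem line makes the pin explicit in the Gemfile rather than only in the lockfile, which is where reviewers and audit tooling look first. The `cqm-models (~> 3.0.4)` constraint that `cqm-parsers` now carries is satisfied by the registry `cqm-models (3.0.4)` in the same lockfile hunk, so the git and registry sources are consistent here.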
diff --git a/yarn.lock b/yarn.lock index 03ec7735d..8eb354be8 100644 --- a/yarn.lock +++ b/yarn.lock @@ -313,26 +313,29 @@ core-util-is@~1.0.0: resolved "https://registry.yarnpkg.com/core-util-is/-/core-util-is-1.0.2.tgz#b5fd54220aa2bc5ab57aab7140c940754503c1a7" integrity sha1-tf1UIgqivFq1eqtxQMlAdUUDwac= -cql-execution@adongare/cql-execution#bonniemat-629_623: - version "1.4.4" - resolved "https://codeload.github.com/adongare/cql-execution/tar.gz/86f1e923cbb814ce80caddf22425b1e386e1e8ec" +cql-execution@~1.4.5: + version "1.4.5" + resolved "https://registry.yarnpkg.com/cql-execution/-/cql-execution-1.4.5.tgz#e17364d916cbc78a37994aa4033a95802bd4ab8f" + integrity sha512-ulji08Pl5MzlvTJOUXd0OYlKRfgdOFApdAilvN4FpkcXhk9gwjy4M08jydyqJ8EIH+peSpGuZ3ubRhBUrNEFBQ== dependencies: moment "^2.20.1" ucum "0.0.7" -cqm-execution@projecttacoma/cqm-execution#MAT-1708: - version "3.0.2" - resolved "https://codeload.github.com/projecttacoma/cqm-execution/tar.gz/dd4f5b947c6e8095cba7f744fa60d8fae4d93759" +cqm-execution@^3.0.3: + version "3.0.3" + resolved "https://registry.yarnpkg.com/cqm-execution/-/cqm-execution-3.0.3.tgz#6fd9838c5a88e177018166b80bdc0ac1ddccdba0" + integrity sha512-rBAMrFUE83irYkp13nmbMzZ3aPOgBC8JEBfPdalAz34P9VTl+jCuhwI8YBUT22RlvtPiDE3PmbxBBGDWpH38hg== dependencies: - cqm-models projecttacoma/cqm-models#MAT-1708 + cqm-models "~3.0.4" lodash "^4.17.19" moment "^2.21.0" -cqm-models@projecttacoma/cqm-models#MAT-1708: - version "3.0.3" - resolved "https://codeload.github.com/projecttacoma/cqm-models/tar.gz/522905ca497627b9f8ebe929df5235805e88571b" +cqm-models@~3.0.4: + version "3.0.4" + resolved "https://registry.yarnpkg.com/cqm-models/-/cqm-models-3.0.4.tgz#c1b84977f65a953d2640285581eb73b31094f97c" + integrity sha512-MHYS45iSdOiH7t+F4cz3xOvkI2/G4AyhrLQPg0IPRATB3b4uGqB9oBq88Limkq6LljmUjF3gbyn3a7CV5YjbiA== dependencies: - cql-execution adongare/cql-execution#bonniemat-629_623 + cql-execution "~1.4.5" mongoose "^5.7.5" create-ecdh@^4.0.0: 
From 3e8dd6196452b6f5f01bd804f6c496e004c24fc5 Mon Sep 17 00:00:00 2001 From: Ashok Dongare Date: Fri, 11 Sep 2020 08:44:56 -0400 Subject: [PATCH 4/5] Removed commented line --- Gemfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Gemfile b/Gemfile index f40360d56..ebcca8db9 100644 --- a/Gemfile +++ b/Gemfile @@ -15,7 +15,6 @@ gem "non-stupid-digest-assets" gem 'cqm-models', '~> 3.0.3' gem 'cqm-reports', '~> 3.1.2' -# gem 'cqm-models', :git => 'https://github.com/projecttacoma/cqm-models.git', :branch => 'MAT-1708' gem 'cqm-parsers', :git => 'https://github.com/projecttacoma/cqm-parsers.git', :branch => 'bonnie_version' # needed for HDS From 332e4366c53d9194cfdcef9d80a353aa211118e0 Mon Sep 17 00:00:00 2001 From: Ashok Dongare Date: Fri, 11 Sep 2020 09:26:24 -0400 Subject: [PATCH 5/5] Upgraded rails version to v5.2.4.4 to address: - CVE-2020-15169- https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc?pli=1 - Remved unwanted security patch that was necessary for old rails v4.x --- .travis.yml | 2 +- Gemfile | 2 +- Gemfile.lock | 80 ++++++++++++++-------------- config/application.rb | 1 - config/security_patch_cve20205267.rb | 39 -------------- 5 files changed, 42 insertions(+), 82 deletions(-) delete mode 100644 config/security_patch_cve20205267.rb diff --git a/.travis.yml b/.travis.yml index 14aecafe3..c16575b66 100644 --- a/.travis.yml +++ b/.travis.yml @@ -45,7 +45,7 @@ script: - bundle exec rake teaspoon DIR='javascripts' - bash <(curl -s https://codecov.io/bash) -f ./coverage-frontend/default/lcov.info - bundle exec brakeman -qAzw1 - - bundle exec bundle-audit check --update --ignore CVE-2020-5267 + - bundle exec bundle-audit check --update - bundle exec overcommit --sign - bundle exec overcommit --run - bundle exec rake test diff --git a/Gemfile b/Gemfile index ebcca8db9..d177c8bd3 100644 --- a/Gemfile +++ b/Gemfile @@ -1,6 +1,6 @@ source 'https://rubygems.org' -gem 'rails', '5.2.4.3' +gem 'rails', '5.2.4.4' gem 'sprockets' 
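Review bot: Deleting `config/security_patch_cve20205267.rb` together with the `--ignore CVE-2020-5267` flag is consistent with the bump to `5.2.4.4`, but the removed file's own header says the fix ships in `>= 5.2.4.2`, and the old side of the Gemfile hunk shows the app was already on `5.2.4.3` before this commit, so the monkey-patch of `JS_ESCAPE_MAP`/`escape_javascript` was re-applying a fix Rails already contained and the audit ignore was stale. It is worth saying in the commit message that the deletion is a cleanup independent of CVE-2020-15169, so nobody later reads the 5.2.4.4 bump as the thing that makes CVE-2020-5267 safe. With the `--ignore` gone, `bundle exec bundle-audit check --update` now fails the build on any newly published advisory for the pinned gem set, which is the right default but means a red CI run may be unrelated to the change under test.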
diff --git a/Gemfile.lock b/Gemfile.lock index 33d206404..9d688a9a4 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -43,43 +43,43 @@ GIT GEM remote: https://rubygems.org/ specs: - actioncable (5.2.4.3) - actionpack (= 5.2.4.3) + actioncable (5.2.4.4) + actionpack (= 5.2.4.4) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailer (5.2.4.3) - actionpack (= 5.2.4.3) - actionview (= 5.2.4.3) - activejob (= 5.2.4.3) + actionmailer (5.2.4.4) + actionpack (= 5.2.4.4) + actionview (= 5.2.4.4) + activejob (= 5.2.4.4) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (5.2.4.3) - actionview (= 5.2.4.3) - activesupport (= 5.2.4.3) + actionpack (5.2.4.4) + actionview (= 5.2.4.4) + activesupport (= 5.2.4.4) rack (~> 2.0, >= 2.0.8) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (5.2.4.3) - activesupport (= 5.2.4.3) + actionview (5.2.4.4) + activesupport (= 5.2.4.4) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.3) - activejob (5.2.4.3) - activesupport (= 5.2.4.3) + activejob (5.2.4.4) + activesupport (= 5.2.4.4) globalid (>= 0.3.6) - activemodel (5.2.4.3) - activesupport (= 5.2.4.3) - activerecord (5.2.4.3) - activemodel (= 5.2.4.3) - activesupport (= 5.2.4.3) + activemodel (5.2.4.4) + activesupport (= 5.2.4.4) + activerecord (5.2.4.4) + activemodel (= 5.2.4.4) + activesupport (= 5.2.4.4) arel (>= 9.0) - activestorage (5.2.4.3) - actionpack (= 5.2.4.3) - activerecord (= 5.2.4.3) + activestorage (5.2.4.4) + actionpack (= 5.2.4.4) + activerecord (= 5.2.4.4) marcel (~> 0.3.1) - activesupport (5.2.4.3) + activesupport (5.2.4.4) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 0.7, < 2) minitest (~> 5.1) @@ -199,7 +199,7 @@ GEM sprockets (~> 3.0) libv8 (3.16.14.19) log4r (1.1.10) - loofah (2.6.0) + loofah (2.7.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) macaddr (1.7.2) 
@@ -217,7 +217,7 @@ GEM mimemagic (0.3.5) mini_mime (1.0.2) mini_portile2 (2.4.0) - minitest (5.14.1) + minitest (5.14.2) mongo (2.13.0) bson (>= 4.8.2, < 5.0.0) mongoid (6.4.5) @@ -232,7 +232,7 @@ GEM net-ssh (6.1.0) netrc (0.11.0) newrelic_rpm (6.12.0.367) - nio4r (2.5.2) + nio4r (2.5.3) nokogiri (1.10.10) mini_portile2 (~> 2.4.0) non-stupid-digest-assets (1.0.9) @@ -256,18 +256,18 @@ GEM rack (2.2.3) rack-test (1.1.0) rack (>= 1.0, < 3) - rails (5.2.4.3) - actioncable (= 5.2.4.3) - actionmailer (= 5.2.4.3) - actionpack (= 5.2.4.3) - actionview (= 5.2.4.3) - activejob (= 5.2.4.3) - activemodel (= 5.2.4.3) - activerecord (= 5.2.4.3) - activestorage (= 5.2.4.3) - activesupport (= 5.2.4.3) + rails (5.2.4.4) + actioncable (= 5.2.4.4) + actionmailer (= 5.2.4.4) + actionpack (= 5.2.4.4) + actionview (= 5.2.4.4) + activejob (= 5.2.4.4) + activemodel (= 5.2.4.4) + activerecord (= 5.2.4.4) + activestorage (= 5.2.4.4) + activesupport (= 5.2.4.4) bundler (>= 1.3.0) - railties (= 5.2.4.3) + railties (= 5.2.4.4) sprockets-rails (>= 2.0.0) rails-controller-testing (1.0.5) actionpack (>= 5.0.1.rc1) @@ -286,9 +286,9 @@ GEM json require_all (~> 3.0) ruby-progressbar - railties (5.2.4.3) - actionpack (= 5.2.4.3) - activesupport (= 5.2.4.3) + railties (5.2.4.4) + actionpack (= 5.2.4.4) + activesupport (= 5.2.4.4) method_source rake (>= 0.8.7) thor (>= 0.19.0, < 2.0) @@ -421,7 +421,7 @@ DEPENDENCIES overcommit pry pry-byebug - rails (= 5.2.4.3) + rails (= 5.2.4.4) rails-controller-testing rails_best_practices rest-client diff --git a/config/application.rb b/config/application.rb index 31ee0c78a..8562651c2 100644 --- a/config/application.rb +++ b/config/application.rb @@ -5,7 +5,6 @@ require "action_controller/railtie" require "action_mailer/railtie" require "rails/test_unit/railtie" -require_relative './security_patch_cve20205267' if defined?(Bundler) # If you precompile assets before deploying to production, use this line 
diff --git a/config/security_patch_cve20205267.rb b/config/security_patch_cve20205267.rb deleted file mode 100644 index 1b79ceb50..000000000 --- a/config/security_patch_cve20205267.rb +++ /dev/null @@ -1,39 +0,0 @@ -# Name: actionview -# Version: 4.2.11.1 -# Advisory: CVE-2020-5267 -# Criticality: Unknown -# URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8 -# Title: Possible XSS vulnerability in ActionView -# Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2 - -ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!( - { - "`" => "\\`", - "$" => "\\$" - } -) - -module ActionView - module Helpers - module JavaScriptHelper - alias old_ej escape_javascript - alias old_j j - - def escape_javascript(javascript) - javascript = javascript.to_s - result = if javascript.empty? - "" - else - javascript.gsub(%r{(\\|