Friday, June 30, 2023

A CVE, two new Rails releases in a week, config.autoload_lib, and more!

Posted by vipulnsward

Happy Friday Everyone! This is Vipul, bringing you the latest changes in the Rails codebase.

[CVE-2023-28362] Possible XSS via User Supplied Values to redirect_to
If you haven’t already, it’s time to upgrade your Rails application to the latest version! Rails versions 7.0.5.1 and 6.1.7.4 have been released with a security fix for a possible XSS vulnerability in redirect_to when using user-supplied values. The fix changes the redirect_to method, which previously allowed provided values to contain characters that are not legal in an HTTP header value. This vulnerability has been assigned the CVE identifier CVE-2023-28362.
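Upgrading is the fix; the defence-in-depth that goes with it is to never hand a raw request parameter to redirect_to. The helper below is an added example for this post, not the Rails patch itself: it rejects any value containing characters that cannot appear in an HTTP header value (CR, LF and the other ASCII control characters) and additionally only accepts plain same-site paths, falling back to a safe default otherwise. The module name SafeRedirect, the rule set and the fallback path are assumptions for the example.

```ruby
require "uri"

# Characters that are never legal inside an HTTP header value: CR, LF and the
# remaining ASCII control characters, plus DEL. A Location header built from a
# value containing any of them is malformed.
HEADER_CONTROL_CHARS = /[\x00-\x1f\x7f]/

module SafeRedirect
  module_function

  # Returns +value+ only when it is a plain, same-site path; otherwise +fallback+.
  # Rules (assumptions for this example; tune them to your application):
  #   * no control characters anywhere in the value
  #   * must start with exactly one "/" ("//evil.example" and "http://..." are out)
  #   * must parse as a URI with no scheme, host or userinfo
  def target(value, fallback: "/")
    return fallback if value.nil? || value.empty?
    return fallback if value.match?(HEADER_CONTROL_CHARS)
    return fallback unless value.start_with?("/") && !value.start_with?("//")
    return fallback if value.start_with?("/\\") # some browsers treat "/\" like "//"

    uri = URI.parse(value)
    return fallback if uri.scheme || uri.host || uri.userinfo

    value
  rescue URI::InvalidURIError
    fallback
  end
end

# In a controller (Rails only, not executed here):
#   redirect_to SafeRedirect.target(params[:return_to], fallback: root_path)
```

The control-character check is the part that maps directly to the advisory; the same-site rules are the usual open-redirect hygiene and cost nothing extra once you are validating the value anyway.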

Rails 7.0.6 has been released!
Rails 7.0.6 has also been released. This release contains many bug fixes backported over the last few months since the 7.0.4 release.

Introduce config.autoload_lib
The new method config.autoload_lib(ignore:) provides a simple way to autoload from the lib folder:

# config/application.rb
config.autoload_lib(ignore: %w(assets tasks))

Normally, the lib directory has subdirectories that should not be autoloaded or eager loaded. This new method lets you list those subdirectories in ignore:, so that the rest of lib is autoloaded as needed.

Read more about this new feature in the autoloading guide.

Introduce config.autoload_lib_once

The method config.autoload_lib_once(ignore:) is similar to config.autoload_lib introduced above, except that it adds lib to config.autoload_once_paths instead.

By calling config.autoload_lib_once, classes and modules in lib can be autoloaded, even from application initializers, but won’t be reloaded.

Bounce emails can now be sent with deliver_now
This change adds bounce_now_with to ActionMailbox. It is useful when you want to send the bounce email immediately instead of going through the mailer queue:

# Enqueues the bounce email
MyMailbox.bounce_with MyMailer.my_method(args)

# Delivers the email immediately
MyMailbox.bounce_now_with MyMailer.my_method(args)

DATABASE option for railties:install:migrations
This change adds a new DATABASE option to the railties:install:migrations task.

This allows us to specify which database the migrations should be copied to when running rails railties:install:migrations in engines:

$ rails railties:install:migrations DATABASE=animals

Active Record encryption support for decrypting data previously encrypted non-deterministically
This change adds support for decrypting data that was encrypted non-deterministically with a SHA1 hash digest.

It adds a new Active Record encryption option to support decrypting data encrypted non-deterministically with a SHA1 hash digest:

Rails.application.config.active_record.encryption.support_sha1_for_non_deterministic_encryption = true

It addresses a problem when upgrading from 7.0 to 7.1 where SHA-1 was being used as the digest class instead of the global one.

Add :report behavior to ActiveSupport::Deprecation
This change adds a :report behavior for ActiveSupport::Deprecation.

Setting config.active_support.deprecation = :report uses the error reporter to report deprecation warnings to ActiveSupport::ErrorReporter.

This is useful for reporting deprecations that happen in production to bug trackers, instead of having them logged silently.
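With the :report behavior, deprecations arrive at whatever you have subscribed to the error reporter, so the practical question is what that subscriber does with them. The class below is an added example, not code from Rails: it implements the report(error, handled:, severity:, context:, source:) method that Rails.error.subscribe expects, records every deprecation it sees, and forwards only the first occurrence of each message-plus-top-frame fingerprint so a hot code path cannot flood the tracker. The DeprecationSubscriber name, the forward: callback and the BugTracker.notify call in the comment are assumptions.

```ruby
require "set"

# Subscriber for ActiveSupport::ErrorReporter (Rails.error). Rails calls
# #report with the deprecation wrapped in an exception; the keyword
# arguments follow the ErrorReporter subscriber contract.
class DeprecationSubscriber
  attr_reader :seen

  # forward: a callable that ships a payload to your tracker (assumption).
  def initialize(forward: ->(_payload) {})
    @seen = []
    @fingerprints = Set.new
    @forward = forward
  end

  def report(error, handled:, severity:, context:, source: nil)
    top_frame = Array(error.backtrace).first
    payload = {
      message: error.message,
      class: error.class.name,
      handled: handled,
      severity: severity,
      source: source,
      context: context,
      top_frame: top_frame,
      forwarded: false,
    }
    @seen << payload

    # Forward each distinct (message, call site) pair once per process so a
    # deprecated call inside a loop does not open hundreds of tracker issues.
    if @fingerprints.add?([error.message, top_frame])
      @forward.call(payload)
      payload[:forwarded] = true
    end
    payload
  end
end

# Distinct deprecation messages seen so far, handy for a triage summary.
def distinct_messages(subscriber)
  subscriber.seen.map { |p| p[:message] }.uniq
end

# Registration (Rails only, not executed here):
#   # config/initializers/deprecation_reporting.rb
#   Rails.error.subscribe(
#     DeprecationSubscriber.new(forward: ->(p) { BugTracker.notify(p) })
#   )
```

Keep the subscriber's own code free of deprecated calls: an exception raised inside report would surface in the reporter, not in the code that triggered the deprecation.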

You can view the complete list of changes here.
We had 25 contributors to the Rails codebase this past week!

Happy Friday again! Until next time :-)
