Commit Graph

669 Commits

Author SHA1 Message Date
Alan Guo Xiang Tan 01c5f9337a
DEV: Upgrade Rails to 6.1.4.7. (#16143)
There was a security release in 6.1.4.6 to fix: https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9

It doesn't affect us as Discourse doesn't use thread local variables
but we should still upgrade as a matter of caution.
2022-03-09 10:10:51 +08:00
Jarek Radosz aaf432df86
DEV: Remove mock_redis (#15985)
Was used just in one spec file. And we prefer to run specs against a real redis server.
2022-02-18 01:14:38 +01:00
Noah Gibbs 3dbb3d09dc
DEV: Use non-builtin net-pop, net-imap and net-smtp for Ruby 3.1+ (#15692) 2022-02-03 16:25:29 +11:00
Jarek Radosz fb25333b7f
DEV: Update oj gem (#15713)
https://github.com/ohler55/oj/issues/699 was fixed back in September 2021.
2022-02-01 09:45:52 +11:00
Vinoth Kannan 44b3b614bd
Revert "DEV: Avoid duplication of gems in gemfile." (#14784)
This reverts commit 2818ebd19f.
2021-11-01 17:58:24 +05:30
Osama Sayegh 228264d17c
Revert "DEV: add routes_lazy_route to boost boot-up time (#14545)" (#14581)
This reverts commit f5cf647e57.

The gem breaks usage of Rails URL helpers when used outside views and
controllers, for example in
88ecb83382/app/models/upload.rb (L239-L242)
the `upload_short_path` method call fails with an undefined method
exception when this gem is enabled.
2021-10-12 17:30:38 +03:00
Sam f5cf647e57
DEV: add routes_lazy_route to boost boot-up time (#14545)
The lazy route initialization cuts down boot time of rails.

On my local system it cuts out 200ms of boot time taking me from 3.2 to 3 seconds.

This is not a radically enormous amount of time, but paper cuts add up, and a faster boot in dev will make everyone happy.

TBD if we want to also include this in production.

Gem is heavily maintained by @amatsuda, last commit 3 days ago.
2021-10-11 13:22:13 +11:00
Yasuo Honda a29a6522d0
FIX: rss gem is bundled gem since Ruby 3 (#14350)
* FIX: rss gem is bundled gem since Ruby 3

Refer https://github.com/ruby/ruby/pull/2832
2021-09-20 11:51:47 +08:00
Alan Guo Xiang Tan 6a5b44be53
DEV: Pin oj gem to 3.13.2. (#14219)
Follow-up to 0183d51070
2021-09-02 11:01:54 +08:00
Alan Guo Xiang Tan 16cfbed89d
DEV: Upgrade Rails to 6.1.4.1. (#14098)
This pulls in a fix for CVE-2021-22942 but we're not tagging it as a
security fix because Discourse is not affected by it in production.
2021-08-20 10:20:08 +08:00
Alan Guo Xiang Tan 2818ebd19f DEV: Avoid duplication of gems in gemfile.
Follow-up to 08c6a7679d
2021-07-28 21:23:15 +08:00
Vinoth Kannan 08c6a7679d
DEV: allow `dev:populate` rake task in production environment. (#13777)
To use this rake task in production `ALLOW_DEV_POPULATE` environment variable should be set to "1".
2021-07-20 12:25:59 +05:30
David Taylor 8c370c3fe3 DEV: Add `annotate` rake tasks, and enforce via GitHub actions
`bin/rake annotate` is an alias of `bin/annotate --models`
`bin/rake annotate:clean` generates annotations by using a temporary, freshly migrated database. This should help us to produce more consistent annotations, even if development databases have been polluted by plugin migrations.

A GitHub actions task is also added which generates annotations on a clean database, and raises an error if they differ from the committed annotations.
2021-07-06 10:11:06 +01:00
Vinoth Kannan 6abc45e57b
DEV: move `discourse_dev` gem to the core. (#13360)
And get avatar images from `discourse_dev_assets` gem.
2021-06-14 20:34:44 +05:30
Arpit Jalan 283b08d45f
DEV: Absorb onebox gem into core (#12979)
* Move onebox gem in core library

* Update template file path

* Remove warning for onebox gem caching

* Remove onebox version file

* Remove onebox gem

* Add sanitize gem

* Require onebox library in lazy-yt plugin

* Remove onebox web specific code

This code was used in standalone onebox Sinatra application

* Merge Discourse specific AllowlistedGenericOnebox engine in core

* Fix onebox engine filenames to match class name casing

* Move onebox specs from gem into core

* DEV: Rename `response` helper to `onebox_response`

Fixes a naming collision.

* Require rails_helper

* Don't use `before/after(:all)`

* Whitespace

* Remove fakeweb

* Remove poor unit tests

* DEV: Re-add fakeweb, plugins are using it

* Move onebox helpers

* Stub Instagram API

* FIX: Follow additional redirect status codes (#476)

Don’t throw errors if we encounter 303, 307 or 308 HTTP status codes in responses

* Remove an empty file

* DEV: Update the license file

Using the copy from https://choosealicense.com/licenses/gpl-2.0/#

Hopefully this will enable GitHub to show the license UI?

* DEV: Update embedded copyrights

* DEV: Add Onebox copyright notice

* DEV: Add MIT license, convert COPYRIGHT.txt to md

* DEV: Remove an incorrect copyright claim

Co-authored-by: Jarek Radosz <jradosz@gmail.com>
Co-authored-by: jbrw <jamie@goatforce5.org>
2021-05-26 15:11:35 +05:30
Blake Erickson fccf4d4375
DEV: Switch off of our image_optim fork (#13124)
The main image_optim gem now includes the timeout feature
that we had in our fork. So it is now safe to switch off of our fork and
back to the image_optim gem.

This is the link to the commit in the image_optim repo that adds the
timeout option:

ec3767dde0

One difference with the new timeout implementation is that image_optim
now handles the timeout exceptions instead of bubbling them up:

1ed0328587/lib/image_optim.rb (L128-L129)

```
 rescue Errors::TimeoutExceeded
   handler.result
```

So a timeout will just return `nil`, which is the same response if it
couldn't optimize an image. I don't think we were really watching for
or doing anything about these timeout warnings in our logs so I think
this is an okay change to have and we will have less warnings in our
logs now too.
2021-05-24 19:27:20 -06:00
David Taylor c456e31d26
SECURITY: Bump Rails to 6.1.3.2 (#12963)
Includes fixes for

- CVE-2021-22902
- CVE-2021-22903
- CVE-2021-22904
- CVE-2021-22885

https://github.com/rails/rails/blob/v6.1.3.2/actionpack/CHANGELOG.md
2021-05-06 12:41:45 +01:00
Osama Sayegh 45ccadeeeb
DEV: Upgrade Rails to 6.1.3.1 (#12688)
Rails 6.1.3.1 deprecates a few API and has some internal changes that break our tests suite, so this commit fixes all the deprecations and errors and now Discourse should be fully compatible with Rails 6.1.3.1. We also have a new release of the rails_failover gem that's compatible with Rails 6.1.3.1.
2021-04-21 12:36:32 +03:00
Roman Rizzi 5e4c0e2caa
FEATURE: Treat site settings as plain text and add a new HTML type. (#12618)
To add an extra layer of security, we sanitize settings before shipping them to the client. We don't sanitize those that have the "html" type.

The CookedPostProcessor already uses Loofah for sanitization, so I chose to also use it for this. I added it to our gemfile since we installed it as a transitive dependency.
2021-04-07 12:51:19 -03:00
Penar Musaraj 0cd4da51c7
FIX: Include `json_schemer` in prod (#12351) 2021-03-10 21:32:23 -05:00
Sam 9e79f8321a
DEV: Update Rails to latest patch level (#12281)
This contains 3 security fixes that do not impact us, see:

https://discuss.rubyonrails.org/c/security-announcements/9
2021-03-05 12:07:55 +11:00
Vinoth Kannan 8d96713aa0
DEV: add `discourse_dev` gem in development dependencies. (#12285)
For more details visit https://github.com/discourse/discourse_dev
2021-03-04 23:04:51 +05:30
Bianca Nenciu 3246c3cc92
DEV: Update mail and use fork (#10639)
Version 2.8 brings some changes to how address fields are handled and
this commits updates that and should also include a fix which handles
encoded attachment filenames.

The fork contains a bugfix to correctly decode mail attachments.
2021-02-18 20:15:02 +02:00
Blake Erickson 7434116933
DEV: Add schema checking to api doc testing (#11721)
* DEV: Add schema checking to api doc testing

This commit improves upon rswag which lacks schema checking. rswag
really only checks that the https status matches, but this change adds
in the json-schema_builder gem which also has schema validation.

Now we can define schemas for each of our requests/responses in the
`spec/requests/api/schemas` directory which will make our documentation
specs a lot cleaner.

If we update a serializer by either adding or removing an attribute the
tests will now fail (this is a good thing!). Also if you change the type
of an attribute say from an array to a string the tests will now fail.
This will help significantly with keeping the docs in sync with actual
code changes! Now if you change how an endpoint will respond you will
have to update the docs too in order for the tests to pass. :D

This PR is inspired by:

 https://www.tealhq.com/post/how-teal-keeps-their-api-tests-and-documentation-in-sync

* Swap out json schema validator gem

Swapped out the outdated json-schema_builder gem with the json_schemer
gem.

* Add validation fields to schema

In order to have "strict" validation we need to add
`additionalProperties: false` to the schema, and we need to specify
which attributes are required.

Updated the debugging test output to print out the error details if
there are any.
2021-01-21 16:28:08 -07:00
Sam c3fedae73a
DEV: update rack-mini-profiler (#11597)
Included support for flamegraphs using speedscope!
2020-12-29 13:54:41 +11:00
Vinoth Kannan 347423007a
DEV: remove instagram login site settings and auth classes. (#11073)
Instagram removed the support for login and should use Facebook login instead.
2020-10-30 09:09:56 +05:30
Guo Xiang Tan 122cf8d3fb
Update Rails to 6.0.3.3. 2020-09-10 15:41:06 +08:00
Blake Erickson b16915d166 DEV: Switch over to a fork of ember-rails
We are switching over to a fork because we are currently on a pinned
version of ember-rails 0.18.5 which is pretty old. Upgrading to the
latest version causes many things to break which isn't really worth the
time to debug while we plan to completely switch over to ember-cli
somewhat soonish. Our fork contains a single cherry-pick commit

https://github.com/emberjs/ember-rails/pull/534

which will fix an issue when running the `rails g migration` command and
it spits out a bunch of deprecation warnings.
2020-09-04 14:47:56 -06:00
Blake Erickson d79f50a3c6 DEV: Remove rb-inotify gem from Gemfile
We are no longer directly referencing the rb-inotify gem directly in
code. This was just a spec level dependency anyways.

Using `git log -S "Inotify"` resulted in these two commits as usages of
`Inotify`:

- b56b11d96a
- 9cf03b352c

both from 2013, but we no longer are using inotify in

https://github.com/discourse/discourse/blob/master/lib/tasks/autospec.rake

which appears to be the only file that was using it.

Based on this info we can safely remove rb-inotify from the Gemfile.

Just as a side note we still do have a couple of gems that do have
rb-inotify as a dependency: listen, and lru_redux.
2020-09-02 11:21:40 +08:00
Blake Erickson 43ffd4d28f
DEV: Switch our fast_xor gem for xorcist (#10565)
* DEV: Switch our fast_xor gem for xorcist

We use the `xor` function as part of password hashing and we want to use
a faster version than the native ruby xor'ing feature so we use a gem
for this.

fast_xor has been abandoned, and xorcist fixed our initial holdup for
switching in https://github.com/fny/xorcist/issues/4

xorcist also has jruby support so we can remove our jruby fallback
logic.

* Move using statement inside of class
2020-08-31 13:20:44 -06:00
Bianca Nenciu f2e14a3946
FEATURE: Add site setting and wizard step to set base font (#10250)
Co-authored-by: Neil Lalonde <neillalonde@gmail.com>
2020-08-31 13:14:09 +03:00
romanrizzi 0f63a61fa4
Revert "DEV: upgrades sassc to 2.4.0 (#10447)"
We suspect it could be the cause of some issues with themes.

This reverts commit 2fac77cc48.
2020-08-21 13:23:01 -03:00
Joffrey JAFFEUX 2fac77cc48
DEV: upgrades sassc to 2.4.0 (#10447)
We were stuck on 2.0.1 but multiple reports on the original issue shows that the issue has been fixed since 2.3 and 2.4:

https://github.com/sass/sassc-ruby/issues/146#issuecomment-654522157
https://github.com/sass/sassc-ruby/issues/146#issuecomment-654522157

There's one report show it was not fixed in 2.3.0, but that's the only one, it's probably worth trying: https://github.com/sass/sassc-ruby/issues/146#issuecomment-639073736
2020-08-21 13:46:46 +02:00
Blake Erickson ea2e58e622
DEV: Bump rotp gem to latest version (#10472)
The rotp gem is currently pinned to version 5.1.0 and this will bump it
up to version 6.0.1.

Follow up to: 85d4370f79

because this issue we were waiting on is now closed:

https://github.com/mdp/rotp/issues/98

Because version 6 is now encoding the params I needed to update the
tests as well.
2020-08-19 09:16:33 -06:00
Blake Erickson c767fb1ed3
DEV: Upgrade highline gem to latest (#10471)
Currently we have pinned highline to version 1.7.0. This is the gem that
we use to have an interactive command line for tasks like `rake
admin:create`.

Upgrading to the latest version 2.0.3 will remove ruby 2.7 deprecation
warnings.

I'm not sure why *this* gem was pinned. I manually executed a couple of
our rake tasks that use this and everything seems fine.
2020-08-19 09:15:23 -06:00
Sam Saffron 620c223d50
DEV: change platform mri to platform ruby on some gems
This assists with truffleruby testing which needs to be able to install
these gems
2020-07-29 17:10:38 +10:00
Sam Saffron 85d4370f79
DEV: pin the rotp gem
Not ready for an upgrade due to: https://github.com/mdp/rotp/issues/98

The policy here is that for cases like this we pin the version and add
a comment explaining why it is pinned.

We can revisit in a few months depending on upstream.
2020-07-14 17:05:12 +10:00
Sam Saffron bac25e6dd7
DEV: upgrade rack to version 2.2.3
This is very minor, see: https://github.com/advisories/GHSA-j6w9-fv6q-3q52

An attacker can elevate own cookie usage to bypass server cookie restrictions

Technically this is a security commit, but the surface area is extremely
low, we do not expect any real world impact.
2020-07-08 16:42:31 +10:00
Sam Saffron 8af5194e39
DEV: upgrade rails to version 6.0.3.2
This includes a fix for CVE-2020-8185 we are not vulnerable as we do not use
the impacted middleware. However it still makes sense to stay upgraded, other
small fixes exist in this release.
2020-07-08 16:34:29 +10:00
Guo Xiang Tan 58e52c0e4f
DEV: Use rails_failover gem for ActiveRecord and Redis failover handling 2020-06-15 15:47:07 +08:00
Guo Xiang Tan 2e2dcb7d93
DEV: Disable better_errors by default.
It adds a somewhat unnecessary middleware before `ActionDispatch::DebugExceptions` and totally bypasses it. Apps that register exception interceptors with `ActionDispatch::DebugExceptions` would therefore stop working if better_errors is used.
2020-06-12 09:22:40 +08:00
Martin Brennan e84ffb4861
DEV: Add pry-byebug and optionally require pry behind a ENV var for better spec debugging (#9984)
We removed pry-nav a while back because it is not up to date with pry but it is super useful. Luckily pry-byebug is here to save us all from Satan's power.

To get this to work you need to add the following to your $HOME/.pryrc file.

```
if defined?(PryByebug)
  Pry.commands.alias_command 'c', 'continue'
  Pry.commands.alias_command 's', 'step'
  Pry.commands.alias_command 'n', 'next'
  Pry.commands.alias_command 'f', 'finish'
end

Pry::Commands.command /^$/, "repeat last command" do
  pry_instance.run_command Pry.history.to_a.last
end
```

The require-ing of pry, pry-rails, and pry-byebug in specs is controlled by the IMPROVED_SPEC_DEBUGGING flag (disabled by default).
2020-06-05 12:30:34 +10:00
Robin Ward cae839ca96
DEV: Update gems to latest versions (#9909) 2020-05-28 13:13:10 -04:00
Guo Xiang Tan 8c86a109bb
DEV: Add ENV flag to test out `ActiveRecord::Failover`. 2020-05-28 16:24:22 +08:00
Michael Brown d9a02d1336
Revert "Revert "Merge branch 'master' of https://github.com/discourse/discourse""
This reverts commit 20780a1eee.

* SECURITY: re-adds accidentally reverted commit:
  03d26cd6: ensure embed_url contains valid http(s) uri
* when the merge commit e62a85cf was reverted, git chose the 2660c2e2 parent to land on
  instead of the 03d26cd6 parent (which contains security fixes)
2020-05-23 00:56:13 -04:00
Jeff Atwood 20780a1eee Revert "Merge branch 'master' of https://github.com/discourse/discourse"
This reverts commit e62a85cf6f, reversing
changes made to 2660c2e21d.
2020-05-22 20:25:56 -07:00
Guo Xiang Tan f7f436e536
DEV: Install `rails_failover` gem to test our Redis changes. 2020-05-20 15:40:27 +08:00
Sam Saffron 30bbc485d0
DEV: remove superfluous comment 2020-05-20 16:53:48 +10:00
Krzysztof Kotlarek 16f6240782
FIX: Bump rack version from 2.0.8 to 2.2.2 (#9811)
Version 2.1.1 was not working with our Sidekiq but version 2.2.2 is fine
2020-05-19 08:43:45 +10:00
Sam Saffron 609e929186
Revert "Revert "DEV: upgrade to Rails 6.0.3""
This reverts commit 2ff8b4f5d9.

Attempt #2 at a Rails update this time we also update the
rails_multisite gem to allow for cleaner reordering
2020-05-08 11:49:22 +10:00