Update Rails to v6.1.6.1
What does this MR do and why?
This fixes a number of bugs and CVEs. v6.1.6.1 made a breaking change to disallow loading any YAML classes from a serialized database column.
This commit upgrades Rails and makes a number of changes:
- Add permitted classes that can be safely loaded via YAML:
  - Symbol: https://gitlab.com/gitlab-org/gitlab/-/jobs/2719858129
  - Date
  - Time
  - Gitlab::Diff::Position: https://gitlab.com/gitlab-org/gitlab/-/jobs/2719858132
  - ActiveSupport::HashWithIndifferentAccess: https://gitlab.com/gitlab-org/gitlab/-/jobs/2720429134
  - DeployToken: https://gitlab.com/gitlab-org/gitlab/-/jobs/2730346973
  - ActiveModel::Attribute::FromDatabase: https://gitlab.com/gitlab-org/gitlab/-/jobs/2730720028
  - ActiveSupport::TimeWithZone: https://gitlab.com/gitlab-org/gitlab/-/jobs/2730347050
  - ActiveSupport::TimeZone: https://gitlab.com/gitlab-org/gitlab/-/jobs/2730720098

  Some types, such as Gitlab::Diff::Position, are only loaded after the code has loaded, so we need to set this after the application has initialized. HashWithIndifferentAccess was also used in diff positions and legacy serialized diffs.
- Monkey patch Rails YAML deserialization code.
  We might not catch every class used in our serialization columns in tests, so let's log them and recover from them gracefully in production.
- Fix tests to include autocomplete="off"
  Rails v6.1.5 added autocomplete="off" to all hidden fields: https://github.com/rails/rails/pull/43280
Changes: https://github.com/rails/rails/compare/v6.1.4.7..v6.1.6.1
Announcement: https://rubyonrails.org/2022/7/12/Rails-Versions-7-0-3-1-6-1-6-1-6-0-5-1-and-5-2-8-1-have-been-released
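The mechanism behind the breaking change, as an added stand-alone illustration (this is example code written for this page, not the MR's patch or GitLab's code): a serialized column is now deserialized with `YAML.safe_load`, so only classes on the permitted list (in Rails, `config.active_record.yaml_column_permitted_classes`) may be instantiated, and a value referencing anything else raises `Psych::DisallowedClass`. The loader below gates on a permitted list and, in the spirit of the "log and recover gracefully" point above, records the offending class name and returns a fallback instead of raising. The `YamlColumnLoader` class, the `nil` fallback, the regex that pulls the class name out of Psych's message, and the three constructed payloads are all assumptions of this example; the MR does not specify how its patch recovers.

```ruby
require "yaml"
require "date"
require "logger"

# Stand-in for Rails' `config.active_record.yaml_column_permitted_classes`:
# the only classes a serialized column may instantiate. Symbol, Date and Time
# are the three built-ins listed in the MR; application classes such as
# Gitlab::Diff::Position would be appended only once they are loaded
# (in Rails, from an after_initialize hook).
DEFAULT_PERMITTED_CLASSES = [Symbol, Date, Time].freeze

# Loads one serialized column value through YAML.safe_load and, instead of
# letting Psych::DisallowedClass propagate, logs the class name and returns
# a fallback. The nil fallback is this example's choice, not the MR's.
class YamlColumnLoader
  attr_reader :disallowed

  def initialize(permitted_classes: DEFAULT_PERMITTED_CLASSES, logger: Logger.new($stderr))
    @permitted_classes = permitted_classes
    @logger = logger
    @disallowed = [] # class names refused so far, for inspection in tests
  end

  def load(payload, fallback: nil)
    return fallback if payload.nil?

    # aliases: true matches what a YAML column coder needs for shared sub-objects.
    YAML.safe_load(payload, permitted_classes: @permitted_classes, aliases: true)
  rescue Psych::DisallowedClass => e
    # Psych exposes the class only in the message, e.g.
    # "Tried to load unspecified class: Symbol"; this regex is a heuristic.
    klass = e.message[/unspecified class: (\S+)/, 1] || "unknown"
    @disallowed << klass
    @logger.error("YAML column references non-permitted class #{klass}; returning fallback")
    fallback
  end
end

# Constructed payloads shaped like the YAML a `serialize` column stores.
PLAIN_PAYLOAD  = { "name" => "ok", "count" => 1 }.to_yaml
SYMBOL_PAYLOAD = { name: :pending }.to_yaml
DATE_PAYLOAD   = { "due" => Date.new(2022, 7, 12) }.to_yaml

if $PROGRAM_NAME == __FILE__
  strict  = YamlColumnLoader.new(permitted_classes: [])
  relaxed = YamlColumnLoader.new

  p strict.load(PLAIN_PAYLOAD)   # plain strings and integers always load
  p strict.load(SYMBOL_PAYLOAD)  # nil; "Symbol" is logged and recorded
  p relaxed.load(SYMBOL_PAYLOAD) # {:name=>:pending}
  p relaxed.load(DATE_PAYLOAD)   # {"due"=>#<Date: 2022-07-12 ...>}
  p strict.disallowed            # ["Symbol"]
end
```

Running the strict loader over a corpus of real column values is the cheapest way to discover which classes still need adding to the permitted list before the upgrade reaches production; the point of logging rather than falling back to an unsafe load is that an attacker-controlled column value never gets a path back to arbitrary object instantiation.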
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.