Upgrade Rails to fef11d43f from 60d92e4e

Gemfile.lock

@@ -13,7 +13,7 @@ GIT
 
 GIT
   remote: https://github.com/rails/rails.git
-  revision: 60d92e4e7dfe923528ccdccc18820ccfe841b7b8
+  revision: fef11d43f3ee2f2c185059a97fc27c7f253f1111
   branch: main
   specs:
     actioncable (8.2.0.alpha)
@@ -47,7 +47,7 @@ GIT
       rails-html-sanitizer (~> 1.6)
       useragent (~> 0.16)
     actiontext (8.2.0.alpha)
-      action_text-trix (~> 2.1.15)
+      action_text-trix (~> 2.1.16)
       actionpack (= 8.2.0.alpha)
       activerecord (= 8.2.0.alpha)
       activestorage (= 8.2.0.alpha)
@@ -213,15 +213,16 @@ GEM
       activesupport (>= 6.0.0)
       railties (>= 6.0.0)
     io-console (0.8.2)
-    irb (1.16.0)
+    irb (1.17.0)
       pp (>= 0.6.0)
+      prism (>= 1.3.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     jbuilder (2.14.1)
       actionview (>= 7.0.0)
       activesupport (>= 7.0.0)
     jmespath (1.6.2)
-    json (2.18.0)
+    json (2.18.1)
     jwt (3.1.2)
       base64
     kamal (2.10.1)
@@ -276,7 +277,7 @@ GEM
     msgpack (1.8.0)
     net-http-persistent (4.0.8)
       connection_pool (>= 2.2.4, < 4)
-    net-imap (0.6.2)
+    net-imap (0.6.3)
       date
       net-protocol
     net-pop (0.1.2)
@@ -291,21 +292,21 @@ GEM
       net-protocol
     net-ssh (7.3.0)
     nio4r (2.7.5)
-    nokogiri (1.19.0-aarch64-linux-gnu)
+    nokogiri (1.19.1-aarch64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.19.0-aarch64-linux-musl)
+    nokogiri (1.19.1-aarch64-linux-musl)
       racc (~> 1.4)
-    nokogiri (1.19.0-arm-linux-gnu)
+    nokogiri (1.19.1-arm-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.19.0-arm-linux-musl)
+    nokogiri (1.19.1-arm-linux-musl)
       racc (~> 1.4)
-    nokogiri (1.19.0-arm64-darwin)
+    nokogiri (1.19.1-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.19.0-x86_64-darwin)
+    nokogiri (1.19.1-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.19.0-x86_64-linux-gnu)
+    nokogiri (1.19.1-x86_64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.19.0-x86_64-linux-musl)
+    nokogiri (1.19.1-x86_64-linux-musl)
       racc (~> 1.4)
     openssl (4.0.0)
     ostruct (0.6.3)
@@ -319,7 +320,7 @@ GEM
     pp (0.6.3)
       prettyprint
     prettyprint (0.2.0)
-    prism (1.8.0)
+    prism (1.9.0)
     propshaft (1.3.1)
       actionpack (>= 7.0.0)
       activesupport (>= 7.0.0)
@@ -332,7 +333,7 @@ GEM
       nio4r (~> 2.0)
     raabro (1.4.0)
     racc (1.8.1)
-    rack (3.2.4)
+    rack (3.2.5)
     rack-mini-profiler (4.0.1)
       rack (>= 1.2.0)
     rack-session (2.1.1)
@@ -351,7 +352,7 @@ GEM
       nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
     rainbow (3.1.1)
     rake (13.3.1)
-    rdoc (7.0.3)
+    rdoc (7.2.0)
       erb
       psych (>= 4.0.0)
       tsort

Gemfile.saas.lock

@@ -39,9 +39,9 @@ GIT
 
 GIT
   remote: https://github.com/basecamp/rails-structured-logging
-  revision: 76960cb5c15fc2b6b5f7542e05d7dcc031cef9e6
+  revision: f6633fd8fee5906d8affa2329c61de7a3450eb7e
   specs:
-    rails_structured_logging (0.2.1)
+    rails_structured_logging (0.3.0)
       json
       rails (>= 6.0.0)
 
@@ -62,7 +62,7 @@ GIT
 
 GIT
   remote: https://github.com/rails/rails.git
-  revision: 60d92e4e7dfe923528ccdccc18820ccfe841b7b8
+  revision: fef11d43f3ee2f2c185059a97fc27c7f253f1111
   branch: main
   specs:
     actioncable (8.2.0.alpha)
@@ -96,7 +96,7 @@ GIT
       rails-html-sanitizer (~> 1.6)
       useragent (~> 0.16)
     actiontext (8.2.0.alpha)
-      action_text-trix (~> 2.1.15)
+      action_text-trix (~> 2.1.16)
       actionpack (= 8.2.0.alpha)
       activerecord (= 8.2.0.alpha)
       activestorage (= 8.2.0.alpha)
@@ -294,15 +294,16 @@ GEM
       activesupport (>= 6.0.0)
       railties (>= 6.0.0)
     io-console (0.8.2)
-    irb (1.16.0)
+    irb (1.17.0)
       pp (>= 0.6.0)
+      prism (>= 1.3.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     jbuilder (2.14.1)
       actionview (>= 7.0.0)
       activesupport (>= 7.0.0)
     jmespath (1.6.2)
-    json (2.18.0)
+    json (2.18.1)
     jwt (3.1.2)
       base64
     kamal (2.10.1)
@@ -357,7 +358,7 @@ GEM
     msgpack (1.8.0)
     net-http-persistent (4.0.8)
       connection_pool (>= 2.2.4, < 4)
-    net-imap (0.6.2)
+    net-imap (0.6.3)
       date
       net-protocol
     net-pop (0.1.2)
@@ -372,19 +373,19 @@ GEM
       net-protocol
     net-ssh (7.3.0)
     nio4r (2.7.5)
-    nokogiri (1.19.0-aarch64-linux-gnu)
+    nokogiri (1.19.1-aarch64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.19.0-aarch64-linux-musl)
+    nokogiri (1.19.1-aarch64-linux-musl)
       racc (~> 1.4)
-    nokogiri (1.19.0-arm-linux-gnu)
+    nokogiri (1.19.1-arm-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.19.0-arm-linux-musl)
+    nokogiri (1.19.1-arm-linux-musl)
       racc (~> 1.4)
-    nokogiri (1.19.0-arm64-darwin)
+    nokogiri (1.19.1-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.19.0-x86_64-linux-gnu)
+    nokogiri (1.19.1-x86_64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.19.0-x86_64-linux-musl)
+    nokogiri (1.19.1-x86_64-linux-musl)
       racc (~> 1.4)
     openssl (4.0.0)
     ostruct (0.6.3)
@@ -398,7 +399,7 @@ GEM
     pp (0.6.3)
       prettyprint
     prettyprint (0.2.0)
-    prism (1.8.0)
+    prism (1.9.0)
     prometheus-client-mmap (1.4.0)
       base64
       bigdecimal
@@ -441,7 +442,7 @@ GEM
       nio4r (~> 2.0)
     raabro (1.4.0)
     racc (1.8.1)
-    rack (3.2.4)
+    rack (3.2.5)
     rack-mini-profiler (4.0.1)
       rack (>= 1.2.0)
     rack-session (2.1.1)
@@ -463,7 +464,7 @@ GEM
     rake-compiler-dock (1.9.1)
     rb_sys (0.9.117)
       rake-compiler-dock (= 1.9.1)
-    rdoc (7.0.3)
+    rdoc (7.2.0)
       erb
       psych (>= 4.0.0)
       tsort

app/controllers/concerns/request_forgery_protection.rb

@@ -7,14 +7,10 @@ module RequestForgeryProtection
 
   private
     def verified_via_header_only?
-      super || allowed_api_request? || allowed_insecure_context_request?
+      super || allowed_api_request?
     end
 
     def allowed_api_request?
       sec_fetch_site_value.nil? && request.format.json?
     end
-
-    def allowed_insecure_context_request?
-      sec_fetch_site_value.nil? && !request.ssl? && !Rails.configuration.force_ssl
-    end
 end

saas/test/integration/rails_structured_logging_test.rb

@@ -0,0 +1,34 @@
+require "test_helper"
+
+class RailsStructuredLoggingTest < ActiveSupport::TestCase
+  test "request serializer filters internal params" do
+    request = ActionDispatch::Request.new(
+      "REQUEST_METHOD" => "GET",
+      "PATH_INFO" => "/test",
+      "QUERY_STRING" => "",
+      "SERVER_NAME" => "localhost",
+      "SERVER_PORT" => "3000",
+      "HTTP_HOST" => "www.example.com",
+      "HTTP_ACCEPT" => "*/*",
+      "rack.url_scheme" => "https"
+    )
+
+    now = Time.now
+    event = ActiveSupport::Notifications::Event.new(
+      "process_action.action_controller", now, now, SecureRandom.hex(10),
+      {
+        request: request,
+        controller: "TestController",
+        action: "index",
+        format: "html",
+        params: { "controller" => "TestController", "action" => "index", "id" => "1" }
+      }
+    )
+
+    json = RailsStructuredLogging::Serializers::Elastic::RequestSerializer.serialize(event, "")
+    data = JSON.parse(json)
+
+    serialized_params = JSON.parse(data.dig("http", "request", "parameters"))
+    assert_equal({ "id" => "1" }, serialized_params)
+  end
+end

test/controllers/concerns/request_forgery_protection_test.rb

@@ -8,11 +8,13 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest
     ActionController::Base.allow_forgery_protection = true
 
     @original_force_ssl = Rails.configuration.force_ssl
+    @original_secure_protocol = ActionDispatch::Http::URL.secure_protocol
   end
 
   teardown do
     ActionController::Base.allow_forgery_protection = @original_allow_forgery_protection
     Rails.configuration.force_ssl = @original_force_ssl
+    ActionDispatch::Http::URL.secure_protocol = @original_secure_protocol
   end
 
   test "JSON request succeeds with missing Sec-Fetch-Site header" do
@@ -38,6 +40,7 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest
 
   test "HTTP request fails with missing Sec-Fetch-Site header when force_ssl is enabled" do
     Rails.configuration.force_ssl = true
+    ActionDispatch::Http::URL.secure_protocol = true
 
     assert_no_difference -> { Board.count } do
       post boards_path,