Merge branch 'dev' into monthly-payment

.github/workflows/brakeman-analysis.yml

@@ -0,0 +1,44 @@
+# This workflow integrates Brakeman with GitHub's Code Scanning feature
+# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
+
+name: Brakeman Scan
+
+# This section configures the trigger for the workflow. Feel free to customize depending on your convention
+on:
+  push:
+    branches: [ dev ]
+  pull_request:
+    branches: [ dev ]
+
+jobs:
+  brakeman-scan:
+    name: Brakeman Scan
+    runs-on: ubuntu-latest
+    steps:
+    # Checkout the repository to the GitHub Actions runner
+    - name: Checkout
+      uses: actions/checkout@v2
+
+    # Customize the ruby version depending on your needs
+    - name: Setup Ruby
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: '2.6'
+
+    - name: Setup Brakeman
+      env:
+        BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
+      run: |
+        gem install brakeman --version $BRAKEMAN_VERSION
+
+    # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
+    - name: Scan
+      continue-on-error: true
+      run: |
+        brakeman -f sarif -o output.sarif.json .
+
+    # Upload the SARIF file generated in the previous step
+    - name: Upload SARIF
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: output.sarif.json

.ruby-version

@@ -1 +1 @@
-ruby-2.6.5
+ruby-2.6.6

CHANGELOG.md

@@ -1,7 +1,9 @@
 # Changelog Fab-manager
 
+## Next release
+
 - Refactored theme builder to use scss files
-- Fix a bug: unable to build homepage custom stylesheet
+- Updated stripe gem to 5.21.0
 - Fix a bug: unable to access embedded plan views
 - Fix a bug: warning message overflow in credit wallet modal
 - Fix a bug: when using a cash coupon, the amount shown in the statistics is invalid
@@ -12,6 +14,12 @@
 - [TODO DEPLOY] add the `INTL_LOCALE` environment variable (see [doc/environment.md](doc/environment.md#INTL_LOCALE) for configuration details)
 - [TODO DEPLOY] add the `INTL_CURRENCY` environment variable (see [doc/environment.md](doc/environment.md#INTL_CURRENCY) for configuration details)
 
+- Updated ruby version to 2.6.6
+- Add configuration of the postgreSQL username in environment variables
+- Fix a bug: unable to build homepage custom stylesheet
+- Fix some security issues: [CVE-2020-10663](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10663) and [CVE-2020-10933](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10933)
+- [TODO DEPLOY] add `POSTGRES_USERNAME=postgres` to the environment variables (see [doc/environment.md](doc/environment.md#POSTGRES_USERNAME) for configuration details)
+
 ## v4.6.3 2020 October 28
 
 - Enabled Typescript
@@ -23,7 +31,6 @@
 - Fix a bug: in the settings area, boolean switches are always shown as false
 - Fix a bug: public cards presenting the plans in the public area, have bogus style
 - Fix a bug: theme primary color is ignored on links
-- Updated stripe gem to 5.21.0
 - [TODO DEPLOY] `rails fablab:maintenance:rebuild_stylesheet`
 
 ## v4.6.2 2020 October 23

Dockerfile

@@ -1,5 +1,5 @@
-FROM ruby:2.6.5-alpine
-MAINTAINER peng@sleede.com
+FROM ruby:2.6.6-alpine
+MAINTAINER contact@fab-manager.com
 
 # Install upgrade system packages
 RUN apk update && apk upgrade && \

doc/environment.md

@@ -26,11 +26,11 @@ If you run the application in production with docker, the settings are localized
 DNS name or IP address of the server hosting the PostgreSQL database of the application (see [PostgreSQL](../README.md#postgresql)).
 This value is only used when deploying in production, otherwise this is configured in [config/database.yml](../config/database.yml.default).
 When using docker-compose, you should provide the name of the service in your [docker-compose.yml](../docker/docker-compose.yml) file (`postgres` by default).
-<a name="POSTGRES_PASSWORD"></a>
+<a name="POSTGRES_PASSWORD"></a><a name="POSTGRES_USERNAME"></a>
 
-    POSTGRES_PASSWORD
+    POSTGRES_USERNAME, POSTGRES_PASSWORD
 
-Password for the PostgreSQL user, as specified in `database.yml` (default: `postgres`).
+Username and password for the connection to the PostgreSQL database.
 This value is only used when deploying in production, otherwise this is configured in [config/database.yml](../config/database.yml.default).
 When using docker-compose, the default configuration (with `postgres` user) does not uses any password as it is confined in the docker container.
 <a name="REDIS_HOST"></a>

docker/database.yml

@@ -5,7 +5,7 @@ default: &default
   adapter: postgresql
   encoding: unicode
   pool: 25
-  username: postgres
+  username: <%= ENV["POSTGRES_USERNAME"] %>
   password: <%= ENV["POSTGRES_PASSWORD"] %>
   host: <%= ENV["POSTGRES_HOST"] %>
 

setup/env.example

@@ -1,4 +1,5 @@
 POSTGRES_HOST=postgres
+POSTGRES_USERNAME=postgres
 REDIS_HOST=redis
 ELASTICSEARCH_HOST=elasticsearch