From 36a15fb364d99dc8e5f9c2f7fce5ef81b45c26c7 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Mon, 21 Oct 2019 15:40:26 +0200
Subject: [PATCH 1/3] fixes changelog
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3ceed2a4a..847ef411a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,7 +37,7 @@
 - [TODO DEPLOY] add the `MAX_IMPORT_SIZE` environment variable (see [doc/environment.md](doc/environment.md) for configuration details)
 - [TODO DEPLOY] add `- ${PWD}/imports:/usr/src/app/imports` in the volumes list of your fabmanager service in [docker-compose.yml](docker/docker-compose.yml)
 - [TODO DEPLOY] add the `FABLAB_WITHOUT_INVOICES` environment variable (see [doc/environment.md](doc/environment.md) for configuration details)
-- [TODO DEPLOY] add the following environment variables: `SMTP_TLS`
+- [TODO DEPLOY] add the following `SMTP_TLS` environment variables (see [doc/environment.md](doc/environment.md) for configuration details)
 ## v4.1.1 2019 September 20
From fdcec06345bf9eaa3f82a91287f0f5b527840420 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Mon, 21 Oct 2019 16:11:49 +0200
Subject: [PATCH 2/3] CVE-2019-16892 + #49
- updated rubyzip to fix a security issue
- updated axlsx and file writing method as a possible fix for #49
---
 CHANGELOG.md | 8 +++-
 Gemfile | 4 +-
 Gemfile.lock | 46 ++++++++++-------------
 app/services/statistics_export_service.rb | 2 +-
 4 files changed, 29 insertions(+), 31 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 847ef411a..26d024d08 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog Fab Manager
+- Updated axlsx gem to caxlsx 3.0
+- Updated axlsx_rails to 0.6.0
+- Fix a security issue: updated rubyzip to 1.3.0 to fix [CVE-2019-16892](https://nvd.nist.gov/vuln/detail/CVE-2019-16892)
+
 ## v4.2.0 2019 October 21
 - Upgraded PostgreSQL from 9.4 to 9.6
@@ -12,7 +16,7 @@
 - Ability to bulk-import members from a CSV file
 - Ability to disable invoices generation and interfaces
 - Added a known issue to the README (#152)
-- Ability to fully rebuild the projets index in ElasticSearch with rake fablab:es:build_projects_index
+- Ability to fully rebuild the projets index in ElasticSearch with `rake fablab:es:build_projects_index`
 - Ability to configure SMTP connection to use SMTP/TLS
 - Updated user's manual for v4.2 (fr)
 - Fix a bug: invoices with total = 0, are marked as paid on site even if paid by card
@@ -24,7 +28,7 @@
 - Fix a bug: missing asterisks on some required fields in profile_complete form
 - Fix a bug: public calendar won't show anything if the current date range include a reserved space availability (#151)
 - Fix a bug: invoices list is not shown by default in "manage invoices" section
-- Fix a bug: unable to run rake fablab:es:* tasks due to an issue with gem faraday 0.16.x (was updated to 0.17)
+- Fix a bug: unable to run rake `fablab:es:*` tasks due to an issue with gem faraday 0.16.x (was updated to 0.17)
 - Fix a bug: unauthorized user can see the edit project form
 - Fix a bug: do not display each days in invoices for multiple days event reservation
 - Fix a security issue: fixed [CVE-2015-9284](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284)
diff --git a/Gemfile b/Gemfile
index 6c9307d87..b69b1c8f9 100644
--- a/Gemfile
+++ b/Gemfile
@@ -140,9 +140,9 @@ gem 'apipie-rails'
 gem 'has_secure_token'
 # XLS files generation
-gem 'axlsx', git: 'https://github.com/randym/axlsx', branch: 'master'
 gem 'axlsx_rails'
-gem 'rubyzip', '>= 1.2.2'
+gem 'caxlsx'
+gem 'rubyzip', '>= 1.3.0'
 gem 'rack-protection', '1.5.5'
diff --git a/Gemfile.lock b/Gemfile.lock
index 10797da1b..0c1c06a6b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
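Review bot: The explicit `gem 'rubyzip', '>= 1.3.0'` line in the Gemfile hunk is the only thing that actually enforces the CVE-2019-16892 fix, because the Gemfile.lock in this same commit shows `caxlsx (3.0.0)` still declaring `rubyzip (~> 1.2, >= 1.2.1)`, which admits the affected 1.2.x releases; without a comment, a later cleanup could drop the pin as redundant. Suggested comment above that line: `# Keep this explicit lower bound: caxlsx only requires rubyzip ~> 1.2, which still allows versions affected by CVE-2019-16892`. `gem 'caxlsx'` is also added with no constraint while the lock resolves it to 3.0.0; a pessimistic constraint such as `gem 'caxlsx', '~> 3.0'` would keep a future `bundle update` from pulling an incompatible major release.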
@@ -1,14 +1,3 @@ -GIT - remote: https://github.com/randym/axlsx - revision: c593a08b2a929dac7aa8dc418b55e26b4c49dc34 - branch: master - specs: - axlsx (3.0.0.pre) - htmlentities (~> 4.3, >= 4.3.4) - mimemagic (~> 0.3) - nokogiri (~> 1.8, >= 1.8.2) - rubyzip (~> 1.2, >= 1.2.1) - GEM remote: https://rubygems.org/ specs: @@ -67,9 +56,9 @@ GEM descendants_tracker (~> 0.0.4) ice_nine (~> 0.11.0) thread_safe (~> 0.3, >= 0.3.1) - axlsx_rails (0.4.0) - axlsx (>= 2.0.1) - rails (>= 3.1) + axlsx_rails (0.6.0) + actionpack (>= 3.1) + caxlsx (>= 3.0) bcrypt (3.1.13) binding_of_caller (0.7.3) debug_inspector (>= 0.0.1) @@ -85,6 +74,11 @@ GEM activesupport (>= 3.2.0) json (>= 1.7) mime-types (>= 1.16) + caxlsx (3.0.0) + htmlentities (~> 4.3, >= 4.3.4) + mimemagic (~> 0.3) + nokogiri (~> 1.8, >= 1.8.2) + rubyzip (~> 1.2, >= 1.2.1) chroma (0.0.1) chunky_png (1.3.4) cldr-plurals-runtime-rb (1.0.1) @@ -116,7 +110,7 @@ GEM tins (>= 1.6.0, < 2) crack (0.4.3) safe_yaml (~> 1.0.0) - crass (1.0.4) + crass (1.0.5) daemons (1.2.4) database_cleaner (1.4.1) debug_inspector (0.0.3) @@ -214,7 +208,7 @@ GEM actionpack (>= 3.0.0) activesupport (>= 3.0.0) libv8 (3.16.14.19) - loofah (2.2.3) + loofah (2.3.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) mail (2.7.1) @@ -232,17 +226,17 @@ GEM message_format (0.0.3) twitter_cldr (~> 3.1) mime-types (2.99.3) - mimemagic (0.3.2) + mimemagic (0.3.3) mini_magick (4.9.4) - mini_mime (1.0.1) + mini_mime (1.0.2) mini_portile2 (2.4.0) - minitest (5.11.3) + minitest (5.12.2) minitest-reporters (1.1.8) ansi builder minitest (>= 5.0) ruby-progressbar - multi_json (1.13.1) + multi_json (1.14.1) multi_xml (0.6.0) multipart-post (2.1.1) naught (1.1.0) @@ -317,8 +311,8 @@ GEM activesupport (>= 4.2.0, < 5.0) nokogiri (~> 1.6) rails-deprecated_sanitizer (>= 1.0.1) - rails-html-sanitizer (1.2.0) - loofah (~> 2.2, >= 2.2.2) + rails-html-sanitizer (1.3.0) + loofah (~> 2.3) rails-observers (0.1.2) activemodel (~> 4.0) rails_12factor (0.0.3) 
@@ -332,7 +326,7 @@ GEM
 rake (>= 0.8.7)
 thor (>= 0.18.1, < 2.0)
 rainbow (3.0.0)
- rake (12.3.3)
+ rake (13.0.0)
 rb-fsevent (0.9.4)
 rb-inotify (0.9.5)
 ffi (>= 0.5.0)
@@ -359,7 +353,7 @@ GEM
 unicode-display_width (~> 1.4.0)
 ruby-progressbar (1.7.5)
 ruby-rc4 (0.1.5)
- rubyzip (1.2.2)
+ rubyzip (1.3.0)
 safe_yaml (1.0.4)
 sass (3.4.13)
 sass-rails (5.0.1)
@@ -483,11 +477,11 @@ DEPENDENCIES
 api-pagination
 apipie-rails
 awesome_print
- axlsx!
 axlsx_rails
 bootstrap-sass (>= 3.4.1)
 byebug
 carrierwave
+ caxlsx
 chroma
 compass-rails (= 2.0.4)
 coveralls
@@ -536,7 +530,7 @@ DEPENDENCIES
 responders (~> 2.0)
 rolify
 rubocop (~> 0.61.1)
- rubyzip (>= 1.2.2)
+ rubyzip (>= 1.3.0)
 sass-rails (= 5.0.1)
 sdoc (~> 0.4.0)
 seed_dump
diff --git a/app/services/statistics_export_service.rb b/app/services/statistics_export_service.rb
index 9c51dad29..526135b87 100644
--- a/app/services/statistics_export_service.rb
+++ b/app/services/statistics_export_service.rb
@@ -76,7 +76,7 @@ class StatisticsExportService
 content = av.render template: 'exports/statistics_current.xlsx.axlsx'
 # write content to file
- File.open(export.file,"w+b") {|f| f.puts content }
+ File.open(export.file,"w+b") { |f| f.write content }
 end
 }, __FILE__, __LINE__ - 35
 end
From 11484d2fccf9b53bc235dbf252a4b7ab0867a779 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Mon, 21 Oct 2019 16:13:56 +0200
Subject: [PATCH 3/3] Version 4.2.1
---
 CHANGELOG.md | 10 ++++++----
 package.json | 2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 26d024d08..f7c84d72e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,9 @@
 # Changelog Fab Manager
+## v4.2.1 2019 October 21
+
 - Updated axlsx gem to caxlsx 3.0
-- Updated axlsx_rails to 0.6.0
+- Updated axlsx_rails to 0.6.0
 - Fix a security issue: updated rubyzip to 1.3.0 to fix [CVE-2019-16892](https://nvd.nist.gov/vuln/detail/CVE-2019-16892)
 ## v4.2.0 2019 October 21
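Review bot: In the statistics_export_service.rb hunk, `f.write` is the correct replacement for `f.puts`: `puts` appends a trailing newline to the rendered xlsx bytes, which corrupts the zip container that the spreadsheet is packed in, so this is plausibly the #49 symptom and deserves a comment, e.g. `# write, not puts: an appended newline corrupts the xlsx (zip) container`. The mode string `"w+b"` also requests read access that this block never uses; `"wb"`, or the one-line equivalent `File.binwrite(export.file, content)`, states the intent more precisely. `File.open(export.file,"w+b")` is missing the space after the comma. The enclosing definition starts outside the hunk, and the `}, __FILE__, __LINE__ - 35` trailer suggests this body is evaluated from a string, so line numbers in any error trace are offset accordingly.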
@@ -25,14 +27,14 @@
 - Fix a bug: create a plan does not set its name
 - Fix a bug: unable to dissociate the last machine from a formation
 - Fix a bug: in profile_complete form, the user's group is not selected by default
-- Fix a bug: missing asterisks on some required fields in profile_complete form
+- Fix a bug: missing asterisks on some required fields in profile_complete form
 - Fix a bug: public calendar won't show anything if the current date range include a reserved space availability (#151)
 - Fix a bug: invoices list is not shown by default in "manage invoices" section
 - Fix a bug: unable to run rake `fablab:es:*` tasks due to an issue with gem faraday 0.16.x (was updated to 0.17)
 - Fix a bug: unauthorized user can see the edit project form
-- Fix a bug: do not display each days in invoices for multiple days event reservation
+- Fix a bug: do not display each days in invoices for multiple days event reservation
 - Fix a security issue: fixed [CVE-2015-9284](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284)
-- [TODO DEPLOY] **IMPORTANT** Please read [postgres_upgrade.md](doc/postgres_upgrade.md) for instructions on upgrading PostgreSQL.
+- [TODO DEPLOY] **IMPORTANT** Please read [postgres_upgrade.md](doc/postgres_upgrade.md) for instructions on upgrading PostgreSQL.
 - [TODO DEPLOY] `rake db:migrate`
 - [TODO DEPLOY] -> (only dev) `yarn install` and `bundle install`
 - [TODO DEPLOY] -> (only dev) configure `DEFAULT_HOST: 'localhost:5000'` and `DEFAULT_PROTOCOL: http` in [application.yml](config/application.yml.default)
diff --git a/package.json b/package.json
index a23fb851b..48d1a0ca5 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "fab-manager",
- "version": "4.2.0",
+ "version": "4.2.1",
 "description": "FabManager is the FabLab management solution. It provides a comprehensive, web-based, open-source tool to simplify your administrative tasks and your marker's projects.",
 "keywords": [
 "fablab",