!21 Fix CVE-2023-38037

From: @wk333 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

CVE-2023-38037.patch

@@ -0,0 +1,59 @@
+From a21d6edf35a60383dfa6c4da49e4b1aef5f00731 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron@rubyonrails.org>
+Date: Tue, 22 Aug 2023 09:58:43 -0700
+Subject: [PATCH] Use a temporary file for storing unencrypted files while
+ editing
+
+Origin: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
+
+When we're editing the contents of encrypted files, we should use the
+`Tempfile` class because it creates temporary files with restrictive
+permissions.  This prevents other users on the same system from reading
+the contents of those files while the user is editing them.
+
+[CVE-2023-38037]
+---
+ .../lib/active_support/encrypted_file.rb       | 17 ++++++++---------
+ activesupport/test/encrypted_file_test.rb      |  8 ++++++++
+ railties/lib/rails/secrets.rb                  | 18 ++++++++++--------
+ 3 files changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/railties/lib/rails/secrets.rb b/railties/lib/rails/secrets.rb
+index 54ba53c03b981..913d5e57c1bfb 100644
+--- a/railties/lib/rails/secrets.rb
++++ b/railties/lib/rails/secrets.rb
+@@ -1,6 +1,7 @@
+ # frozen_string_literal: true
+ 
+ require "yaml"
++require "tempfile"
+ require "active_support/message_encryptor"
+ 
+ module Rails
+@@ -87,17 +88,18 @@ def preprocess(path)
+         end
+ 
+         def writing(contents)
+-          tmp_file = "#{File.basename(path)}.#{Process.pid}"
+-          tmp_path = File.join(Dir.tmpdir, tmp_file)
+-          IO.binwrite(tmp_path, contents)
++          file_name = "#{File.basename(path)}.#{Process.pid}"
+ 
+-          yield tmp_path
++          Tempfile.create(["", "-" + file_name]) do |tmp_file|
++            tmp_path = Pathname.new(tmp_file)
++            tmp_path.binwrite contents
+ 
+-          updated_contents = IO.binread(tmp_path)
++            yield tmp_path
+ 
+-          write(updated_contents) if updated_contents != contents
+-        ensure
+-          FileUtils.rm(tmp_path) if File.exist?(tmp_path)
++            updated_contents = tmp_path.binread
++
++            write(updated_contents) if updated_contents != contents
++          end
+         end
+ 
+         def encryptor

rubygem-railties-5.1.5-check-value-of-result-source-location.patch

@@ -1,33 +0,0 @@
-From b25471833462b769df5d20fb4019aee46881489e Mon Sep 17 00:00:00 2001
-From: Pavel Valena <pvalena@redhat.com>
-Date: Fri, 16 Mar 2018 21:40:58 +0100
-Subject: [PATCH] Check value of result.source_location in
- test_unit/reporter.rb#format_rerun_snippet
-
-With Ruby 2.5 format_rerun_snippet can return nil, which crashes the test
-suite, F.e.:
-
-  TestUnitReporterTest#test_outputs_failures_inline:
-  NoMethodError: undefined method `sub' for nil:NilClass
-      test/test_unit/reporter_test.rb:62:in `block in <class:TestUnitReporterTest>'
-  bin/rails test test/test_unit/reporter_test.rb:61
----
- railties/lib/rails/test_unit/reporter.rb | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/railties/lib/rails/test_unit/reporter.rb b/railties/lib/rails/test_unit/reporter.rb
-index 28b93ce..86d769d 100644
---- a/railties/lib/rails/test_unit/reporter.rb
-+++ b/railties/lib/rails/test_unit/reporter.rb
-@@ -68,7 +68,7 @@ def format_line(result)
-       end
- 
-       def format_rerun_snippet(result)
--        location, line = if result.respond_to?(:source_location)
-+        location, line = if result.respond_to?(:source_location) && result.source_location
-           result.source_location
-         else
-           result.method(result.name).source_location
--- 
-1.8.3.1
-

rubygem-railties-7.0.2.3-Remove-the-multi-call-form-of-assert_called_with.patch

@@ -0,0 +1,48 @@
+From df0de681dc1873534ecd2fc8371e1f2562984b68 Mon Sep 17 00:00:00 2001
+From: John Crepezzi <john.crepezzi@gmail.com>
+Date: Thu, 16 Jun 2022 08:34:05 -0400
+Subject: [PATCH] Remove the multi-call form of assert_called_with
+
+The `assert_called_with` helper allows passing a multi-dimensional array to
+mock multiple calls to the same method for a given block. This works
+fine now, but when adding support for real kwargs arguments to line up with
+recent upgrades in Minitest, this approach is no longer workable because
+we can't pass multiple sets of differing kwargs.
+
+Rather than complicated this method further, this commit removes the
+multi-call form of `assert_called_with` and modifies the tests that
+currently make use of that functionality to just use the underlying
+`Minitest::Mock` calls.
+
+Co-authored-by: Eileen M. Uchitelle <eileencodes@gmail.com>
+---
+ railties/test/generators/actions_test.rb      | 14 ++--
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/railties/test/generators/actions_test.rb b/railties/test/generators/actions_test.rb
+index f62754fe0813e..6b5cdcf781922 100644
+--- a/railties/test/generators/actions_test.rb
++++ b/railties/test/generators/actions_test.rb
+@@ -734,11 +734,17 @@ def assert_runs(commands, config = {}, &block)
+       config_matcher = ->(actual_config) do
+         assert_equal config, actual_config.slice(*config.keys)
+       end if config
+-      args = Array(commands).map { |command| [command, *config_matcher] }
+-
+-      assert_called_with(generator, :run, args) do
+-        block.call
+-      end
++
++      mock = Minitest::Mock.new
++
++      Array(commands).each do |command|
++        args = [command, *config_matcher]
++        mock.expect(:call, nil, args)
++      end
++
++      generator.stub(:run, mock, &block)
++
++      assert_mock(mock)
+     end
+ 
+     def assert_routes(*route_commands)

rubygem-railties.spec

@@ -1,31 +1,44 @@
 %global gem_name railties
-%bcond_with  test
-%{?_with_bootstrap: %global bootstrap 1}
-%global bootstrap 1
+%bcond_with bootstrap
+%bcond_with webpacker
+
 Name:                rubygem-%{gem_name}
-Version:             5.2.4.4
-Release:             3
+Version:             7.0.7
+Release:             2
 Summary:             Tools for creating, working with, and running Rails applications
 License:             MIT
 URL:                 http://rubyonrails.org
 Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
-Source1:             https://github.com/rails/rails/archive/v%{version}.tar.gz
-# Check value of result.source_location in
-# test_unit/reporter.rb#format_rerun_snippet
-# https://github.com/rails/rails/pull/32297
-Patch0:              rubygem-railties-5.1.5-check-value-of-result-source-location.patch
+# Get the test suite:
+# git clone http://github.com/rails/rails.git
+# cd rails/railties && git archive -v -o railties-7.0.7-tests.txz v7.0.7 test/
+Source1:             %{gem_name}-%{version}-tests.txz
+# The tools are needed for the test suite, are however unpackaged in gem file.
+# You may check it out like so
+# git clone http://github.com/rails/rails.git --no-checkout
+# cd rails && git archive -v -o rails-7.0.7-tools.txz v7.0.7 tools/
+Source2:             rails-%{version}-tools.txz
+# Fixes for Minitest 5.16+
+# https://github.com/rails/rails/pull/45380
+Patch1:              rubygem-railties-7.0.2.3-Remove-the-multi-call-form-of-assert_called_with.patch
+Patch2:              CVE-2023-38037.patch
+
+Recommends: ruby(irb)
 Suggests:            %{_bindir}/sqlite3
-BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(actioncable) = %{version}
+BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(did_you_mean)
+%if %{without bootstrap}
 BuildRequires:       rubygem(actionmailer) = %{version} rubygem(actionpack) = %{version}
 BuildRequires:       rubygem(activerecord) = %{version} rubygem(activesupport) = %{version}
 BuildRequires:       rubygem(activestorage) = %{version} rubygem(bundler) rubygem(method_source)
 BuildRequires:       rubygem(rake) >= 0.8.7 rubygem(rack-cache) rubygem(sqlite3) rubygem(puma)
 BuildRequires:       rubygem(bootsnap) rubygem(capybara) sqlite rubygem(sprockets-rails)
 BuildRequires:       rubygem(thor) >= 0.18.1 rubygem(turbolinks) git
-%if ! 0%{?bootstrap}
-BuildRequires:       rubygem(jquery-rails) rubygem(uglifier) rubygem(rails) %{_bindir}/node
+BuildRequires:       rubygem(jquery-rails) rubygem(uglifier) rubygem(rails) nodejs
+BuildRequires:       rubygem(actioncable) = %{version} ruby(irb) rubygem(importmap-rails)
+%if %{with webpacker}
+BuildRequires:       %{_bindir}/webpacker
+%endif
 %endif
-Requires:            rubygem(bundler)
 BuildArch:           noarch
 %description
 Rails internals: application bootup, plugins, generators, and rake tasks.
@@ -42,13 +55,15 @@ BuildArch:           noarch
 Documentation for %{name}.
 
 %prep
-%setup -q -c -T
-%gem_install -n %{SOURCE0}
-pushd .%{gem_instdir}
-%patch0 -p2
-popd
+%setup -q -n %{gem_name}-%{version} -b1 -b2
+%patch2 -p2
 
+pushd %{_builddir}
+%patch1 -p2
+popd
 %build
+gem build ../%{gem_name}-%{version}.gemspec
+%gem_install
 
 %install
 mkdir -p %{buildroot}%{gem_dir}
@@ -59,7 +74,7 @@ cp -p .%{_bindir}/* \
         %{buildroot}%{_bindir}/
 find %{buildroot}%{gem_instdir}/exe -type f | xargs chmod a+x
 
-%if %{with test}
+%if %{without bootstrap}
 %check
 ln -s %{gem_dir}/specifications/rails-%{version}.gemspec .%{gem_dir}/gems/rails.gemspec
 ln -s %{gem_dir}/gems/activesupport-%{version}/ .%{gem_dir}/gems/activesupport
@@ -69,9 +84,10 @@ ln -s %{gem_dir}/gems/activerecord-%{version}/ .%{gem_dir}/gems/activerecord
 ln -s %{gem_dir}/gems/actionview-%{version}/ .%{gem_dir}/gems/actionview
 ln -s %{gem_dir}/gems/actioncable-%{version}/ .%{gem_dir}/gems/actioncable
 ln -s ${PWD}%{gem_instdir} .%{gem_dir}/gems/railties
+mkdir -p .%{gem_dir}/gems/tmp/templates/app_template
 pushd .%{gem_dir}/gems/railties
-tar xzf %{SOURCE1}
-ln -s rails-%{version}/railties/test test
+ln -s %{_builddir}/tools ..
+mv %{_builddir}/test .
 echo '%{version}' > ../RAILS_VERSION
 touch ../Gemfile
 echo 'gem "actioncable"' >> ../Gemfile
@@ -93,49 +109,85 @@ echo 'gem "puma"' >> ../Gemfile
 echo 'gem "bootsnap"' >> ../Gemfile
 echo 'gem "capybara"' >> ../Gemfile
 echo 'gem "irb"' >> ../Gemfile
-%if ! 0%{?bootstrap}
+echo 'gem "importmap-rails"' >> ../Gemfile
 echo 'gem "jquery-rails"' >> ../Gemfile
 echo 'gem "rails"' >> ../Gemfile
 echo 'gem "uglifier", require: false' >> ../Gemfile
-%else
-mv test/application/assets_test.rb{,.disable}
-mv test/application/asset_debugging_test.rb{,.disable}
-sed -i '/def test_scaffold_.*tests_pass_by_default$/,/^    end$/ s/^/#/' test/application/rake_test.rb
-sed -i '/def test_rake_routes_with_rake_options$/,/^    end$/ s/^/#/' test/application/rake_test.rb
-sed -i '/def test_rails_routes_displays_message_when_no_routes_are_defined$/,/^    end$/ s/^/#/' test/application/rake_test.rb
-sed -i '/def test_rails_routes_calls_the_route_inspector$/,/^    end$/ s/^/#/' test/application/rake_test.rb
-sed -i '/def test_generated_controller_works_with_rails_test$/,/^    end$/ s/^/#/' test/application/test_runner_test.rb
-sed -i '/def test_generated_scaffold_works_with_rails_test$/,/^    end$/ s/^/#/' test/application/test_runner_test.rb
-mv test/application/bin_setup_test.rb{,.disable}
-mv test/test_unit/reporter_test.rb{,.disable}
-mv test/application/configuration/custom_test.rb{,.disable}
-sed -i '/def test_generation_runs_bundle_install_with_full_and_mountable$/,/^  end$/ s/^/#/' test/generators/plugin_generator_test.rb
-sed -i '/def test_generate_application_.*_when_does_not_exist_in_mountable_engine$/,/^  end$/ s/^/#/' test/generators/plugin_generator_test.rb
-sed -i '/def test_controller_tests_pass_by_default_inside_mountable_engine$/,/^  end$/ s/^/#/' test/generators/scaffold_controller_generator_test.rb
-sed -i '/def test_controller_tests_pass_by_default_inside_full_engine$/,/^  end$/ s/^/#/' test/generators/scaffold_controller_generator_test.rb
-sed -i '/def test_application_new_exits_with_message_and_non_zero_code_when_generating_inside_existing_rails_directory$/,/^  end$/ s/^/#/' test/generators/app_generator_test.rb
-sed -i '/def test_application_new_show_help_message_inside_existing_rails_directory$/,/^  end$/ s/^/#/' test/generators/app_generator_test.rb
-%endif
-sed -i '/^  def test_sqlite3_db_without_defined_rails_root$/,/^  end$/ s/^/#/' test/commands/dbconsole_test.rb
-sed -i '/test "database middleware doesn.t initialize when activerecord is not in frameworks" do$/,/^    end$/ s/^/#/' \
-  test/application/initializers/frameworks_test.rb
-sed -i '/test "i18n files have lower priority than application ones" do$/,/^    end$/ s/^/#/' \
-  test/railties/engine_test.rb
 sed -i '/def test_system_tests_are_run_through_rake_test_when_given_in_TEST$/,/^    end$/ s/^/#/' \
   test/application/test_runner_test.rb
 sed -i '/def test_reset_sessions_before_rollback_on_system_tests$/,/^    end$/ s/^/#/' \
   test/application/test_runner_test.rb
-sed -i '/def test_output_inline_by_default$/,/^  end$/ s/^/#/' \
-  test/generators/plugin_test_runner_test.rb
+sed -i '/test "database middleware doesn.t initialize when activerecord is not in frameworks" do$/,/^    end$/ s/^/#/' \
+  test/application/initializers/frameworks_test.rb
 mv test/application/rake/dbs_test.rb{,.disable}
-mv test/commands/dbconsole_test.rb{,.disable}
-sed -i '/^  def test_new_application_load_defaults$/,/^  end$/ s/^/#/' \
-  test/generators/app_generator_test.rb
-sed -i 's/^\(\s*secrets\.secret_\)token/\1key_base/' \
-  test/path_generation_test.rb
+sed -i '/test "i18n files have lower priority than application ones" do$/,/^    end$/ s/^/#/' \
+  test/railties/engine_test.rb
+sed -i -e '/require..minitest.retry./ s/^/#/' \
+  test/isolation/abstract_unit.rb
 export RUBYOPT="-I${PWD}/../railties/lib"
 export PATH="${PWD}/../railties/exe:$PATH"
 export BUNDLE_GEMFILE=${PWD}/../Gemfile
+
+# Uses Bundler.require(...)
+mv test/generators/test_runner_in_engine_test.rb{,.disable}
+mv test/generators/plugin_generator_test.rb{,.disable}
+
+# yarn requires network access
+sed -i -e '/^\s*sh .yarn/ s/^/#/g' \
+  test/isolation/abstract_unit.rb
+
+%if %{without webpacker}
+sed -i -e '/^\s*sh .bin.rails webpacker/ s/^/#/g' \
+  test/isolation/abstract_unit.rb
+mv -v test/app_loader_test.rb{,.disable}
+mv -v test/engine/test_test.rb{,.disable}
+mv -v test/secrets_test.rb{,.disable}
+for tname in \
+  railtie \
+  engine \
+  mounted_engine \
+;do
+  mv -v test/railties/${tname}_test.rb{,.disable}
+done
+for tname in \
+  credentials \
+  encrypted \
+  initializers \
+  notes \
+  routes \
+  secrets \
+  server \
+;do
+  mv -v test/commands/${tname}_test.rb{,.disable}
+done
+rm -rf test/application/
+
+sed -i -e '/^\s*def test_scaffold_tests_pass_by_default_inside_mountable_engine/ a \  skip' \
+       -e '/^\s*def test_scaffold_tests_pass_by_default_inside_namespaced_mountable_engine/ a \  skip' \
+       -e '/^\s*def test_scaffold_tests_pass_by_default_inside_full_engine/ a \  skip' \
+       -e '/^\s*def test_scaffold_tests_pass_by_default_inside_api_full_engine/ a \  skip' \
+       -e '/^\s*def test_scaffold_tests_pass_by_default_inside_api_mountable_engine/ a \  skip' \
+  test/generators/scaffold_generator_test.rb
+
+%endif
+
+# Tests does not seem to work with importmap-rails now
+# Error: Don't know how to build task 'turbo:install'
+mv test/generators/app_generator_test.rb{,.disable}
+
+sed -i -e '/^\s*test "outputs errors inline" do/ a \  skip' \
+       -e '/^\s*test "outputs colored failed results" do/ a \  skip' \
+  test/test_unit/reporter_test.rb
+
+sed -i -e '/^\s*test "outputs colored failed results" do/ a \  skip' \
+       -e '/^\s*test "outputs errors inline" do/ a \  skip' \
+  test/test_unit/reporter_test.rb
+sed -i '/^\s*def test_template_is_executed_when_supplied_an_https_path/ a \  skip' \
+  test/generators/shared_generator_tests.rb
+# Disable malfunctioning test
+sed -i '/^\s*def test_create_migrations/ a \  skip' \
+  test/generators/action_mailbox_install_generator_test.rb
+git config --global init.defaultBranch master
 find test -type f -name '*_test.rb' -print0 | \
   sort -z | \
   xargs -0 -n1 -i sh -c "echo '* Test file: {}'; ruby -Itest -- '{}' || exit 255"
@@ -158,6 +210,21 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
+* Mon Sep 11 2023 wangkai <13474090681@163.com> - 7.0.7-2
+- Fix CVE-2023-38037
+
+* Thu Aug 17 2023 Ge Wang <wang__ge@126.com> - 7.0.7-1
+- Upgrade to version 7.0.7
+
+* Thu Jan 19 2023 wangkai <wangkai385@h-partners.com> - 7.0.4-1
+- Upgrade to version 7.0.4
+
+* Fri Mar 04 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 6.1.4.1-1
+- update to 6.1.4.1
+
+* Tue Apr  6 2021 lingsheng <lingsheng@huawei.com> - 5.2.4.4-4
+- Add requires ruby-devel sqlite-devel
+
 * Tue Apr  6 2021 lingsheng <lingsheng@huawei.com> - 5.2.4.4-3
 - Add requires rubygem(bundler)