-
Notifications
You must be signed in to change notification settings - Fork 899
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use config.load_defaults for rails 7 with overrides #23176
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -86,6 +86,10 @@ class Application < Rails::Application | |
|
||
# Disable ActionCable's request forgery protection | ||
# This is basically matching a set of allowed origins which is not good for us | ||
# Note, similarly named forgery protections in action controller are set to true | ||
# https://github.com/rails/rails/blob/d437ae311f1b9dc40b442e40eb602e020cec4e49/railties/lib/rails/application/configuration.rb#L115C12-L115C69 | ||
# 5.0 sets: action_controller.forgery_protection_origin_check = true | ||
# 5.2 sets: action_controller.default_protect_from_forgery = true | ||
config.action_cable.disable_request_forgery_protection = false | ||
# Matching the origin against the HOST header is much more convenient | ||
config.action_cable.allow_same_origin_as_host = true | ||
|
@@ -110,8 +114,20 @@ class Application < Rails::Application | |
|
||
config.autoload_paths += config.eager_load_paths | ||
|
||
# config.load_defaults 6.1 | ||
# Disable defaults as ActiveRecord::Base.belongs_to_required_by_default = true causes MiqRegion.seed to fail validation on belongs_to maintenance zone | ||
# FYI, this is where load_defaults is defined as of 7.2: | ||
# https://github.com/rails/rails/blob/d437ae311f1b9dc40b442e40eb602e020cec4e49/railties/lib/rails/application/configuration.rb#L92 | ||
config.load_defaults 7.0 | ||
|
||
# TODO: Find and fixed any deprecated behavior. Opt in later. | ||
config.active_support.remove_deprecated_time_with_zone_name = false | ||
config.active_support.disable_to_s_conversion = false | ||
|
||
# TODO: If disabled, causes cross repo test failures in content, ui-classic and amazon provider | ||
config.active_record.partial_inserts = true | ||
|
||
# Disable this setting as it causes MiqRegion.seed to fail validation on belongs_to maintenance zone. | ||
# TODO: We should fix this so we don't need to carry this override. | ||
config.active_record.belongs_to_required_by_default = false | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Below are the value before and value with rails 7 default Overrides(seen above):
Using default value from rails 7Note, prior values were either nil or false.
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. FYI - cross repo is green but I wanted to review the changes I found between current and going to rails 7 defaults. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'll have to go through them, because I don't really understand each of them. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. FYI, here's the git blame for 7.0 defaults. Note, I've already reviewed the overrides seen above. I think the others we're accepting the rails 7 defaults should either be covered by tests or something we'll find out when others start playing with it. The OpenSSL changes may not be tested in our tests that well so it's on the list of more concerning. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Funny enough, there was an issue where someone was pointing out how these defaults are not universally documented. https://www.github.com/rails/rails/issues/50238 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is there a way to just spit out the configuration? (Like a rails CLI command or something?) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Wouldn't that be great? I couldn't find a way. I was walking the configuration and trying to print it and it was a mess. A git diff of the configuration would be great. For now, I think we run the rake task to update our configuration each time we try to do upgrades and check the new defaults. I think it won't impose new defaults on existing apps so you'd have to bring in new configuration changes and then review the new defaults to determine which you want to accept or reject. I think we can accept several of these and make plans to fix the rest. I think the X-XSS-Protection has been proven to be unusable so we can probably just drop that unless we know why we need to keep it. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Fun. Redirecting to untrusted URLs was specifically highlighted in a security course I just took. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm going to test with x-xss-protection disabled. It sounds like that is the way going forward for secure headers, rails and even browsers not supporting it. See: https://www.github.com/github/secure_headers/issues/439 |
||
|
||
# NOTE: If you are going to make changes to autoload_paths, please make | ||
# sure they are all strings. Rails will push these paths into the | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm guessing this will not bother inserting default values.
This makes me concerned.
Wonder if defaults setup in
attribute
ordefault_value_for
confuse our implementation.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, I haven't dug into it but did read that defaults are the area that can be broken by this. I would assume our defaulting mechanisms could be adjusted to make the tests and code pass with this disabled.