Merge branch 'fix-activesupport-security-bug' into 'master'

蔡耀賢 · 蔡耀賢 · commit 4eec2d681f49 · 2026-03-30T17:03:10.000+08:00
Patch 1.2.0

See merge request kdanmobile/shared-code-base/gems/error_response!45
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -6,23 +6,37 @@ include:
 stages:
   - test
   - sast_upload
+  - lint
   - rspec
   - publish
 
+rubocop:
+  stage: lint
+  image: ruby:3.4.8
+  tags:
+    - arm64
+  script:
+    - bundle install
+    - bundle exec rubocop
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == "master"
+
 rspec:
   stage: rspec
-  image: ruby:3.4.5
+  image: ruby:3.4.8
   tags:
     - arm64
   script:
     - bundle install
     - rspec spec
-  only:
-    - master
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == "master"
 
 to_gem:
   stage: publish
-  image: ruby:3.4.5
+  image: ruby:3.4.8
   tags:
     - arm64
   script:
@@ -34,5 +48,5 @@ to_gem:
     - GEM_NAME=error_response-$RELEASE_VERSION.gem
     - gem build error_response.gemspec
     - gem push $GEM_NAME
-  only:
-    - /release-\d+\.\d+\.\d+(\.\d+)?/
+  rules:
+    - if: '$CI_COMMIT_TAG =~ /^release-\d+\.\d+\.\d+(\.\d+)?$/'
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -0,0 +1,42 @@
+plugins:
+  - rubocop-performance
+
+AllCops:
+  NewCops: enable
+  TargetRubyVersion: 3.0
+  Exclude:
+    - 'bin/**/*'
+    - 'pkg/**/*'
+    - 'vendor/**/*'
+
+Layout/LineLength:
+  Max: 200
+
+Style/Documentation:
+  Enabled: false
+
+Style/StringLiterals:
+  Enabled: true
+  EnforcedStyle: double_quotes
+
+Metrics/MethodLength:
+  Max: 25
+
+Metrics/AbcSize:
+  Max: 25
+
+Metrics/CyclomaticComplexity:
+  Max: 10
+
+Metrics/PerceivedComplexity:
+  Max: 10
+
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/**/*'
+
+Metrics/ParameterLists:
+  Max: 10
+
+Naming/VariableNumber:
+  Enabled: false
diff --git a/.ruby-version b/.ruby-version
@@ -1 +1 @@
-3.4.5
+3.4.8
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,12 @@
+## [1.2.0] - 2026-03-24
+- Patch activesupport to 7.2.3.1.
+  - Fix possible ReDoS vulnerability in `number_to_delimited`.
+  - Fix possible XSS vulnerability in `ActiveSupport::SafeBuffer#%`.
+- Add SECURITY.md.
+- Add README.md link to the security policy.
+- Add RSpec coverage for loading remote error definitions.
+- Add RuboCop configuration and clean up lint issues.
+- Improve remote YAML loading safety.
 ## [1.1.6] - 2025-07-18
 - Fix readme typo.
 ## [1.1.5] - 2025-07-16
diff --git a/Gemfile b/Gemfile
@@ -1,6 +1,12 @@
-source 'https://rubygems.org'
+# frozen_string_literal: true
+
+source "https://rubygems.org"
 
 gemspec
 
-gem 'irb', '~> 1.15.2'
-gem 'rspec', '~> 3.13.1'
+group :development, :test do
+  gem "irb", "~> 1.17.0"
+  gem "rspec", "~> 3.13.2"
+  gem "rubocop", "~> 1.85.1"
+  gem "rubocop-performance", "~> 1.26.1"
+end
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,24 +1,27 @@
 PATH
   remote: .
   specs:
-    error_response (1.1.6)
+    error_response (1.2.0)
+      activesupport (~> 7.2.3.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.1.5.1)
+    activesupport (7.2.3.1)
       base64
       benchmark (>= 0.3)
       bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+      concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
       logger (>= 1.4.2)
-      minitest (>= 5.1)
-      mutex_m
+      minitest (>= 5.1, < 6)
       securerandom (>= 0.3)
-      tzinfo (~> 2.0)
+      tzinfo (~> 2.0, >= 2.0.5)
+    addressable (2.8.9)
+      public_suffix (>= 2.0.2, < 8.0)
+    ast (2.4.3)
     base64 (0.3.0)
     benchmark (0.4.1)
     bigdecimal (3.2.2)
@@ -29,20 +32,37 @@ GEM
     i18n (1.14.7)
       concurrent-ruby (~> 1.0)
     io-console (0.8.1)
-    irb (1.15.2)
+    irb (1.17.0)
       pp (>= 0.6.0)
+      prism (>= 1.3.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
+    json (2.19.2)
+    json-schema (6.2.0)
+      addressable (~> 2.8)
+      bigdecimal (>= 3.1, < 5)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
     logger (1.7.0)
+    mcp (0.9.2)
+      json-schema (>= 4.1)
     minitest (5.25.5)
-    mutex_m (0.3.0)
+    parallel (1.27.0)
+    parser (3.3.10.2)
+      ast (~> 2.4.1)
+      racc
     pp (0.6.2)
       prettyprint
     prettyprint (0.2.0)
+    prism (1.9.0)
+    public_suffix (7.0.5)
+    racc (1.8.1)
+    rainbow (3.1.1)
     rdoc (6.3.4.1)
+    regexp_parser (2.11.3)
     reline (0.6.1)
       io-console (~> 0.5)
-    rspec (3.13.1)
+    rspec (3.13.2)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
       rspec-mocks (~> 3.13.0)
@@ -55,18 +75,42 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-support (3.13.4)
+    rubocop (1.85.1)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      mcp (~> 0.6)
+      parallel (~> 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.49.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.7)
+    rubocop-performance (1.26.1)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.75.0, < 2.0)
+      rubocop-ast (>= 1.47.1, < 2.0)
+    ruby-progressbar (1.13.0)
     securerandom (0.4.1)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.2.0)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  activesupport (~> 7.1.5.1)
   error_response!
-  irb (~> 1.15.2)
-  rspec (~> 3.13.1, ~> 3.0)
+  irb (~> 1.17.0)
+  rspec (~> 3.13.2)
+  rubocop (~> 1.85.1)
+  rubocop-performance (~> 1.26.1)
 
 BUNDLED WITH
-   2.7.0
+   2.7.2
diff --git a/README.md b/README.md
@@ -1,5 +1,7 @@
 # Error Response
 
+[![Gem Version](https://badge.fury.io/rb/error_response.svg?icon=si%3Arubygems)](https://badge.fury.io/rb/error_response)
+
 `Error Response` is a json response gem to help you easily manage all your custom error statuses in your Rails application.
 
 ## Installation
@@ -158,6 +160,10 @@ gives you
 }
 ```
 
+## Security
+
+If you would like to report a security issue, please review the [Security Policy](SECURITY.md).
+
 ## License
 
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,41 @@
+# Security Policy
+
+## Supported Versions
+
+Security fixes are provided for the latest released version of `error_response`.
+
+If you report a vulnerability, please verify whether it can still be reproduced on the latest release before submitting the report.
+
+## Reporting a Vulnerability
+
+Please report security issues privately by email:
+
+- `dev@kdanmobile.com`
+
+To help us investigate quickly, please include:
+
+- A clear description of the issue
+- The affected `error_response` version
+- Your Ruby and Rails versions, if applicable
+- Steps to reproduce the issue
+- A proof of concept or sample payload, if available
+- The expected impact and any known workarounds
+
+Please do not open public issues for suspected security vulnerabilities.
+
+## Response Process
+
+After receiving a report, we will:
+
+- Confirm whether the issue can be reproduced
+- Assess the impact and affected versions
+- Prepare and release a fix when necessary
+- Publish the relevant update through the normal project release process
+
+Response time may vary depending on severity and reproduction complexity.
+
+## Disclosure Policy
+
+Please allow time for investigation and remediation before making any public disclosure.
+
+We appreciate responsible disclosure and coordinated reporting.
diff --git a/VERSION.md b/VERSION.md
@@ -1 +1 @@
-1.1.6
+1.2.0
diff --git a/error_response.gemspec b/error_response.gemspec
@@ -1,21 +1,22 @@
+# frozen_string_literal: true
+
 Gem::Specification.new do |s|
-  s.name        = 'error_response'
+  s.name        = "error_response"
   s.version     = File.read("./VERSION.md")
-  s.date        = Time.now.strftime('%F')
   s.summary     = "A tool for API error response"
   s.description = "use for error_response"
   s.authors     = ["Kdan Mobile Software Developer"]
-  s.email       = 'dev@kdanmobile.com'
-  s.homepage    = 'https://github.com/kdan-mobile-software-ltd/error_response'
-  s.license     = 'MIT'
+  s.email       = "dev@kdanmobile.com"
+  s.homepage    = "https://github.com/kdan-mobile-software-ltd/error_response"
+  s.license     = "MIT"
   s.files       = Dir["lib/**/*"]
-  s.require_path     = ["lib"]
-  s.required_ruby_version = '>= 2.7'
+  s.require_path = ["lib"]
+  s.required_ruby_version = ">= 3.0"
   s.metadata = {
     "source_code_uri" => "https://github.com/kdan-mobile-software-ltd/error_response",
-    "changelog_uri" => "https://github.com/kdan-mobile-software-ltd/error_response/blob/master/CHANGELOG.md"
+    "changelog_uri" => "https://github.com/kdan-mobile-software-ltd/error_response/blob/master/CHANGELOG.md",
+    "rubygems_mfa_required" => "true"
   }
 
-  s.add_development_dependency 'activesupport', '~> 7.1.5.1'
-  s.add_development_dependency 'rspec', '~> 3.0'
+  s.add_dependency "activesupport", "~> 7.2.3.1"
 end
diff --git a/lib/error_response.rb b/lib/error_response.rb
diff --git a/lib/error_response/configuration.rb b/lib/error_response/configuration.rb
diff --git a/lib/error_response/helper.rb b/lib/error_response/helper.rb
diff --git a/lib/error_response/request_error.rb b/lib/error_response/request_error.rb
diff --git a/spec/error_response_spec.rb b/spec/error_response_spec.rb
