From b5dfed7448131f5a7591eb3c4a5989837463222e Mon Sep 17 00:00:00 2001
From: maebeale
Date: Fri, 5 Jun 2026 20:25:48 -0400
Subject: [PATCH 1/5] =?UTF-8?q?Make=20payments=20payer=E2=86=92person/orga?= =?UTF-8?q?nization=20migration=20reversible?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The original migration used `def change` with unguarded `remove_index`, `remove_column`, and `add_reference`, so it could not be rolled back and would fail on a partially-migrated database. Split into explicit up/down with `if_exists`/`if_not_exists` and `column_exists?` guards so rollbacks are idempotent and recover from partial failures.

Co-Authored-By: Claude Opus 4.8
---
 ...e_payments_payer_to_person_organization.rb | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/db/migrate/20260530000000_change_payments_payer_to_person_organization.rb b/db/migrate/20260530000000_change_payments_payer_to_person_organization.rb
index 96a28d81c..7b790e992 100644
--- a/db/migrate/20260530000000_change_payments_payer_to_person_organization.rb
+++ b/db/migrate/20260530000000_change_payments_payer_to_person_organization.rb
@@ -1,11 +1,19 @@
 class ChangePaymentsPayerToPersonOrganization < ActiveRecord::Migration[8.1]
-  def change
-    remove_index :payments, name: "index_payments_on_payer"
-    remove_index :payments, name: "index_payments_on_payer_type_and_payer_id"
+  def up
+    remove_index :payments, name: "index_payments_on_payer", if_exists: true
+    remove_index :payments, name: "index_payments_on_payer_type_and_payer_id", if_exists: true
 
-    remove_column :payments, :payer_id
+    remove_column :payments, :payer_id, if_exists: true
 
-    add_reference :payments, :person, foreign_key: true
-    add_reference :payments, :organization, type: :integer, foreign_key: true
+    add_reference :payments, :person, foreign_key: true unless column_exists?(:payments, :person_id)
+    add_reference :payments, :organization, type: :integer, foreign_key: true unless column_exists?(:payments, :organization_id)
+  end
+
+  def down
+    remove_reference :payments, :organization, foreign_key: true, if_exists: true
+    remove_reference :payments, :person, foreign_key: true, if_exists: true
+
+    add_column :payments, :payer_id, :bigint unless column_exists?(:payments, :payer_id)
+    add_index :payments, [ :payer_type, :payer_id ], name: "index_payments_on_payer", if_not_exists: true
   end
 end

From 2acd1a1fe62f9cf85ee7d35c0537125e40418ac0 Mon Sep 17 00:00:00 2001
From: maebeale
Date: Fri, 5 Jun 2026 21:20:05 -0400
Subject: [PATCH 2/5] Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 ...0_change_payments_payer_to_person_organization.rb | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/db/migrate/20260530000000_change_payments_payer_to_person_organization.rb b/db/migrate/20260530000000_change_payments_payer_to_person_organization.rb
index 7b790e992..14f5a45ec 100644
--- a/db/migrate/20260530000000_change_payments_payer_to_person_organization.rb
+++ b/db/migrate/20260530000000_change_payments_payer_to_person_organization.rb
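Review bot: `down` restores only the schema, not the data: `remove_column :payments, :payer_id` in `up` discards the column's values, so after a rollback every `payer_id` is NULL while `payer_type`, which `up` never removes, still holds values, and the commit message's "idempotent rollback" should not be read as a data-preserving one. Add a comment above the `add_column` line in `down` such as `# Schema-only rollback: the payer_id values dropped by up are not recoverable.` Separately, `:bigint` and the `[:payer_type, :payer_id]` column list in `down` are assumptions this hunk cannot confirm — `up` drops the index by name only, and `organization_id` in the same method is declared `type: :integer`, so confirm both against the pre-migration schema before relying on the rollback.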
@@ -5,8 +5,16 @@ def up
 
     remove_column :payments, :payer_id, if_exists: true
 
-    add_reference :payments, :person, foreign_key: true unless column_exists?(:payments, :person_id)
-    add_reference :payments, :organization, type: :integer, foreign_key: true unless column_exists?(:payments, :organization_id)
+    unless column_exists?(:payments, :person_id)
+      add_column :payments, :person_id, :bigint
+    end
+    add_index :payments, :person_id, if_not_exists: true
+    add_foreign_key :payments, :people, column: :person_id unless foreign_key_exists?(:payments, :people, column: :person_id)
+    unless column_exists?(:payments, :organization_id)
+      add_column :payments, :organization_id, :integer
+    end
+    add_index :payments, :organization_id, if_not_exists: true
+    add_foreign_key :payments, :organizations, column: :organization_id unless foreign_key_exists?(:payments, :organizations, column: :organization_id)
   end
 
   def down

From 523fb8aebce6d47844453e70fe1e584a804ea5cd Mon Sep 17 00:00:00 2001
From: maebeale
Date: Fri, 5 Jun 2026 21:20:37 -0400
Subject: [PATCH 3/5] Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 ...0260530000000_change_payments_payer_to_person_organization.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/db/migrate/20260530000000_change_payments_payer_to_person_organization.rb b/db/migrate/20260530000000_change_payments_payer_to_person_organization.rb
index 14f5a45ec..8040e7ee6 100644
--- a/db/migrate/20260530000000_change_payments_payer_to_person_organization.rb
+++ b/db/migrate/20260530000000_change_payments_payer_to_person_organization.rb
@@ -23,5 +23,6 @@ def down
 
     add_column :payments, :payer_id, :bigint unless column_exists?(:payments, :payer_id)
     add_index :payments, [ :payer_type, :payer_id ], name: "index_payments_on_payer", if_not_exists: true
+    add_index :payments, [ :payer_type, :payer_id ], name: "index_payments_on_payer_type_and_payer_id", if_not_exists: true
   end
 end
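Review bot: The two five-line column/index/foreign-key sequences in `up` are identical apart from the name, target table and column type, and they mix the block form `unless column_exists? ... end` with the modifier form used on the `add_foreign_key` lines two lines below; a small private helper removes the duplication and keeps one guard style. The guards themselves look right: each step is skipped only when its own artifact already exists, so a run that died between `add_column` and `add_index` can be re-executed without manual repair. `down` appears here only as trailing context and continues outside the hunk.
```ruby
    add_guarded_reference :person, :people, :bigint
    add_guarded_reference :organization, :organizations, :integer
  end

  # … unchanged: down …

  private

  # Adds payments.<name>_id with its index and foreign key, skipping each step
  # whose artifact already exists so a partially applied run can be re-executed.
  def add_guarded_reference(name, table, type)
    column = :"#{name}_id"
    add_column :payments, column, type unless column_exists?(:payments, column)
    add_index :payments, column, if_not_exists: true
    add_foreign_key :payments, table, column: column unless foreign_key_exists?(:payments, table, column: column)
  end
```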
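Review bot: After the added line, `down` creates two indexes on the same column pair `[:payer_type, :payer_id]` under different names, which is redundant and is only a faithful rollback if both original indexes really covered those columns; `up` drops them by name only, so nothing on the page shows what they covered, and a name like `index_payments_on_payer` could equally belong to a single-column index. Check the pre-migration schema or the migration that created them and give each `add_index` its original column list, dropping the second call if the two were in fact identical. The enclosing `down` starts outside the hunk.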
From 476d9b2f53357fb00ea673b0d40028ab090027df Mon Sep 17 00:00:00 2001
From: maebeale
Date: Fri, 5 Jun 2026 21:24:32 -0400
Subject: [PATCH 4/5] Upgrade puma to 7.2.1 to fix PROXY protocol CVEs

Puma 6.6.1 is vulnerable to CVE-2026-47736 and CVE-2026-47737 (PROXY protocol v1 remote memory exhaustion and repeated-header acceptance), both rated High. The advisory's fix is `~> 7.2.1` or `>= 8.0.2`, so bump to the 7.2 line, which keeps us on a single major upgrade.

Co-Authored-By: Claude Opus 4.8
---
 Gemfile | 2 +-
 Gemfile.lock | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Gemfile b/Gemfile
index 17d52f070..7090d9c93 100644
--- a/Gemfile
+++ b/Gemfile
@@ -19,7 +19,7 @@ gem "devise", "~> 5.0.4"
 gem "draper"
 gem "aws-sdk-s3"
 
-gem "puma", "~> 6.0" # Add Puma as the web server
+gem "puma", "~> 7.2" # Add Puma as the web server
 
 gem "cocoon", "~> 1.2.6"
 
diff --git a/Gemfile.lock b/Gemfile.lock
index f8ee305bc..aa7e530b1 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -557,7 +557,7 @@ GEM
       date
       stringio
     public_suffix (7.0.2)
-    puma (6.6.1)
+    puma (7.2.1)
       nio4r (~> 2.0)
     raabro (1.4.0)
     racc (1.8.1)
@@ -818,7 +818,7 @@ DEPENDENCIES
   premailer-rails
   pry-coolline
   pry-rails
-  puma (~> 6.0)
+  puma (~> 7.2)
   rack-mini-profiler (~> 4.0)
   rails (~> 8.1.0)
   receipts (~> 2.4)
@@ -1047,7 +1047,7 @@ CHECKSUMS
   pry-rails (0.3.11) sha256=a69e28e24a34d75d1f60bcf241192a54253f8f7ef8a62cba1e75750a9653593d
   psych (5.3.1) sha256=eb7a57cef10c9d70173ff74e739d843ac3b2c019a003de48447b2963d81b1974
   public_suffix (7.0.2) sha256=9114090c8e4e7135c1fd0e7acfea33afaab38101884320c65aaa0ffb8e26a857
-  puma (6.6.1) sha256=b9b56e4a4ea75d1bfa6d9e1972ee2c9f43d0883f011826d914e8e37b3694ea1e
+  puma (7.2.1) sha256=d7bf0e9cabd532e0d401e142cd94e3ac531e993610e2d80e6fbf9c26961414b0
   raabro (1.4.0) sha256=d4fa9ff5172391edb92b242eed8be802d1934b1464061ae5e70d80962c5da882
   racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f
   rack (3.2.6) sha256=5ed78e1f73b2e25679bec7d45ee2d4483cc4146eb1be0264fc4d94cb5ef212c2

From 5b2a45270c11b554f5d16bc64839089799166ff2 Mon Sep 17 00:00:00 2001
From: maebeale
Date: Fri, 5 Jun 2026 21:31:11 -0400
Subject: [PATCH 5/5] Revert "Upgrade puma to 7.2.1 to fix PROXY protocol CVEs"

This reverts commit 476d9b2f53357fb00ea673b0d40028ab090027df.
---
 Gemfile | 2 +-
 Gemfile.lock | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Gemfile b/Gemfile
index 7090d9c93..17d52f070 100644
--- a/Gemfile
+++ b/Gemfile
@@ -19,7 +19,7 @@ gem "devise", "~> 5.0.4"
 gem "draper"
 gem "aws-sdk-s3"
 
-gem "puma", "~> 7.2" # Add Puma as the web server
+gem "puma", "~> 6.0" # Add Puma as the web server
 
 gem "cocoon", "~> 1.2.6"
 
diff --git a/Gemfile.lock b/Gemfile.lock
index aa7e530b1..f8ee305bc 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -557,7 +557,7 @@ GEM
       date
       stringio
     public_suffix (7.0.2)
-    puma (7.2.1)
+    puma (6.6.1)
       nio4r (~> 2.0)
     raabro (1.4.0)
     racc (1.8.1)
@@ -818,7 +818,7 @@ DEPENDENCIES
   premailer-rails
   pry-coolline
   pry-rails
-  puma (~> 7.2)
+  puma (~> 6.0)
   rack-mini-profiler (~> 4.0)
   rails (~> 8.1.0)
   receipts (~> 2.4)
@@ -1047,7 +1047,7 @@ CHECKSUMS
   pry-rails (0.3.11) sha256=a69e28e24a34d75d1f60bcf241192a54253f8f7ef8a62cba1e75750a9653593d
   psych (5.3.1) sha256=eb7a57cef10c9d70173ff74e739d843ac3b2c019a003de48447b2963d81b1974
   public_suffix (7.0.2) sha256=9114090c8e4e7135c1fd0e7acfea33afaab38101884320c65aaa0ffb8e26a857
-  puma (7.2.1) sha256=d7bf0e9cabd532e0d401e142cd94e3ac531e993610e2d80e6fbf9c26961414b0
+  puma (6.6.1) sha256=b9b56e4a4ea75d1bfa6d9e1972ee2c9f43d0883f011826d914e8e37b3694ea1e
   raabro (1.4.0) sha256=d4fa9ff5172391edb92b242eed8be802d1934b1464061ae5e70d80962c5da882
   racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f
   rack (3.2.6) sha256=5ed78e1f73b2e25679bec7d45ee2d4483cc4146eb1be0264fc4d94cb5ef212c2