[Security] Bump rack-cors from 0.4.1 to 1.0.6 (#3199)

* [Security] Bump rack-cors from 0.4.1 to 1.0.6 Bumps [rack-cors](https://github.com/cyu/rack-cors) from 0.4.1 to 1.0.6. **This update includes a security fix.** - [Release notes](https://github.com/cyu/rack-cors/releases) - [Changelog](https://github.com/cyu/rack-cors/blob/master/CHANGELOG.md) - [Commits](cyu/rack-cors@v0.4.1...v1.0.6) Signed-off-by: dependabot-preview[bot] <[email protected]> * security update to fix spec to not reflect origin header https://github.com/cyu/rack-cors/blob/master/CHANGELOG.md#security-1 cyu/rack-cors#126
zooniverse · Nov 20, 2019 · e179e7b · e179e7b
1 parent f24ee09
commit e179e7b
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 7 deletions.
diff --git a/Gemfile b/Gemfile
@@ -37,7 +37,7 @@ gem 'pg', '~> 0.21'
 gem 'pg_search'
 gem 'puma', '~> 3.12.1'
 gem 'pundit', '~> 1.1.0'
-gem 'rack-cors', '~> 0.4', require: 'rack/cors'
+gem 'rack-cors', '~> 1.0', require: 'rack/cors'
 gem 'rails', '~> 4.2.11'
 gem 'ranked-model', '~> 0.4.1'
 gem 'restpack_serializer', github: "zooniverse/restpack_serializer", branch: "rails5" # REST API

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -300,7 +300,8 @@ GEM
     pundit (1.1.0)
       activesupport (>= 3.0.0)
     rack (1.6.11)
-    rack-cors (0.4.1)
+    rack-cors (1.0.6)
+      rack (>= 1.6.0)
     rack-protection (2.0.5)
       rack
     rack-test (0.6.3)
@@ -515,7 +516,7 @@ DEPENDENCIES
   pry-stack_explorer
   puma (~> 3.12.1)
   pundit (~> 1.1.0)
-  rack-cors (~> 0.4)
+  rack-cors (~> 1.0)
   rails (~> 4.2.11)
   ranked-model (~> 0.4.1)
   restpack_serializer!

diff --git a/spec/requests/v1/api_cors_headers_spec.rb b/spec/requests/v1/api_cors_headers_spec.rb
@@ -2,7 +2,7 @@
 
 shared_examples 'cors headers' do
   it 'should have Access-Control-Allow-Origin header' do
-    expect(response.headers).to include('Access-Control-Allow-Origin' => 'example.com')
+    expect(response.headers).to include('Access-Control-Allow-Origin' => '*')
   end
 
   it 'should have Access-Control-Expose-Headers header' do
@@ -26,11 +26,17 @@
   include APIRequestHelpers
 
   let(:user) { create(:user) }
+  let(:request_headers) do
+    {
+      'HTTP_ACCEPT' => 'application/vnd.api+json; version=1',
+      'HTTP_ORIGIN' => 'example.com'
+    }
+  end
 
   describe "non-error requests" do
     before(:each) do
       allow_any_instance_of(Api::ApiController).to receive(:doorkeeper_token).and_return(token(["public", "user"], user.id))
-      get "/api/users/#{user.id}", nil, { "HTTP_ACCEPT" => "application/vnd.api+json; version=1", "HTTP_ORIGIN" => "example.com" }
+      get "/api/users/#{user.id}", nil, request_headers
     end
 
     it { expect(response).to have_http_status(:ok) }
@@ -41,7 +47,7 @@
   describe "4xx erro requests" do
     context "401 request" do
       before(:each) do
-        delete "/api/users/#{user.id}", nil, { "HTTP_ACCEPT" => "application/vnd.api+json; version=1", "HTTP_ORIGIN" => "example.com" }
+        delete "/api/users/#{user.id}", nil, request_headers
       end
 
       it { expect(response).to have_http_status(:unauthorized) }
@@ -52,7 +58,7 @@
     context "404 request" do
       before(:each) do
         allow_any_instance_of(Api::ApiController).to receive(:doorkeeper_token).and_return(token(["public", "user"], user.id))
-        get "/api/users/asdfasdf", nil, { "HTTP_ACCEPT" => "application/vnd.api+json; version=1", "HTTP_ORIGIN" => "example.com" }
+        get '/api/users/asdfasdf', nil, request_headers
       end
 
       it { expect(response).to have_http_status(:not_found) }