Apply Ruby and Rails patches

[orien]

Changes

• Bump Rails from 6.1.5.1 to 6.1.6.1: A new Rails release which resolves CVE-2022-32224
• Bump Ruby from 2.7.5 to 2.7.6: A new Ruby release which resolves CVE-2022-28739
• Add Linux x86_64 platform: Avoids compiling Nokogiri when building on this platform.
• Bump diffy from 3.2.0 to 3.4.2: Resolve CVE-2022-33127

[grosser]

thanks!
confirmed this at least boots/is deployable 🤞

[orien]

Thanks

Looks like there are a couple more security issues:

Name: diffy
Version: 3.2.0
CVE: CVE-2022-33127
GHSA: GHSA-5ww9-9qp2-x524
Criticality: Critical
URL: https://github.com/samg/diffy/commit/478f392082b66d38f54a02b4bb9c41be32fd6593
Title: Improper handling of double quotes in file name in Diffy in Windows environment
Solution: upgrade to >= 3.4.1

Name: octokit
Version: 4.18.0
CVE: CVE-2022-31072
GHSA: GHSA-g28x-pgr3-qqx6
Criticality: Low
URL: https://github.com/octokit/octokit.rb/security/advisories/GHSA-g28x-pgr3-qqx6
Title: Octokit gem published with world-writable files
Solution: upgrade to >= 4.25.0

Ok for me to add patches for these in this PR?

[grosser]

feel free to add as many patches as you like as long as they are low-risk, but I'd recommend hunting down these test-bugs first before adding more :)

Psych::DisallowedClass: Tried to load unspecified class: ActiveSupport::TimeWithZone
Psych::DisallowedClass: Tried to load unspecified class: BigDecimal

[grosser]

# https://github.com/collectiveidea/audited/issues/631
# List of classes deemed safe to load by YAML, and required by the Audited
# gem when deserialized audit records.
# As of Rails 6.0.5.1, YAML safe-loading method does not allow all classes
# to be deserialized by default: https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
Rails.application.config.active_record.yaml_column_permitted_classes = [
  ActiveSupport::TimeWithZone,
  ActiveSupport::TimeZone,
  Date,
  Time,
  ActiveSupport::HashWithIndifferentAccess,
  BigDecimal
]

[orien]

I see there's an octokit monkey patch in this project, upgrading the octokit gem will take a bit of work. It's probably best for someone with more familiarity with the project than me to attempt it.

[grosser]

does octokit need the update ?

[grosser]

ahh

Name: octokit
Version: 4.[18](https://github.com/zendesk/samson/runs/7336090878?check_suite_focus=true#step:7:19).0
CVE: CVE-2022-31072

[grosser]

taking care of octokit here #4022