use safe_yaml
Includes the safe_yaml gem, which by default replaces YAML.load and friends with a
"safe" version that does not instantiate arbitrary objects.
DelayedJobs was modified to use unsafe_load, as it relies on deserializing
ruby objects.
The biggest impact is with serialized columns - many of those store
non-simple data types. Most commonly HashWithIndifferentAccess, but
there are a few others as well. Our version of the safe_yaml gem allows
for whitelisting certain classes.
The I18nExtraction::SafeYAML class was also removed, as it's no longer
needed. The extraction task was updated to call YAML.safe_load to be
explicit.
Currently, Gemfile is pointing to the Instructure fork of the safe_yaml
gem on github. This needs to be released as a gem.
Closes CNVS-3784
test plan: If any serialized YAML columns contain a class that we missed
in our whitelist, then that column will fail to deserialize and the
model will behave incorrectly. It's difficult to say what exactly should
be tested, as all the classes should be whitelisted. A general
regression test on migrations, course copy, scribd, and quizzes would
cover most of it.
Change-Id: I3e1a95e101ada3a1b2366ff1ca70db6d17742cce
Reviewed-on: https://gerrit.instructure.com/17404
Reviewed-by: Jon Jensen <jon@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jacob Fugal <jacob@instructure.com>
QA-Review: Clare Hetherington <clare@instructure.com>
2013-02-03 18:36:30 +08:00
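source 'https://rubygems.org/'

# Canvas is supported on Ruby 1.9.3 only. The check is skipped under
# RAILS_ENV=test. Versions are compared with Gem::Version rather than as
# plain Strings: a lexical compare orders "1.10.x" before "1.9.3" and
# treats "2.0" and "2.0.0" inconsistently, whereas Gem::Version compares
# segment by segment. The message is unchanged so existing tooling that
# looks for it still matches.
ruby_version = Gem::Version.new(RUBY_VERSION)
if ENV['RAILS_ENV'] != 'test' &&
   (ruby_version < Gem::Version.new('1.9.3') || ruby_version >= Gem::Version.new('2.0'))
  raise "Canvas requires Ruby 1.9.3"
end

# Loaded before any `gem` call: the branches below select between the
# Rails 2.3 LTS and Rails 3 dependency sets using CANVAS_RAILS3, which is
# expected to be defined by this file.
require File.expand_path("../config/canvas_rails3", __FILE__)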
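if CANVAS_RAILS3
  # 3.0.20 is transitional, we will be on 3.2.x before support is complete
  # that's also why some gems below have to be downgraded, 3.0.20 relies on old versions of some gems
  # just to be clear, Canvas is NOT READY to run under Rails 3 in production
  gem 'rails', '3.0.20'
  gem 'authlogic', '3.2.0'
else
  # If you have a license to rails lts, you can create a vendor/plugins/*/RAILS_LTS file
  # containing the Gemfile `gem` command to use (pointing to the private repo with your
  # username/password). Despite the commit-message wording, that file is evaluated as
  # Ruby below, not parsed as YAML. Because it carries credentials, keep it out of
  # version control.
  # Otherwise, the free community version of rails lts will be used.
  lts_file = Dir.glob(File.expand_path("../vendor/plugins/*/RAILS_LTS", __FILE__)).first
  if lts_file
    # Evaluated in this Gemfile's own binding so its `gem` call lands here.
    # Passing the path as the file name makes syntax errors and backtraces
    # point at the RAILS_LTS file instead of "(eval)". Anything under
    # vendor/plugins already runs with full application privileges, so this
    # grants no trust the plugin mechanism does not already grant.
    eval(File.read(lts_file), binding, lts_file)
  else
    # Pinned to a full commit SHA, so the git source resolves to the same
    # tree on every install regardless of what the branch later points at.
    gem 'rails', :git => 'https://github.com/makandra/rails.git', :branch => '2-3-lts', :ref => 'e86daf8ff727d5efc0040c876ba00c9444a5d915'
  end
  gem 'authlogic', '2.1.3'
end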
gem "aws-sdk", '1.8.3.1'
|
|
|
|
gem 'barby', '0.5.0'
|
|
|
|
gem 'bcrypt-ruby', '3.0.1'
|
|
|
|
gem 'builder', '2.1.2'
|
2013-03-21 04:30:20 +08:00
|
|
|
if !CANVAS_RAILS3
|
2013-10-07 23:17:08 +08:00
|
|
|
gem 'canvas_connect', '0.2'
|
2013-03-21 04:30:20 +08:00
|
|
|
end
|
2013-09-20 05:55:34 +08:00
|
|
|
gem 'daemons', '1.1.0'
|
|
|
|
gem 'diff-lcs', '1.1.3', :require => 'diff/lcs'
|
2013-03-21 04:30:20 +08:00
|
|
|
if !CANVAS_RAILS3
|
2013-04-26 07:06:20 +08:00
|
|
|
gem 'encrypted_cookie_store-instructure', '1.0.4', :require => 'encrypted_cookie_store'
|
2013-03-21 04:30:20 +08:00
|
|
|
end
|
2013-09-20 05:55:34 +08:00
|
|
|
gem 'erubis', CANVAS_RAILS3 ? '2.6.6' : '2.7.0'
|
2013-03-21 04:30:20 +08:00
|
|
|
if !CANVAS_RAILS3
|
2013-09-20 05:55:34 +08:00
|
|
|
gem 'fake_arel', '1.0.0'
|
2013-03-21 04:30:20 +08:00
|
|
|
end
|
2013-08-13 03:35:03 +08:00
|
|
|
gem 'fake_rails3_routes', '1.0.4'
|
2013-09-20 05:55:34 +08:00
|
|
|
gem 'ffi', '1.1.5'
|
|
|
|
gem 'hairtrigger', '0.2.3'
|
|
|
|
gem 'sass', '3.2.3'
|
|
|
|
gem 'hashery', '1.3.0', :require => 'hashery/dictionary'
|
|
|
|
gem 'highline', '1.6.1'
|
|
|
|
gem 'i18n', CANVAS_RAILS3 ? '0.5.0' : '0.6.0'
|
2013-06-19 00:13:38 +08:00
|
|
|
if !CANVAS_RAILS3
|
2013-09-20 05:55:34 +08:00
|
|
|
gem 'i18nema', '0.0.7'
|
2013-06-19 00:13:38 +08:00
|
|
|
end
|
2013-09-20 05:55:34 +08:00
|
|
|
gem 'icalendar', '1.1.5'
|
|
|
|
gem 'jammit', '0.6.6'
|
|
|
|
gem 'json', '1.8.0'
|
2011-02-01 09:57:29 +08:00
|
|
|
# native xml parsing, diigo
|
2013-09-20 05:55:34 +08:00
|
|
|
gem 'libxml-ruby', '2.6.0', :require => 'xml/libxml'
|
|
|
|
gem 'macaddr', '1.0.0' # macaddr 1.2.0 tries to require 'systemu' which isn't a dependency
|
2013-04-19 23:54:35 +08:00
|
|
|
gem 'mail', CANVAS_RAILS3 ? '2.2.19' : '2.5.3'
|
2013-04-09 04:23:01 +08:00
|
|
|
# using this forked gem until https://github.com/37signals/marginalia/pull/15 is in the source gem
|
2013-09-20 05:55:34 +08:00
|
|
|
gem 'instructure-marginalia', '1.1.3', :require => false
|
|
|
|
gem 'mime-types', '1.17.2', :require => 'mime/types'
|
2011-02-01 09:57:29 +08:00
|
|
|
# attachment_fu (even the current technoweenie one on github) does not work
|
|
|
|
# with mini_magick 3.1
|
2013-09-20 05:55:34 +08:00
|
|
|
gem 'mini_magick', '1.3.2'
|
|
|
|
gem 'netaddr', '1.5.0'
|
|
|
|
gem 'nokogiri', '1.5.6'
|
2013-03-22 07:32:21 +08:00
|
|
|
# oauth gem, with rails3 fixes rolled in
|
|
|
|
gem 'oauth-instructure', '0.4.9', :require => 'oauth'
|
2013-09-20 05:55:34 +08:00
|
|
|
gem 'rack', CANVAS_RAILS3 ? '1.2.5' : '1.1.3'
|
|
|
|
gem 'rake', '10.1.0'
|
|
|
|
gem 'rdoc', '3.12'
|
2011-09-30 05:47:49 +08:00
|
|
|
gem 'ratom-instructure', '0.6.9', :require => "atom" # custom gem until necessary changes are merged into mainstream
|
2013-09-20 05:55:34 +08:00
|
|
|
gem 'rdiscount', '1.6.8'
|
|
|
|
gem 'ritex', '1.0.1'
|
2013-06-15 01:09:41 +08:00
|
|
|
if CANVAS_RAILS3
|
|
|
|
gem 'routing_concerns', '0.1.0'
|
|
|
|
end
|
2013-09-20 05:55:34 +08:00
|
|
|
gem 'rotp', '1.4.1'
|
|
|
|
gem 'rqrcode', '0.4.2'
|
|
|
|
gem 'rscribd', '1.2.0'
|
|
|
|
gem 'net-ldap', '0.3.1', :require => 'net/ldap'
|
|
|
|
gem 'ruby-saml-mod', '0.1.22'
|
2011-04-08 07:01:32 +08:00
|
|
|
gem 'rubycas-client', '2.2.1'
|
2013-09-20 05:55:34 +08:00
|
|
|
gem 'rubyzip', '0.9.5', :require => 'zip/zip'
|
|
|
|
gem 'safe_yaml-instructure', '0.8.0', :require => false
|
|
|
|
gem 'sanitize', '2.0.3'
|
2013-10-01 04:47:48 +08:00
|
|
|
gem 'shackles', '1.0.1'
|
2013-09-20 05:55:34 +08:00
|
|
|
gem 'tzinfo', '0.3.35'
|
|
|
|
gem 'useragent', '0.4.16'
|
|
|
|
gem 'uuid', '2.3.2'
|
|
|
|
gem 'will_paginate', '2.3.15'
|
|
|
|
gem 'xml-simple', '1.0.12', :require => 'xmlsimple'
|
|
|
|
gem 'foreigner', '0.9.2'
|
|
|
|
gem 'crocodoc-ruby', '0.0.1', :require => 'crocodoc'
|
2013-09-05 00:42:21 +08:00
|
|
|
# needs https://github.com/regru/premailer/commit/8d3ae698eff135011b19e1587a68c399ec97b185
|
|
|
|
# we can go back to the gem once 1.7.8 is released
|
|
|
|
gem 'regru-premailer', :require => 'premailer', :git => "https://github.com/regru/premailer.git", :ref => "08a73c70701f5d81bc4a5cf6c959a45ad94db88e"
group :assets do
Fully adopt Bootstrap & update css to work with it, closes: #CNVS-1344
this commit does the following:
* upgrade bootstrap-sass gem to most recent version
* switches to using bootstrap's normalize.css and forms.css
which fixes a whole bunch of misformatting of how bootstrap
stuff is supposed to look, but changing those 2 affects
a lot of our old stylesheets.
* gets rid of unified_buttons.sass and just uses bootstrap's buttons.
.ui-button @extends these because we still have to support .ui-button
for modals & buttonsets. but .button is no longer supported.
* a lot of css file reorganization (there's no more 'blue' and
'normal canvas', there's just canvas)
* a bunch of files had to be tweaked to look good with these changes.
test plan:
This change touches every page in canvas so, no kidding, we need to make
sure every page looks OK. In order to do that:
1. each sprint team needs to give a +1 after they make sure all the
pages in the features they own look good.
2. the QA person on each team needs to look at the pages for their
teams features for a QA +1
things to look for specifically when testing:
* buttons: this gets rid of all those red 'cancel' links
that are actually buttons, make sure all the buttons you see
look right. if you see 2 plain gray buttons next to each other
like [Save] [Cancel], we should make the primary one blue (by
adding the .btn-primary class)
* Forms: a lot of this change has to do with how form elements look,
especially <select>s, <input>s and <label>s. look at the diffs
for the ones that have the most changes and make sure those look
good, but also check for the ones I missed and make sure those
look good too.
* and just random style changes, if something looks ugly or broken
(and it didn't before), we should fix that.
Also:
just use a link instead of a drop-menu for adding event from sidebar
we used to have a drop down menu for adding events
to cal2 from the sidebar where you'd hit a cog
and it'd ask you if you wanted to add an event or
an assignment. this just simplifies it to an add
icon.
this: http://cl.ly/image/133a2A3q3q1M
instead of: http://cl.ly/image/46463o2s3W0g
Change-Id: I384fe273934bca96bf28423afb1402c7792d8766
Reviewed-on: https://gerrit.instructure.com/15422
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Ryan Florence <ryanf@instructure.com>
QA-Review: Ryan Florence <ryanf@instructure.com>
2012-12-21 14:46:28 +08:00
# Stylesheet build tooling for the :assets group (the enclosing `group`
# block opens above). Pinned exactly, like the rest of this Gemfile, so
# that compiled CSS is the same on every machine.
gem 'compass-rails', '1.0.3'
gem 'dress_code', '1.0.2'
end
# One Bundler group per database adapter, so a deployment can install only
# the driver for the adapter it actually configures and skip the others.
group(:mysql)    { gem 'mysql2', '0.2.18' }
group(:postgres) { gem 'pg', '0.15.0' }
group(:sqlite)   { gem 'sqlite3-ruby', '1.3.2' }
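group :test do
  # COVERAGE=1 turns on simplecov. `ENV['COVERAGE'] == "1"` is already false
  # when the variable is unset, so the former separate nil check was redundant.
  gem 'simplecov', '0.7.1' if ENV['COVERAGE'] == "1" # for coverage reporting
  gem 'bluecloth', '2.0.10' # for generating api docs
  # Git source with no :ref, so the revision is fixed only by Gemfile.lock;
  # adding :ref => '<commit sha>' would make it reproducible without the
  # lockfile. Fetched over https rather than git://, which authenticates
  # the server -- git:// carries no transport authentication at all.
  gem 'mocha', :git => 'https://github.com/ccutrer/mocha.git', :require => false
  gem 'parallelized_specs', '0.4.64'
  gem 'thin', '1.5.1'
  # rspec 1.x for Rails 2.3, rspec 2.x for Rails 3 (see CANVAS_RAILS3 above).
  if CANVAS_RAILS3
    gem 'rspec-rails', '2.13.0'
  else
    gem 'rspec', '1.3.2'
    gem 'rspec-rails', '1.3.4'
  end
  gem 'selenium-webdriver', '2.35.0'
  gem 'webrat', '0.7.3'
  gem 'yard', '0.8.0'
  gem 'yard-appendix', '>=0.1.8' # open-ended; the resolved version is held by Gemfile.lock
  gem 'timecop', '0.6.3'
  gem 'test-unit', '1.2.3'
end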
group :development do
  gem 'guard', '1.8.0'
  gem 'listen', '~>1.3' # pinned to fix guard error
  # Platform-specific filesystem-event backends used by listen/guard; not
  # auto-required because only the one matching the host OS can load.
  gem 'rb-inotify', '~>0.9.0', :require => false
  gem 'rb-fsevent', :require => false
  gem 'rb-fchange', :require => false

  # Setting DISABLE_RUBY_DEBUGGING is helpful for IDE-based debugging:
  # the ruby debug gems conflict with the IDE-based debugger gem.
  # Set this variable in your dev environment to disable them.
  unless ENV['DISABLE_RUBY_DEBUGGING']
    gem 'debugger', '1.5.0'
  end
end
group :development, :test do
  # coffee-script itself is unpinned here (Gemfile.lock holds the resolved
  # version); the compiler source below is what determines the output.
  gem 'coffee-script'
  gem 'coffee-script-source', '1.6.2' # pinned so everyone's compiled output matches
  gem 'execjs', '1.4.0'
  gem 'parallel', '0.5.16'
end
# Tooling for the translation-extraction tasks (parsing Ruby source and
# writing YAML); the "use safe_yaml" commit message above notes that the
# extraction task reads YAML with YAML.safe_load.
group :i18n_tools do
  gem 'ruby_parser', '3.1.3'
  gem 'sexp_processor', '4.2.1'
  gem 'ya2yaml', '0.30'
end
group :redis do
# Redis client and cache-store adapter for the :redis group (the enclosing
# `group` block opens above). The store is an Instructure-versioned build
# of redis-store, required under the upstream name.
gem 'instructure-redis-store', '1.0.0.2.instructure1', :require => 'redis-store'
gem 'redis', '3.0.1'
user request throttling
Define the cost of a request as (user cpu + time spent in db queries),
then store that using a leaky bucket algorithm in redis. The algorithm
is slightly modified from a normal leaky bucket, see the comments in the
code.
The parameters (maximum, hwm, outflow) are configurable Settings.
Because this code path is hit on every request, I've tried to keep the
added latency to a minimum.
Uses lua scripting in redis to avoid the latency of an extra round trip
(two round trips with lua, one at the beginning of the request and one
at the end, vs at least three without lua).
closes CNVS-7008
test plan:
* Given the default params, you're not going to ever hit the throttling
limit without making multiple requests in parallel. Normally local dev
environments won't process parallel requests, so you'll want to tweak
the config params.
* Setting.set('request_throttle.hwm', '2')
* Setting.set('request_throttle.outflow', '0.1')
* Make canvas http requests as a logged in user, and verify that after a
few requests in quick succession, you get a 403 response. After
waiting a second for your bucket to fall back below the threshold, you
can make requests again.
* Do the same using the api and sending your access token in the query
string or http auth header.
* This should work correctly with a clustered redis as well.
* If possible it'd be good to test parallel requests as well. The code
should handle this correctly and combine the cost of the parallel
requests, rather than stomping on the values.
Change-Id: I1fdfd4e009d81bd6525bcf45a93437f4c395f129
Reviewed-on: https://gerrit.instructure.com/24256
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jacob Fugal <jacob@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Product-Review: Brian Palmer <brianp@instructure.com>
2013-08-21 23:03:42 +08:00
# Lua scripting support for redis; introduced for the request throttle
# (see the "user request throttling" commit message directly above).
gem 'redis-scripting', '1.0.1'
end
# Optional integrations, each in its own Bundler group so a deployment that
# does not use the service can leave the driver uninstalled.
group :cassandra do
  gem 'cassandra-cql', '1.1.5'
end

group :embedly do
  gem 'embedly', '1.5.5'
end

group :statsd do
  gem 'statsd-ruby', '1.0.0', :require => 'statsd'
end

group :icu do
  gem 'ffi-icu', '0.1.2'
end
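# Non-standard Canvas extension to Bundler behavior -- load the Gemfiles from
# plugins.
#
# Each vendor/plugins/*/Gemfile is evaluated as Ruby in this Gemfile's own
# binding, so a plugin can contribute its own `gem` declarations. This is the
# same trust already extended to plugin code at runtime; it is not a boundary
# against an untrusted plugin. The path is passed to eval so that a syntax
# error or backtrace in a plugin Gemfile names that file instead of "(eval)".
Dir[File.join(File.dirname(__FILE__), 'vendor/plugins/*/Gemfile')].each do |g|
  eval(File.read(g), binding, g)
end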