Telegram bot "Волшебный шар" (Magic Ball) in Ruby
Bumps [actionpack](https://github.com/rails/rails) from 7.0.2.4 to 7.0.4.1.

<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/rails/rails/releases">actionpack's releases</a>.</em></p>
<blockquote>
<h2>v7.0.4.1</h2>
<p>This is a security release. More information is available in our security announcements forum: <a href="https://discuss.rubyonrails.org/c/security-announcements/9">https://discuss.rubyonrails.org/c/security-announcements/9</a></p>
<h2>Active Support</h2>
<ul>
<li>
<p>Avoid regex backtracking in Inflector.underscore</p>
<p>[CVE-2023-22796]</p>
</li>
</ul>
<h2>Active Model</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Active Record</h2>
<ul>
<li>
<p>Make sanitize_as_sql_comment more strict</p>
<p>Though this method was likely never meant to take user input, it was attempting sanitization. That sanitization could be bypassed with carefully crafted input.</p>
<p>This commit makes the sanitization more robust by replacing any occurrences of <code>/*</code> or <code>*/</code> with <code>/ *</code> or <code>* /</code>. It also performs a first pass to remove one surrounding comment to avoid compatibility issues for users relying on the existing removal.</p>
<p>This also clarifies in the documentation of annotate that it should not be provided user input.</p>
<p>[CVE-2023-22794]</p>
</li>
<li>
<p>Added integer width check to PostgreSQL::Quoting</p>
<p>Given a value outside the range for a 64-bit signed integer type, PostgreSQL will treat the column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan.</p>
<p>This behavior is configurable via ActiveRecord::Base.raise_int_wider_than_64bit, which defaults to true.</p>
<p>[CVE-2022-44566]</p>
</li>
</ul>
<h2>Action View</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>

<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/rails/rails/blob/v7.0.4.1/actionpack/CHANGELOG.md">actionpack's changelog</a>.</em></p>
<blockquote>
<h2>Rails 7.0.4.1 (January 17, 2023)</h2>
<ul>
<li>
<p>Fix sec issue with _url_host_allowed?</p>
<p>Disallow certain strings from <code>_url_host_allowed?</code> to avoid a redirect to malicious sites.</p>
<p>[CVE-2023-22797]</p>
</li>
<li>
<p>Avoid regex backtracking on If-None-Match header</p>
<p>[CVE-2023-22795]</p>
</li>
<li>
<p>Use string#split instead of regex for domain parts</p>
<p>[CVE-2023-22792]</p>
</li>
</ul>
<h2>Rails 7.0.4 (September 09, 2022)</h2>
<ul>
<li>
<p>Prevent <code>ActionDispatch::ServerTiming</code> from overwriting existing values in <code>Server-Timing</code>.</p>
<p>Previously, if another middleware down the chain set the <code>Server-Timing</code> header, it would be overwritten by <code>ActionDispatch::ServerTiming</code>.</p>
<p><em>Jakub Malinowski</em></p>
</li>
</ul>
<h2>Rails 7.0.3.1 (July 12, 2022)</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Rails 7.0.3 (May 09, 2022)</h2>
<ul>
<li>
<p>Allow relative redirects when <code>raise_on_open_redirects</code> is enabled.</p>
<p><em>Tom Hughes</em></p>
</li>
<li>
<p>Fix <code>authenticate_with_http_basic</code> to allow for a missing password.</p>
<p>Before Rails 7.0 it was possible to handle basic authentication with only a username.</p>
<pre lang="ruby"><code>authenticate_with_http_basic do |token, _|
  ApiClient.authenticate(token)
end
</code></pre>
<p>This ability is restored.</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>

<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/rails/rails/commit/23e0345fe900dfd7edd6e8e5a7a6bd54b2a7d2ed"><code>23e0345</code></a> Version 7.0.4.1</li>
<li><a href="https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f"><code>8d82687</code></a> Avoid regex backtracking on If-None-Match header</li>
<li><a href="https://github.com/rails/rails/commit/cd46b0e46962013fbf93d5b1f12b2f22e57d49eb"><code>cd46b0e</code></a> Use string#split instead of regex for domain parts</li>
<li><a href="https://github.com/rails/rails/commit/e50e26d7a9f4a1e4fb5ef2538c30b2b5cc81bd92"><code>e50e26d</code></a> Fix sec issue with _url_host_allowed?</li>
<li><a href="https://github.com/rails/rails/commit/8015c2c2cf5c8718449677570f372ceb01318a32"><code>8015c2c</code></a> Version 7.0.4</li>
<li><a href="https://github.com/rails/rails/commit/f3c345edb1a9e13e66d7fb204ba637abc6e7afb7"><code>f3c345e</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/rails/rails/issues/45964">#45964</a> from jhawthorn/server_timing_safety</li>
<li><a href="https://github.com/rails/rails/commit/4d25c645aa178486790c806015f72b03b6015ba1"><code>4d25c64</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/rails/rails/issues/45221">#45221</a> from jhawthorn/ac_params_eql_fix</li>
<li><a href="https://github.com/rails/rails/commit/47cff401f91676e3d2ae4c36d697f0ada3b65417"><code>47cff40</code></a> Format inline code [ci-skip]</li>
<li><a href="https://github.com/rails/rails/commit/c5a407d03d96606cdcd4bbeffab8ab654c35feb0"><code>c5a407d</code></a> Linkify code references [ci-skip]</li>
<li><a href="https://github.com/rails/rails/commit/e874cf598a8acabf42e1b2dd97229e2f399a0e59"><code>e874cf5</code></a> Fix typos [ci-skip]</li>
<li>Additional commits viewable in <a href="https://github.com/rails/rails/compare/v7.0.2.4...v7.0.4.1">compare view</a></li>
</ul>
</details>
<br />

[Dependabot compatibility score](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/sas2job/magic_ball_tg_bot/network/alerts).

</details>

> **Note**
> Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
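The two Active Record hardenings quoted in the release notes above (breaking `/*` and `*/` delimiters inside SQL comment annotations after stripping one enclosing comment, and refusing integers wider than a signed 64-bit value) are easy to miss in a changelog. The following is an added, stand-alone re-implementation of the described behaviour for illustration; it is not Rails' own code, and the method names `sanitize_sql_comment`, `annotate_sql`, `quote_int64` and the `IntegerWiderThan64Bit` error class are this example's own choices.

```ruby
# Added example (not Rails' own code): a minimal re-implementation of the two
# Active Record hardenings described in the 7.0.4.1 release notes. Method and
# constant names are this example's own.

INT64_MIN = -(2**63)
INT64_MAX = 2**63 - 1

# Raised when an integer would not fit PostgreSQL's bigint; mirrors the
# behaviour the notes attribute to raise_int_wider_than_64bit = true.
class IntegerWiderThan64Bit < StandardError; end

# Sanitises text destined for a SQL comment.
# First pass: strip exactly one enclosing /* ... */ pair, for callers that
# already wrapped their annotation (the compatibility step the notes mention).
# Second pass: break every remaining delimiter so the text can neither close
# the comment it is embedded in nor open a new one.
def sanitize_sql_comment(value)
  comment = value.to_s.strip
  if (enclosing = %r{\A/\*(.*)\*/\z}m.match(comment))
    comment = enclosing[1].strip
  end
  comment.gsub("/*", "/ *").gsub("*/", "* /")
end

# Appends an annotation comment to a statement using the sanitizer above.
def annotate_sql(sql, annotation)
  "#{sql} /* #{sanitize_sql_comment(annotation)} */"
end

# Quotes an integer for a bigint comparison, refusing values outside the
# signed 64-bit range instead of letting the database fall back to numeric
# (which the notes describe as causing a slow sequential scan).
def quote_int64(value)
  n = Integer(value)
  unless n.between?(INT64_MIN, INT64_MAX)
    raise IntegerWiderThan64Bit, "#{n} does not fit a signed 64-bit integer"
  end
  n.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample annotations and ids, not taken from the page.
  puts annotate_sql("SELECT 1", "app:orders")
  puts annotate_sql("SELECT 1", "/* wrapped */")
  puts annotate_sql("SELECT 1", "report */ trailing /* text")
  puts quote_int64(INT64_MAX)
  begin
    quote_int64(INT64_MAX + 1)
  rescue IntegerWiderThan64Bit => e
    puts "rejected: #{e.message}"
  end
end
```

The sanitizer is a defence in depth only: as the notes say, `annotate` should not be fed user input in the first place, and the integer check belongs at the query-building layer so that an out-of-range id is rejected before it reaches PostgreSQL.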
This automated dependency-update pull request was opened by dependabot[bot] and has received 0 comments.