Commit Graph

136 Commits

Author SHA1 Message Date
Stanko K.R. 73c2b00211 Rever to using Ssrf instead of SSRF
Ref: https://github.com/basecamp/fizzy/pull/1967#discussion_r2593750027
2025-12-06 11:04:55 +01:00
Jeremy Daer af14feb8fc CSP gives env config precedence (#1976)
Bit clearer, and simpler config wrangling: presence of ENV → use it.
2025-12-05 20:49:41 -08:00
Jeremy Daer ab5964a375 Tune CSP: allow required external sources and user tools (#1977)
External sources:
- challenges.cloudflare.com for Turnstile (script-src, frame-src)
- storage.basecamp.com for Active Storage (connect-src)

User tools: loosen style/img/font/media/worker-src to avoid fighting
accessibility extensions, privacy tools, and custom fonts.
2025-12-05 20:45:48 -08:00
Jeremy Daer 345f457513 Tune CSP for user extensions and close implicit-allow gaps (#1974)
Loosen font-src and add media-src to allow browser extensions like
accessibility fonts (OpenDyslexic) and user style managers to work
without CSP violations.

Add default-src and connect-src directives to close security gaps where
unspecified directives were implicitly allowing all sources.
2025-12-05 16:57:03 -08:00
Jeremy Daer 6006491ab4 Content Security Policy (#1964)
Default to a very narrow policy since there are no CDNs or third-party
resources to contend with.

Configurable via:
- config.x.content_security_policy.* for fizzy-saas gem overrides
- DISABLE_CSP to skip entirely
- CSP_REPORT_ONLY to enable report-only mode
- CSP_REPORT_URI for violation reporting
2025-12-05 14:57:50 -08:00
Stanko K.R. cd3751f4c1 Fix Resolv::DNS always returning no results 2025-12-05 20:09:39 +01:00
Donal McBreen 13db384648 Auto default for UUID primary keys
Patch load_schmema! to set the default value for UUID primary keys. This
removes the need to patch ApplicationRecord + Rails models individually.

It also means we no longer need to patch the default in for the integer
primary key in Search::Record::SQLite.
2025-12-03 14:27:52 +00:00
David Heinemeier Hansson 28371e10c8 Turn off the help notice 2025-12-01 16:25:23 +01:00
Jorge Manrubia 3480e2d6db Handle size in binary columns
In the cable schema we use:

```
    t.binary "payload", size: :long, null: false
```

This will fail when resetting the db otherwise with an error due to the unexpected size property.
2025-12-01 13:32:54 +01:00
Jorge Manrubia 6ccf655597 Move yabeda/prometheus stuff to the gem 2025-11-28 15:53:58 +01:00
Jorge Manrubia 3b0ddf4cfb Move sentry to engine 2025-11-28 15:53:58 +01:00
Jorge Manrubia 96caeacb03 Move to ENV (kamal secrets) 2025-11-28 15:53:58 +01:00
Jorge Manrubia 1083f715a8 This was moved to the gem already by Mike 2025-11-28 15:53:58 +01:00
Jorge Manrubia af42ce43d4 Remove vapid keys in development 2025-11-28 15:53:58 +01:00
Jorge Manrubia 8baf5b8abd Make mission control only accessible for staff members 2025-11-28 15:53:58 +01:00
Jorge Manrubia e1e9a01720 Make open source the default, and check for sass instead 2025-11-28 15:53:48 +01:00
Donal McBreen c4498212dc Merge branch 'main' into sqlite
* main: (116 commits)
  Ensure avatar thumbnails are square
  Update useragent to recognize twitterbot/facebot
  Add defensive styles for non-square avatar images
  Update test for copy changes
  Missed commit
  AI: standardize on https://agents.md
  Make it clear this is just notifications, not comprehensive activity
  AI: configure MCP servers for Chrome, Grafana, and Sentry (#1727)
  Allow requests from Google Image Proxy
  Update to basecamp's useragent fork
  Clean up a little bit the CSRF reporting code
  Claude: production observability guidance (#1725)
  Prevent autoscroll to the root columns container to prevent jump on page load
  Include full name string so you can type your name to filter
  Prioritize current user and assigned users in assignment dropdown
  Check and report on Sec-Fetch-Site header for forgery protection
  bundle update
  Bump bootsnap from 1.18.6 to 1.19.0
  Bump rails from `077c3ad` to `17f6e00`
  Fix cards getting stuck in edit mode
  ...
2025-11-26 10:07:41 +00:00
Donal McBreen b839340cf2 Tidy up modules and on_load points 2025-11-26 10:02:32 +00:00
Donal McBreen 9c86205510 Enforce SQLite column limits via CHECK constraints
Patch the sqlite adapter to add CHECK constraints for string and text
column limits. We'll do them inline, so that any column changes
automatically update the constraints.
2025-11-26 09:50:29 +00:00
Donal McBreen 97bcdf1853 Enforce column limits via concern
SQLite columns lengths are purely informational, so we'll enforce the
limits via a concern that checks the lengths from the schema.
2025-11-25 15:32:34 +00:00
Donal McBreen 67f648f356 Enforce MySQL string/text limits in SQLite
To ensure consistent column lengths, we'll add limits to string and text
columns which match MySQL defaults.
2025-11-25 14:50:40 +00:00
Kevin McConnell b238a5b45b Don't report ConcurrentMigrationError to Sentry 2025-11-25 13:24:07 +00:00
Mike Dalessio 9f117159a6 Restore structured logging of queenbee_id
and clean up some other small remaining "plan b" to-dos.
2025-11-24 15:50:45 -05:00
Kevin McConnell bd259f7795 Add optimistic pausing to avoid stale reads
Instead of writer pinning, we'll track the last transaction ID of each
write in the session. Then on each read we'll wait for the replica to
report that this transaction is available.

If it doesn't become available within a reasonable timeout, we'll
proceed anyway, and accept the possibility of a stale read.

The hope here is that most of the time, the replica is caught up in the
time between a write request and the following read request. If it's
not, we now have a little tolerance to wait for it, which hopefully
proves enough to stale reads are not encountered in normal use.

We also disable the writer affinity opt-out mechanism that we had
before, since we will no longer be using writer affinity at the load
balancer.
2025-11-24 13:29:52 +00:00
Donal McBreen 4c4f6957ec Drop sqlite compability, using a separate schema.rb 2025-11-21 17:25:40 +00:00
Donal McBreen dd18b6641d Simplify patching 2025-11-21 09:15:19 +00:00
Donal McBreen 33ef482189 Patch dumper on load 2025-11-21 09:15:19 +00:00
Donal McBreen 9c8d5e40ad Always apply patches on load 2025-11-21 09:15:19 +00:00
Donal McBreen cc7e091508 Disable multi-db for SQLite 2025-11-21 09:15:19 +00:00
Donal McBreen bb36b4846f Support SQLite searching 2025-11-21 09:15:19 +00:00
Donal McBreen a2333d9a37 Add SQLite support
- UUID support
- Schema compatibility layer, ignore MySQL specific options
- Search not working yet
2025-11-21 09:15:19 +00:00
Mike Dalessio 2c2a1c4b4a Make sure jobs are enqueued only after all transactions are committed
This should fix the recurring ActiveStorage::FileNotFoundError errors
from ActiveStorage::AnalyzeJob.

The issue is that, when images are not direct uploaded (e.g. a card
background image or avatar image), the AnalyzeJob has been getting
enqueued before the file itself was uploaded to blob storage.

Setting ActiveJob::Base.enqueue_after_transaction_commit = true makes
sure that jobs are always enqueued only once *all* transactions have
been committed.

This will be the Rails default at some point, but for now we still
need to explicitly set it.

Big thanks to @jeremy for the assist. 👏
2025-11-20 18:47:42 -05:00
Mike Dalessio 711cc8568e Fix account slugs in Active Storage URLs 2025-11-19 08:51:12 -05:00
Mike Dalessio 3b717bbe0d Move AccountSlug::Extractor later in the stack
so that in development, it runs after reloading; but still before the
database selector middleware in case we ever want to do something
account-specific.
2025-11-18 09:20:47 -05:00
Kevin McConnell 9b3b2f5d29 Prevent pinning writes in non-primary DCs 2025-11-18 11:03:58 +00:00
Mike Dalessio 695037c7ee Make sure rack-mini-profiler doesn't load in test 2025-11-17 15:03:26 -05:00
Mike Dalessio e3ce26c53d rubocop: more style fixes 2025-11-17 14:54:42 -05:00
Stanko K.R. 0b8c51c2e9 Preload cards for columns 2025-11-17 16:16:19 +01:00
Mike Dalessio 2a1817d902 Bringing back the TurboStreamsExtension
so that, for example, notification content contains the URLs properly
scoped to the account.
2025-11-17 09:12:41 -05:00
Mike Dalessio 142a342e53 Make sure ActiveJob preserves the current account context
This is a pretty common pattern, something like this is in both
ActiveRecord::Tenanted and ActsAsTenanted.
2025-11-17 09:12:41 -05:00
Stanko K.R. a9e052d8cb Explicitly use a shard for caching
See: https://github.com/rails/solid_cache/pull/219
2025-11-17 09:12:41 -05:00
Mike Dalessio e3d86bb21e Clean up some spots where "current account" is ambiguous
Primarily this is in tests (which were caught by temporarily
introducing acts_as_tenant and enabling safety checks), but notably
action cable connections were not working properly, and that's now
fixed.
2025-11-17 09:12:41 -05:00
Stanko K.R. 488c74d99e Always use the cache db for caching 2025-11-17 09:12:41 -05:00
Kevin McConnell 11a38a4526 Initial (wip) staging deployment
This adds an initial configuration for staging. Note that we are doing
this ahead of having the full infrastructure in all 3 DCs. So this
this will result in some cross-DC writes for now (e.g. we have a single cache in
IAD). We'll correct this as the infrastructure becomes available.

We'll also run jobs on every app server, until we split them out to
separate instances.
2025-11-17 09:12:41 -05:00
Mike Dalessio fe6df7085f Finish the rollout of account_id to all core data models
Schema:
- add account_id to tables it was missing from
- make account_id a required column everywhere
- add [account_id] indexes, or add `account_id` to existing indices

Models:
- add `belongs_to :account` to all models (default to using a domain
  model's account whenever possible)
- add account_id in all the necessary fixtures
- add account_id to insert_all hashes
- pass account_id to a few initialize calls

Miscellaneous:
- update the import script to set account_id

Note that I'm not adding account_id to the join tables primarily
because I couldn't think of an easy way to populate it without making
it a full Join model, and that was more work than I have time to take
on right now.
2025-11-17 09:12:40 -05:00
Mike Dalessio 5a7f08067a Move setting Current.account into the middleware
so that code called from the Rails controllers can use Current.account
2025-11-17 09:12:40 -05:00
Donal McBreen 6323e0abee Use uuid as the id type in schema.rb
This matches the format in the migration files and makes the type_to_sql
override redundant.

The only wart we are left with is that since there are no true UUID
types in MySQL we'll have to assume that binary(16) columns are UUIDs.

In practice this is probably fine as the MySQL adapter doesn't map any
other types to binary.
2025-11-17 09:12:36 -05:00
Donal McBreen ac82f20051 Memoize native_database_types and consolidate modules 2025-11-17 09:12:36 -05:00
Donal McBreen d81b7af7bb Switch to binary and add uuid as a native type for MySQL 2025-11-17 09:12:36 -05:00
Donal McBreen 8ec5c1af5c Use Binary::Data for serialization
This handles quoting for us automatically
2025-11-17 09:12:36 -05:00