Update gems to fix all the CVEs (#96)

* Update rails based on CVE

Name: actionpack
Version: 5.2.1
Advisory: CVE-2020-8166
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.2.1
Advisory: CVE-2020-8164
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.2.1
Advisory: CVE-2020-15169
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3

Name: actionview
Version: 5.2.1
Advisory: CVE-2020-5267
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2

Name: actionview
Version: 5.2.1
Advisory: CVE-2020-8167
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.2.1
Advisory: CVE-2019-5419
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Title: Denial of Service Vulnerability in Action View
Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1

Name: actionview
Version: 5.2.1
Advisory: CVE-2019-5418
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Title: File Content Disclosure in Action View
Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3

Name: activejob
Version: 5.2.1
Advisory: CVE-2018-16476
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Title: Broken Access Control vulnerability in Active Job
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Name: activestorage
Version: 5.2.1
Advisory: CVE-2018-16477
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg
Title: Bypass vulnerability in Active Storage
Solution: upgrade to >= 5.2.1.1

Name: activestorage
Version: 5.2.1
Advisory: CVE-2020-8162
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
Title: Circumvention of file size limits in ActiveStorage
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: activesupport
Version: 5.2.1
Advisory: CVE-2020-8165
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

* Update jquery-rails for CVE

ruby-advisory-db: 472 advisories
Name: jquery-rails
Version: 4.3.3
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Title: Prototype pollution attack through jQuery $.extend
Solution: upgrade to >= 4.3.4

* Update json gem for CVE
Name: json
Version: 2.0.2
Advisory: CVE-2020-10663
Criticality: Unknown
URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Title: json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Solution: upgrade to >= 2.3.0

* Update puma gem

Name: puma
Version: 3.11.4
Advisory: CVE-2019-16770
Criticality: High
URL: GHSA-7xx3-m584-x994
Title: Keepalive thread overload/DoS in puma
Solution: upgrade to ~> 3.12.2, >= 4.3.1

* Update rubyzip gem for CVE

ruby-advisory-db: 472 advisories
Name: rubyzip
Version: 1.2.2
Advisory: CVE-2019-16892
Criticality: Unknown
URL: rubyzip/rubyzip#403
Title: Denial of Service in rubyzip ("zip bombs")
Solution: upgrade to >= 1.3.0

* Update simple_form to fix CVE

Name: simple_form
Version: 4.0.1
Advisory: CVE-2019-16676
Criticality: Unknown
URL: GHSA-r74q-gxcg-73hx
Title: simple_form Gem for Ruby Incorrect Access Control for forms based on user input
Solution: upgrade to >= 5.0

Gemfile

@@ -24,7 +24,7 @@ gem "normalize-rails"
 gem "pg"
 gem 'puma'
 gem "rack-canonical-host"
-gem "rails", "~> 5.2.1"
+gem "rails", "~> 5.2.4.3"
 gem "recipient_interceptor"
 gem "redcarpet"
 gem "refills"

Gemfile.lock

@@ -1,43 +1,43 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.2.1)
-      actionpack (= 5.2.1)
+    actioncable (5.2.4.4)
+      actionpack (= 5.2.4.4)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailer (5.2.1)
-      actionpack (= 5.2.1)
-      actionview (= 5.2.1)
-      activejob (= 5.2.1)
+    actionmailer (5.2.4.4)
+      actionpack (= 5.2.4.4)
+      actionview (= 5.2.4.4)
+      activejob (= 5.2.4.4)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.2.1)
-      actionview (= 5.2.1)
-      activesupport (= 5.2.1)
-      rack (~> 2.0)
+    actionpack (5.2.4.4)
+      actionview (= 5.2.4.4)
+      activesupport (= 5.2.4.4)
+      rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.2.1)
-      activesupport (= 5.2.1)
+    actionview (5.2.4.4)
+      activesupport (= 5.2.4.4)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.2.1)
-      activesupport (= 5.2.1)
+    activejob (5.2.4.4)
+      activesupport (= 5.2.4.4)
       globalid (>= 0.3.6)
-    activemodel (5.2.1)
-      activesupport (= 5.2.1)
-    activerecord (5.2.1)
-      activemodel (= 5.2.1)
-      activesupport (= 5.2.1)
+    activemodel (5.2.4.4)
+      activesupport (= 5.2.4.4)
+    activerecord (5.2.4.4)
+      activemodel (= 5.2.4.4)
+      activesupport (= 5.2.4.4)
       arel (>= 9.0)
-    activestorage (5.2.1)
-      actionpack (= 5.2.1)
-      activerecord (= 5.2.1)
+    activestorage (5.2.4.4)
+      actionpack (= 5.2.4.4)
+      activerecord (= 5.2.4.4)
       marcel (~> 0.3.1)
-    activesupport (5.2.1)
+    activesupport (5.2.4.4)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
@@ -66,7 +66,7 @@ GEM
       sass (~> 3.4)
       thor (~> 0.19)
     browser (2.2.0)
-    builder (3.2.3)
+    builder (3.2.4)
     bundler-audit (0.5.0)
       bundler (~> 1.2)
       thor (~> 0.18)
@@ -110,10 +110,10 @@ GEM
       coffee-script-source
       execjs
     coffee-script-source (1.12.2)
-    concurrent-ruby (1.0.5)
+    concurrent-ruby (1.1.7)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
-    crass (1.0.4)
+    crass (1.0.6)
     database_cleaner (1.7.0)
     delayed_job (4.1.5)
       activesupport (>= 3.0, < 5.3)
@@ -131,7 +131,7 @@ GEM
       thread
       thread_safe
     encryptor (3.0.0)
-    erubi (1.7.1)
+    erubi (1.9.0)
     erubis (2.7.0)
     execjs (2.7.0)
     factory_bot (4.11.1)
@@ -153,11 +153,11 @@ GEM
       faraday_middleware (~> 0.9)
       faraday_middleware-parse_oj (~> 0.3)
       launchy (~> 2.4)
-    globalid (0.4.1)
+    globalid (0.4.2)
       activesupport (>= 4.2.0)
     hashdiff (0.3.7)
     highline (1.7.8)
-    i18n (1.1.1)
+    i18n (1.8.5)
       concurrent-ruby (~> 1.0)
     i18n-tasks (0.9.5)
       activesupport (>= 4.0.2)
@@ -170,14 +170,14 @@ GEM
       term-ansicolor (>= 1.3.2)
       terminal-table (>= 1.5.1)
     io-like (0.3.0)
-    jquery-rails (4.3.3)
+    jquery-rails (4.4.0)
       rails-dom-testing (>= 1, < 3)
       railties (>= 4.2.0)
       thor (>= 0.14, < 2.0)
-    json (2.0.2)
+    json (2.3.1)
     launchy (2.4.3)
       addressable (~> 2.3)
-    loofah (2.2.2)
+    loofah (2.7.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -188,20 +188,20 @@ GEM
     mime-types (3.1)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)
-    mimemagic (0.3.2)
-    mini_mime (1.0.1)
-    mini_portile2 (2.3.0)
-    minitest (5.11.3)
+    mimemagic (0.3.5)
+    mini_mime (1.0.2)
+    mini_portile2 (2.4.0)
+    minitest (5.14.2)
     multipart-post (2.0.0)
     neat (1.7.4)
       bourbon (>= 4.0)
       sass (>= 3.3)
     net-scp (1.2.1)
       net-ssh (>= 2.6.5)
     net-ssh (4.1.0)
-    nio4r (2.3.1)
-    nokogiri (1.8.5)
-      mini_portile2 (~> 2.3.0)
+    nio4r (2.5.4)
+    nokogiri (1.10.10)
+      mini_portile2 (~> 2.4.0)
     normalize-rails (3.0.3)
     oj (2.18.5)
     parser (2.3.1.4)
@@ -214,39 +214,40 @@ GEM
     pry-rails (0.3.4)
       pry (>= 0.9.10)
     public_suffix (3.0.2)
-    puma (3.11.4)
-    rack (2.0.5)
+    puma (5.0.2)
+      nio4r (~> 2.0)
+    rack (2.2.3)
     rack-canonical-host (0.2.2)
       addressable (> 0, < 3)
       rack (>= 1.0.0, < 3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rack-timeout (0.4.2)
-    rails (5.2.1)
-      actioncable (= 5.2.1)
-      actionmailer (= 5.2.1)
-      actionpack (= 5.2.1)
-      actionview (= 5.2.1)
-      activejob (= 5.2.1)
-      activemodel (= 5.2.1)
-      activerecord (= 5.2.1)
-      activestorage (= 5.2.1)
-      activesupport (= 5.2.1)
+    rails (5.2.4.4)
+      actioncable (= 5.2.4.4)
+      actionmailer (= 5.2.4.4)
+      actionpack (= 5.2.4.4)
+      actionview (= 5.2.4.4)
+      activejob (= 5.2.4.4)
+      activemodel (= 5.2.4.4)
+      activerecord (= 5.2.4.4)
+      activestorage (= 5.2.4.4)
+      activesupport (= 5.2.4.4)
       bundler (>= 1.3.0)
-      railties (= 5.2.1)
+      railties (= 5.2.4.4)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.0.4)
-      loofah (~> 2.2, >= 2.2.2)
-    railties (5.2.1)
-      actionpack (= 5.2.1)
-      activesupport (= 5.2.1)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
+    railties (5.2.4.4)
+      actionpack (= 5.2.4.4)
+      activesupport (= 5.2.4.4)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.19.0, < 2.0)
-    rake (12.3.1)
+    rake (13.0.1)
     rb-fsevent (0.10.3)
     rb-inotify (0.9.10)
       ffi (>= 0.5.0, < 2)
@@ -271,7 +272,7 @@ GEM
       rspec-mocks (~> 3.8.0)
       rspec-support (~> 3.8.0)
     rspec-support (3.8.0)
-    rubyzip (1.2.2)
+    rubyzip (1.3.0)
     safe_yaml (1.0.4)
     sass (3.6.0)
       sass-listen (~> 4.0.0)
@@ -289,7 +290,7 @@ GEM
       rubyzip (~> 1.2)
     shoulda-matchers (3.1.1)
       activesupport (>= 4.0.0)
-    simple_form (4.0.1)
+    simple_form (5.0.3)
       actionpack (>= 5.0)
       activemodel (>= 5.0)
     simplecov (0.12.0)
@@ -304,7 +305,7 @@ GEM
     sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
-    sprockets-rails (3.2.1)
+    sprockets-rails (3.2.2)
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
@@ -319,7 +320,7 @@ GEM
       tins (~> 1.0)
     terminal-table (1.7.3)
       unicode-display_width (~> 1.1.1)
-    thor (0.20.0)
+    thor (0.20.3)
     thread (0.2.2)
     thread_safe (0.3.6)
     tilt (2.0.8)
@@ -328,7 +329,7 @@ GEM
     title (0.0.7)
       i18n
       rails (>= 3.1)
-    tzinfo (1.2.5)
+    tzinfo (1.2.7)
       thread_safe (~> 0.1)
     uglifier (3.0.2)
       execjs (>= 0.3.0, < 3)
@@ -342,9 +343,9 @@ GEM
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff
-    websocket-driver (0.7.0)
+    websocket-driver (0.7.3)
       websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.3)
+    websocket-extensions (0.1.5)
     whenever (0.9.7)
       chronic (>= 0.6.3)
     xpath (2.1.0)
@@ -388,7 +389,7 @@ DEPENDENCIES
   puma
   rack-canonical-host
   rack-timeout
-  rails (~> 5.2.1)
+  rails (~> 5.2.4.3)
   recipient_interceptor
   redcarpet
   refills