Fix CI failures blocking 1.3.2 release

- Rubocop Style/RedundantRegexpEscape: remove unnecessary \- in two character classes in FULL_EMAIL_REGEXP (user.rb:59) - Brakeman LinkToHref XSS: add fingerprint to brakeman.ignore — the filter_path guard (start_with?('/')) prevents javascript: and absolute-URL attacks; Brakeman still tracks params[:path] taint through the conditional assignment - RSpec install: switch pdfium binary source from the deleted docusealco/pdfium-binaries to bblanchon/pdfium-binaries (same tarball layout: lib/libpdfium.so) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 month ago · 62bf89c1cd
parent 1edc41c981
commit 62bf89c1cd
3 changed files with 6 additions and 2 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -177,7 +177,7 @@ jobs:
          yarn install
          sudo apt-get update
          sudo apt-get install -y libvips
-          wget -O pdfium-linux.tgz "https://github.com/docusealco/pdfium-binaries/releases/latest/download/pdfium-linux-$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/').tgz"
+          wget -O pdfium-linux.tgz "https://github.com/bblanchon/pdfium-binaries/releases/latest/download/pdfium-linux-$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/').tgz"
          sudo tar -xzf pdfium-linux.tgz --strip-components=1 -C /usr/lib lib/libpdfium.so
          rm -f pdfium-linux.tgz
      - name: Run
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -56,7 +56,7 @@ class User < ApplicationRecord
  EMAIL_REGEXP = /[^@;,<>\s]+@[^@;,<>\s]+/

  FULL_EMAIL_REGEXP =
-    /\A[a-z0-9_]+(?:[.'+\-][a-z0-9_]+)*@(?:[a-z0-9]+[.\-])*[a-z0-9]+\.[a-z]{2,}\z/i
+    /\A[a-z0-9_]+(?:[.'+-][a-z0-9_]+)*@(?:[a-z0-9]+[.-])*[a-z0-9]+\.[a-z]{2,}\z/i

  has_one_attached :signature
  has_one_attached :initials
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@ -23,6 +23,10 @@
    {
      "fingerprint": "4ce817efd946b7806f6d3da9a6923aa282e3ff992810353ed35d8f83a82cb7a0",
      "note": "HighlightCode returns escaped HTML for syntax-highlighted MCP token preview"
+    },
+    {
+      "fingerprint": "3f83dd553eb9ee8027ee629960e3e42d18b7e4143131d266899e916b7a6472c1",
+      "note": "filter_path is validated with start_with?('/') — prevents javascript: and absolute-URL payloads; Brakeman tracks taint through the conditional assignment"
    }
  ]
 }