CU-868j244hj :: 31.8.0 pre release (#6139)

* refactor edit SEP form to show selected option (#6096)

* refactor build_fieldset_choices and build_input_hash

* lint fix

* enhance script to transition consumer role states to fully verified (#6103)

* enhance script to transition consumer role states to fully verified

* refactor to introduce batching

* lint fix

* refactor CSV handling in transition consumers script to append results and improve error logging

* refactor

* set new rop due date for bulk calls (#6102)

* save

* updates evidence spec

* remove utils changes, add specs

* update specs

* remove binding

* fix error

* add specs for non esi bulk calls

* remove local adjustments to run spec

---------

Co-authored-by: Sai Praveen Gudimetla <saipraveen.gudimetla@gmail.com>

* add devise to bundler audit ignore (#6098)

* address gap in pvc logic (#6100)

* save

* updates evidence spec

* separate rrv other bulk call updates

---------

Co-authored-by: Sai Praveen Gudimetla <saipraveen.gudimetla@gmail.com>

* remove custom handling on remove qhp applicant modal (#6108)

Co-authored-by: Alec Turnbull <alecturnbull81@gmail.com>

* refactor access verification logic in FamiliesController (#6115)

* refactor access verification logic in FamiliesController

* fix spec

* remediate CVE-2026-33306 with bcrypt bump to 3.1.22 (#6120)

CVE-2026-33306 bcrypt minor version uplift

* data fix ridp verified consumers with bad bookmark url (#6121)

* data fix for bad bookmark urls

* update scope of fix to all ridp verified with bad bookmark

* rubocop fix

* set admin bookmark url to nil

* security: fix bundler-audit vulnerabilities (activestorage) (#6133)

fix: update gems to resolve bundler-audit security vulnerabilities

This commit updates vulnerable gems identified by bundler-audit.
See PR description for detailed analysis of changes and affected components.

---------

Co-authored-by: Jacob Kagon <69021620+jacobkagon@users.noreply.github.com>
Co-authored-by: Tristan <33517218+TristanB17@users.noreply.github.com>
Co-authored-by: Sai Praveen Gudimetla <saipraveen.gudimetla@gmail.com>
Co-authored-by: Alec Turnbull <alecturnbull81@gmail.com>
Co-authored-by: Michael Karamanov <mdkaramanov@gmail.com>
Co-authored-by: Marco (Polo) Ornelas <marco.ornelas@ideacrew.com>

Author: 7 people

.bundler-audit.yml

@@ -29,3 +29,9 @@ ignore:
   - CVE-2024-43411  # GHSA-6v96-m24v-f58j – Low-risk XSS via domain takeover
   - CVE-2025-61921  # GHSA-mr3q-g2mv-mr4q - Sinatra ReDoS via ETag header
   - CVE-2026-25765 # GHSA-33mh-2634-fwr2 - faraday
+  - GHSA-57hq-95w6-v4fc
+  # CVE-2026-32700: patched version (5.0.3) requires Rails >= 7.0; project is on Rails 6.1.7.10.
+  # Resolve by upgrading Rails to >= 7.0 and then devise to 5.0.3.
+  # CVE-2026-33658: patched versions require Rails >= 7.2.3.1; project is on Rails 6.1.7.10.
+  # Resolve by upgrading Rails to ~> 7.2.3.1, ~> 8.0.4.1, or >= 8.1.2.1.
+  - CVE-2026-33658  # GHSA-p9fm-f462-ggrg – Active Storage DoS via multi-range requests in proxy mode

Gemfile

@@ -59,7 +59,7 @@ gem 'aws-sdk',                  '~> 3.2'
 gem 'aws-sdk-s3',               '>= 1.208.0'
 # Ruby 3.1.6 ships with logger 1.5.0 but aws-sdk-core 3.240.0 requires logger 1.7.0; try removing logger dependency after next ruby upgrade
 gem 'logger',                   '~> 1.7.0'  
-gem 'bcrypt',                   '~> 3.1'
+gem 'bcrypt',                   '~> 3.1.22'
 gem 'bootsnap',                 '>= 1.1', require: false
 gem 'browser',                  '2.7.0'
 gem 'ckeditor',                 '~> 5.1.3'

Gemfile.lock

@@ -1895,7 +1895,7 @@ GEM
       thread_safe (~> 0.3, >= 0.3.1)
     backports (3.23.0)
     base64 (0.3.0)
-    bcrypt (3.1.13)
+    bcrypt (3.1.22)
     benchmark-malloc (0.2.0)
     benchmark-perf (0.6.0)
     benchmark-trend (0.4.0)
@@ -2613,7 +2613,7 @@ DEPENDENCIES
   aws-sdk (~> 3.2)
   aws-sdk-s3 (>= 1.208.0)
   axe-core-cucumber (~> 4.8.0)
-  bcrypt (~> 3.1)
+  bcrypt (~> 3.1.22)
   benefit_markets!
   benefit_sponsors!
   bootsnap (>= 1.1)

SECURITY.md

@@ -2,6 +2,24 @@
 
 ## Vulnerability Mitigations
 
+### GHSA-57hq-95w6-v4fc - Devise "change email" race condition
+
+**Vulnerability:** A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the reconfirmable option (the default when using Confirmable with email changes). (`CVE-2026-32700`).
+
+**Current Status:** Enroll is currently pinned to devise `4.5.x` through the `Gemfile`.
+
+**Mitigation:** This CVE is temporarily added to `.bundler-audit.yml` as we are upgrading Rails 8 in parallel. The long-term fix is to upgrade `rails` to `>= 7.0` and devise to `5.0.3` simultaneously.
+
+**Actions Taken:**
+1. Documented vulnerability and mitigation plan in this file.
+2. Added `GHSA-57hq-95w6-v4fc` to bundler-audit ignore list as a temporary exception.
+3. Tracked follow-up to remove the exception after Ruby upgrade.
+
+**Ongoing Measures:**
+1. Keep this exception time boxed for 90 days as Rails 8 upgrade is coming soon.
+2. Remove the ignore entry after dependency upgrade.
+
+
 ### GHSA-wx95-c6cv-8532 - Nokogiri canonicalization failure error handling
 
 **Vulnerability:** Nokogiri versions below `1.19.1` will not raise an exception when canonicalization fails, specifically when checking the return value of `xmlC14NExecute` in the associated canonicalization methods (`GHSA-wx95-c6cv-8532`).
@@ -244,6 +262,38 @@ We backported the upstream restriction that disallows the dangerous transformati
 1. When we upgrade Rails Version to ~> 7.1.5.2', '~> 7.2.2.2', '>= 8.0.2.1', we need to remove 
 config/initializers/security_backports/active_storage_disallow_dangerous_transformations.rb
 
+#### CVE-2026-33658
+
+Source: https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
+
+**Description:**
+
+```
+Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests. This affects ActiveStorage versions in Rails 6.1.7.10 and below.
+```
+
+**Mitigation:**
+
+Active Storage is NOT ENABLED in this application. The Active Storage engine is explicitly disabled in `config/application.rb` (line 12 is commented out). This CVE requires upgrading Rails from 6.1.x to 7.2.3.1+, 8.0.4.1+, or 8.1.2.1+ (major version upgrade).
+
+**Risk Assessment:**
+- **Severity**: Not Applicable
+- **Actual Risk**: None - Active Storage is not loaded or used
+- **Impact**: No impact as the vulnerable component is not present
+
+**Actions Taken:**
+
+1. Verified Active Storage is disabled in config/application.rb
+2. Confirmed no config/storage.yml exists
+3. Confirmed no models use has_one_attached or has_many_attached
+4. Added CVE-2026-33658 to .bundler-audit.yml ignore list
+5. Documented reason for ignoring: requires major Rails version upgrade
+
+**TODO - Future Actions**
+
+1. When we upgrade Rails to ~> 7.2.3.1, ~> 8.0.4.1, or >= 8.1.2.1, remove CVE-2026-33658 from .bundler-audit.yml
+2. If Active Storage is ever enabled in the future, ensure patched Rails version is used
+
 ### CVE-2023-4771, CVE-2024-24815, CVE-2024-24816, CVE-2024-43407, CVE-2024-43411
 
 **Sources:**

app/assets/javascripts/qhp_application.js

@@ -1,75 +1,30 @@
-document.addEventListener('click', function(e) {
-    if (e.target.matches('button#delete_applicant_button_qhp')) {
-        e.preventDefault();
-        showModal();
-    }
-
-    if (e.target.textContent.trim() === 'Cancel') {
-        closeModal();
-    }
-
-    if (e.target.matches('#destroy-confirm-qhp')) {
-        confirmDestroyApplicantQhp(e, e.target.dataset.url);
-    }
+$(document).on('click', 'button#delete_applicant_button_qhp', function (e) {
+  e.preventDefault();
+  $('#destroyApplicantQhp').modal();
+
+  $('#destroyApplicantQhp .modal-cancel-button').on('click', function (e) {
+    $('#destroyApplicantQhp').modal('hidden');
+  });
+  $('.btn-confirmation').removeAttr('disabled');
 });
 
-function showModal() {
-    const modal = document.getElementById('destroyApplicantQhp');
-    modal.classList.add('show');
-    modal.style.display = 'block';
-    document.body.classList.add('modal-open');
-    
-    const backdrop = document.createElement('div');
-    backdrop.className = 'modal-backdrop fade show';
-    document.body.appendChild(backdrop);
-    
-    const confirmButton = document.querySelector('.btn-confirmation');
-    if (confirmButton) confirmButton.removeAttribute('disabled');
-}
-
-function closeModal() {
-    const modal = document.getElementById('destroyApplicantQhp');
-    if (modal) {
-        modal.style.display = 'none';
-        modal.classList.remove('show');
-    }
-    document.body.classList.remove('modal-open');
-    const backdrop = document.querySelector('.modal-backdrop');
-    if (backdrop) backdrop.remove();
-}
+$(document).on('click', '#destroy-confirm-qhp', function (e) {
+  confirmDestroyApplicantQhp(e, $(this).data('url'));
+});
 
 function confirmDestroyApplicantQhp(event, url) {
-    const confirmButton = document.getElementById('destroy-confirm-qhp');
-    confirmButton.disabled = true;
-    event.preventDefault();
-    event.stopImmediatePropagation();
-
-    // Clean up modal
-    document.querySelectorAll('.modal-backdrop').forEach(el => el.classList.remove('modal-backdrop'));
-    document.querySelectorAll('.modal-open').forEach(el => el.classList.remove('modal-open'));
-
-    // Get CSRF token from meta tag --> not needed when running cucumber test
-    const csrfMeta = document.querySelector('meta[name="csrf-token"]');
-    const csrfToken = csrfMeta ? csrfMeta.getAttribute('content') : '';
-
-    fetch(url, {
-        method: 'DELETE',
-        headers: { 'X-CSRF-Token': csrfToken }
-    })
-    .then(response => {
-        closeModal();
-        if (response.redirected) {
-            // Follow the redirect from the controller
-            window.location.href = response.url;
-        } else if (response.ok) {
-            // Fallback: navigate to applicants index
-            const baseUrl = url.replace(/\/[^\/]+$/, '');
-            window.location.href = baseUrl;
-        } else {
-            throw new Error(`HTTP ${response.status}`);
-        }
-    })
-    .catch(error => {
-        confirmButton.disabled = false;
-    });
-}
+  $('#destroy-confirm-qhp').prop('disabled', true);
+  event.preventDefault();
+  event.stopImmediatePropagation();
+
+  $('.modal-backdrop').removeClass('modal-backdrop');
+  $('.modal-open').removeClass('modal-open');
+
+  $.ajax({
+    url: url,
+    type: 'DELETE',
+    dataType: 'script',
+    contentType: false,
+    processData: false,
+  });
+}

app/controllers/insured/families_controller.rb

@@ -12,7 +12,7 @@ class Insured::FamiliesController < FamiliesController
                                            :check_insurance_reason, :verification, :verification_detail, :verification_individual, :verification_history, :personal, :inbox, :manage_family, :brokers, :enrollment_history]
   before_action :updateable?, only: [:delete_consumer_broker, :record_sep, :purchase, :upload_notice]
   before_action :init_qualifying_life_events, only: [:home, :manage_family, :find_sep]
-  before_action :check_for_address_info, only: [:find_sep, :home]
+  before_action :verify_access_prerequisites, only: [:find_sep, :home]
   before_action :check_employee_role
   before_action :find_or_build_consumer_role, only: [:home]
   before_action :calculate_dates, only: [:check_move_reason, :check_marriage_reason, :check_insurance_reason]
@@ -705,15 +705,11 @@ def init_qualifying_life_events
     end
   end
 
-  def check_for_address_info
+  def verify_access_prerequisites
     if @person.has_active_employee_role?
       redirect_to edit_insured_employee_path(@person.active_employee_roles.first) if @person.addresses.blank?
-    elsif @person.is_consumer_role_active?
-      if !(@person.addresses.present? || (@person.is_homeless || @person.is_temporarily_out_of_state))
-        redirect_to edit_insured_consumer_role_path(@person.consumer_role)
-      elsif ridp_redirection
-        redirect_to ridp_agreement_insured_consumer_role_index_path
-      end
+    elsif @person.is_consumer_role_active? && ridp_redirection
+      redirect_to ridp_agreement_insured_consumer_role_index_path
     end
   end