activeadmin 3.1.0 → 3.2.0



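--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: f41c15703a7796ce3b6395820049062ffd4f9fbfe7e95baeffadf283b1262d93
- data.tar.gz: 6d78d624d8cf0fb7e8cc629b9d3145abf4a3180d2b1df206f4a765db5e2f66dd
+ metadata.gz: 500a0615ecf1635299471dcbc309082815a82d24f03528b7c5926c4a5449fb64
+ data.tar.gz: 7ee23a9a3f4658eef536dec2032b40a9d60b054272a09b5e5a833ee51fae4430
  SHA512:
- metadata.gz: c530b7246911f1e83c9181795a969eafa11a83dc2ca7271e67d8944bb7d4a1391b5880c050bb77e6bb5535e44fc70460a53e42e838e6d694d2542f42efb37555
- data.tar.gz: 8ca9cd7d704eb7c1eeda4b4210f6db07d8f9ce72caacdd8bc46ae9b188fe518316d8a2714350986960492b6aafc56dd9462ab2ac3272b25361b7e8777034525f
+ metadata.gz: 62b6e4f0a45f0d1d102dd3753de0fdddd4b661e6f53af9caebf37fcdda1924e769ed932027f517147f0db2e0c9724bcff49ca5640130a524ae48701c3ae1551b
+ data.tar.gz: eb0a26b263ed3cb17e8157581ac30a182467649b622807a4af9fccc2618ddb6b392307e4ec16abca591ed6f3b039c451868c7d9a6869ea89de68893672962455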
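--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -2,6 +2,22 @@
 
  ## Unreleased
 
+ ## 3.2.0 [☰](https://github.com/activeadmin/activeadmin/compare/v3.1.0..v3.2.0)
+
+ ### Security Fixes
+
+ * Backport protect against CSV Injection. [#8167] by [@mgrunberg]
+
+ ### Enhancements
+
+ * Backport support citext column type in string filter. [#8165] by [@mgrunberg]
+ * Backport provide detail in DB statement timeout error for filters. [#8163] by [@mgrunberg]
+
+ ### Bug Fixes
+
+ * Backport make sure menu creation does not modify menu options. [#8166] by [@mgrunberg]
+ * Backport ransack error with filters when ActiveStorage is used. [#8164] by [@mgrunberg]
+
  ## 3.1.0 [☰](https://github.com/activeadmin/activeadmin/compare/v3.0.0..v3.1.0)
 
  ### Enhancements
@@ -877,6 +893,11 @@ Please check [0-6-stable] for previous changes.
  [#8102]: https://github.com/activeadmin/activeadmin/pull/8102
  [#8105]: https://github.com/activeadmin/activeadmin/pull/8105
  [#8106]: https://github.com/activeadmin/activeadmin/pull/8106
+ [#8163]: https://github.com/activeadmin/activeadmin/pull/8163
+ [#8164]: https://github.com/activeadmin/activeadmin/pull/8164
+ [#8165]: https://github.com/activeadmin/activeadmin/pull/8165
+ [#8166]: https://github.com/activeadmin/activeadmin/pull/8166
+ [#8167]: https://github.com/activeadmin/activeadmin/pull/8167
 
  [@1000ship]: https://github.com/1000ship
  [@5t111111]: https://github.com/5t111111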
@@ -51,7 +51,7 @@ module ActiveAdmin
51
51
  csv << bom if bom
52
52
 
53
53
  if column_names
54
- csv << CSV.generate_line(columns.map { |c| encode c.name, options }, **csv_options)
54
+ csv << CSV.generate_line(columns.map { |c| sanitize(encode(c.name, options)) }, **csv_options)
55
55
  end
56
56
 
57
57
  controller.send(:in_paginated_batches) do |resource|
@@ -70,7 +70,7 @@ module ActiveAdmin
70
70
 
71
71
  def build_row(resource, columns, options)
72
72
  columns.map do |column|
73
- encode call_method_or_proc_on(resource, column.data), options
73
+ sanitize(encode(call_method_or_proc_on(resource, column.data), options))
74
74
  end
75
75
  end
76
76
 
@@ -86,6 +86,10 @@ module ActiveAdmin
86
86
  end
87
87
  end
88
88
 
89
+ def sanitize(content)
90
+ Sanitizer.sanitize(content)
91
+ end
92
+
89
93
  def method_missing(method, *args, &block)
90
94
  if @view_context.respond_to? method
91
95
  @view_context.public_send method, *args, &block
@@ -120,4 +124,21 @@ module ActiveAdmin
120
124
  @column_transitive_options ||= @options.slice(*COLUMN_TRANSITIVE_OPTIONS)
121
125
  end
122
126
  end
127
+
128
+ # Prevents CSV Injection according to https://owasp.org/www-community/attacks/CSV_Injection
129
+ module Sanitizer
130
+ extend self
131
+
132
+ ATTACK_CHARACTERS = ["=", "+", "-", "@", "\t", "\r"].freeze
133
+
134
+ def sanitize(value)
135
+ return "'#{value}" if require_sanitization?(value)
136
+
137
+ value
138
+ end
139
+
140
+ def require_sanitization?(value)
141
+ value.is_a?(String) && value.starts_with?(*ATTACK_CHARACTERS)
142
+ end
143
+ end
123
144
  end
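Review bot: `ATTACK_CHARACTERS` on line 132 should carry a comment stating the trade-off it makes: because `-` and `+` are in the list, legitimate string cells such as a negative number stored as text or a phone number with a country prefix will be exported as `'-5` / `'+44 …`, and anyone opening the file outside a spreadsheet sees the apostrophe. A line such as `# "-" and "+" are included because spreadsheets treat them as formula starts; legitimate values like "-5" or "+44 …" are therefore also prefixed with an apostrophe.` would make that an intentional choice rather than a surprise to the next maintainer. `starts_with?` on line 141 is the ActiveSupport alias; core Ruby's `start_with?` accepts the same splat of prefixes and removes the dependence on the alias. Whether `encode` (defined outside these hunks) returns a String for every column type, so that the `is_a?(String)` guard actually reaches numeric columns, cannot be confirmed from the hunk and is worth a test.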
@@ -31,7 +31,7 @@ module ActiveAdmin
31
31
  case column.type
32
32
  when :date, :datetime
33
33
  :date_range
34
- when :string, :text
34
+ when :string, :text, :citext
35
35
  :string
36
36
  when :integer, :float, :decimal
37
37
  :numeric
@@ -47,7 +47,7 @@ module ActiveAdmin
47
47
  #
48
48
 
49
49
  def searchable_has_many_through?
50
- if reflection && reflection.options[:through]
50
+ if klass.ransackable_associations.include?(method.to_s) && reflection && reflection.options[:through]
51
51
  reflection.through_reflection.klass.ransackable_attributes.include? reflection.foreign_key
52
52
  else
53
53
  false
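Review bot: The allowlist check added on line 50 is the right guard, but folding it into the existing condition produces a three-way `&&` chain that hides the intent; a guard clause keeps it visible: `return false unless klass.ransackable_associations.include?(method.to_s)` as the method's first line, with the original `if reflection && reflection.options[:through]` left unchanged below it. Ransack's `ransackable_associations` accepts an optional authorization object; the call here passes none, which presumably matches how `ransackable_attributes` is called on line 51, but it is worth confirming the two allowlists are evaluated with the same context. The `klass`, `reflection` and `method` helpers the method relies on are defined outside the hunk.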
@@ -43,6 +43,8 @@ module ActiveAdmin
43
43
  else
44
44
  super
45
45
  end
46
+ rescue ActiveRecord::QueryCanceled => error
47
+ raise ActiveRecord::QueryCanceled.new "#{error.message.strip} while querying the values for the ActiveAdmin :#{method} filter"
46
48
  end
47
49
 
48
50
  def pluck_column
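Review bot: Line 47 builds the replacement exception with `ActiveRecord::QueryCanceled.new "…"` where the idiomatic form is `raise ActiveRecord::QueryCanceled, "#{error.message.strip} while querying the values for the ActiveAdmin :#{method} filter"`, which also drops the parenthesis-less `.new` call with a string argument. Since the re-raise happens inside `rescue`, Ruby attaches the original exception as `cause`, so the driver-level backtrace is not lost; a short comment on line 46 saying so (`# re-raised with filter context; the original error is available as #cause`) saves the next reader from checking. The method this `rescue` belongs to starts outside the hunk, so it is not visible from here whether it is method-level or scoped to the `if`/`else` that ends on line 45.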
@@ -48,6 +48,7 @@ module ActiveAdmin
48
48
  # menu.add parent: 'Dashboard', label: 'My Child Dashboard'
49
49
  #
50
50
  def add(options)
51
+ options = options.dup # Make sure parameter is not modified
51
52
  parent_chain = Array.wrap(options.delete(:parent))
52
53
 
53
54
  item = if parent = parent_chain.shift
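Review bot: The `options.dup` on line 51 is shallow, and line 52 partly undoes its purpose: `Array.wrap` returns the caller's own Array when `:parent` was already passed as an Array, so the `parent_chain.shift` on line 54 still mutates the value the caller handed in. Copying the chain closes that gap: `parent_chain = Array.wrap(options.delete(:parent)).dup`. The comment on line 51 could then state what is actually guaranteed, e.g. `# Work on copies: keys are deleted from the hash and the parent chain is shifted below`. The rest of `add` is outside the hunk.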
@@ -1,4 +1,4 @@
1
1
  # frozen_string_literal: true
2
2
  module ActiveAdmin
3
- VERSION = "3.1.0"
3
+ VERSION = "3.2.0"
4
4
  end
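--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: activeadmin
  version: !ruby/object:Gem::Version
- version: 3.1.0
+ version: 3.2.0
  platform: ruby
  authors:
  - Charles Maresh
@@ -15,7 +15,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2023-10-23 00:00:00.000000000 Z
+ date: 2023-12-11 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: arbre
@@ -520,7 +520,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.4.13
+ rubygems_version: 3.4.21
  signing_key:
  specification_version: 4
  summary: Active Admin is a Ruby on Rails plugin for generating administration style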