activeadmin 3.1.0 → 3.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f41c15703a7796ce3b6395820049062ffd4f9fbfe7e95baeffadf283b1262d93
-  data.tar.gz: 6d78d624d8cf0fb7e8cc629b9d3145abf4a3180d2b1df206f4a765db5e2f66dd
+  metadata.gz: ff095f14bad831f14bf12c3da9123bae3311d3c94815a73ef3b8ab67d1ca985a
+  data.tar.gz: 1adb7fa85d65339b74b8a0c1ef45c6ba9be9031a743e144d0edf452064e31083
 SHA512:
-  metadata.gz: c530b7246911f1e83c9181795a969eafa11a83dc2ca7271e67d8944bb7d4a1391b5880c050bb77e6bb5535e44fc70460a53e42e838e6d694d2542f42efb37555
-  data.tar.gz: 8ca9cd7d704eb7c1eeda4b4210f6db07d8f9ce72caacdd8bc46ae9b188fe518316d8a2714350986960492b6aafc56dd9462ab2ac3272b25361b7e8777034525f
+  metadata.gz: 54c3193a35539aeb1c6e094cdd7e03b335168116db76a8ab07eb5991de70cba0931d400840815014ee96bad801723fa628962924d3314e3aa855adebaa3d256d
+  data.tar.gz: 2f51a5be0b992925a0b8a77f62e68812ae19ea3d5666f2df514bbbf4b9a6ccb1c09639853878a8e02e4b9b59077f18ad3041642b6abc5ad8e39f0eec359d0db3

data/CHANGELOG.md

@@ -2,6 +2,29 @@
 
 ## Unreleased
 
+## 3.2.1 [☰](https://github.com/activeadmin/activeadmin/compare/v3.2.0..v3.2.1)
+
+### Enhancements
+
+* Backport Suppress ruby 3.3 warning [#8310] by [@mgrunberg]
+* Backport Recommend using target="_blank" instead of target="blank" [#8311] by [@mgrunberg]
+
+## 3.2.0 [☰](https://github.com/activeadmin/activeadmin/compare/v3.1.0..v3.2.0)
+
+### Security Fixes
+
+* Backport protect against CSV Injection. [#8167] by [@mgrunberg]
+
+### Enhancements
+
+* Backport support citext column type in string filter. [#8165] by [@mgrunberg]
+* Backport provide detail in DB statement timeout error for filters. [#8163] by [@mgrunberg]
+
+### Bug Fixes
+
+* Backport make sure menu creation does not modify menu options. [#8166] by [@mgrunberg]
+* Backport ransack error with filters when ActiveStorage is used. [#8164] by [@mgrunberg]
+
 ## 3.1.0 [☰](https://github.com/activeadmin/activeadmin/compare/v3.0.0..v3.1.0)
 
 ### Enhancements
@@ -877,6 +900,13 @@ Please check [0-6-stable] for previous changes.
 [#8102]: https://github.com/activeadmin/activeadmin/pull/8102
 [#8105]: https://github.com/activeadmin/activeadmin/pull/8105
 [#8106]: https://github.com/activeadmin/activeadmin/pull/8106
+[#8163]: https://github.com/activeadmin/activeadmin/pull/8163
+[#8164]: https://github.com/activeadmin/activeadmin/pull/8164
+[#8165]: https://github.com/activeadmin/activeadmin/pull/8165
+[#8166]: https://github.com/activeadmin/activeadmin/pull/8166
+[#8167]: https://github.com/activeadmin/activeadmin/pull/8167
+[#8310]: https://github.com/activeadmin/activeadmin/pull/8310
+[#8311]: https://github.com/activeadmin/activeadmin/pull/8311
 
 [@1000ship]: https://github.com/1000ship
 [@5t111111]: https://github.com/5t111111

data/lib/active_admin/csv_builder.rb

@@ -51,7 +51,7 @@ module ActiveAdmin
       csv << bom if bom
 
       if column_names
-        csv << CSV.generate_line(columns.map { |c| encode c.name, options }, **csv_options)
+        csv << CSV.generate_line(columns.map { |c| sanitize(encode(c.name, options)) }, **csv_options)
       end
 
       controller.send(:in_paginated_batches) do |resource|
@@ -70,7 +70,7 @@ module ActiveAdmin
 
     def build_row(resource, columns, options)
       columns.map do |column|
-        encode call_method_or_proc_on(resource, column.data), options
+        sanitize(encode(call_method_or_proc_on(resource, column.data), options))
       end
     end
 
@@ -86,6 +86,10 @@ module ActiveAdmin
       end
     end
 
+    def sanitize(content)
+      Sanitizer.sanitize(content)
+    end
+
     def method_missing(method, *args, &block)
       if @view_context.respond_to? method
         @view_context.public_send method, *args, &block
@@ -120,4 +124,21 @@ module ActiveAdmin
       @column_transitive_options ||= @options.slice(*COLUMN_TRANSITIVE_OPTIONS)
     end
   end
+
+  # Prevents CSV Injection according to https://owasp.org/www-community/attacks/CSV_Injection
+  module Sanitizer
+    extend self
+
+    ATTACK_CHARACTERS = ["=", "+", "-", "@", "\t", "\r"].freeze
+
+    def sanitize(value)
+      return "'#{value}" if require_sanitization?(value)
+
+      value
+    end
+
+    def require_sanitization?(value)
+      value.is_a?(String) && value.starts_with?(*ATTACK_CHARACTERS)
+    end
+  end
 end

data/lib/active_admin/filters/forms.rb

@@ -31,7 +31,7 @@ module ActiveAdmin
           case column.type
           when :date, :datetime
             :date_range
-          when :string, :text
+          when :string, :text, :citext
             :string
           when :integer, :float, :decimal
             :numeric

data/lib/active_admin/filters/formtastic_addons.rb

@@ -47,7 +47,7 @@ module ActiveAdmin
       #
 
       def searchable_has_many_through?
-        if reflection && reflection.options[:through]
+        if klass.ransackable_associations.include?(method.to_s) && reflection && reflection.options[:through]
           reflection.through_reflection.klass.ransackable_attributes.include? reflection.foreign_key
         else
           false

data/lib/active_admin/inputs/filters/select_input.rb

@@ -43,6 +43,8 @@ module ActiveAdmin
           else
             super
           end
+        rescue ActiveRecord::QueryCanceled => error
+          raise ActiveRecord::QueryCanceled.new "#{error.message.strip} while querying the values for the ActiveAdmin :#{method} filter"
         end
 
         def pluck_column

data/lib/active_admin/menu.rb

@@ -48,6 +48,7 @@ module ActiveAdmin
       #   menu.add parent: 'Dashboard', label: 'My Child Dashboard'
       #
       def add(options)
+        options = options.dup # Make sure parameter is not modified
         parent_chain = Array.wrap(options.delete(:parent))
 
         item = if parent = parent_chain.shift

data/lib/active_admin/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module ActiveAdmin
-  VERSION = "3.1.0"
+  VERSION = "3.2.1"
 end

data/lib/generators/active_admin/install/templates/active_admin.rb.erb

@@ -258,7 +258,7 @@ ActiveAdmin.setup do |config|
   #
   #   config.namespace :admin do |admin|
   #     admin.build_menu :default do |menu|
-  #       menu.add label: "My Great Website", url: "http://www.mygreatwebsite.com", html_options: { target: :blank }
+  #       menu.add label: "My Great Website", url: "http://www.mygreatwebsite.com", html_options: { target: "_blank" }
   #     end
   #   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: activeadmin
 version: !ruby/object:Gem::Version
-  version: 3.1.0
+  version: 3.2.1
 platform: ruby
 authors:
 - Charles Maresh
@@ -15,7 +15,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-10-23 00:00:00.000000000 Z
+date: 2024-05-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: arbre
@@ -37,6 +37,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.2.1
+- !ruby/object:Gem::Dependency
+  name: csv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: formtastic
   requirement: !ruby/object:Gem::Requirement
@@ -520,7 +534,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.13
+rubygems_version: 3.4.19
 signing_key:
 specification_version: 4
 summary: Active Admin is a Ruby on Rails plugin for generating administration style