activeadmin 3.1.0 → 3.2.0

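--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: f41c15703a7796ce3b6395820049062ffd4f9fbfe7e95baeffadf283b1262d93
- data.tar.gz: 6d78d624d8cf0fb7e8cc629b9d3145abf4a3180d2b1df206f4a765db5e2f66dd
+ metadata.gz: 500a0615ecf1635299471dcbc309082815a82d24f03528b7c5926c4a5449fb64
+ data.tar.gz: 7ee23a9a3f4658eef536dec2032b40a9d60b054272a09b5e5a833ee51fae4430
  SHA512:
- metadata.gz: c530b7246911f1e83c9181795a969eafa11a83dc2ca7271e67d8944bb7d4a1391b5880c050bb77e6bb5535e44fc70460a53e42e838e6d694d2542f42efb37555
- data.tar.gz: 8ca9cd7d704eb7c1eeda4b4210f6db07d8f9ce72caacdd8bc46ae9b188fe518316d8a2714350986960492b6aafc56dd9462ab2ac3272b25361b7e8777034525f
+ metadata.gz: 62b6e4f0a45f0d1d102dd3753de0fdddd4b661e6f53af9caebf37fcdda1924e769ed932027f517147f0db2e0c9724bcff49ca5640130a524ae48701c3ae1551b
+ data.tar.gz: eb0a26b263ed3cb17e8157581ac30a182467649b622807a4af9fccc2618ddb6b392307e4ec16abca591ed6f3b039c451868c7d9a6869ea89de68893672962455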
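--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -2,6 +2,22 @@
 
  ## Unreleased
 
+ ## 3.2.0 [☰](https://github.com/activeadmin/activeadmin/compare/v3.1.0..v3.2.0)
+
+ ### Security Fixes
+
+ * Backport protect against CSV Injection. [#8167] by [@mgrunberg]
+
+ ### Enhancements
+
+ * Backport support citext column type in string filter. [#8165] by [@mgrunberg]
+ * Backport provide detail in DB statement timeout error for filters. [#8163] by [@mgrunberg]
+
+ ### Bug Fixes
+
+ * Backport make sure menu creation does not modify menu options. [#8166] by [@mgrunberg]
+ * Backport ransack error with filters when ActiveStorage is used. [#8164] by [@mgrunberg]
+
  ## 3.1.0 [☰](https://github.com/activeadmin/activeadmin/compare/v3.0.0..v3.1.0)
 
  ### Enhancements
@@ -877,6 +893,11 @@ Please check [0-6-stable] for previous changes.
  [#8102]: https://github.com/activeadmin/activeadmin/pull/8102
  [#8105]: https://github.com/activeadmin/activeadmin/pull/8105
  [#8106]: https://github.com/activeadmin/activeadmin/pull/8106
+ [#8163]: https://github.com/activeadmin/activeadmin/pull/8163
+ [#8164]: https://github.com/activeadmin/activeadmin/pull/8164
+ [#8165]: https://github.com/activeadmin/activeadmin/pull/8165
+ [#8166]: https://github.com/activeadmin/activeadmin/pull/8166
+ [#8167]: https://github.com/activeadmin/activeadmin/pull/8167
 
  [@1000ship]: https://github.com/1000ship
  [@5t111111]: https://github.com/5t111111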
@@ -51,7 +51,7 @@ module ActiveAdmin
51
51
  csv << bom if bom
52
52
 
53
53
  if column_names
54
- csv << CSV.generate_line(columns.map { |c| encode c.name, options }, **csv_options)
54
+ csv << CSV.generate_line(columns.map { |c| sanitize(encode(c.name, options)) }, **csv_options)
55
55
  end
56
56
 
57
57
  controller.send(:in_paginated_batches) do |resource|
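Review bot: The apostrophe is prepended after `encode` has already converted the header name, so the `'` literal is in the source file's encoding while `value` may already be in the configured target encoding; for ASCII-compatible targets (Windows-1252, ISO-8859-x) the interpolation works, but for an ASCII-incompatible one such as UTF-16 `"'#{value}"` raises `Encoding::CompatibilityError`. If `encode` really converts to `options[:encoding]` (its body is outside the hunk), sanitizing first and encoding the result avoids that: `csv << CSV.generate_line(columns.map { |c| encode(sanitize(c.name), options) }, **csv_options)`. The method enclosing this line starts before the hunk.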
@@ -70,7 +70,7 @@ module ActiveAdmin
70
70
 
71
71
  def build_row(resource, columns, options)
72
72
  columns.map do |column|
73
- encode call_method_or_proc_on(resource, column.data), options
73
+ sanitize(encode(call_method_or_proc_on(resource, column.data), options))
74
74
  end
75
75
  end
76
76
 
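Review bot: The values reaching `sanitize` in `build_row` are resource data, and a string cell that merely holds a signed number ("-12.50", "+5") also starts with an attack character, so it is exported as `'-12.50` and no longer reads as a number in the spreadsheet. Whether this happens may also depend on configuration, since `require_sanitization?` only inspects Strings and `encode` (outside the hunk) looks like the point where non-string values get stringified. A bare signed number cannot start a formula, so an allowlist check before the prefix keeps such cells intact, e.g. in the sanitizer: `return value if value.match?(/\A[+-]?\d+(\.\d+)?\z/)`. That guard belongs in `Sanitizer.sanitize` rather than here, but this call site is where the regression would surface; `build_row` is fully inside the hunk.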
@@ -86,6 +86,10 @@ module ActiveAdmin
86
86
  end
87
87
  end
88
88
 
89
+ def sanitize(content)
90
+ Sanitizer.sanitize(content)
91
+ end
92
+
89
93
  def method_missing(method, *args, &block)
90
94
  if @view_context.respond_to? method
91
95
  @view_context.public_send method, *args, &block
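Review bot: Defining `sanitize(content)` on the builder shadows the view-context `sanitize` that the `method_missing` below forwards to, and that name is ActionView's HTML sanitizer helper; if CSV column blocks are evaluated in this builder's context through `call_method_or_proc_on` (its body is outside the hunk), a column block that calls `sanitize(record.description)` to strip HTML will now silently receive the CSV-injection prefix instead. A name that cannot collide with a view helper avoids the ambiguity, e.g. `def sanitize_csv_cell(content)` with the two call sites in this file renamed to match. A one-line comment stating the intent would also help: `# Prefix formula-triggering cells before they reach CSV.generate_line.`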
@@ -120,4 +124,21 @@ module ActiveAdmin
120
124
  @column_transitive_options ||= @options.slice(*COLUMN_TRANSITIVE_OPTIONS)
121
125
  end
122
126
  end
127
+
128
+ # Prevents CSV Injection according to https://owasp.org/www-community/attacks/CSV_Injection
129
+ module Sanitizer
130
+ extend self
131
+
132
+ ATTACK_CHARACTERS = ["=", "+", "-", "@", "\t", "\r"].freeze
133
+
134
+ def sanitize(value)
135
+ return "'#{value}" if require_sanitization?(value)
136
+
137
+ value
138
+ end
139
+
140
+ def require_sanitization?(value)
141
+ value.is_a?(String) && value.starts_with?(*ATTACK_CHARACTERS)
142
+ end
143
+ end
123
144
  end
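Review bot: `require_sanitization?` uses `starts_with?`, which is an ActiveSupport alias rather than core Ruby's `start_with?`; nothing else in `Sanitizer` depends on Rails, so `value.is_a?(String) && value.start_with?(*ATTACK_CHARACTERS)` keeps the module loadable and unit-testable on its own. The trade-off of the apostrophe mitigation also deserves a comment on the constant, because the `-` and `+` entries match legitimately signed values: `# OWASP formula prefixes; note "-" and "+" also match signed numbers and phone numbers stored as strings, which are exported with a leading apostrophe`. The module is fully inside the hunk.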
@@ -31,7 +31,7 @@ module ActiveAdmin
31
31
  case column.type
32
32
  when :date, :datetime
33
33
  :date_range
34
- when :string, :text
34
+ when :string, :text, :citext
35
35
  :string
36
36
  when :integer, :float, :decimal
37
37
  :numeric
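Review bot: Nothing on the changed line says why `:citext` belongs with `:string` and `:text`; it is presumably the PostgreSQL case-insensitive text type, which no other database reports, so a trailing comment keeps that visible: `when :string, :text, :citext # citext: PostgreSQL case-insensitive text, filtered like a string`. The enclosing method starts before the hunk.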
@@ -47,7 +47,7 @@ module ActiveAdmin
47
47
  #
48
48
 
49
49
  def searchable_has_many_through?
50
- if reflection && reflection.options[:through]
50
+ if klass.ransackable_associations.include?(method.to_s) && reflection && reflection.options[:through]
51
51
  reflection.through_reflection.klass.ransackable_attributes.include? reflection.foreign_key
52
52
  else
53
53
  false
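Review bot: The added `klass.ransackable_associations.include?(method.to_s)` guard runs before `reflection` is consulted, and a reader cannot tell from the line why the allowlist check has to come first; a short comment would carry the reason: `# only consult the through reflection for associations the model allowlists for Ransack`. Passing no auth object here is consistent with the `ransackable_attributes` call on the next line, which also passes none. `searchable_has_many_through?` is fully inside the hunk.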
@@ -43,6 +43,8 @@ module ActiveAdmin
43
43
  else
44
44
  super
45
45
  end
46
+ rescue ActiveRecord::QueryCanceled => error
47
+ raise ActiveRecord::QueryCanceled.new "#{error.message.strip} while querying the values for the ActiveAdmin :#{method} filter"
46
48
  end
47
49
 
48
50
  def pluck_column
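Review bot: Re-raising with `ActiveRecord::QueryCanceled.new "..."` keeps the original as `cause` but constructs a fresh exception, so attributes the original carried (on recent Rails, `sql` and `binds` on `StatementInvalid` subclasses) are dropped along with anything an error reporter reads from them; where the app's Rails version supports it, `raise ActiveRecord::QueryCanceled.new("#{error.message.strip} while querying the values for the ActiveAdmin :#{method} filter", sql: error.sql, binds: error.binds)` preserves them. Stylistically, `raise Klass, message` is the idiomatic form when no extra keywords are passed. The method this `rescue` is attached to starts before the hunk.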
@@ -48,6 +48,7 @@ module ActiveAdmin
48
48
  # menu.add parent: 'Dashboard', label: 'My Child Dashboard'
49
49
  #
50
50
  def add(options)
51
+ options = options.dup # Make sure parameter is not modified
51
52
  parent_chain = Array.wrap(options.delete(:parent))
52
53
 
53
54
  item = if parent = parent_chain.shift
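Review bot: `options.dup` is a shallow copy, which is all the following `options.delete(:parent)` needs, but the comment only says the parameter is not modified and not why; stating the reason keeps the intent through refactoring: `options = options.dup # shallow copy: #delete(:parent) below must not mutate the caller's hash`. An alternative that avoids the dup-then-delete pair is `parent_chain = Array.wrap(options[:parent])` followed by `options = options.except(:parent)`. `add` continues past the hunk.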
@@ -1,4 +1,4 @@
1
1
  # frozen_string_literal: true
2
2
  module ActiveAdmin
3
- VERSION = "3.1.0"
3
+ VERSION = "3.2.0"
4
4
  end
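--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: activeadmin
  version: !ruby/object:Gem::Version
- version: 3.1.0
+ version: 3.2.0
  platform: ruby
  authors:
  - Charles Maresh
@@ -15,7 +15,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2023-10-23 00:00:00.000000000 Z
+ date: 2023-12-11 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: arbre
@@ -520,7 +520,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.4.13
+ rubygems_version: 3.4.21
  signing_key:
  specification_version: 4
  summary: Active Admin is a Ruby on Rails plugin for generating administration style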