activerecord 6.0.5.1 → 6.0.6.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of activerecord might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +26 -0
- data/lib/active_record/coders/yaml_column.rb +15 -5
- data/lib/active_record/connection_adapters/abstract/quoting.rb +10 -1
- data/lib/active_record/core.rb +1 -1
- data/lib/active_record/gem_version.rb +1 -1
- data/lib/active_record/railtie.rb +0 -18
- data/lib/active_record/relation/query_methods.rb +2 -0
- metadata +10 -10
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 62b3dcd186d829531c34dec576e3fd66b4cccb2406fe1e0f8acad98a98e60ba6
|
|
4
|
+
data.tar.gz: 36d39bff0326c50ab47c2f2b36626bce5d670a38c8e6a01a50176ff9f04f74b0
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9c6294d1f7ac84e1c763ba79d91877f64af76daad98a44c820690d4b325efa87a6de87e257c2a9491a5ffcd0b0ce0e4f9ac453df28bdb11b389c4005e73e9139
|
|
7
|
+
data.tar.gz: b0977e39fb7156f7d3cb9940da3036987fc37d7d813d2c17ec465097dab254231236f5c2fb4854991320a0b6bd624ce860faf2db42dfc45fed20dfb743f0b038
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,29 @@
|
|
|
1
|
+
## Rails 6.0.6.1 (January 17, 2023) ##
|
|
2
|
+
|
|
3
|
+
* Make `sanitize_as_sql_comment` more strict
|
|
4
|
+
|
|
5
|
+
Though this method was likely never meant to take user input, it was
|
|
6
|
+
attempting sanitization. That sanitization could be bypassed with
|
|
7
|
+
carefully crafted input.
|
|
8
|
+
|
|
9
|
+
This commit makes the sanitization more robust by replacing any
|
|
10
|
+
occurrances of "/*" or "*/" with "/ *" or "* /". It also performs a
|
|
11
|
+
first pass to remove one surrounding comment to avoid compatibility
|
|
12
|
+
issues for users relying on the existing removal.
|
|
13
|
+
|
|
14
|
+
This also clarifies in the documentation of annotate that it should not
|
|
15
|
+
be provided user input.
|
|
16
|
+
|
|
17
|
+
[CVE-2023-22794]
|
|
18
|
+
|
|
19
|
+
|
|
20
|
+
## Rails 6.0.6 (September 09, 2022) ##
|
|
21
|
+
|
|
22
|
+
* Symbol is allowed by default for YAML columns
|
|
23
|
+
|
|
24
|
+
*Étienne Barrié*
|
|
25
|
+
|
|
26
|
+
|
|
1
27
|
## Rails 6.0.5.1 (July 12, 2022) ##
|
|
2
28
|
|
|
3
29
|
* Change ActiveRecord::Coders::YAMLColumn default to safe_load
|
|
@@ -45,14 +45,24 @@ module ActiveRecord
|
|
|
45
45
|
raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
|
|
46
46
|
end
|
|
47
47
|
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
else
|
|
52
|
-
if YAML.respond_to?(:unsafe_load)
|
|
48
|
+
if YAML.respond_to?(:unsafe_load)
|
|
49
|
+
def yaml_load(payload)
|
|
50
|
+
if ActiveRecord::Base.use_yaml_unsafe_load
|
|
53
51
|
YAML.unsafe_load(payload)
|
|
52
|
+
elsif YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])
|
|
53
|
+
YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
|
|
54
54
|
else
|
|
55
|
+
YAML.safe_load(payload, ActiveRecord::Base.yaml_column_permitted_classes, [], true)
|
|
56
|
+
end
|
|
57
|
+
end
|
|
58
|
+
else
|
|
59
|
+
def yaml_load(payload)
|
|
60
|
+
if ActiveRecord::Base.use_yaml_unsafe_load
|
|
55
61
|
YAML.load(payload)
|
|
62
|
+
elsif YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])
|
|
63
|
+
YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
|
|
64
|
+
else
|
|
65
|
+
YAML.safe_load(payload, ActiveRecord::Base.yaml_column_permitted_classes, [], true)
|
|
56
66
|
end
|
|
57
67
|
end
|
|
58
68
|
end
|
|
@@ -139,7 +139,16 @@ module ActiveRecord
|
|
|
139
139
|
end
|
|
140
140
|
|
|
141
141
|
def sanitize_as_sql_comment(value) # :nodoc:
|
|
142
|
-
|
|
142
|
+
# Sanitize a string to appear within a SQL comment
|
|
143
|
+
# For compatibility, this also surrounding "/*+", "/*", and "*/"
|
|
144
|
+
# charcacters, possibly with single surrounding space.
|
|
145
|
+
# Then follows that by replacing any internal "*/" or "/ *" with
|
|
146
|
+
# "* /" or "/ *"
|
|
147
|
+
comment = value.to_s.dup
|
|
148
|
+
comment.gsub!(%r{\A\s*/\*\+?\s?|\s?\*/\s*\Z}, "")
|
|
149
|
+
comment.gsub!("*/", "* /")
|
|
150
|
+
comment.gsub!("/*", "/ *")
|
|
151
|
+
comment
|
|
143
152
|
end
|
|
144
153
|
|
|
145
154
|
def column_name_matcher # :nodoc:
|
data/lib/active_record/core.rb
CHANGED
|
@@ -136,7 +136,7 @@ module ActiveRecord
|
|
|
136
136
|
|
|
137
137
|
# Application configurable array that provides additional permitted classes
|
|
138
138
|
# to Psych safe_load in the YAML Coder
|
|
139
|
-
mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: []
|
|
139
|
+
mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: [Symbol]
|
|
140
140
|
|
|
141
141
|
class_attribute :default_connection_handler, instance_writer: false
|
|
142
142
|
|
|
@@ -259,23 +259,5 @@ To keep using the current cache store, you can turn off cache versioning entirel
|
|
|
259
259
|
self.filter_attributes += Rails.application.config.filter_parameters
|
|
260
260
|
end
|
|
261
261
|
end
|
|
262
|
-
|
|
263
|
-
initializer "active_record.use_yaml_unsafe_load" do |app|
|
|
264
|
-
config.after_initialize do
|
|
265
|
-
unless app.config.active_record.use_yaml_unsafe_load.nil?
|
|
266
|
-
ActiveRecord::Base.use_yaml_unsafe_load =
|
|
267
|
-
app.config.active_record.use_yaml_unsafe_load
|
|
268
|
-
end
|
|
269
|
-
end
|
|
270
|
-
end
|
|
271
|
-
|
|
272
|
-
initializer "active_record.yaml_column_permitted_classes" do |app|
|
|
273
|
-
config.after_initialize do
|
|
274
|
-
unless app.config.active_record.yaml_column_permitted_classes.nil?
|
|
275
|
-
ActiveRecord::Base.yaml_column_permitted_classes =
|
|
276
|
-
app.config.active_record.yaml_column_permitted_classes
|
|
277
|
-
end
|
|
278
|
-
end
|
|
279
|
-
end
|
|
280
262
|
end
|
|
281
263
|
end
|
|
@@ -1000,6 +1000,8 @@ module ActiveRecord
|
|
|
1000
1000
|
# # SELECT "users"."name" FROM "users" /* selecting */ /* user */ /* names */
|
|
1001
1001
|
#
|
|
1002
1002
|
# The SQL block comment delimiters, "/*" and "*/", will be added automatically.
|
|
1003
|
+
#
|
|
1004
|
+
# Some escaping is performed, however untrusted user input should not be used.
|
|
1003
1005
|
def annotate(*args)
|
|
1004
1006
|
check_if_method_has_arguments!(:annotate, args)
|
|
1005
1007
|
spawn.annotate!(*args)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: activerecord
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.0.
|
|
4
|
+
version: 6.0.6.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Heinemeier Hansson
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-01-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,28 +16,28 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 6.0.
|
|
19
|
+
version: 6.0.6.1
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 6.0.
|
|
26
|
+
version: 6.0.6.1
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: activemodel
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
30
30
|
requirements:
|
|
31
31
|
- - '='
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version: 6.0.
|
|
33
|
+
version: 6.0.6.1
|
|
34
34
|
type: :runtime
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
38
|
- - '='
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version: 6.0.
|
|
40
|
+
version: 6.0.6.1
|
|
41
41
|
description: Databases on Rails. Build a persistent domain model by mapping database
|
|
42
42
|
tables to Ruby classes. Strong conventions for associations, validations, aggregations,
|
|
43
43
|
migrations, and testing come baked-in.
|
|
@@ -391,10 +391,10 @@ licenses:
|
|
|
391
391
|
- MIT
|
|
392
392
|
metadata:
|
|
393
393
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
|
394
|
-
changelog_uri: https://github.com/rails/rails/blob/v6.0.
|
|
395
|
-
documentation_uri: https://api.rubyonrails.org/v6.0.
|
|
394
|
+
changelog_uri: https://github.com/rails/rails/blob/v6.0.6.1/activerecord/CHANGELOG.md
|
|
395
|
+
documentation_uri: https://api.rubyonrails.org/v6.0.6.1/
|
|
396
396
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
|
397
|
-
source_code_uri: https://github.com/rails/rails/tree/v6.0.
|
|
397
|
+
source_code_uri: https://github.com/rails/rails/tree/v6.0.6.1/activerecord
|
|
398
398
|
rubygems_mfa_required: 'true'
|
|
399
399
|
post_install_message:
|
|
400
400
|
rdoc_options:
|
|
@@ -413,7 +413,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
413
413
|
- !ruby/object:Gem::Version
|
|
414
414
|
version: '0'
|
|
415
415
|
requirements: []
|
|
416
|
-
rubygems_version: 3.
|
|
416
|
+
rubygems_version: 3.4.3
|
|
417
417
|
signing_key:
|
|
418
418
|
specification_version: 4
|
|
419
419
|
summary: Object-relational mapper framework (part of Rails).
|