activerecord 6.0.5 → 6.0.6



checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3b924984d698eccbd8d5220f19aea7ec6adc25ebffd166df8952a4725ecf6e92
4
- data.tar.gz: dcd92d322eb2ea79de53237472aad6ce7bba4d49004bb7efbd4b5745e69687d7
3
+ metadata.gz: c6ce12f937513b9efe3578fdbe01cdeee38dbb3d16d38058099f2ab1e1c7e71a
4
+ data.tar.gz: ec06c07afcbdd62043bce7bb57c0e3fca32658404088b706a2b4188e919e5bf7
5
5
  SHA512:
6
- metadata.gz: 3809f3a8db911d86b1a3f650e3b851907c692207e281ee03221817c08ef54b3a963855d95727a876db78687caa1da6f2b90d6c917d0006e862711d04e8b89164
7
- data.tar.gz: 6cca66d11a39d09266d8376efec65a0b13b0f4afe68363dc0d12a52b6b6c745d8dbd2f011085f73fc6344c8e604626560f24a1a9484c06deae4a044fac39afc3
6
+ metadata.gz: d77444fd1cafdcf149d0e64da878e9f756b5a836720fa49145f93520168ed709c52e6e03d7081c2a7916b11cd3f9a4973859257b3f02765c9e504253dbb85783
7
+ data.tar.gz: 1ef9d00fc16e11d028a464e437f285a3f3d4300295c6d947ef0c9b0e51f377f2015e60166ae4c0ef719f8593f3af151c275cc1377e982405df9dd978736c43cd
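--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,38 @@
+## Rails 6.0.6 (September 09, 2022) ##
+
+* Symbol is allowed by default for YAML columns
+
+    *Étienne Barrié*
+
+
+## Rails 6.0.5.1 (July 12, 2022) ##
+
+* Change ActiveRecord::Coders::YAMLColumn default to safe_load
+
+    This adds two new configuration options The configuration options are as
+    follows:
+
+    * `config.active_storage.use_yaml_unsafe_load`
+
+    When set to true, this configuration option tells Rails to use the old
+    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
+    the possible escalation vulnerability in place. Setting this option to true
+    is *not* recommended, but can aid in upgrading.
+
+    * `config.active_record.yaml_column_permitted_classes`
+
+    The "safe YAML" loading method does not allow all classes to be deserialized
+    by default. This option allows you to specify classes deemed "safe" in your
+    application. For example, if your application uses Symbol and Time in
+    serialized data, you can add Symbol and Time to the allowed list as follows:
+
+    ```
+    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+    ```
+
+    [CVE-2022-32224]
+
+
 ## Rails 6.0.5 (May 09, 2022) ##
 
 * No changes.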
@@ -23,7 +23,7 @@ module ActiveRecord
23
23
  def load(yaml)
24
24
  return object_class.new if object_class != Object && yaml.nil?
25
25
  return yaml unless yaml.is_a?(String) && /^---/.match?(yaml)
26
- obj = YAML.load(yaml)
26
+ obj = yaml_load(yaml)
27
27
 
28
28
  assert_valid_value(obj, action: "load")
29
29
  obj ||= object_class.new if object_class != Object
@@ -44,6 +44,28 @@ module ActiveRecord
44
44
  rescue ArgumentError
45
45
  raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
46
46
  end
47
+
48
+ if YAML.respond_to?(:unsafe_load)
49
+ def yaml_load(payload)
50
+ if ActiveRecord::Base.use_yaml_unsafe_load
51
+ YAML.unsafe_load(payload)
52
+ elsif YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])
53
+ YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
54
+ else
55
+ YAML.safe_load(payload, ActiveRecord::Base.yaml_column_permitted_classes, [], true)
56
+ end
57
+ end
58
+ else
59
+ def yaml_load(payload)
60
+ if ActiveRecord::Base.use_yaml_unsafe_load
61
+ YAML.load(payload)
62
+ elsif YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])
63
+ YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
64
+ else
65
+ YAML.safe_load(payload, ActiveRecord::Base.yaml_column_permitted_classes, [], true)
66
+ end
67
+ end
68
+ end
47
69
  end
48
70
  end
49
71
  end
@@ -128,6 +128,16 @@ module ActiveRecord
128
128
 
129
129
  mattr_accessor :reading_role, instance_accessor: false, default: :reading
130
130
 
131
+ ##
132
+ # :singleton-method:
133
+ # Application configurable boolean that instructs the YAML Coder to use
134
+ # an unsafe load if set to true.
135
+ mattr_accessor :use_yaml_unsafe_load, instance_writer: false, default: false
136
+
137
+ # Application configurable array that provides additional permitted classes
138
+ # to Psych safe_load in the YAML Coder
139
+ mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: [Symbol]
140
+
131
141
  class_attribute :default_connection_handler, instance_writer: false
132
142
 
133
143
  self.filter_attributes = []
@@ -9,7 +9,7 @@ module ActiveRecord
9
9
  module VERSION
10
10
  MAJOR = 6
11
11
  MINOR = 0
12
- TINY = 5
12
+ TINY = 6
13
13
  PRE = nil
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: activerecord
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.0.5
4
+ version: 6.0.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-05-09 00:00:00.000000000 Z
11
+ date: 2022-09-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,28 +16,28 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 6.0.5
19
+ version: 6.0.6
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 6.0.5
26
+ version: 6.0.6
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: activemodel
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
31
  - - '='
32
32
  - !ruby/object:Gem::Version
33
- version: 6.0.5
33
+ version: 6.0.6
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - '='
39
39
  - !ruby/object:Gem::Version
40
- version: 6.0.5
40
+ version: 6.0.6
41
41
  description: Databases on Rails. Build a persistent domain model by mapping database
42
42
  tables to Ruby classes. Strong conventions for associations, validations, aggregations,
43
43
  migrations, and testing come baked-in.
@@ -391,10 +391,10 @@ licenses:
391
391
  - MIT
392
392
  metadata:
393
393
  bug_tracker_uri: https://github.com/rails/rails/issues
394
- changelog_uri: https://github.com/rails/rails/blob/v6.0.5/activerecord/CHANGELOG.md
395
- documentation_uri: https://api.rubyonrails.org/v6.0.5/
394
+ changelog_uri: https://github.com/rails/rails/blob/v6.0.6/activerecord/CHANGELOG.md
395
+ documentation_uri: https://api.rubyonrails.org/v6.0.6/
396
396
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
397
- source_code_uri: https://github.com/rails/rails/tree/v6.0.5/activerecord
397
+ source_code_uri: https://github.com/rails/rails/tree/v6.0.6/activerecord
398
398
  rubygems_mfa_required: 'true'
399
399
  post_install_message:
400
400
  rdoc_options:
@@ -413,7 +413,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
413
413
  - !ruby/object:Gem::Version
414
414
  version: '0'
415
415
  requirements: []
416
- rubygems_version: 3.3.7
416
+ rubygems_version: 3.3.3
417
417
  signing_key:
418
418
  specification_version: 4
419
419
  summary: Object-relational mapper framework (part of Rails).