activerecord 6.0.5 → 6.0.6
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of activerecord might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +35 -0
- data/lib/active_record/coders/yaml_column.rb +23 -1
- data/lib/active_record/core.rb +10 -0
- data/lib/active_record/gem_version.rb +1 -1
- metadata +10 -10
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c6ce12f937513b9efe3578fdbe01cdeee38dbb3d16d38058099f2ab1e1c7e71a
|
4
|
+
data.tar.gz: ec06c07afcbdd62043bce7bb57c0e3fca32658404088b706a2b4188e919e5bf7
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: d77444fd1cafdcf149d0e64da878e9f756b5a836720fa49145f93520168ed709c52e6e03d7081c2a7916b11cd3f9a4973859257b3f02765c9e504253dbb85783
|
7
|
+
data.tar.gz: 1ef9d00fc16e11d028a464e437f285a3f3d4300295c6d947ef0c9b0e51f377f2015e60166ae4c0ef719f8593f3af151c275cc1377e982405df9dd978736c43cd
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,38 @@
|
|
1
|
+
## Rails 6.0.6 (September 09, 2022) ##
|
2
|
+
|
3
|
+
* Symbol is allowed by default for YAML columns
|
4
|
+
|
5
|
+
*Étienne Barrié*
|
6
|
+
|
7
|
+
|
8
|
+
## Rails 6.0.5.1 (July 12, 2022) ##
|
9
|
+
|
10
|
+
* Change ActiveRecord::Coders::YAMLColumn default to safe_load
|
11
|
+
|
12
|
+
This adds two new configuration options The configuration options are as
|
13
|
+
follows:
|
14
|
+
|
15
|
+
* `config.active_storage.use_yaml_unsafe_load`
|
16
|
+
|
17
|
+
When set to true, this configuration option tells Rails to use the old
|
18
|
+
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
|
19
|
+
the possible escalation vulnerability in place. Setting this option to true
|
20
|
+
is *not* recommended, but can aid in upgrading.
|
21
|
+
|
22
|
+
* `config.active_record.yaml_column_permitted_classes`
|
23
|
+
|
24
|
+
The "safe YAML" loading method does not allow all classes to be deserialized
|
25
|
+
by default. This option allows you to specify classes deemed "safe" in your
|
26
|
+
application. For example, if your application uses Symbol and Time in
|
27
|
+
serialized data, you can add Symbol and Time to the allowed list as follows:
|
28
|
+
|
29
|
+
```
|
30
|
+
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
|
31
|
+
```
|
32
|
+
|
33
|
+
[CVE-2022-32224]
|
34
|
+
|
35
|
+
|
1
36
|
## Rails 6.0.5 (May 09, 2022) ##
|
2
37
|
|
3
38
|
* No changes.
|
@@ -23,7 +23,7 @@ module ActiveRecord
|
|
23
23
|
def load(yaml)
|
24
24
|
return object_class.new if object_class != Object && yaml.nil?
|
25
25
|
return yaml unless yaml.is_a?(String) && /^---/.match?(yaml)
|
26
|
-
obj =
|
26
|
+
obj = yaml_load(yaml)
|
27
27
|
|
28
28
|
assert_valid_value(obj, action: "load")
|
29
29
|
obj ||= object_class.new if object_class != Object
|
@@ -44,6 +44,28 @@ module ActiveRecord
|
|
44
44
|
rescue ArgumentError
|
45
45
|
raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
|
46
46
|
end
|
47
|
+
|
48
|
+
if YAML.respond_to?(:unsafe_load)
|
49
|
+
def yaml_load(payload)
|
50
|
+
if ActiveRecord::Base.use_yaml_unsafe_load
|
51
|
+
YAML.unsafe_load(payload)
|
52
|
+
elsif YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])
|
53
|
+
YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
|
54
|
+
else
|
55
|
+
YAML.safe_load(payload, ActiveRecord::Base.yaml_column_permitted_classes, [], true)
|
56
|
+
end
|
57
|
+
end
|
58
|
+
else
|
59
|
+
def yaml_load(payload)
|
60
|
+
if ActiveRecord::Base.use_yaml_unsafe_load
|
61
|
+
YAML.load(payload)
|
62
|
+
elsif YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])
|
63
|
+
YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
|
64
|
+
else
|
65
|
+
YAML.safe_load(payload, ActiveRecord::Base.yaml_column_permitted_classes, [], true)
|
66
|
+
end
|
67
|
+
end
|
68
|
+
end
|
47
69
|
end
|
48
70
|
end
|
49
71
|
end
|
data/lib/active_record/core.rb
CHANGED
@@ -128,6 +128,16 @@ module ActiveRecord
|
|
128
128
|
|
129
129
|
mattr_accessor :reading_role, instance_accessor: false, default: :reading
|
130
130
|
|
131
|
+
##
|
132
|
+
# :singleton-method:
|
133
|
+
# Application configurable boolean that instructs the YAML Coder to use
|
134
|
+
# an unsafe load if set to true.
|
135
|
+
mattr_accessor :use_yaml_unsafe_load, instance_writer: false, default: false
|
136
|
+
|
137
|
+
# Application configurable array that provides additional permitted classes
|
138
|
+
# to Psych safe_load in the YAML Coder
|
139
|
+
mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: [Symbol]
|
140
|
+
|
131
141
|
class_attribute :default_connection_handler, instance_writer: false
|
132
142
|
|
133
143
|
self.filter_attributes = []
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: activerecord
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.0.
|
4
|
+
version: 6.0.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-
|
11
|
+
date: 2022-09-09 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,28 +16,28 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 6.0.
|
19
|
+
version: 6.0.6
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 6.0.
|
26
|
+
version: 6.0.6
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: activemodel
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
31
|
- - '='
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: 6.0.
|
33
|
+
version: 6.0.6
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - '='
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: 6.0.
|
40
|
+
version: 6.0.6
|
41
41
|
description: Databases on Rails. Build a persistent domain model by mapping database
|
42
42
|
tables to Ruby classes. Strong conventions for associations, validations, aggregations,
|
43
43
|
migrations, and testing come baked-in.
|
@@ -391,10 +391,10 @@ licenses:
|
|
391
391
|
- MIT
|
392
392
|
metadata:
|
393
393
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
394
|
-
changelog_uri: https://github.com/rails/rails/blob/v6.0.
|
395
|
-
documentation_uri: https://api.rubyonrails.org/v6.0.
|
394
|
+
changelog_uri: https://github.com/rails/rails/blob/v6.0.6/activerecord/CHANGELOG.md
|
395
|
+
documentation_uri: https://api.rubyonrails.org/v6.0.6/
|
396
396
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
397
|
-
source_code_uri: https://github.com/rails/rails/tree/v6.0.
|
397
|
+
source_code_uri: https://github.com/rails/rails/tree/v6.0.6/activerecord
|
398
398
|
rubygems_mfa_required: 'true'
|
399
399
|
post_install_message:
|
400
400
|
rdoc_options:
|
@@ -413,7 +413,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
413
413
|
- !ruby/object:Gem::Version
|
414
414
|
version: '0'
|
415
415
|
requirements: []
|
416
|
-
rubygems_version: 3.3.
|
416
|
+
rubygems_version: 3.3.3
|
417
417
|
signing_key:
|
418
418
|
specification_version: 4
|
419
419
|
summary: Object-relational mapper framework (part of Rails).
|