activerecord 6.1.5.1 → 6.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1a234f311c9d8eb911868e3cc648b0230a221b370c0b7645295b80dd991d5b6a
-  data.tar.gz: b3105e763a3ae5c0fc064f0f0939f46760f70a827319dde19c4303829be22d66
+  metadata.gz: f11907365b78163229d5724a47f9a99b84ad5d8adbb8092b05d7fcc657b3068e
+  data.tar.gz: e495d26d1c679db2ab9a91e81112ae6b22d3466702601e645bfc43067166efa2
 SHA512:
-  metadata.gz: 02f74282e0aae2b219cdbeb0808244048535b74ff148835c93bb7dbd26034b19e786937c0f5e3de3f8884caa2578c182567135f3630963ef86fce9e03409f1e2
-  data.tar.gz: b63f8584e2c11dc5a93b11fc70cfc6a2859f31438a2e0538393e557e3f9d2a1408f35ca150518e232ffa7b977c9f1db2500c3117fe65c8e2a36187cb737802a0
+  metadata.gz: 688b39dd7ca026c860efd8311df6ed968abd37ed4655fd04816abd3aa03f625fe63026f66cbac20d3db3c60c449dd4fd0621e6705c8f22f5b68025f9fa83eee7
+  data.tar.gz: 58fdf458ec41d07a4eff8aee4f79b636d2347460f28a2bbc99fc475a96bb3ae0c4961f558603f237e3e838f3d69ba320d9583b8c5c78bfe470585561ff16f48c

data/CHANGELOG.md

@@ -1,3 +1,55 @@
+## Rails 6.1.7 (September 09, 2022) ##
+
+*   Symbol is allowed by default for YAML columns
+
+    *Étienne Barrié*
+
+*   Fix `ActiveRecord::Store` to serialize as a regular Hash
+
+    Previously it would serialize as an `ActiveSupport::HashWithIndifferentAccess`
+    which is wasteful and cause problem with YAML safe_load.
+
+    *Jean Boussier*
+
+*   Fix PG.connect keyword arguments deprecation warning on ruby 2.7
+
+    Fixes #44307.
+
+    *Nikita Vasilevsky*
+
+## Rails 6.1.6.1 (July 12, 2022) ##
+
+*   Change ActiveRecord::Coders::YAMLColumn default to safe_load
+
+    This adds two new configuration options The configuration options are as
+    follows:
+    
+    * `config.active_storage.use_yaml_unsafe_load`
+    
+    When set to true, this configuration option tells Rails to use the old
+    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
+    the possible escalation vulnerability in place.  Setting this option to true
+    is *not* recommended, but can aid in upgrading.
+    
+    * `config.active_record.yaml_column_permitted_classes`
+    
+    The "safe YAML" loading method does not allow all classes to be deserialized
+    by default.  This option allows you to specify classes deemed "safe" in your
+    application.  For example, if your application uses Symbol and Time in
+    serialized data, you can add Symbol and Time to the allowed list as follows:
+    
+    ```
+    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+    ```
+
+    [CVE-2022-32224]
+
+
+## Rails 6.1.6 (May 09, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.5.1 (April 26, 2022) ##
 
 *   No changes.
@@ -7,14 +59,14 @@
 
 *   Fix `ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate` for Ruby 2.6.
 
-    Ruby 2.6 and 2.7 have slightly different implementations of the `String#@-` method.
-    In Ruby 2.6, the receiver of the `String#@-` method is modified under certain circumstances.
+    Ruby 2.6 and 2.7 have slightly different implementations of the `String#-@` method.
+    In Ruby 2.6, the receiver of the `String#-@` method is modified under certain circumstances.
     This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only
     fixed in Ruby 2.7.
 
     Before the changes in this commit, the
     `ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate` method, which internally
-    calls the `String#@-` method, could also modify an input string argument in Ruby 2.6 --
+    calls the `String#-@` method, could also modify an input string argument in Ruby 2.6 --
     changing a tainted, unfrozen string into a tainted, frozen string.
 
     Fixes #43056

data/lib/active_record/coders/yaml_column.rb

@@ -47,11 +47,23 @@ module ActiveRecord
 
         if YAML.respond_to?(:unsafe_load)
           def yaml_load(payload)
-            YAML.unsafe_load(payload)
+            if ActiveRecord::Base.use_yaml_unsafe_load
+              YAML.unsafe_load(payload)
+            elsif YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])
+              YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
+            else
+              YAML.safe_load(payload, ActiveRecord::Base.yaml_column_permitted_classes, [], true)
+            end
           end
         else
           def yaml_load(payload)
-            YAML.load(payload)
+            if ActiveRecord::Base.use_yaml_unsafe_load
+              YAML.load(payload)
+            elsif YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])
+              YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
+            else
+              YAML.safe_load(payload, ActiveRecord::Base.yaml_column_permitted_classes, [], true)
+            end
           end
         end
     end

data/lib/active_record/connection_adapters/abstract/schema_definitions.rb

@@ -198,6 +198,10 @@ module ActiveRecord
 
         def index_options(table_name)
           index_options = as_options(index)
+
+          # legacy reference index names are used on versions 6.0 and earlier
+          return index_options if options[:_uses_legacy_reference_index_name]
+
           index_options[:name] ||= polymorphic_index_name(table_name) if polymorphic
           index_options
         end

data/lib/active_record/connection_adapters/postgresql_adapter.rb

@@ -75,7 +75,7 @@ module ActiveRecord
 
       class << self
         def new_client(conn_params)
-          PG.connect(conn_params)
+          PG.connect(**conn_params)
         rescue ::PG::Error => error
           if conn_params && conn_params[:dbname] && error.message.include?(conn_params[:dbname])
             raise ActiveRecord::NoDatabaseError
@@ -247,7 +247,7 @@ module ActiveRecord
       def initialize(connection, logger, connection_parameters, config)
         super(connection, logger, config)
 
-        @connection_parameters = connection_parameters
+        @connection_parameters = connection_parameters || {}
 
         # @local_tz is initialized as nil to avoid warnings when connect tries to use it
         @local_tz = nil

data/lib/active_record/connection_adapters/schema_cache.rb

@@ -207,8 +207,8 @@ module ActiveRecord
               value.map { |i| deep_deduplicate(i) }
             when String
               if value.tainted?
-                # Ruby 2.6 and 2.7 have slightly different implementations of the String#@- method.
-                # In Ruby 2.6, the receiver of the String#@- method is modified under certain
+                # Ruby 2.6 and 2.7 have slightly different implementations of the String#-@ method.
+                # In Ruby 2.6, the receiver of the String#-@ method is modified under certain
                 # circumstances, and this was later identified as a bug
                 # (https://bugs.ruby-lang.org/issues/15926) and only fixed in Ruby 2.7.
                 value = value.dup

data/lib/active_record/core.rb

@@ -155,6 +155,14 @@ module ActiveRecord
 
       mattr_accessor :legacy_connection_handling, instance_writer: false, default: true
 
+      # Application configurable boolean that instructs the YAML Coder to use
+      # an unsafe load if set to true.
+      mattr_accessor :use_yaml_unsafe_load, instance_writer: false, default: false
+
+      # Application configurable array that provides additional permitted classes
+      # to Psych safe_load in the YAML Coder
+      mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: [Symbol]
+
       self.filter_attributes = []
 
       def self.connection_handler

data/lib/active_record/gem_version.rb

@@ -9,8 +9,8 @@ module ActiveRecord
   module VERSION
     MAJOR = 6
     MINOR = 1
-    TINY  = 5
-    PRE   = "1"
+    TINY  = 7
+    PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/active_record/migration/compatibility.rb

@@ -22,27 +22,10 @@ module ActiveRecord
           end
         end
 
-        module SQLite3
-          module TableDefinition
-            def references(*args, **options)
-              args.each do |ref_name|
-                ReferenceDefinition.new(ref_name, type: :integer, **options).add_to(self)
-              end
-            end
-            alias :belongs_to :references
-
-            def column(name, type, index: nil, **options)
-              options[:precision] ||= nil
-              super
-            end
-          end
-        end
-
         module TableDefinition
           def references(*args, **options)
-            args.each do |ref_name|
-              ReferenceDefinition.new(ref_name, **options).add_to(self)
-            end
+            options[:_uses_legacy_reference_index_name] = true
+            super
           end
           alias :belongs_to :references
         end
@@ -73,12 +56,11 @@ module ActiveRecord
 
         def add_reference(table_name, ref_name, **options)
           if connection.adapter_name == "SQLite"
-            reference_definition = ReferenceDefinition.new(ref_name, type: :integer, **options)
-          else
-            reference_definition = ReferenceDefinition.new(ref_name, **options)
+            options[:type] = :integer
           end
 
-          reference_definition.add_to(connection.update_table_definition(table_name, self))
+          options[:_uses_legacy_reference_index_name] = true
+          super
         end
         alias :add_belongs_to :add_reference
 
@@ -86,7 +68,6 @@ module ActiveRecord
           def compatible_table_definition(t)
             class << t
               prepend TableDefinition
-              prepend SQLite3::TableDefinition
             end
             t
           end
@@ -148,7 +129,7 @@ module ActiveRecord
             class << t
               prepend TableDefinition
             end
-            t
+            super
           end
 
           def command_recorder

data/lib/active_record/store.rb

@@ -268,7 +268,7 @@ module ActiveRecord
         end
 
         def dump(obj)
-          @coder.dump self.class.as_indifferent_hash(obj)
+          @coder.dump as_regular_hash(obj)
         end
 
         def load(yaml)
@@ -285,6 +285,11 @@ module ActiveRecord
             ActiveSupport::HashWithIndifferentAccess.new
           end
         end
+
+        private
+          def as_regular_hash(obj)
+            obj.respond_to?(:to_hash) ? obj.to_hash : {}
+          end
       end
   end
 end

data/lib/active_record/test_fixtures.rb

@@ -134,7 +134,7 @@ module ActiveRecord
         @connection_subscriber = ActiveSupport::Notifications.subscribe("!connection.active_record") do |_, _, _, _, payload|
           spec_name = payload[:spec_name] if payload.key?(:spec_name)
           shard = payload[:shard] if payload.key?(:shard)
-          setup_shared_connection_pool
+          setup_shared_connection_pool if ActiveRecord::Base.legacy_connection_handling
 
           if spec_name
             begin
@@ -143,10 +143,14 @@ module ActiveRecord
               connection = nil
             end
 
-            if connection && !@fixture_connections.include?(connection)
-              connection.begin_transaction joinable: false, _lazy: false
-              connection.pool.lock_thread = true if lock_threads
-              @fixture_connections << connection
+            if connection
+              setup_shared_connection_pool unless ActiveRecord::Base.legacy_connection_handling
+
+              if !@fixture_connections.include?(connection)
+                connection.begin_transaction joinable: false, _lazy: false
+                connection.pool.lock_thread = true if lock_threads
+                @fixture_connections << connection
+              end
             end
           end
         end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activerecord
 version: !ruby/object:Gem::Version
-  version: 6.1.5.1
+  version: 6.1.7
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-04-26 00:00:00.000000000 Z
+date: 2022-09-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.5.1
+        version: 6.1.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.5.1
+        version: 6.1.7
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.5.1
+        version: 6.1.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.5.1
+        version: 6.1.7
 description: Databases on Rails. Build a persistent domain model by mapping database
   tables to Ruby classes. Strong conventions for associations, validations, aggregations,
   migrations, and testing come baked-in.
@@ -390,10 +390,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.1.5.1/activerecord/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.1.5.1/
+  changelog_uri: https://github.com/rails/rails/blob/v6.1.7/activerecord/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.1.7/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.1.5.1/activerecord
+  source_code_uri: https://github.com/rails/rails/tree/v6.1.7/activerecord
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options:
@@ -412,7 +412,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.3.3
 signing_key:
 specification_version: 4
 summary: Object-relational mapper framework (part of Rails).