activerecord 6.1.5 → 6.1.6.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of activerecord might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +36 -3
- data/lib/active_record/coders/yaml_column.rb +9 -7
- data/lib/active_record/connection_adapters/abstract/schema_definitions.rb +4 -0
- data/lib/active_record/connection_adapters/schema_cache.rb +2 -2
- data/lib/active_record/core.rb +8 -0
- data/lib/active_record/gem_version.rb +2 -2
- data/lib/active_record/migration/compatibility.rb +6 -25
- data/lib/active_record/railtie.rb +18 -0
- metadata +13 -13
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 2093e13defc611f0ec1e62d7efd445bcd1c5b182d8aab24f3dd3625047ce2f9f
|
4
|
+
data.tar.gz: 8d3e9a6daab9d0026cc1826d1caf2f24fee239d05b63cbb0eac866b1daded767
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 3e6be64f1492b2441290abac0af6cde31950acef133ccdd98202b2ab719dc48b0f969eda318b4712c508cde2f29b3a6c381c27c6e7467b4ee25ec97209717d7a
|
7
|
+
data.tar.gz: 924c8bcbbaa608deb02263437e76947737b041b39a86818585e3d087530f0d1e3fdc537fc10d1177fe6cf2413deaf47f655342435312a5d473a4789e7a35631f
|
data/CHANGELOG.md
CHANGED
@@ -1,15 +1,48 @@
|
|
1
|
+
## Rails 6.1.6.1 (July 12, 2022) ##
|
2
|
+
|
3
|
+
* Change ActiveRecord::Coders::YAMLColumn default to safe_load
|
4
|
+
|
5
|
+
This adds two new configuration options The configuration options are as
|
6
|
+
follows:
|
7
|
+
|
8
|
+
* `config.active_storage.use_yaml_unsafe_load`
|
9
|
+
|
10
|
+
When set to true, this configuration option tells Rails to use the old
|
11
|
+
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
|
12
|
+
the possible escalation vulnerability in place. Setting this option to true
|
13
|
+
is *not* recommended, but can aid in upgrading.
|
14
|
+
|
15
|
+
* `config.active_record.yaml_column_permitted_classes`
|
16
|
+
|
17
|
+
The "safe YAML" loading method does not allow all classes to be deserialized
|
18
|
+
by default. This option allows you to specify classes deemed "safe" in your
|
19
|
+
application. For example, if your application uses Symbol and Time in
|
20
|
+
serialized data, you can add Symbol and Time to the allowed list as follows:
|
21
|
+
|
22
|
+
```
|
23
|
+
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
|
24
|
+
```
|
25
|
+
|
26
|
+
[CVE-2022-32224]
|
27
|
+
|
28
|
+
|
29
|
+
## Rails 6.1.5.1 (April 26, 2022) ##
|
30
|
+
|
31
|
+
* No changes.
|
32
|
+
|
33
|
+
|
1
34
|
## Rails 6.1.5 (March 09, 2022) ##
|
2
35
|
|
3
36
|
* Fix `ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate` for Ruby 2.6.
|
4
37
|
|
5
|
-
Ruby 2.6 and 2.7 have slightly different implementations of the `String
|
6
|
-
In Ruby 2.6, the receiver of the `String
|
38
|
+
Ruby 2.6 and 2.7 have slightly different implementations of the `String#-@` method.
|
39
|
+
In Ruby 2.6, the receiver of the `String#-@` method is modified under certain circumstances.
|
7
40
|
This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only
|
8
41
|
fixed in Ruby 2.7.
|
9
42
|
|
10
43
|
Before the changes in this commit, the
|
11
44
|
`ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate` method, which internally
|
12
|
-
calls the `String
|
45
|
+
calls the `String#-@` method, could also modify an input string argument in Ruby 2.6 --
|
13
46
|
changing a tainted, unfrozen string into a tainted, frozen string.
|
14
47
|
|
15
48
|
Fixes #43056
|
@@ -45,13 +45,15 @@ module ActiveRecord
|
|
45
45
|
raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
|
46
46
|
end
|
47
47
|
|
48
|
-
|
49
|
-
|
50
|
-
YAML.
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
48
|
+
def yaml_load(payload)
|
49
|
+
if !ActiveRecord::Base.use_yaml_unsafe_load
|
50
|
+
YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
|
51
|
+
else
|
52
|
+
if YAML.respond_to?(:unsafe_load)
|
53
|
+
YAML.unsafe_load(payload)
|
54
|
+
else
|
55
|
+
YAML.load(payload)
|
56
|
+
end
|
55
57
|
end
|
56
58
|
end
|
57
59
|
end
|
@@ -198,6 +198,10 @@ module ActiveRecord
|
|
198
198
|
|
199
199
|
def index_options(table_name)
|
200
200
|
index_options = as_options(index)
|
201
|
+
|
202
|
+
# legacy reference index names are used on versions 6.0 and earlier
|
203
|
+
return index_options if options[:_uses_legacy_reference_index_name]
|
204
|
+
|
201
205
|
index_options[:name] ||= polymorphic_index_name(table_name) if polymorphic
|
202
206
|
index_options
|
203
207
|
end
|
@@ -207,8 +207,8 @@ module ActiveRecord
|
|
207
207
|
value.map { |i| deep_deduplicate(i) }
|
208
208
|
when String
|
209
209
|
if value.tainted?
|
210
|
-
# Ruby 2.6 and 2.7 have slightly different implementations of the String
|
211
|
-
# In Ruby 2.6, the receiver of the String
|
210
|
+
# Ruby 2.6 and 2.7 have slightly different implementations of the String#-@ method.
|
211
|
+
# In Ruby 2.6, the receiver of the String#-@ method is modified under certain
|
212
212
|
# circumstances, and this was later identified as a bug
|
213
213
|
# (https://bugs.ruby-lang.org/issues/15926) and only fixed in Ruby 2.7.
|
214
214
|
value = value.dup
|
data/lib/active_record/core.rb
CHANGED
@@ -155,6 +155,14 @@ module ActiveRecord
|
|
155
155
|
|
156
156
|
mattr_accessor :legacy_connection_handling, instance_writer: false, default: true
|
157
157
|
|
158
|
+
# Application configurable boolean that instructs the YAML Coder to use
|
159
|
+
# an unsafe load if set to true.
|
160
|
+
mattr_accessor :use_yaml_unsafe_load, instance_writer: false, default: false
|
161
|
+
|
162
|
+
# Application configurable array that provides additional permitted classes
|
163
|
+
# to Psych safe_load in the YAML Coder
|
164
|
+
mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: []
|
165
|
+
|
158
166
|
self.filter_attributes = []
|
159
167
|
|
160
168
|
def self.connection_handler
|
@@ -22,27 +22,10 @@ module ActiveRecord
|
|
22
22
|
end
|
23
23
|
end
|
24
24
|
|
25
|
-
module SQLite3
|
26
|
-
module TableDefinition
|
27
|
-
def references(*args, **options)
|
28
|
-
args.each do |ref_name|
|
29
|
-
ReferenceDefinition.new(ref_name, type: :integer, **options).add_to(self)
|
30
|
-
end
|
31
|
-
end
|
32
|
-
alias :belongs_to :references
|
33
|
-
|
34
|
-
def column(name, type, index: nil, **options)
|
35
|
-
options[:precision] ||= nil
|
36
|
-
super
|
37
|
-
end
|
38
|
-
end
|
39
|
-
end
|
40
|
-
|
41
25
|
module TableDefinition
|
42
26
|
def references(*args, **options)
|
43
|
-
|
44
|
-
|
45
|
-
end
|
27
|
+
options[:_uses_legacy_reference_index_name] = true
|
28
|
+
super
|
46
29
|
end
|
47
30
|
alias :belongs_to :references
|
48
31
|
end
|
@@ -73,12 +56,11 @@ module ActiveRecord
|
|
73
56
|
|
74
57
|
def add_reference(table_name, ref_name, **options)
|
75
58
|
if connection.adapter_name == "SQLite"
|
76
|
-
|
77
|
-
else
|
78
|
-
reference_definition = ReferenceDefinition.new(ref_name, **options)
|
59
|
+
options[:type] = :integer
|
79
60
|
end
|
80
61
|
|
81
|
-
|
62
|
+
options[:_uses_legacy_reference_index_name] = true
|
63
|
+
super
|
82
64
|
end
|
83
65
|
alias :add_belongs_to :add_reference
|
84
66
|
|
@@ -86,7 +68,6 @@ module ActiveRecord
|
|
86
68
|
def compatible_table_definition(t)
|
87
69
|
class << t
|
88
70
|
prepend TableDefinition
|
89
|
-
prepend SQLite3::TableDefinition
|
90
71
|
end
|
91
72
|
t
|
92
73
|
end
|
@@ -148,7 +129,7 @@ module ActiveRecord
|
|
148
129
|
class << t
|
149
130
|
prepend TableDefinition
|
150
131
|
end
|
151
|
-
|
132
|
+
super
|
152
133
|
end
|
153
134
|
|
154
135
|
def command_recorder
|
@@ -279,5 +279,23 @@ To keep using the current cache store, you can turn off cache versioning entirel
|
|
279
279
|
self.signed_id_verifier_secret ||= -> { Rails.application.key_generator.generate_key("active_record/signed_id") }
|
280
280
|
end
|
281
281
|
end
|
282
|
+
|
283
|
+
initializer "active_record.use_yaml_unsafe_load" do |app|
|
284
|
+
config.after_initialize do
|
285
|
+
unless app.config.active_record.use_yaml_unsafe_load.nil?
|
286
|
+
ActiveRecord::Base.use_yaml_unsafe_load =
|
287
|
+
app.config.active_record.use_yaml_unsafe_load
|
288
|
+
end
|
289
|
+
end
|
290
|
+
end
|
291
|
+
|
292
|
+
initializer "active_record.yaml_column_permitted_classes" do |app|
|
293
|
+
config.after_initialize do
|
294
|
+
unless app.config.active_record.yaml_column_permitted_classes.nil?
|
295
|
+
ActiveRecord::Base.yaml_column_permitted_classes =
|
296
|
+
app.config.active_record.yaml_column_permitted_classes
|
297
|
+
end
|
298
|
+
end
|
299
|
+
end
|
282
300
|
end
|
283
301
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: activerecord
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.1.
|
4
|
+
version: 6.1.6.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-
|
11
|
+
date: 2022-07-12 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,28 +16,28 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 6.1.
|
19
|
+
version: 6.1.6.1
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 6.1.
|
26
|
+
version: 6.1.6.1
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: activemodel
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
31
|
- - '='
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: 6.1.
|
33
|
+
version: 6.1.6.1
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - '='
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: 6.1.
|
40
|
+
version: 6.1.6.1
|
41
41
|
description: Databases on Rails. Build a persistent domain model by mapping database
|
42
42
|
tables to Ruby classes. Strong conventions for associations, validations, aggregations,
|
43
43
|
migrations, and testing come baked-in.
|
@@ -390,12 +390,12 @@ licenses:
|
|
390
390
|
- MIT
|
391
391
|
metadata:
|
392
392
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
393
|
-
changelog_uri: https://github.com/rails/rails/blob/v6.1.
|
394
|
-
documentation_uri: https://api.rubyonrails.org/v6.1.
|
393
|
+
changelog_uri: https://github.com/rails/rails/blob/v6.1.6.1/activerecord/CHANGELOG.md
|
394
|
+
documentation_uri: https://api.rubyonrails.org/v6.1.6.1/
|
395
395
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
396
|
-
source_code_uri: https://github.com/rails/rails/tree/v6.1.
|
396
|
+
source_code_uri: https://github.com/rails/rails/tree/v6.1.6.1/activerecord
|
397
397
|
rubygems_mfa_required: 'true'
|
398
|
-
post_install_message:
|
398
|
+
post_install_message:
|
399
399
|
rdoc_options:
|
400
400
|
- "--main"
|
401
401
|
- README.rdoc
|
@@ -412,8 +412,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
412
412
|
- !ruby/object:Gem::Version
|
413
413
|
version: '0'
|
414
414
|
requirements: []
|
415
|
-
rubygems_version: 3.3.
|
416
|
-
signing_key:
|
415
|
+
rubygems_version: 3.3.3
|
416
|
+
signing_key:
|
417
417
|
specification_version: 4
|
418
418
|
summary: Object-relational mapper framework (part of Rails).
|
419
419
|
test_files: []
|