activerecord 6.1.6.1 → 6.1.7.6
- checksums.yaml +4 -4
- data/CHANGELOG.md +79 -0
- data/lib/active_record/coders/yaml_column.rb +15 -5
- data/lib/active_record/connection_adapters/abstract/quoting.rb +10 -1
- data/lib/active_record/connection_adapters/postgresql/quoting.rb +26 -0
- data/lib/active_record/connection_adapters/postgresql_adapter.rb +2 -2
- data/lib/active_record/core.rb +8 -1
- data/lib/active_record/gem_version.rb +2 -2
- data/lib/active_record/railtie.rb +0 -18
- data/lib/active_record/relation/query_methods.rb +2 -0
- data/lib/active_record/store.rb +6 -1
- data/lib/active_record/test_fixtures.rb +9 -5
- metadata +9 -9
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 7ec4eda45d1e8e0c9fddeae0ff2a3669ac9e8a2b0c90abaf05446db92476268c
|
4
|
+
data.tar.gz: da031bd64708f1a910f8b1945272bcfbd4eefe7c592c6756791216e1fa5efa33
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 788d6b0d99b8e228bdb8382082682775ea483b828decdd74dcb1b1f8682160b289194e278a4870432c053f8df994e713236e81c533859a606b786b92d5dfad18
|
7
|
+
data.tar.gz: 98863969baa8cf720741a24b1e45b2fd148a07d872579a39535e75d3927e4816efc757284c39af269dd4708cd3ece6846607c6580b3546bf2da82b9ff7adeebe
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,77 @@
|
|
1
|
+
## Rails 6.1.7.6 (August 22, 2023) ##
|
2
|
+
|
3
|
+
* No changes.
|
4
|
+
|
5
|
+
|
6
|
+
## Rails 6.1.7.5 (August 22, 2023) ##
|
7
|
+
|
8
|
+
* No changes.
|
9
|
+
|
10
|
+
|
11
|
+
## Rails 6.1.7.4 (June 26, 2023) ##
|
12
|
+
|
13
|
+
* No changes.
|
14
|
+
|
15
|
+
|
16
|
+
## Rails 6.1.7.3 (March 13, 2023) ##
|
17
|
+
|
18
|
+
* No changes.
|
19
|
+
|
20
|
+
|
21
|
+
## Rails 6.1.7.2 (January 24, 2023) ##
|
22
|
+
|
23
|
+
* No changes.
|
24
|
+
|
25
|
+
|
26
|
+
## Rails 6.1.7.1 (January 17, 2023) ##
|
27
|
+
|
28
|
+
* Make sanitize_as_sql_comment more strict
|
29
|
+
|
30
|
+
Though this method was likely never meant to take user input, it was
|
31
|
+
attempting sanitization. That sanitization could be bypassed with
|
32
|
+
carefully crafted input.
|
33
|
+
|
34
|
+
This commit makes the sanitization more robust by replacing any
|
35
|
+
occurrances of "/*" or "*/" with "/ *" or "* /". It also performs a
|
36
|
+
first pass to remove one surrounding comment to avoid compatibility
|
37
|
+
issues for users relying on the existing removal.
|
38
|
+
|
39
|
+
This also clarifies in the documentation of annotate that it should not
|
40
|
+
be provided user input.
|
41
|
+
|
42
|
+
[CVE-2023-22794]
|
43
|
+
|
44
|
+
* Added integer width check to PostgreSQL::Quoting
|
45
|
+
|
46
|
+
Given a value outside the range for a 64bit signed integer type
|
47
|
+
PostgreSQL will treat the column type as numeric. Comparing
|
48
|
+
integer values against numeric values can result in a slow
|
49
|
+
sequential scan.
|
50
|
+
|
51
|
+
This behavior is configurable via
|
52
|
+
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
|
53
|
+
|
54
|
+
[CVE-2022-44566]
|
55
|
+
|
56
|
+
## Rails 6.1.7 (September 09, 2022) ##
|
57
|
+
|
58
|
+
* Symbol is allowed by default for YAML columns
|
59
|
+
|
60
|
+
*Étienne Barrié*
|
61
|
+
|
62
|
+
* Fix `ActiveRecord::Store` to serialize as a regular Hash
|
63
|
+
|
64
|
+
Previously it would serialize as an `ActiveSupport::HashWithIndifferentAccess`
|
65
|
+
which is wasteful and cause problem with YAML safe_load.
|
66
|
+
|
67
|
+
*Jean Boussier*
|
68
|
+
|
69
|
+
* Fix PG.connect keyword arguments deprecation warning on ruby 2.7
|
70
|
+
|
71
|
+
Fixes #44307.
|
72
|
+
|
73
|
+
*Nikita Vasilevsky*
|
74
|
+
|
1
75
|
## Rails 6.1.6.1 (July 12, 2022) ##
|
2
76
|
|
3
77
|
* Change ActiveRecord::Coders::YAMLColumn default to safe_load
|
@@ -26,6 +100,11 @@
|
|
26
100
|
[CVE-2022-32224]
|
27
101
|
|
28
102
|
|
103
|
+
## Rails 6.1.6 (May 09, 2022) ##
|
104
|
+
|
105
|
+
* No changes.
|
106
|
+
|
107
|
+
|
29
108
|
## Rails 6.1.5.1 (April 26, 2022) ##
|
30
109
|
|
31
110
|
* No changes.
|
@@ -45,14 +45,24 @@ module ActiveRecord
|
|
45
45
|
raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
|
46
46
|
end
|
47
47
|
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
else
|
52
|
-
if YAML.respond_to?(:unsafe_load)
|
48
|
+
if YAML.respond_to?(:unsafe_load)
|
49
|
+
def yaml_load(payload)
|
50
|
+
if ActiveRecord::Base.use_yaml_unsafe_load
|
53
51
|
YAML.unsafe_load(payload)
|
52
|
+
elsif YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])
|
53
|
+
YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
|
54
54
|
else
|
55
|
+
YAML.safe_load(payload, ActiveRecord::Base.yaml_column_permitted_classes, [], true)
|
56
|
+
end
|
57
|
+
end
|
58
|
+
else
|
59
|
+
def yaml_load(payload)
|
60
|
+
if ActiveRecord::Base.use_yaml_unsafe_load
|
55
61
|
YAML.load(payload)
|
62
|
+
elsif YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])
|
63
|
+
YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
|
64
|
+
else
|
65
|
+
YAML.safe_load(payload, ActiveRecord::Base.yaml_column_permitted_classes, [], true)
|
56
66
|
end
|
57
67
|
end
|
58
68
|
end
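Review bot: `YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])` is re-evaluated on every `yaml_load` call in both of the new definitions, even though the answer is fixed for the Psych version that is loaded; computing it once at class scope, e.g. `SAFE_LOAD_TAKES_KEYWORDS = YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])`, and branching on that constant removes the per-deserialization reflection and lets the duplicated `elsif`/`else` arms collapse into one shared helper, since the two definitions differ only in `YAML.unsafe_load` versus `YAML.load`. A one-line comment above `if YAML.respond_to?(:unsafe_load)` saying that the branch exists because newer Psych made `load` restricted and added `unsafe_load` would explain the compatibility split to readers. `aliases: true` is passed on every restricted path; a comment stating that anchors/aliases are intentionally accepted for stored column YAML would make that choice visible to whoever audits the `yaml_column_permitted_classes` policy later. The enclosing class opens outside the hunk.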
|
@@ -138,7 +138,16 @@ module ActiveRecord
|
|
138
138
|
end
|
139
139
|
|
140
140
|
def sanitize_as_sql_comment(value) # :nodoc:
|
141
|
-
|
141
|
+
# Sanitize a string to appear within a SQL comment
|
142
|
+
# For compatibility, this also surrounding "/*+", "/*", and "*/"
|
143
|
+
# charcacters, possibly with single surrounding space.
|
144
|
+
# Then follows that by replacing any internal "*/" or "/ *" with
|
145
|
+
# "* /" or "/ *"
|
146
|
+
comment = value.to_s.dup
|
147
|
+
comment.gsub!(%r{\A\s*/\*\+?\s?|\s?\*/\s*\Z}, "")
|
148
|
+
comment.gsub!("*/", "* /")
|
149
|
+
comment.gsub!("/*", "/ *")
|
150
|
+
comment
|
142
151
|
end
|
143
152
|
|
144
153
|
def column_name_matcher # :nodoc:
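Review bot: The new comment block inside `sanitize_as_sql_comment` is garbled: "this also surrounding" has lost its verb, "charcacters" is misspelled, and the last two lines say "/ *" is replaced with "/ *", whereas the code replaces "/*". I would replace the five comment lines with `# Strips one surrounding "/*", "/*+" or "*/" delimiter (optionally padded by a single space) for compatibility,` `# then replaces any remaining "*/" with "* /" and "/*" with "/ *" so the result cannot` `# open or close a SQL block comment.` The regex anchor `\Z` also matches before a trailing newline; here the preceding `\s*` absorbs that newline so the result is the same, but `\z` states the intent of matching the true end of the string. Ordering the `"*/"` pass before the `"/*"` pass is what keeps the output free of both delimiters (an input like `*/*` becomes `* / *`), which is worth a short why-comment on the two `gsub!` lines.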
|
@@ -4,6 +4,12 @@ module ActiveRecord
|
|
4
4
|
module ConnectionAdapters
|
5
5
|
module PostgreSQL
|
6
6
|
module Quoting
|
7
|
+
class IntegerOutOf64BitRange < StandardError
|
8
|
+
def initialize(msg)
|
9
|
+
super(msg)
|
10
|
+
end
|
11
|
+
end
|
12
|
+
|
7
13
|
# Escapes binary strings for bytea input to the database.
|
8
14
|
def escape_bytea(value)
|
9
15
|
@connection.escape_bytea(value) if value
|
@@ -120,7 +126,27 @@ module ActiveRecord
|
|
120
126
|
super(query_value("SELECT #{quote(sql_type)}::regtype::oid", "SCHEMA").to_i)
|
121
127
|
end
|
122
128
|
|
129
|
+
def check_int_in_range(value)
|
130
|
+
if value.to_int > 9223372036854775807 || value.to_int < -9223372036854775808
|
131
|
+
exception = <<~ERROR
|
132
|
+
Provided value outside of the range of a signed 64bit integer.
|
133
|
+
|
134
|
+
PostgreSQL will treat the column type in question as a numeric.
|
135
|
+
This may result in a slow sequential scan due to a comparison
|
136
|
+
being performed between an integer or bigint value and a numeric value.
|
137
|
+
|
138
|
+
To allow for this potentially unwanted behavior, set
|
139
|
+
ActiveRecord::Base.raise_int_wider_than_64bit to false.
|
140
|
+
ERROR
|
141
|
+
raise IntegerOutOf64BitRange.new exception
|
142
|
+
end
|
143
|
+
end
|
144
|
+
|
123
145
|
def _quote(value)
|
146
|
+
if ActiveRecord::Base.raise_int_wider_than_64bit && value.is_a?(Integer)
|
147
|
+
check_int_in_range(value)
|
148
|
+
end
|
149
|
+
|
124
150
|
case value
|
125
151
|
when OID::Xml::Data
|
126
152
|
"xml '#{quote_string(value.to_s)}'"
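Review bot: `raise IntegerOutOf64BitRange.new exception` in `check_int_in_range` should be the idiomatic `raise IntegerOutOf64BitRange, exception`, and `value.to_int` is evaluated twice against two unnamed literals; a class-level constant such as `INT64_RANGE = (-(2**63)..(2**63 - 1))` with `unless INT64_RANGE.cover?(value.to_int)` names the bound and converts once. `IntegerOutOf64BitRange#initialize` only forwards to `super(msg)` and can be dropped, since `StandardError` already accepts a message. The heredoc bound to `exception` is a message string, so naming it `message` would read better than `exception`. In the second hunk the check is performed only inside `_quote`; whether bound parameters reach the same path is not visible here, so a comment on the `raise_int_wider_than_64bit` guard stating which quoting entry points it covers would help the next reader.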
|
@@ -75,7 +75,7 @@ module ActiveRecord
|
|
75
75
|
|
76
76
|
class << self
|
77
77
|
def new_client(conn_params)
|
78
|
-
PG.connect(conn_params)
|
78
|
+
PG.connect(**conn_params)
|
79
79
|
rescue ::PG::Error => error
|
80
80
|
if conn_params && conn_params[:dbname] && error.message.include?(conn_params[:dbname])
|
81
81
|
raise ActiveRecord::NoDatabaseError
|
@@ -247,7 +247,7 @@ module ActiveRecord
|
|
247
247
|
def initialize(connection, logger, connection_parameters, config)
|
248
248
|
super(connection, logger, config)
|
249
249
|
|
250
|
-
@connection_parameters = connection_parameters
|
250
|
+
@connection_parameters = connection_parameters || {}
|
251
251
|
|
252
252
|
# @local_tz is initialized as nil to avoid warnings when connect tries to use it
|
253
253
|
@local_tz = nil
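Review bot: The `conn_params && conn_params[:dbname]` guard in the `rescue ::PG::Error` branch of `new_client` no longer does what it did before the change to `PG.connect(**conn_params)`: on Ruby versions that reject `**nil`, a nil argument now raises a `TypeError` before the rescue is reached, and the second hunk defaults `@connection_parameters` to `{}` anyway, so the nil case appears unreachable from this adapter. Either simplify the guard to `if conn_params[:dbname] && error.message.include?(conn_params[:dbname])` or leave a comment saying `new_client` may still be called directly with nil if that is a supported entry point, since that is not visible in the hunk. A one-line comment on the splat, `# PG.connect takes keyword arguments; splatting avoids the Ruby 2.7 hash-to-keywords deprecation warning`, would record the reason given in the CHANGELOG for this change.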
|
data/lib/active_record/core.rb
CHANGED
@@ -161,7 +161,14 @@ module ActiveRecord
|
|
161
161
|
|
162
162
|
# Application configurable array that provides additional permitted classes
|
163
163
|
# to Psych safe_load in the YAML Coder
|
164
|
-
mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: []
|
164
|
+
mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: [Symbol]
|
165
|
+
|
166
|
+
##
|
167
|
+
# :singleton-method:
|
168
|
+
# Application configurable boolean that denotes whether or not to raise
|
169
|
+
# an exception when the PostgreSQLAdapter is provided with an integer that is
|
170
|
+
# wider than signed 64bit representation
|
171
|
+
mattr_accessor :raise_int_wider_than_64bit, instance_writer: false, default: true
|
165
172
|
|
166
173
|
self.filter_attributes = []
|
167
174
|
|
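Review bot: The doc comment for the new `raise_int_wider_than_64bit` accessor does not say what is raised or from where, which is the first thing a developer hitting the error will look for; I would extend it with `# When true, PostgreSQL::Quoting raises IntegerOutOf64BitRange instead of sending the value to the database.` The comment above `yaml_column_permitted_classes` still reads as if the default were empty, while the default is now `[Symbol]`; adding `# Defaults to [Symbol] so symbols in stored YAML load without further configuration.` keeps the comment in step with the value. The existing comment "to Psych safe_load in the YAML Coder" also lacks a period, a trivial wording nit while touching the block.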
@@ -279,23 +279,5 @@ To keep using the current cache store, you can turn off cache versioning entirel
|
|
279
279
|
self.signed_id_verifier_secret ||= -> { Rails.application.key_generator.generate_key("active_record/signed_id") }
|
280
280
|
end
|
281
281
|
end
|
282
|
-
|
283
|
-
initializer "active_record.use_yaml_unsafe_load" do |app|
|
284
|
-
config.after_initialize do
|
285
|
-
unless app.config.active_record.use_yaml_unsafe_load.nil?
|
286
|
-
ActiveRecord::Base.use_yaml_unsafe_load =
|
287
|
-
app.config.active_record.use_yaml_unsafe_load
|
288
|
-
end
|
289
|
-
end
|
290
|
-
end
|
291
|
-
|
292
|
-
initializer "active_record.yaml_column_permitted_classes" do |app|
|
293
|
-
config.after_initialize do
|
294
|
-
unless app.config.active_record.yaml_column_permitted_classes.nil?
|
295
|
-
ActiveRecord::Base.yaml_column_permitted_classes =
|
296
|
-
app.config.active_record.yaml_column_permitted_classes
|
297
|
-
end
|
298
|
-
end
|
299
|
-
end
|
300
282
|
end
|
301
283
|
end
|
@@ -1035,6 +1035,8 @@ module ActiveRecord
|
|
1035
1035
|
# # SELECT "users"."name" FROM "users" /* selecting */ /* user */ /* names */
|
1036
1036
|
#
|
1037
1037
|
# The SQL block comment delimiters, "/*" and "*/", will be added automatically.
|
1038
|
+
#
|
1039
|
+
# Some escaping is performed, however untrusted user input should not be used.
|
1038
1040
|
def annotate(*args)
|
1039
1041
|
check_if_method_has_arguments!(:annotate, args)
|
1040
1042
|
spawn.annotate!(*args)
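Review bot: The added doc line on `annotate` is a comma splice and understates the constraint: "Some escaping is performed, however untrusted user input should not be used." I would write it as `# Some escaping is performed (see +sanitize_as_sql_comment+), but untrusted user input must not be passed to +annotate+.` so it both points at the method that does the escaping and states the rule as a requirement rather than a preference. The method body continues unchanged outside the hunk.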
|
data/lib/active_record/store.rb
CHANGED
@@ -268,7 +268,7 @@ module ActiveRecord
|
|
268
268
|
end
|
269
269
|
|
270
270
|
def dump(obj)
|
271
|
-
@coder.dump
|
271
|
+
@coder.dump as_regular_hash(obj)
|
272
272
|
end
|
273
273
|
|
274
274
|
def load(yaml)
|
@@ -285,6 +285,11 @@ module ActiveRecord
|
|
285
285
|
ActiveSupport::HashWithIndifferentAccess.new
|
286
286
|
end
|
287
287
|
end
|
288
|
+
|
289
|
+
private
|
290
|
+
def as_regular_hash(obj)
|
291
|
+
obj.respond_to?(:to_hash) ? obj.to_hash : {}
|
292
|
+
end
|
288
293
|
end
|
289
294
|
end
|
290
295
|
end
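Review bot: `as_regular_hash` silently turns any object without `to_hash` (including `nil`) into `{}`, which matches the intent of always persisting a plain Hash but is not documented at the call site or the helper; a comment such as `# Persist a plain Hash (HashWithIndifferentAccess#to_hash gives string keys); anything that is not hash-like is stored as {}.` above `def as_regular_hash(obj)` would make the coercion deliberate rather than accidental-looking. In the first hunk, `@coder.dump as_regular_hash(obj)` should use parentheses, `@coder.dump(as_regular_hash(obj))`, since the argument is itself a call. The `private` marker is placed inside the class but the class header is outside the hunk, so I cannot tell from here whether `as_regular_hash` is the only private method; if it is, `private def as_regular_hash(obj)` keeps the visibility attached to the definition.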
|
@@ -134,7 +134,7 @@ module ActiveRecord
|
|
134
134
|
@connection_subscriber = ActiveSupport::Notifications.subscribe("!connection.active_record") do |_, _, _, _, payload|
|
135
135
|
spec_name = payload[:spec_name] if payload.key?(:spec_name)
|
136
136
|
shard = payload[:shard] if payload.key?(:shard)
|
137
|
-
setup_shared_connection_pool
|
137
|
+
setup_shared_connection_pool if ActiveRecord::Base.legacy_connection_handling
|
138
138
|
|
139
139
|
if spec_name
|
140
140
|
begin
|
@@ -143,10 +143,14 @@ module ActiveRecord
|
|
143
143
|
connection = nil
|
144
144
|
end
|
145
145
|
|
146
|
-
if connection
|
147
|
-
|
148
|
-
|
149
|
-
|
146
|
+
if connection
|
147
|
+
setup_shared_connection_pool unless ActiveRecord::Base.legacy_connection_handling
|
148
|
+
|
149
|
+
if !@fixture_connections.include?(connection)
|
150
|
+
connection.begin_transaction joinable: false, _lazy: false
|
151
|
+
connection.pool.lock_thread = true if lock_threads
|
152
|
+
@fixture_connections << connection
|
153
|
+
end
|
150
154
|
end
|
151
155
|
end
|
152
156
|
end
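Review bot: `if !@fixture_connections.include?(connection)` should be `unless @fixture_connections.include?(connection)`, the idiomatic negated form. The two new `setup_shared_connection_pool` calls, one guarded by `if ActiveRecord::Base.legacy_connection_handling` in the first hunk and one by `unless ActiveRecord::Base.legacy_connection_handling` inside `if connection` here, encode a reason that is not stated in the code; a short comment on the second one, `# With non-legacy handling, share the pool only once a connection for this spec/shard is known`, would explain the split to the next reader, with that wording confirmed against why the ordering matters, which I cannot see from the hunk. The enclosing subscribe block starts outside the hunk.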
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: activerecord
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.1.6
|
4
|
+
version: 6.1.7.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2023-08-22 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,28 +16,28 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 6.1.6
|
19
|
+
version: 6.1.7.6
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 6.1.6
|
26
|
+
version: 6.1.7.6
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: activemodel
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
31
|
- - '='
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: 6.1.6
|
33
|
+
version: 6.1.7.6
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - '='
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: 6.1.6
|
40
|
+
version: 6.1.7.6
|
41
41
|
description: Databases on Rails. Build a persistent domain model by mapping database
|
42
42
|
tables to Ruby classes. Strong conventions for associations, validations, aggregations,
|
43
43
|
migrations, and testing come baked-in.
|
@@ -390,10 +390,10 @@ licenses:
|
|
390
390
|
- MIT
|
391
391
|
metadata:
|
392
392
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
393
|
-
changelog_uri: https://github.com/rails/rails/blob/v6.1.6
|
394
|
-
documentation_uri: https://api.rubyonrails.org/v6.1.6
|
393
|
+
changelog_uri: https://github.com/rails/rails/blob/v6.1.7.6/activerecord/CHANGELOG.md
|
394
|
+
documentation_uri: https://api.rubyonrails.org/v6.1.7.6/
|
395
395
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
396
|
-
source_code_uri: https://github.com/rails/rails/tree/v6.1.6
|
396
|
+
source_code_uri: https://github.com/rails/rails/tree/v6.1.7.6/activerecord
|
397
397
|
rubygems_mfa_required: 'true'
|
398
398
|
post_install_message:
|
399
399
|
rdoc_options:
|