activerecord 6.1.6.1 → 6.1.7.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
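--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 2093e13defc611f0ec1e62d7efd445bcd1c5b182d8aab24f3dd3625047ce2f9f
- data.tar.gz: 8d3e9a6daab9d0026cc1826d1caf2f24fee239d05b63cbb0eac866b1daded767
+ metadata.gz: 7ec4eda45d1e8e0c9fddeae0ff2a3669ac9e8a2b0c90abaf05446db92476268c
+ data.tar.gz: da031bd64708f1a910f8b1945272bcfbd4eefe7c592c6756791216e1fa5efa33
  SHA512:
- metadata.gz: 3e6be64f1492b2441290abac0af6cde31950acef133ccdd98202b2ab719dc48b0f969eda318b4712c508cde2f29b3a6c381c27c6e7467b4ee25ec97209717d7a
- data.tar.gz: 924c8bcbbaa608deb02263437e76947737b041b39a86818585e3d087530f0d1e3fdc537fc10d1177fe6cf2413deaf47f655342435312a5d473a4789e7a35631f
+ metadata.gz: 788d6b0d99b8e228bdb8382082682775ea483b828decdd74dcb1b1f8682160b289194e278a4870432c053f8df994e713236e81c533859a606b786b92d5dfad18
+ data.tar.gz: 98863969baa8cf720741a24b1e45b2fd148a07d872579a39535e75d3927e4816efc757284c39af269dd4708cd3ece6846607c6580b3546bf2da82b9ff7adeebe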
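--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,77 @@
+ ## Rails 6.1.7.6 (August 22, 2023) ##
+
+ * No changes.
+
+
+ ## Rails 6.1.7.5 (August 22, 2023) ##
+
+ * No changes.
+
+
+ ## Rails 6.1.7.4 (June 26, 2023) ##
+
+ * No changes.
+
+
+ ## Rails 6.1.7.3 (March 13, 2023) ##
+
+ * No changes.
+
+
+ ## Rails 6.1.7.2 (January 24, 2023) ##
+
+ * No changes.
+
+
+ ## Rails 6.1.7.1 (January 17, 2023) ##
+
+ * Make sanitize_as_sql_comment more strict
+
+ Though this method was likely never meant to take user input, it was
+ attempting sanitization. That sanitization could be bypassed with
+ carefully crafted input.
+
+ This commit makes the sanitization more robust by replacing any
+ occurrances of "/*" or "*/" with "/ *" or "* /". It also performs a
+ first pass to remove one surrounding comment to avoid compatibility
+ issues for users relying on the existing removal.
+
+ This also clarifies in the documentation of annotate that it should not
+ be provided user input.
+
+ [CVE-2023-22794]
+
+ * Added integer width check to PostgreSQL::Quoting
+
+ Given a value outside the range for a 64bit signed integer type
+ PostgreSQL will treat the column type as numeric. Comparing
+ integer values against numeric values can result in a slow
+ sequential scan.
+
+ This behavior is configurable via
+ ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
+
+ [CVE-2022-44566]
+
+ ## Rails 6.1.7 (September 09, 2022) ##
+
+ * Symbol is allowed by default for YAML columns
+
+ *Étienne Barrié*
+
+ * Fix `ActiveRecord::Store` to serialize as a regular Hash
+
+ Previously it would serialize as an `ActiveSupport::HashWithIndifferentAccess`
+ which is wasteful and cause problem with YAML safe_load.
+
+ *Jean Boussier*
+
+ * Fix PG.connect keyword arguments deprecation warning on ruby 2.7
+
+ Fixes #44307.
+
+ *Nikita Vasilevsky*
+
  ## Rails 6.1.6.1 (July 12, 2022) ##
 
  * Change ActiveRecord::Coders::YAMLColumn default to safe_load
@@ -26,6 +100,11 @@
  [CVE-2022-32224]
 
 
+ ## Rails 6.1.6 (May 09, 2022) ##
+
+ * No changes.
+
+
  ## Rails 6.1.5.1 (April 26, 2022) ##
 
  * No changes.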
@@ -45,14 +45,24 @@ module ActiveRecord
45
45
  raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
46
46
  end
47
47
 
48
- def yaml_load(payload)
49
- if !ActiveRecord::Base.use_yaml_unsafe_load
50
- YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
51
- else
52
- if YAML.respond_to?(:unsafe_load)
48
+ if YAML.respond_to?(:unsafe_load)
49
+ def yaml_load(payload)
50
+ if ActiveRecord::Base.use_yaml_unsafe_load
53
51
  YAML.unsafe_load(payload)
52
+ elsif YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])
53
+ YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
54
54
  else
55
+ YAML.safe_load(payload, ActiveRecord::Base.yaml_column_permitted_classes, [], true)
56
+ end
57
+ end
58
+ else
59
+ def yaml_load(payload)
60
+ if ActiveRecord::Base.use_yaml_unsafe_load
55
61
  YAML.load(payload)
62
+ elsif YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])
63
+ YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
64
+ else
65
+ YAML.safe_load(payload, ActiveRecord::Base.yaml_column_permitted_classes, [], true)
56
66
  end
57
67
  end
58
68
  end
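Review bot: Both new `yaml_load` definitions re-run `YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])` by reflection on every column load, although the Psych signature cannot change at runtime; compute it once next to the `YAML.respond_to?(:unsafe_load)` check, e.g. `safe_load_takes_kwargs = YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])` at class-body level, and branch on that inside the method. The `use_yaml_unsafe_load` branch also deserves a why-comment, because `YAML.unsafe_load` (and `YAML.load` on the Psych versions that lack `unsafe_load`) instantiates whatever Ruby objects the column's bytes name: `# Opt-in only: unsafe_load deserializes arbitrary objects named in the YAML — acceptable solely when the column contents are trusted (see CVE-2022-32224).` `aliases: true` in the safe path is a deliberate deviation from `safe_load`'s default and is worth a one-line note as well. The enclosing class starts before and continues past this hunk.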
@@ -138,7 +138,16 @@ module ActiveRecord
138
138
  end
139
139
 
140
140
  def sanitize_as_sql_comment(value) # :nodoc:
141
- value.to_s.gsub(%r{ (/ (?: | \g<1>) \*) \+? \s* | \s* (\* (?: | \g<2>) /) }x, "")
141
+ # Sanitize a string to appear within a SQL comment
142
+ # For compatibility, this also surrounding "/*+", "/*", and "*/"
143
+ # charcacters, possibly with single surrounding space.
144
+ # Then follows that by replacing any internal "*/" or "/ *" with
145
+ # "* /" or "/ *"
146
+ comment = value.to_s.dup
147
+ comment.gsub!(%r{\A\s*/\*\+?\s?|\s?\*/\s*\Z}, "")
148
+ comment.gsub!("*/", "* /")
149
+ comment.gsub!("/*", "/ *")
150
+ comment
142
151
  end
143
152
 
144
153
  def column_name_matcher # :nodoc:
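Review bot: The header comment added above the new body misstates what the code does and is misspelled: it says internal `*/` or `/ *` are rewritten, while the two `gsub!` calls replace `*/` and `/*`, and `this also surrounding` / `charcacters` are garbled. Suggested replacement for the five comment lines: `# Sanitize a string for use inside a SQL block comment.`, `# For compatibility, first strip one surrounding "/*", "/*+" or "*/" (optionally with one adjacent space),`, `# then break any remaining "*/" or "/*" into "* /" or "/ *" so the value can neither close nor reopen a comment.` Because the replacements run sequentially, an input such as `*/*` ends up as `* / *`; that is the property the CHANGELOG entry (CVE-2023-22794) relies on for `annotate`, so it belongs in a unit test rather than only in a comment.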
@@ -4,6 +4,12 @@ module ActiveRecord
4
4
  module ConnectionAdapters
5
5
  module PostgreSQL
6
6
  module Quoting
7
+ class IntegerOutOf64BitRange < StandardError
8
+ def initialize(msg)
9
+ super(msg)
10
+ end
11
+ end
12
+
7
13
  # Escapes binary strings for bytea input to the database.
8
14
  def escape_bytea(value)
9
15
  @connection.escape_bytea(value) if value
@@ -120,7 +126,27 @@ module ActiveRecord
120
126
  super(query_value("SELECT #{quote(sql_type)}::regtype::oid", "SCHEMA").to_i)
121
127
  end
122
128
 
129
+ def check_int_in_range(value)
130
+ if value.to_int > 9223372036854775807 || value.to_int < -9223372036854775808
131
+ exception = <<~ERROR
132
+ Provided value outside of the range of a signed 64bit integer.
133
+
134
+ PostgreSQL will treat the column type in question as a numeric.
135
+ This may result in a slow sequential scan due to a comparison
136
+ being performed between an integer or bigint value and a numeric value.
137
+
138
+ To allow for this potentially unwanted behavior, set
139
+ ActiveRecord::Base.raise_int_wider_than_64bit to false.
140
+ ERROR
141
+ raise IntegerOutOf64BitRange.new exception
142
+ end
143
+ end
144
+
123
145
  def _quote(value)
146
+ if ActiveRecord::Base.raise_int_wider_than_64bit && value.is_a?(Integer)
147
+ check_int_in_range(value)
148
+ end
149
+
124
150
  case value
125
151
  when OID::Xml::Data
126
152
  "xml '#{quote_string(value.to_s)}'"
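Review bot: `check_int_in_range` hard-codes 9223372036854775807 and -9223372036854775808 and raises with `IntegerOutOf64BitRange.new exception`; name the bounds and use the class-plus-message form, e.g. `INT64_RANGE = (-(2**63))..(2**63 - 1)` with `return if INT64_RANGE.cover?(value.to_int)` and `raise IntegerOutOf64BitRange, exception`. The guard in `_quote` fires for every `Integer` the adapter quotes, not only values bound for `integer`/`bigint` columns, so a legitimately wide value destined for a `numeric` column is rejected unless the global `raise_int_wider_than_64bit` flag is turned off — that consequence deserves a sentence in the method comment and in the raised message. Whether bound parameters that never pass through `_quote` receive the same protection cannot be seen from this hunk; `_quote` itself continues past the end of the hunk.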
@@ -75,7 +75,7 @@ module ActiveRecord
75
75
 
76
76
  class << self
77
77
  def new_client(conn_params)
78
- PG.connect(conn_params)
78
+ PG.connect(**conn_params)
79
79
  rescue ::PG::Error => error
80
80
  if conn_params && conn_params[:dbname] && error.message.include?(conn_params[:dbname])
81
81
  raise ActiveRecord::NoDatabaseError
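Review bot: With `PG.connect(**conn_params)`, a `nil` argument now fails before any connection is attempted — on Ruby 2.7 through 3.3 `**nil` raises `TypeError`, which the `rescue ::PG::Error` below does not catch — so the `conn_params &&` guard on the rescue line is dead for the case it was written for. Either accept that `new_client` requires a Hash and drop the guard, or keep the old tolerance with `PG.connect(**(conn_params || {}))`. The adapter's own constructor appears to default the parameters to `{}` elsewhere in this release, but `new_client` is a public class method that can be reached directly; the method continues past the end of the hunk.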
@@ -247,7 +247,7 @@ module ActiveRecord
247
247
  def initialize(connection, logger, connection_parameters, config)
248
248
  super(connection, logger, config)
249
249
 
250
- @connection_parameters = connection_parameters
250
+ @connection_parameters = connection_parameters || {}
251
251
 
252
252
  # @local_tz is initialized as nil to avoid warnings when connect tries to use it
253
253
  @local_tz = nil
@@ -161,7 +161,14 @@ module ActiveRecord
161
161
 
162
162
  # Application configurable array that provides additional permitted classes
163
163
  # to Psych safe_load in the YAML Coder
164
- mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: []
164
+ mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: [Symbol]
165
+
166
+ ##
167
+ # :singleton-method:
168
+ # Application configurable boolean that denotes whether or not to raise
169
+ # an exception when the PostgreSQLAdapter is provided with an integer that is
170
+ # wider than signed 64bit representation
171
+ mattr_accessor :raise_int_wider_than_64bit, instance_writer: false, default: true
165
172
 
166
173
  self.filter_attributes = []
167
174
 
@@ -9,8 +9,8 @@ module ActiveRecord
9
9
  module VERSION
10
10
  MAJOR = 6
11
11
  MINOR = 1
12
- TINY = 6
13
- PRE = "1"
12
+ TINY = 7
13
+ PRE = "6"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -279,23 +279,5 @@ To keep using the current cache store, you can turn off cache versioning entirel
279
279
  self.signed_id_verifier_secret ||= -> { Rails.application.key_generator.generate_key("active_record/signed_id") }
280
280
  end
281
281
  end
282
-
283
- initializer "active_record.use_yaml_unsafe_load" do |app|
284
- config.after_initialize do
285
- unless app.config.active_record.use_yaml_unsafe_load.nil?
286
- ActiveRecord::Base.use_yaml_unsafe_load =
287
- app.config.active_record.use_yaml_unsafe_load
288
- end
289
- end
290
- end
291
-
292
- initializer "active_record.yaml_column_permitted_classes" do |app|
293
- config.after_initialize do
294
- unless app.config.active_record.yaml_column_permitted_classes.nil?
295
- ActiveRecord::Base.yaml_column_permitted_classes =
296
- app.config.active_record.yaml_column_permitted_classes
297
- end
298
- end
299
- end
300
282
  end
301
283
  end
@@ -1035,6 +1035,8 @@ module ActiveRecord
1035
1035
  # # SELECT "users"."name" FROM "users" /* selecting */ /* user */ /* names */
1036
1036
  #
1037
1037
  # The SQL block comment delimiters, "/*" and "*/", will be added automatically.
1038
+ #
1039
+ # Some escaping is performed, however untrusted user input should not be used.
1038
1040
  def annotate(*args)
1039
1041
  check_if_method_has_arguments!(:annotate, args)
1040
1042
  spawn.annotate!(*args)
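Review bot: The new doc sentence `# Some escaping is performed, however untrusted user input should not be used.` is a comma splice and leaves the reader guessing what is escaped and why it is still unsafe; judging from `sanitize_as_sql_comment` in this release, say it directly: `# Only the block-comment delimiters "/*" and "*/" inside each argument are neutralized; this is not a general sanitizer, so never pass untrusted user input to +annotate+.` The comment sits above `annotate`, whose documentation starts before this hunk.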
@@ -268,7 +268,7 @@ module ActiveRecord
268
268
  end
269
269
 
270
270
  def dump(obj)
271
- @coder.dump self.class.as_indifferent_hash(obj)
271
+ @coder.dump as_regular_hash(obj)
272
272
  end
273
273
 
274
274
  def load(yaml)
@@ -285,6 +285,11 @@ module ActiveRecord
285
285
  ActiveSupport::HashWithIndifferentAccess.new
286
286
  end
287
287
  end
288
+
289
+ private
290
+ def as_regular_hash(obj)
291
+ obj.respond_to?(:to_hash) ? obj.to_hash : {}
292
+ end
288
293
  end
289
294
  end
290
295
  end
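Review bot: `as_regular_hash` silently turns anything that does not respond to `to_hash` into `{}`, so a caller that assigns a non-hash loses the value without any error; if that is the intended contract (it mirrors the `HashWithIndifferentAccess.new` fallback visible just above), state it in a comment rather than leaving it implicit: `# Dump as a plain Hash so the YAML can be read back by safe_load without permitting HashWithIndifferentAccess; non-hash-like input is stored as an empty hash, matching as_indifferent_hash.` The enclosing coder class begins before this hunk.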
@@ -134,7 +134,7 @@ module ActiveRecord
134
134
  @connection_subscriber = ActiveSupport::Notifications.subscribe("!connection.active_record") do |_, _, _, _, payload|
135
135
  spec_name = payload[:spec_name] if payload.key?(:spec_name)
136
136
  shard = payload[:shard] if payload.key?(:shard)
137
- setup_shared_connection_pool
137
+ setup_shared_connection_pool if ActiveRecord::Base.legacy_connection_handling
138
138
 
139
139
  if spec_name
140
140
  begin
@@ -143,10 +143,14 @@ module ActiveRecord
143
143
  connection = nil
144
144
  end
145
145
 
146
- if connection && !@fixture_connections.include?(connection)
147
- connection.begin_transaction joinable: false, _lazy: false
148
- connection.pool.lock_thread = true if lock_threads
149
- @fixture_connections << connection
146
+ if connection
147
+ setup_shared_connection_pool unless ActiveRecord::Base.legacy_connection_handling
148
+
149
+ if !@fixture_connections.include?(connection)
150
+ connection.begin_transaction joinable: false, _lazy: false
151
+ connection.pool.lock_thread = true if lock_threads
152
+ @fixture_connections << connection
153
+ end
150
154
  end
151
155
  end
152
156
  end
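Review bot: Inside the new `if connection` block, `setup_shared_connection_pool unless ActiveRecord::Base.legacy_connection_handling` runs on every `!connection.active_record` notification for a connection, including ones already present in `@fixture_connections`, because it sits before the `include?` check; unless that method is idempotent and cheap (not visible here), move it inside the inner branch so it runs once per newly seen fixture connection. Separately, `if !@fixture_connections.include?(connection)` reads better as `unless @fixture_connections.include?(connection)`. The surrounding subscribe block starts before this hunk.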
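--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: activerecord
  version: !ruby/object:Gem::Version
- version: 6.1.6.1
+ version: 6.1.7.6
  platform: ruby
  authors:
  - David Heinemeier Hansson
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-07-12 00:00:00.000000000 Z
+ date: 2023-08-22 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport
@@ -16,28 +16,28 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 6.1.6.1
+ version: 6.1.7.6
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 6.1.6.1
+ version: 6.1.7.6
  - !ruby/object:Gem::Dependency
  name: activemodel
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 6.1.6.1
+ version: 6.1.7.6
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 6.1.6.1
+ version: 6.1.7.6
  description: Databases on Rails. Build a persistent domain model by mapping database
  tables to Ruby classes. Strong conventions for associations, validations, aggregations,
  migrations, and testing come baked-in.
@@ -390,10 +390,10 @@ licenses:
  - MIT
  metadata:
  bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri: https://github.com/rails/rails/blob/v6.1.6.1/activerecord/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v6.1.6.1/
+ changelog_uri: https://github.com/rails/rails/blob/v6.1.7.6/activerecord/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v6.1.7.6/
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v6.1.6.1/activerecord
+ source_code_uri: https://github.com/rails/rails/tree/v6.1.7.6/activerecord
  rubygems_mfa_required: 'true'
  post_install_message:
  rdoc_options: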