activerecord 6.1.6.1 → 6.1.7.6

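--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 2093e13defc611f0ec1e62d7efd445bcd1c5b182d8aab24f3dd3625047ce2f9f
- data.tar.gz: 8d3e9a6daab9d0026cc1826d1caf2f24fee239d05b63cbb0eac866b1daded767
+ metadata.gz: 7ec4eda45d1e8e0c9fddeae0ff2a3669ac9e8a2b0c90abaf05446db92476268c
+ data.tar.gz: da031bd64708f1a910f8b1945272bcfbd4eefe7c592c6756791216e1fa5efa33
  SHA512:
- metadata.gz: 3e6be64f1492b2441290abac0af6cde31950acef133ccdd98202b2ab719dc48b0f969eda318b4712c508cde2f29b3a6c381c27c6e7467b4ee25ec97209717d7a
- data.tar.gz: 924c8bcbbaa608deb02263437e76947737b041b39a86818585e3d087530f0d1e3fdc537fc10d1177fe6cf2413deaf47f655342435312a5d473a4789e7a35631f
+ metadata.gz: 788d6b0d99b8e228bdb8382082682775ea483b828decdd74dcb1b1f8682160b289194e278a4870432c053f8df994e713236e81c533859a606b786b92d5dfad18
+ data.tar.gz: 98863969baa8cf720741a24b1e45b2fd148a07d872579a39535e75d3927e4816efc757284c39af269dd4708cd3ece6846607c6580b3546bf2da82b9ff7adeebe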
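--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,77 @@
+ ## Rails 6.1.7.6 (August 22, 2023) ##
+
+ * No changes.
+
+
+ ## Rails 6.1.7.5 (August 22, 2023) ##
+
+ * No changes.
+
+
+ ## Rails 6.1.7.4 (June 26, 2023) ##
+
+ * No changes.
+
+
+ ## Rails 6.1.7.3 (March 13, 2023) ##
+
+ * No changes.
+
+
+ ## Rails 6.1.7.2 (January 24, 2023) ##
+
+ * No changes.
+
+
+ ## Rails 6.1.7.1 (January 17, 2023) ##
+
+ * Make sanitize_as_sql_comment more strict
+
+ Though this method was likely never meant to take user input, it was
+ attempting sanitization. That sanitization could be bypassed with
+ carefully crafted input.
+
+ This commit makes the sanitization more robust by replacing any
+ occurrances of "/*" or "*/" with "/ *" or "* /". It also performs a
+ first pass to remove one surrounding comment to avoid compatibility
+ issues for users relying on the existing removal.
+
+ This also clarifies in the documentation of annotate that it should not
+ be provided user input.
+
+ [CVE-2023-22794]
+
+ * Added integer width check to PostgreSQL::Quoting
+
+ Given a value outside the range for a 64bit signed integer type
+ PostgreSQL will treat the column type as numeric. Comparing
+ integer values against numeric values can result in a slow
+ sequential scan.
+
+ This behavior is configurable via
+ ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
+
+ [CVE-2022-44566]
+
+ ## Rails 6.1.7 (September 09, 2022) ##
+
+ * Symbol is allowed by default for YAML columns
+
+ *Étienne Barrié*
+
+ * Fix `ActiveRecord::Store` to serialize as a regular Hash
+
+ Previously it would serialize as an `ActiveSupport::HashWithIndifferentAccess`
+ which is wasteful and cause problem with YAML safe_load.
+
+ *Jean Boussier*
+
+ * Fix PG.connect keyword arguments deprecation warning on ruby 2.7
+
+ Fixes #44307.
+
+ *Nikita Vasilevsky*
+
  ## Rails 6.1.6.1 (July 12, 2022) ##
 
  * Change ActiveRecord::Coders::YAMLColumn default to safe_load
@@ -26,6 +100,11 @@
  [CVE-2022-32224]
 
 
+ ## Rails 6.1.6 (May 09, 2022) ##
+
+ * No changes.
+
+
  ## Rails 6.1.5.1 (April 26, 2022) ##
 
  * No changes.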
@@ -45,14 +45,24 @@ module ActiveRecord
45
45
  raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
46
46
  end
47
47
 
48
- def yaml_load(payload)
49
- if !ActiveRecord::Base.use_yaml_unsafe_load
50
- YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
51
- else
52
- if YAML.respond_to?(:unsafe_load)
48
+ if YAML.respond_to?(:unsafe_load)
49
+ def yaml_load(payload)
50
+ if ActiveRecord::Base.use_yaml_unsafe_load
53
51
  YAML.unsafe_load(payload)
52
+ elsif YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])
53
+ YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
54
54
  else
55
+ YAML.safe_load(payload, ActiveRecord::Base.yaml_column_permitted_classes, [], true)
56
+ end
57
+ end
58
+ else
59
+ def yaml_load(payload)
60
+ if ActiveRecord::Base.use_yaml_unsafe_load
55
61
  YAML.load(payload)
62
+ elsif YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])
63
+ YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
64
+ else
65
+ YAML.safe_load(payload, ActiveRecord::Base.yaml_column_permitted_classes, [], true)
56
66
  end
57
67
  end
58
68
  end
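Review bot: The `YAML.method(:safe_load).parameters.include?([:key, :permitted_classes])` probe on new lines 52 and 62 is re-evaluated on every `yaml_load` call even though its answer is fixed once Psych is loaded, and the same three-way branch is written out twice, once per `def yaml_load`. Resolving the probe once at definition time next to the existing `YAML.respond_to?(:unsafe_load)` check, or memoising it in a constant, would leave a single branch per definition and make the positional fallback `YAML.safe_load(payload, ActiveRecord::Base.yaml_column_permitted_classes, [], true)` easier to spot and test. A short comment above the outer `if` would also help readers, e.g. `# Older Psych has no unsafe_load and takes safe_load's permitted classes positionally.` The enclosing class begins before this hunk.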
@@ -138,7 +138,16 @@ module ActiveRecord
138
138
  end
139
139
 
140
140
  def sanitize_as_sql_comment(value) # :nodoc:
141
- value.to_s.gsub(%r{ (/ (?: | \g<1>) \*) \+? \s* | \s* (\* (?: | \g<2>) /) }x, "")
141
+ # Sanitize a string to appear within a SQL comment
142
+ # For compatibility, this also surrounding "/*+", "/*", and "*/"
143
+ # charcacters, possibly with single surrounding space.
144
+ # Then follows that by replacing any internal "*/" or "/ *" with
145
+ # "* /" or "/ *"
146
+ comment = value.to_s.dup
147
+ comment.gsub!(%r{\A\s*/\*\+?\s?|\s?\*/\s*\Z}, "")
148
+ comment.gsub!("*/", "* /")
149
+ comment.gsub!("/*", "/ *")
150
+ comment
142
151
  end
143
152
 
144
153
  def column_name_matcher # :nodoc:
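Review bot: The comment on new lines 142–143 is missing its verb and has a typo ("this also surrounding", "charcacters"); suggested wording: `# For compatibility, this also strips one surrounding "/*+", "/*", or "*/"` / `# delimiter, possibly with a single adjacent space.` The strip regex on new line 147 anchors with `\Z`, which also matches before a trailing newline; the preceding `\s*` consumes that newline anyway, but `\z` states "end of string" exactly and avoids a reader having to reason about the difference. The two replacement passes on lines 148–149 each insert a space, so neither delimiter can survive whichever one runs first; that is the property the CVE-2023-22794 changelog entry relies on, and a test asserting the output contains neither `"/*"` nor `"*/"` for overlapping inputs such as `"*/*"` would pin it.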
@@ -4,6 +4,12 @@ module ActiveRecord
4
4
  module ConnectionAdapters
5
5
  module PostgreSQL
6
6
  module Quoting
7
+ class IntegerOutOf64BitRange < StandardError
8
+ def initialize(msg)
9
+ super(msg)
10
+ end
11
+ end
12
+
7
13
  # Escapes binary strings for bytea input to the database.
8
14
  def escape_bytea(value)
9
15
  @connection.escape_bytea(value) if value
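Review bot: `IntegerOutOf64BitRange#initialize` on new lines 8–10 only forwards `msg` to `super`, which is exactly what `StandardError` already does, so the body is redundant: `class IntegerOutOf64BitRange < StandardError; end`. The class carries no documentation either; a line such as `# Raised by _quote when raise_int_wider_than_64bit is set and an Integer lies outside the signed 64-bit range.` would tell callers when to rescue it. The `_quote` change that raises it is in the next hunk, which by its line offset appears to be the same file.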
@@ -120,7 +126,27 @@ module ActiveRecord
120
126
  super(query_value("SELECT #{quote(sql_type)}::regtype::oid", "SCHEMA").to_i)
121
127
  end
122
128
 
129
+ def check_int_in_range(value)
130
+ if value.to_int > 9223372036854775807 || value.to_int < -9223372036854775808
131
+ exception = <<~ERROR
132
+ Provided value outside of the range of a signed 64bit integer.
133
+
134
+ PostgreSQL will treat the column type in question as a numeric.
135
+ This may result in a slow sequential scan due to a comparison
136
+ being performed between an integer or bigint value and a numeric value.
137
+
138
+ To allow for this potentially unwanted behavior, set
139
+ ActiveRecord::Base.raise_int_wider_than_64bit to false.
140
+ ERROR
141
+ raise IntegerOutOf64BitRange.new exception
142
+ end
143
+ end
144
+
123
145
  def _quote(value)
146
+ if ActiveRecord::Base.raise_int_wider_than_64bit && value.is_a?(Integer)
147
+ check_int_in_range(value)
148
+ end
149
+
124
150
  case value
125
151
  when OID::Xml::Data
126
152
  "xml '#{quote_string(value.to_s)}'"
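Review bot: `raise IntegerOutOf64BitRange.new exception` on new line 141 should use the class-plus-message form, `raise IntegerOutOf64BitRange, exception`, and `exception` is a misleading name for what is a String message. `check_int_in_range` also calls `value.to_int` twice against two bare magic numbers; since `_quote` on new line 146 only calls it for an `Integer`, a named range keeps the bound in one place: `INT64_RANGE = (-(2**63))..(2**63 - 1)` / `return if INT64_RANGE.cover?(value)`. With no `private` visible above it, `check_int_in_range` appears to become part of the adapter's public surface; if that is unintended, move it under `private`.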
@@ -75,7 +75,7 @@ module ActiveRecord
75
75
 
76
76
  class << self
77
77
  def new_client(conn_params)
78
- PG.connect(conn_params)
78
+ PG.connect(**conn_params)
79
79
  rescue ::PG::Error => error
80
80
  if conn_params && conn_params[:dbname] && error.message.include?(conn_params[:dbname])
81
81
  raise ActiveRecord::NoDatabaseError
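Review bot: With `PG.connect(**conn_params)` on new line 78, a `nil` `conn_params` now fails inside the double splat with a `TypeError` on Ruby versions before 3.4, which is not a `::PG::Error`, so the `conn_params && conn_params[:dbname]` nil guard in the rescue on line 80 no longer has a case to cover. The `@connection_parameters = connection_parameters || {}` default added in the following hunk handles the adapter's own call, but `new_client` appears to be a public class method and other callers could still pass `nil`. Either document the precondition, `# conn_params must be a Hash; it is expanded into keyword arguments for PG.connect`, or give the parameter a `{}` default. The `class << self` block continues outside this hunk.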
@@ -247,7 +247,7 @@ module ActiveRecord
247
247
  def initialize(connection, logger, connection_parameters, config)
248
248
  super(connection, logger, config)
249
249
 
250
- @connection_parameters = connection_parameters
250
+ @connection_parameters = connection_parameters || {}
251
251
 
252
252
  # @local_tz is initialized as nil to avoid warnings when connect tries to use it
253
253
  @local_tz = nil
@@ -161,7 +161,14 @@ module ActiveRecord
161
161
 
162
162
  # Application configurable array that provides additional permitted classes
163
163
  # to Psych safe_load in the YAML Coder
164
- mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: []
164
+ mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: [Symbol]
165
+
166
+ ##
167
+ # :singleton-method:
168
+ # Application configurable boolean that denotes whether or not to raise
169
+ # an exception when the PostgreSQLAdapter is provided with an integer that is
170
+ # wider than signed 64bit representation
171
+ mattr_accessor :raise_int_wider_than_64bit, instance_writer: false, default: true
165
172
 
166
173
  self.filter_attributes = []
167
174
 
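Review bot: The comment on lines 162–163 still describes `yaml_column_permitted_classes` as "additional permitted classes" while new line 164 changes its default from `[]` to `[Symbol]`; the doc should say so, e.g. `# to Psych safe_load in the YAML Coder. Defaults to [Symbol].` The new `raise_int_wider_than_64bit` RDoc on lines 166–170 would be more useful if it named the exception that is raised, `IntegerOutOf64BitRange`, so applications know what to rescue, and "signed 64bit representation" reads better as "a signed 64-bit integer". The enclosing class body continues outside this hunk.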
@@ -9,8 +9,8 @@ module ActiveRecord
9
9
  module VERSION
10
10
  MAJOR = 6
11
11
  MINOR = 1
12
- TINY = 6
13
- PRE = "1"
12
+ TINY = 7
13
+ PRE = "6"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -279,23 +279,5 @@ To keep using the current cache store, you can turn off cache versioning entirel
279
279
  self.signed_id_verifier_secret ||= -> { Rails.application.key_generator.generate_key("active_record/signed_id") }
280
280
  end
281
281
  end
282
-
283
- initializer "active_record.use_yaml_unsafe_load" do |app|
284
- config.after_initialize do
285
- unless app.config.active_record.use_yaml_unsafe_load.nil?
286
- ActiveRecord::Base.use_yaml_unsafe_load =
287
- app.config.active_record.use_yaml_unsafe_load
288
- end
289
- end
290
- end
291
-
292
- initializer "active_record.yaml_column_permitted_classes" do |app|
293
- config.after_initialize do
294
- unless app.config.active_record.yaml_column_permitted_classes.nil?
295
- ActiveRecord::Base.yaml_column_permitted_classes =
296
- app.config.active_record.yaml_column_permitted_classes
297
- end
298
- end
299
- end
300
282
  end
301
283
  end
@@ -1035,6 +1035,8 @@ module ActiveRecord
1035
1035
  # # SELECT "users"."name" FROM "users" /* selecting */ /* user */ /* names */
1036
1036
  #
1037
1037
  # The SQL block comment delimiters, "/*" and "*/", will be added automatically.
1038
+ #
1039
+ # Some escaping is performed, however untrusted user input should not be used.
1038
1040
  def annotate(*args)
1039
1041
  check_if_method_has_arguments!(:annotate, args)
1040
1042
  spawn.annotate!(*args)
@@ -268,7 +268,7 @@ module ActiveRecord
268
268
  end
269
269
 
270
270
  def dump(obj)
271
- @coder.dump self.class.as_indifferent_hash(obj)
271
+ @coder.dump as_regular_hash(obj)
272
272
  end
273
273
 
274
274
  def load(yaml)
@@ -285,6 +285,11 @@ module ActiveRecord
285
285
  ActiveSupport::HashWithIndifferentAccess.new
286
286
  end
287
287
  end
288
+
289
+ private
290
+ def as_regular_hash(obj)
291
+ obj.respond_to?(:to_hash) ? obj.to_hash : {}
292
+ end
288
293
  end
289
294
  end
290
295
  end
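Review bot: `as_regular_hash` on new line 291 maps anything without `to_hash` to an empty Hash, so a non-hash value assigned to a store attribute is persisted as `{}` without any error; this appears to mirror the fallback of the previous `as_indifferent_hash` (lines 285–286 show it returning an empty `HashWithIndifferentAccess`), but the new method says nothing about it. Suggested comment above the method: `# Non-hash values are dumped as an empty Hash, matching the old as_indifferent_hash fallback.` Note that `to_hash` on a `HashWithIndifferentAccess` yields a plain Hash with String keys, which is a representation `YAML.safe_load` accepts without extra permitted classes; `dump` in the previous hunk relies on that.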
@@ -134,7 +134,7 @@ module ActiveRecord
134
134
  @connection_subscriber = ActiveSupport::Notifications.subscribe("!connection.active_record") do |_, _, _, _, payload|
135
135
  spec_name = payload[:spec_name] if payload.key?(:spec_name)
136
136
  shard = payload[:shard] if payload.key?(:shard)
137
- setup_shared_connection_pool
137
+ setup_shared_connection_pool if ActiveRecord::Base.legacy_connection_handling
138
138
 
139
139
  if spec_name
140
140
  begin
@@ -143,10 +143,14 @@ module ActiveRecord
143
143
  connection = nil
144
144
  end
145
145
 
146
- if connection && !@fixture_connections.include?(connection)
147
- connection.begin_transaction joinable: false, _lazy: false
148
- connection.pool.lock_thread = true if lock_threads
149
- @fixture_connections << connection
146
+ if connection
147
+ setup_shared_connection_pool unless ActiveRecord::Base.legacy_connection_handling
148
+
149
+ if !@fixture_connections.include?(connection)
150
+ connection.begin_transaction joinable: false, _lazy: false
151
+ connection.pool.lock_thread = true if lock_threads
152
+ @fixture_connections << connection
153
+ end
150
154
  end
151
155
  end
152
156
  end
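Review bot: `if !@fixture_connections.include?(connection)` on new line 149 is the inverted form that Ruby style writes as `unless @fixture_connections.include?(connection)`. `setup_shared_connection_pool` is now called from two places depending on `ActiveRecord::Base.legacy_connection_handling` (new line 137 in the previous hunk and new line 147 here), and nothing in the code says why the non-legacy path must wait until a connection has been resolved; a hedged note at line 147 such as `# NOTE: non-legacy handling sets up the shared pool only after the connection is resolved; see commit history for why` would save the next reader from re-deriving it. The subscriber block these lines belong to opens before this hunk.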
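--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: activerecord
  version: !ruby/object:Gem::Version
- version: 6.1.6.1
+ version: 6.1.7.6
  platform: ruby
  authors:
  - David Heinemeier Hansson
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-07-12 00:00:00.000000000 Z
+ date: 2023-08-22 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport
@@ -16,28 +16,28 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 6.1.6.1
+ version: 6.1.7.6
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 6.1.6.1
+ version: 6.1.7.6
  - !ruby/object:Gem::Dependency
  name: activemodel
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 6.1.6.1
+ version: 6.1.7.6
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 6.1.6.1
+ version: 6.1.7.6
  description: Databases on Rails. Build a persistent domain model by mapping database
  tables to Ruby classes. Strong conventions for associations, validations, aggregations,
  migrations, and testing come baked-in.
@@ -390,10 +390,10 @@ licenses:
  - MIT
  metadata:
  bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri: https://github.com/rails/rails/blob/v6.1.6.1/activerecord/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v6.1.6.1/
+ changelog_uri: https://github.com/rails/rails/blob/v6.1.7.6/activerecord/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v6.1.7.6/
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v6.1.6.1/activerecord
+ source_code_uri: https://github.com/rails/rails/tree/v6.1.7.6/activerecord
  rubygems_mfa_required: 'true'
  post_install_message:
  rdoc_options: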