activerecord 6.1.7 → 6.1.7.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f11907365b78163229d5724a47f9a99b84ad5d8adbb8092b05d7fcc657b3068e
4
- data.tar.gz: e495d26d1c679db2ab9a91e81112ae6b22d3466702601e645bfc43067166efa2
3
+ metadata.gz: '09a11c6e190ba1511552e4b5a9fe588f8249df1cb20637e6968df53d96664892'
4
+ data.tar.gz: 0fef11bd4289d949121ff585d462ce3e2bac9d76fe1f0780b49ac91737abbd81
5
5
  SHA512:
6
- metadata.gz: 688b39dd7ca026c860efd8311df6ed968abd37ed4655fd04816abd3aa03f625fe63026f66cbac20d3db3c60c449dd4fd0621e6705c8f22f5b68025f9fa83eee7
7
- data.tar.gz: 58fdf458ec41d07a4eff8aee4f79b636d2347460f28a2bbc99fc475a96bb3ae0c4961f558603f237e3e838f3d69ba320d9583b8c5c78bfe470585561ff16f48c
6
+ metadata.gz: 332d9b4ee85a42d09271048a13230a840b52e130c707cd58ded59f15eaa8a39281a6f1d19ab2a3f34c1781c34137eb844dae900f43fe97b28b3667fa299cf2dc
7
+ data.tar.gz: 280d7d523395a9bff3e17bdc82b366fa5bf9149482866c482de8917ba711bdef0f7fac53645e65d183ba26114ff81a3b844e373bdc9a5432fc3ef0238035a343
data/CHANGELOG.md CHANGED
@@ -1,3 +1,38 @@
1
+ ## Rails 6.1.7.2 (January 24, 2023) ##
2
+
3
+ * No changes.
4
+
5
+
6
+ ## Rails 6.1.7.1 (January 17, 2023) ##
7
+
8
+ * Make sanitize_as_sql_comment more strict
9
+
10
+ Though this method was likely never meant to take user input, it was
11
+ attempting sanitization. That sanitization could be bypassed with
12
+ carefully crafted input.
13
+
14
+ This commit makes the sanitization more robust by replacing any
15
+ occurrances of "/*" or "*/" with "/ *" or "* /". It also performs a
16
+ first pass to remove one surrounding comment to avoid compatibility
17
+ issues for users relying on the existing removal.
18
+
19
+ This also clarifies in the documentation of annotate that it should not
20
+ be provided user input.
21
+
22
+ [CVE-2023-22794]
23
+
24
+ * Added integer width check to PostgreSQL::Quoting
25
+
26
+ Given a value outside the range for a 64bit signed integer type
27
+ PostgreSQL will treat the column type as numeric. Comparing
28
+ integer values against numeric values can result in a slow
29
+ sequential scan.
30
+
31
+ This behavior is configurable via
32
+ ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
33
+
34
+ [CVE-2022-44566]
35
+
1
36
  ## Rails 6.1.7 (September 09, 2022) ##
2
37
 
3
38
  * Symbol is allowed by default for YAML columns
@@ -138,7 +138,16 @@ module ActiveRecord
138
138
  end
139
139
 
140
140
  def sanitize_as_sql_comment(value) # :nodoc:
141
- value.to_s.gsub(%r{ (/ (?: | \g<1>) \*) \+? \s* | \s* (\* (?: | \g<2>) /) }x, "")
141
+ # Sanitize a string to appear within a SQL comment
142
+ # For compatibility, this also surrounding "/*+", "/*", and "*/"
143
+ # charcacters, possibly with single surrounding space.
144
+ # Then follows that by replacing any internal "*/" or "/ *" with
145
+ # "* /" or "/ *"
146
+ comment = value.to_s.dup
147
+ comment.gsub!(%r{\A\s*/\*\+?\s?|\s?\*/\s*\Z}, "")
148
+ comment.gsub!("*/", "* /")
149
+ comment.gsub!("/*", "/ *")
150
+ comment
142
151
  end
143
152
 
144
153
  def column_name_matcher # :nodoc:
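Review bot: The comment block added inside sanitize_as_sql_comment misdescribes the code it sits above: it drops the verb in `this also surrounding`, misspells `charcacters`, and lists the internal replacement pairs as `"*/" or "/ *"` → `"* /" or "/ *"`, whereas the two gsub! calls below replace `"*/"` and `"/*"`. Suggest `# For compatibility, this also strips one surrounding "/*+", "/*", or "*/",` / `# possibly with a single surrounding space.` / `# Then follows that by replacing any internal "*/" or "/*" with "* /" or "/ *".` The order of the two replacements is sound as written (neither substitution can manufacture a delimiter the other has already processed), so a short comment saying so would save the next reader re-deriving it.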
@@ -4,6 +4,12 @@ module ActiveRecord
4
4
  module ConnectionAdapters
5
5
  module PostgreSQL
6
6
  module Quoting
7
+ class IntegerOutOf64BitRange < StandardError
8
+ def initialize(msg)
9
+ super(msg)
10
+ end
11
+ end
12
+
7
13
  # Escapes binary strings for bytea input to the database.
8
14
  def escape_bytea(value)
9
15
  @connection.escape_bytea(value) if value
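Review bot: The `initialize(msg)` on IntegerOutOf64BitRange only forwards to `super(msg)`, which is exactly what StandardError already does, so the three-line constructor adds nothing; the class can be declared as `class IntegerOutOf64BitRange < StandardError; end`. Rails-style custom exceptions usually end in `Error`, but since this name is now part of a released version the naming is best left alone and only noted here. A one-line comment above the class stating when it is raised (see check_int_in_range later in this file) would help readers who hit it from a backtrace.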
@@ -120,7 +126,27 @@ module ActiveRecord
120
126
  super(query_value("SELECT #{quote(sql_type)}::regtype::oid", "SCHEMA").to_i)
121
127
  end
122
128
 
129
+ def check_int_in_range(value)
130
+ if value.to_int > 9223372036854775807 || value.to_int < -9223372036854775808
131
+ exception = <<~ERROR
132
+ Provided value outside of the range of a signed 64bit integer.
133
+
134
+ PostgreSQL will treat the column type in question as a numeric.
135
+ This may result in a slow sequential scan due to a comparison
136
+ being performed between an integer or bigint value and a numeric value.
137
+
138
+ To allow for this potentially unwanted behavior, set
139
+ ActiveRecord::Base.raise_int_wider_than_64bit to false.
140
+ ERROR
141
+ raise IntegerOutOf64BitRange.new exception
142
+ end
143
+ end
144
+
123
145
  def _quote(value)
146
+ if ActiveRecord::Base.raise_int_wider_than_64bit && value.is_a?(Integer)
147
+ check_int_in_range(value)
148
+ end
149
+
124
150
  case value
125
151
  when OID::Xml::Data
126
152
  "xml '#{quote_string(value.to_s)}'"
@@ -163,6 +163,13 @@ module ActiveRecord
163
163
  # to Psych safe_load in the YAML Coder
164
164
  mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: [Symbol]
165
165
 
166
+ ##
167
+ # :singleton-method:
168
+ # Application configurable boolean that denotes whether or not to raise
169
+ # an exception when the PostgreSQLAdapter is provided with an integer that is
170
+ # wider than signed 64bit representation
171
+ mattr_accessor :raise_int_wider_than_64bit, instance_writer: false, default: true
172
+
166
173
  self.filter_attributes = []
167
174
 
168
175
  def self.connection_handler
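Review bot: The doc comment on raise_int_wider_than_64bit says an exception is raised but never names it or the consequence of turning the flag off, which is the information an operator reading the config needs. Suggest appending `# When true, PostgreSQL::Quoting raises IntegerOutOf64BitRange for such values;` / `# when false the value is passed through and PostgreSQL treats the column as numeric.` The second half is grounded in the CHANGELOG entry on this page; keep only the first sentence if that wording is not wanted in the API docs.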
@@ -10,7 +10,7 @@ module ActiveRecord
10
10
  MAJOR = 6
11
11
  MINOR = 1
12
12
  TINY = 7
13
- PRE = nil
13
+ PRE = "2"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -1035,6 +1035,8 @@ module ActiveRecord
1035
1035
  # # SELECT "users"."name" FROM "users" /* selecting */ /* user */ /* names */
1036
1036
  #
1037
1037
  # The SQL block comment delimiters, "/*" and "*/", will be added automatically.
1038
+ #
1039
+ # Some escaping is performed, however untrusted user input should not be used.
1038
1040
  def annotate(*args)
1039
1041
  check_if_method_has_arguments!(:annotate, args)
1040
1042
  spawn.annotate!(*args)
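Review bot: The added doc line is a comma splice and leaves the reader guessing what "some escaping" means, so it reads as weaker than the warning it is meant to be. Suggest `# Only the SQL comment delimiters are escaped; never pass untrusted user input to this method.` The escaping claim matches the sanitize_as_sql_comment change elsewhere in this release, though the wiring from annotate to that method is not visible in this hunk. The body of annotate continues outside the hunk.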
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: activerecord
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.1.7
4
+ version: 6.1.7.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-09-09 00:00:00.000000000 Z
11
+ date: 2023-01-25 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,28 +16,28 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 6.1.7
19
+ version: 6.1.7.2
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 6.1.7
26
+ version: 6.1.7.2
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: activemodel
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
31
  - - '='
32
32
  - !ruby/object:Gem::Version
33
- version: 6.1.7
33
+ version: 6.1.7.2
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - '='
39
39
  - !ruby/object:Gem::Version
40
- version: 6.1.7
40
+ version: 6.1.7.2
41
41
  description: Databases on Rails. Build a persistent domain model by mapping database
42
42
  tables to Ruby classes. Strong conventions for associations, validations, aggregations,
43
43
  migrations, and testing come baked-in.
@@ -390,10 +390,10 @@ licenses:
390
390
  - MIT
391
391
  metadata:
392
392
  bug_tracker_uri: https://github.com/rails/rails/issues
393
- changelog_uri: https://github.com/rails/rails/blob/v6.1.7/activerecord/CHANGELOG.md
394
- documentation_uri: https://api.rubyonrails.org/v6.1.7/
393
+ changelog_uri: https://github.com/rails/rails/blob/v6.1.7.2/activerecord/CHANGELOG.md
394
+ documentation_uri: https://api.rubyonrails.org/v6.1.7.2/
395
395
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
396
- source_code_uri: https://github.com/rails/rails/tree/v6.1.7/activerecord
396
+ source_code_uri: https://github.com/rails/rails/tree/v6.1.7.2/activerecord
397
397
  rubygems_mfa_required: 'true'
398
398
  post_install_message:
399
399
  rdoc_options:
@@ -412,7 +412,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
412
412
  - !ruby/object:Gem::Version
413
413
  version: '0'
414
414
  requirements: []
415
- rubygems_version: 3.3.3
415
+ rubygems_version: 3.4.3
416
416
  signing_key:
417
417
  specification_version: 4
418
418
  summary: Object-relational mapper framework (part of Rails).