activerecord 6.1.7 → 6.1.7.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +35 -0
- data/lib/active_record/connection_adapters/abstract/quoting.rb +10 -1
- data/lib/active_record/connection_adapters/postgresql/quoting.rb +26 -0
- data/lib/active_record/core.rb +7 -0
- data/lib/active_record/gem_version.rb +1 -1
- data/lib/active_record/relation/query_methods.rb +2 -0
- metadata +10 -10
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: '09a11c6e190ba1511552e4b5a9fe588f8249df1cb20637e6968df53d96664892'
|
|
4
|
+
data.tar.gz: 0fef11bd4289d949121ff585d462ce3e2bac9d76fe1f0780b49ac91737abbd81
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 332d9b4ee85a42d09271048a13230a840b52e130c707cd58ded59f15eaa8a39281a6f1d19ab2a3f34c1781c34137eb844dae900f43fe97b28b3667fa299cf2dc
|
|
7
|
+
data.tar.gz: 280d7d523395a9bff3e17bdc82b366fa5bf9149482866c482de8917ba711bdef0f7fac53645e65d183ba26114ff81a3b844e373bdc9a5432fc3ef0238035a343
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,38 @@
|
|
|
1
|
+
## Rails 6.1.7.2 (January 24, 2023) ##
|
|
2
|
+
|
|
3
|
+
* No changes.
|
|
4
|
+
|
|
5
|
+
|
|
6
|
+
## Rails 6.1.7.1 (January 17, 2023) ##
|
|
7
|
+
|
|
8
|
+
* Make sanitize_as_sql_comment more strict
|
|
9
|
+
|
|
10
|
+
Though this method was likely never meant to take user input, it was
|
|
11
|
+
attempting sanitization. That sanitization could be bypassed with
|
|
12
|
+
carefully crafted input.
|
|
13
|
+
|
|
14
|
+
This commit makes the sanitization more robust by replacing any
|
|
15
|
+
occurrances of "/*" or "*/" with "/ *" or "* /". It also performs a
|
|
16
|
+
first pass to remove one surrounding comment to avoid compatibility
|
|
17
|
+
issues for users relying on the existing removal.
|
|
18
|
+
|
|
19
|
+
This also clarifies in the documentation of annotate that it should not
|
|
20
|
+
be provided user input.
|
|
21
|
+
|
|
22
|
+
[CVE-2023-22794]
|
|
23
|
+
|
|
24
|
+
* Added integer width check to PostgreSQL::Quoting
|
|
25
|
+
|
|
26
|
+
Given a value outside the range for a 64bit signed integer type
|
|
27
|
+
PostgreSQL will treat the column type as numeric. Comparing
|
|
28
|
+
integer values against numeric values can result in a slow
|
|
29
|
+
sequential scan.
|
|
30
|
+
|
|
31
|
+
This behavior is configurable via
|
|
32
|
+
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
|
|
33
|
+
|
|
34
|
+
[CVE-2022-44566]
|
|
35
|
+
|
|
1
36
|
## Rails 6.1.7 (September 09, 2022) ##
|
|
2
37
|
|
|
3
38
|
* Symbol is allowed by default for YAML columns
|
|
@@ -138,7 +138,16 @@ module ActiveRecord
|
|
|
138
138
|
end
|
|
139
139
|
|
|
140
140
|
def sanitize_as_sql_comment(value) # :nodoc:
|
|
141
|
-
|
|
141
|
+
# Sanitize a string to appear within a SQL comment
|
|
142
|
+
# For compatibility, this also surrounding "/*+", "/*", and "*/"
|
|
143
|
+
# charcacters, possibly with single surrounding space.
|
|
144
|
+
# Then follows that by replacing any internal "*/" or "/ *" with
|
|
145
|
+
# "* /" or "/ *"
|
|
146
|
+
comment = value.to_s.dup
|
|
147
|
+
comment.gsub!(%r{\A\s*/\*\+?\s?|\s?\*/\s*\Z}, "")
|
|
148
|
+
comment.gsub!("*/", "* /")
|
|
149
|
+
comment.gsub!("/*", "/ *")
|
|
150
|
+
comment
|
|
142
151
|
end
|
|
143
152
|
|
|
144
153
|
def column_name_matcher # :nodoc:
|
|
@@ -4,6 +4,12 @@ module ActiveRecord
|
|
|
4
4
|
module ConnectionAdapters
|
|
5
5
|
module PostgreSQL
|
|
6
6
|
module Quoting
|
|
7
|
+
class IntegerOutOf64BitRange < StandardError
|
|
8
|
+
def initialize(msg)
|
|
9
|
+
super(msg)
|
|
10
|
+
end
|
|
11
|
+
end
|
|
12
|
+
|
|
7
13
|
# Escapes binary strings for bytea input to the database.
|
|
8
14
|
def escape_bytea(value)
|
|
9
15
|
@connection.escape_bytea(value) if value
|
|
@@ -120,7 +126,27 @@ module ActiveRecord
|
|
|
120
126
|
super(query_value("SELECT #{quote(sql_type)}::regtype::oid", "SCHEMA").to_i)
|
|
121
127
|
end
|
|
122
128
|
|
|
129
|
+
def check_int_in_range(value)
|
|
130
|
+
if value.to_int > 9223372036854775807 || value.to_int < -9223372036854775808
|
|
131
|
+
exception = <<~ERROR
|
|
132
|
+
Provided value outside of the range of a signed 64bit integer.
|
|
133
|
+
|
|
134
|
+
PostgreSQL will treat the column type in question as a numeric.
|
|
135
|
+
This may result in a slow sequential scan due to a comparison
|
|
136
|
+
being performed between an integer or bigint value and a numeric value.
|
|
137
|
+
|
|
138
|
+
To allow for this potentially unwanted behavior, set
|
|
139
|
+
ActiveRecord::Base.raise_int_wider_than_64bit to false.
|
|
140
|
+
ERROR
|
|
141
|
+
raise IntegerOutOf64BitRange.new exception
|
|
142
|
+
end
|
|
143
|
+
end
|
|
144
|
+
|
|
123
145
|
def _quote(value)
|
|
146
|
+
if ActiveRecord::Base.raise_int_wider_than_64bit && value.is_a?(Integer)
|
|
147
|
+
check_int_in_range(value)
|
|
148
|
+
end
|
|
149
|
+
|
|
124
150
|
case value
|
|
125
151
|
when OID::Xml::Data
|
|
126
152
|
"xml '#{quote_string(value.to_s)}'"
|
data/lib/active_record/core.rb
CHANGED
|
@@ -163,6 +163,13 @@ module ActiveRecord
|
|
|
163
163
|
# to Psych safe_load in the YAML Coder
|
|
164
164
|
mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: [Symbol]
|
|
165
165
|
|
|
166
|
+
##
|
|
167
|
+
# :singleton-method:
|
|
168
|
+
# Application configurable boolean that denotes whether or not to raise
|
|
169
|
+
# an exception when the PostgreSQLAdapter is provided with an integer that is
|
|
170
|
+
# wider than signed 64bit representation
|
|
171
|
+
mattr_accessor :raise_int_wider_than_64bit, instance_writer: false, default: true
|
|
172
|
+
|
|
166
173
|
self.filter_attributes = []
|
|
167
174
|
|
|
168
175
|
def self.connection_handler
|
|
@@ -1035,6 +1035,8 @@ module ActiveRecord
|
|
|
1035
1035
|
# # SELECT "users"."name" FROM "users" /* selecting */ /* user */ /* names */
|
|
1036
1036
|
#
|
|
1037
1037
|
# The SQL block comment delimiters, "/*" and "*/", will be added automatically.
|
|
1038
|
+
#
|
|
1039
|
+
# Some escaping is performed, however untrusted user input should not be used.
|
|
1038
1040
|
def annotate(*args)
|
|
1039
1041
|
check_if_method_has_arguments!(:annotate, args)
|
|
1040
1042
|
spawn.annotate!(*args)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: activerecord
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.1.7
|
|
4
|
+
version: 6.1.7.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Heinemeier Hansson
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-01-25 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,28 +16,28 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 6.1.7
|
|
19
|
+
version: 6.1.7.2
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 6.1.7
|
|
26
|
+
version: 6.1.7.2
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: activemodel
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
30
30
|
requirements:
|
|
31
31
|
- - '='
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version: 6.1.7
|
|
33
|
+
version: 6.1.7.2
|
|
34
34
|
type: :runtime
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
38
|
- - '='
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version: 6.1.7
|
|
40
|
+
version: 6.1.7.2
|
|
41
41
|
description: Databases on Rails. Build a persistent domain model by mapping database
|
|
42
42
|
tables to Ruby classes. Strong conventions for associations, validations, aggregations,
|
|
43
43
|
migrations, and testing come baked-in.
|
|
@@ -390,10 +390,10 @@ licenses:
|
|
|
390
390
|
- MIT
|
|
391
391
|
metadata:
|
|
392
392
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
|
393
|
-
changelog_uri: https://github.com/rails/rails/blob/v6.1.7/activerecord/CHANGELOG.md
|
|
394
|
-
documentation_uri: https://api.rubyonrails.org/v6.1.7/
|
|
393
|
+
changelog_uri: https://github.com/rails/rails/blob/v6.1.7.2/activerecord/CHANGELOG.md
|
|
394
|
+
documentation_uri: https://api.rubyonrails.org/v6.1.7.2/
|
|
395
395
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
|
396
|
-
source_code_uri: https://github.com/rails/rails/tree/v6.1.7/activerecord
|
|
396
|
+
source_code_uri: https://github.com/rails/rails/tree/v6.1.7.2/activerecord
|
|
397
397
|
rubygems_mfa_required: 'true'
|
|
398
398
|
post_install_message:
|
|
399
399
|
rdoc_options:
|
|
@@ -412,7 +412,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
412
412
|
- !ruby/object:Gem::Version
|
|
413
413
|
version: '0'
|
|
414
414
|
requirements: []
|
|
415
|
-
rubygems_version: 3.
|
|
415
|
+
rubygems_version: 3.4.3
|
|
416
416
|
signing_key:
|
|
417
417
|
specification_version: 4
|
|
418
418
|
summary: Object-relational mapper framework (part of Rails).
|