activerecord 6.1.7 → 6.1.7.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +40 -0
- data/lib/active_record/connection_adapters/abstract/quoting.rb +10 -1
- data/lib/active_record/connection_adapters/postgresql/quoting.rb +26 -0
- data/lib/active_record/core.rb +7 -0
- data/lib/active_record/gem_version.rb +1 -1
- data/lib/active_record/relation/query_methods.rb +2 -0
- metadata +10 -10
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d32e8d5d2afa7d3a9ec686b5d31b7faa8148c6f16d2aa559425cabc77cb85d7a
|
|
4
|
+
data.tar.gz: 3f8aec78faa2ade21db524f551faba3f72474fc602d5a25ce946439935dcc932
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d3feaf584edfecac51a1e860fc0eee4d5c3a3ce4b8a04a1ecdb788635d33cfbc9eb48a4c02b725bba48efb9fe41e2bd0875c3b8aee067f1233124e251eb2b26a
|
|
7
|
+
data.tar.gz: f49932008c3a80c2b7828ff9ddacb199ca50298c0c798de60d26712920138e7ddf334808ba821826be60aa4be51a06e035e1144f8f4623ce0e99865f348c0d27
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,43 @@
|
|
|
1
|
+
## Rails 6.1.7.3 (March 13, 2023) ##
|
|
2
|
+
|
|
3
|
+
* No changes.
|
|
4
|
+
|
|
5
|
+
|
|
6
|
+
## Rails 6.1.7.2 (January 24, 2023) ##
|
|
7
|
+
|
|
8
|
+
* No changes.
|
|
9
|
+
|
|
10
|
+
|
|
11
|
+
## Rails 6.1.7.1 (January 17, 2023) ##
|
|
12
|
+
|
|
13
|
+
* Make sanitize_as_sql_comment more strict
|
|
14
|
+
|
|
15
|
+
Though this method was likely never meant to take user input, it was
|
|
16
|
+
attempting sanitization. That sanitization could be bypassed with
|
|
17
|
+
carefully crafted input.
|
|
18
|
+
|
|
19
|
+
This commit makes the sanitization more robust by replacing any
|
|
20
|
+
occurrances of "/*" or "*/" with "/ *" or "* /". It also performs a
|
|
21
|
+
first pass to remove one surrounding comment to avoid compatibility
|
|
22
|
+
issues for users relying on the existing removal.
|
|
23
|
+
|
|
24
|
+
This also clarifies in the documentation of annotate that it should not
|
|
25
|
+
be provided user input.
|
|
26
|
+
|
|
27
|
+
[CVE-2023-22794]
|
|
28
|
+
|
|
29
|
+
* Added integer width check to PostgreSQL::Quoting
|
|
30
|
+
|
|
31
|
+
Given a value outside the range for a 64bit signed integer type
|
|
32
|
+
PostgreSQL will treat the column type as numeric. Comparing
|
|
33
|
+
integer values against numeric values can result in a slow
|
|
34
|
+
sequential scan.
|
|
35
|
+
|
|
36
|
+
This behavior is configurable via
|
|
37
|
+
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
|
|
38
|
+
|
|
39
|
+
[CVE-2022-44566]
|
|
40
|
+
|
|
1
41
|
## Rails 6.1.7 (September 09, 2022) ##
|
|
2
42
|
|
|
3
43
|
* Symbol is allowed by default for YAML columns
|
|
@@ -138,7 +138,16 @@ module ActiveRecord
|
|
|
138
138
|
end
|
|
139
139
|
|
|
140
140
|
def sanitize_as_sql_comment(value) # :nodoc:
|
|
141
|
-
|
|
141
|
+
# Sanitize a string to appear within a SQL comment
|
|
142
|
+
# For compatibility, this also surrounding "/*+", "/*", and "*/"
|
|
143
|
+
# charcacters, possibly with single surrounding space.
|
|
144
|
+
# Then follows that by replacing any internal "*/" or "/ *" with
|
|
145
|
+
# "* /" or "/ *"
|
|
146
|
+
comment = value.to_s.dup
|
|
147
|
+
comment.gsub!(%r{\A\s*/\*\+?\s?|\s?\*/\s*\Z}, "")
|
|
148
|
+
comment.gsub!("*/", "* /")
|
|
149
|
+
comment.gsub!("/*", "/ *")
|
|
150
|
+
comment
|
|
142
151
|
end
|
|
143
152
|
|
|
144
153
|
def column_name_matcher # :nodoc:
|
|
@@ -4,6 +4,12 @@ module ActiveRecord
|
|
|
4
4
|
module ConnectionAdapters
|
|
5
5
|
module PostgreSQL
|
|
6
6
|
module Quoting
|
|
7
|
+
class IntegerOutOf64BitRange < StandardError
|
|
8
|
+
def initialize(msg)
|
|
9
|
+
super(msg)
|
|
10
|
+
end
|
|
11
|
+
end
|
|
12
|
+
|
|
7
13
|
# Escapes binary strings for bytea input to the database.
|
|
8
14
|
def escape_bytea(value)
|
|
9
15
|
@connection.escape_bytea(value) if value
|
|
@@ -120,7 +126,27 @@ module ActiveRecord
|
|
|
120
126
|
super(query_value("SELECT #{quote(sql_type)}::regtype::oid", "SCHEMA").to_i)
|
|
121
127
|
end
|
|
122
128
|
|
|
129
|
+
def check_int_in_range(value)
|
|
130
|
+
if value.to_int > 9223372036854775807 || value.to_int < -9223372036854775808
|
|
131
|
+
exception = <<~ERROR
|
|
132
|
+
Provided value outside of the range of a signed 64bit integer.
|
|
133
|
+
|
|
134
|
+
PostgreSQL will treat the column type in question as a numeric.
|
|
135
|
+
This may result in a slow sequential scan due to a comparison
|
|
136
|
+
being performed between an integer or bigint value and a numeric value.
|
|
137
|
+
|
|
138
|
+
To allow for this potentially unwanted behavior, set
|
|
139
|
+
ActiveRecord::Base.raise_int_wider_than_64bit to false.
|
|
140
|
+
ERROR
|
|
141
|
+
raise IntegerOutOf64BitRange.new exception
|
|
142
|
+
end
|
|
143
|
+
end
|
|
144
|
+
|
|
123
145
|
def _quote(value)
|
|
146
|
+
if ActiveRecord::Base.raise_int_wider_than_64bit && value.is_a?(Integer)
|
|
147
|
+
check_int_in_range(value)
|
|
148
|
+
end
|
|
149
|
+
|
|
124
150
|
case value
|
|
125
151
|
when OID::Xml::Data
|
|
126
152
|
"xml '#{quote_string(value.to_s)}'"
|
data/lib/active_record/core.rb
CHANGED
|
@@ -163,6 +163,13 @@ module ActiveRecord
|
|
|
163
163
|
# to Psych safe_load in the YAML Coder
|
|
164
164
|
mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: [Symbol]
|
|
165
165
|
|
|
166
|
+
##
|
|
167
|
+
# :singleton-method:
|
|
168
|
+
# Application configurable boolean that denotes whether or not to raise
|
|
169
|
+
# an exception when the PostgreSQLAdapter is provided with an integer that is
|
|
170
|
+
# wider than signed 64bit representation
|
|
171
|
+
mattr_accessor :raise_int_wider_than_64bit, instance_writer: false, default: true
|
|
172
|
+
|
|
166
173
|
self.filter_attributes = []
|
|
167
174
|
|
|
168
175
|
def self.connection_handler
|
|
@@ -1035,6 +1035,8 @@ module ActiveRecord
|
|
|
1035
1035
|
# # SELECT "users"."name" FROM "users" /* selecting */ /* user */ /* names */
|
|
1036
1036
|
#
|
|
1037
1037
|
# The SQL block comment delimiters, "/*" and "*/", will be added automatically.
|
|
1038
|
+
#
|
|
1039
|
+
# Some escaping is performed, however untrusted user input should not be used.
|
|
1038
1040
|
def annotate(*args)
|
|
1039
1041
|
check_if_method_has_arguments!(:annotate, args)
|
|
1040
1042
|
spawn.annotate!(*args)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: activerecord
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.1.7
|
|
4
|
+
version: 6.1.7.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Heinemeier Hansson
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-03-13 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,28 +16,28 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 6.1.7
|
|
19
|
+
version: 6.1.7.3
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 6.1.7
|
|
26
|
+
version: 6.1.7.3
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: activemodel
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
30
30
|
requirements:
|
|
31
31
|
- - '='
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version: 6.1.7
|
|
33
|
+
version: 6.1.7.3
|
|
34
34
|
type: :runtime
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
38
|
- - '='
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version: 6.1.7
|
|
40
|
+
version: 6.1.7.3
|
|
41
41
|
description: Databases on Rails. Build a persistent domain model by mapping database
|
|
42
42
|
tables to Ruby classes. Strong conventions for associations, validations, aggregations,
|
|
43
43
|
migrations, and testing come baked-in.
|
|
@@ -390,10 +390,10 @@ licenses:
|
|
|
390
390
|
- MIT
|
|
391
391
|
metadata:
|
|
392
392
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
|
393
|
-
changelog_uri: https://github.com/rails/rails/blob/v6.1.7/activerecord/CHANGELOG.md
|
|
394
|
-
documentation_uri: https://api.rubyonrails.org/v6.1.7/
|
|
393
|
+
changelog_uri: https://github.com/rails/rails/blob/v6.1.7.3/activerecord/CHANGELOG.md
|
|
394
|
+
documentation_uri: https://api.rubyonrails.org/v6.1.7.3/
|
|
395
395
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
|
396
|
-
source_code_uri: https://github.com/rails/rails/tree/v6.1.7/activerecord
|
|
396
|
+
source_code_uri: https://github.com/rails/rails/tree/v6.1.7.3/activerecord
|
|
397
397
|
rubygems_mfa_required: 'true'
|
|
398
398
|
post_install_message:
|
|
399
399
|
rdoc_options:
|
|
@@ -412,7 +412,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
412
412
|
- !ruby/object:Gem::Version
|
|
413
413
|
version: '0'
|
|
414
414
|
requirements: []
|
|
415
|
-
rubygems_version: 3.
|
|
415
|
+
rubygems_version: 3.4.3
|
|
416
416
|
signing_key:
|
|
417
417
|
specification_version: 4
|
|
418
418
|
summary: Object-relational mapper framework (part of Rails).
|