activerecord 7.0.3 → 7.0.3.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +28 -0
- data/lib/active_record/coders/yaml_column.rb +9 -7
- data/lib/active_record/gem_version.rb +1 -1
- data/lib/active_record/railtie.rb +18 -0
- data/lib/active_record.rb +14 -0
- metadata +10 -10
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3f2f45fa92947b78ba64cfc800a729cfcab5b893255efef679b686a37c50cd00
|
|
4
|
+
data.tar.gz: 2bcca713bf8426cf4ffd22e1b832cde62a6cd6caad0f1f9b19996916e88922d5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 17fdc443b9f36e8dcba05e56b6c07e88e97266f7c12accb8ac084b37dbf2c134a696fc57b71171fc488ed10fc72fba952672960b7507d14762a1a41f25623df1
|
|
7
|
+
data.tar.gz: 4dc59bd725e08e3cdf63d5145f2038f6e5c65b5eb40e611a18ef422c516543aa2acfbc893b68f25f39d304111bafd70a131928c4c1e0692e4274e5fdb1567e53
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,31 @@
|
|
|
1
|
+
## Rails 7.0.3.1 (July 12, 2022) ##
|
|
2
|
+
|
|
3
|
+
* Change ActiveRecord::Coders::YAMLColumn default to safe_load
|
|
4
|
+
|
|
5
|
+
This adds two new configuration options The configuration options are as
|
|
6
|
+
follows:
|
|
7
|
+
|
|
8
|
+
* `config.active_storage.use_yaml_unsafe_load`
|
|
9
|
+
|
|
10
|
+
When set to true, this configuration option tells Rails to use the old
|
|
11
|
+
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
|
|
12
|
+
the possible escalation vulnerability in place. Setting this option to true
|
|
13
|
+
is *not* recommended, but can aid in upgrading.
|
|
14
|
+
|
|
15
|
+
* `config.active_record.yaml_column_permitted_classes`
|
|
16
|
+
|
|
17
|
+
The "safe YAML" loading method does not allow all classes to be deserialized
|
|
18
|
+
by default. This option allows you to specify classes deemed "safe" in your
|
|
19
|
+
application. For example, if your application uses Symbol and Time in
|
|
20
|
+
serialized data, you can add Symbol and Time to the allowed list as follows:
|
|
21
|
+
|
|
22
|
+
```
|
|
23
|
+
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
[CVE-2022-32224]
|
|
27
|
+
|
|
28
|
+
|
|
1
29
|
## Rails 7.0.3 (May 09, 2022) ##
|
|
2
30
|
|
|
3
31
|
* Some internal housekeeping on reloads could break custom `respond_to?`
|
|
@@ -45,13 +45,15 @@ module ActiveRecord
|
|
|
45
45
|
raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
|
|
46
46
|
end
|
|
47
47
|
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
YAML.
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
48
|
+
def yaml_load(payload)
|
|
49
|
+
if !ActiveRecord.use_yaml_unsafe_load
|
|
50
|
+
YAML.safe_load(payload, permitted_classes: ActiveRecord.yaml_column_permitted_classes, aliases: true)
|
|
51
|
+
else
|
|
52
|
+
if YAML.respond_to?(:unsafe_load)
|
|
53
|
+
YAML.unsafe_load(payload)
|
|
54
|
+
else
|
|
55
|
+
YAML.load(payload)
|
|
56
|
+
end
|
|
55
57
|
end
|
|
56
58
|
end
|
|
57
59
|
end
|
|
@@ -403,5 +403,23 @@ To keep using the current cache store, you can turn off cache versioning entirel
|
|
|
403
403
|
end
|
|
404
404
|
end
|
|
405
405
|
end
|
|
406
|
+
|
|
407
|
+
initializer "active_record.use_yaml_unsafe_load" do |app|
|
|
408
|
+
config.after_initialize do
|
|
409
|
+
unless app.config.active_record.use_yaml_unsafe_load.nil?
|
|
410
|
+
ActiveRecord.use_yaml_unsafe_load =
|
|
411
|
+
app.config.active_record.use_yaml_unsafe_load
|
|
412
|
+
end
|
|
413
|
+
end
|
|
414
|
+
end
|
|
415
|
+
|
|
416
|
+
initializer "active_record.yaml_column_permitted_classes" do |app|
|
|
417
|
+
config.after_initialize do
|
|
418
|
+
unless app.config.active_record.yaml_column_permitted_classes.nil?
|
|
419
|
+
ActiveRecord.yaml_column_permitted_classes =
|
|
420
|
+
app.config.active_record.yaml_column_permitted_classes
|
|
421
|
+
end
|
|
422
|
+
end
|
|
423
|
+
end
|
|
406
424
|
end
|
|
407
425
|
end
|
data/lib/active_record.rb
CHANGED
|
@@ -340,6 +340,20 @@ module ActiveRecord
|
|
|
340
340
|
singleton_class.attr_accessor :query_transformers
|
|
341
341
|
self.query_transformers = []
|
|
342
342
|
|
|
343
|
+
##
|
|
344
|
+
# :singleton-method:
|
|
345
|
+
# Application configurable boolean that instructs the YAML Coder to use
|
|
346
|
+
# an unsafe load if set to true.
|
|
347
|
+
singleton_class.attr_accessor :use_yaml_unsafe_load
|
|
348
|
+
self.use_yaml_unsafe_load = false
|
|
349
|
+
|
|
350
|
+
##
|
|
351
|
+
# :singleton-method:
|
|
352
|
+
# Application configurable array that provides additional permitted classes
|
|
353
|
+
# to Psych safe_load in the YAML Coder
|
|
354
|
+
singleton_class.attr_accessor :yaml_column_permitted_classes
|
|
355
|
+
self.yaml_column_permitted_classes = []
|
|
356
|
+
|
|
343
357
|
def self.eager_load!
|
|
344
358
|
super
|
|
345
359
|
ActiveRecord::Locking.eager_load!
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: activerecord
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 7.0.3
|
|
4
|
+
version: 7.0.3.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Heinemeier Hansson
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-07-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,28 +16,28 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 7.0.3
|
|
19
|
+
version: 7.0.3.1
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 7.0.3
|
|
26
|
+
version: 7.0.3.1
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: activemodel
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
30
30
|
requirements:
|
|
31
31
|
- - '='
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version: 7.0.3
|
|
33
|
+
version: 7.0.3.1
|
|
34
34
|
type: :runtime
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
38
|
- - '='
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version: 7.0.3
|
|
40
|
+
version: 7.0.3.1
|
|
41
41
|
description: Databases on Rails. Build a persistent domain model by mapping database
|
|
42
42
|
tables to Ruby classes. Strong conventions for associations, validations, aggregations,
|
|
43
43
|
migrations, and testing come baked-in.
|
|
@@ -434,10 +434,10 @@ licenses:
|
|
|
434
434
|
- MIT
|
|
435
435
|
metadata:
|
|
436
436
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
|
437
|
-
changelog_uri: https://github.com/rails/rails/blob/v7.0.3/activerecord/CHANGELOG.md
|
|
438
|
-
documentation_uri: https://api.rubyonrails.org/v7.0.3/
|
|
437
|
+
changelog_uri: https://github.com/rails/rails/blob/v7.0.3.1/activerecord/CHANGELOG.md
|
|
438
|
+
documentation_uri: https://api.rubyonrails.org/v7.0.3.1/
|
|
439
439
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
|
440
|
-
source_code_uri: https://github.com/rails/rails/tree/v7.0.3/activerecord
|
|
440
|
+
source_code_uri: https://github.com/rails/rails/tree/v7.0.3.1/activerecord
|
|
441
441
|
rubygems_mfa_required: 'true'
|
|
442
442
|
post_install_message:
|
|
443
443
|
rdoc_options:
|
|
@@ -456,7 +456,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
456
456
|
- !ruby/object:Gem::Version
|
|
457
457
|
version: '0'
|
|
458
458
|
requirements: []
|
|
459
|
-
rubygems_version: 3.3.
|
|
459
|
+
rubygems_version: 3.3.3
|
|
460
460
|
signing_key:
|
|
461
461
|
specification_version: 4
|
|
462
462
|
summary: Object-relational mapper framework (part of Rails).
|