activerecord 7.0.3 → 7.0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5eadd3ac082cbc3b4f816198ddbd229f92346a77e9cc29d2410f1a9d1e726705
-  data.tar.gz: c3cf3a52ebe5659ea0032e88379f6f0a642d9cd5e1e3866a84bc65b801fecc12
+  metadata.gz: 3f2f45fa92947b78ba64cfc800a729cfcab5b893255efef679b686a37c50cd00
+  data.tar.gz: 2bcca713bf8426cf4ffd22e1b832cde62a6cd6caad0f1f9b19996916e88922d5
 SHA512:
-  metadata.gz: fa2df41f5f52609acfdd306ef594bd2e7a914fa3830a413d94a061041afe17be283f339e2e16bb47569884893c405d436cc0f56b2be5a57fe09ed3d02b7cdac5
-  data.tar.gz: c846af2dfd2f225fb83632b71154da368cbd20da52276b7dafa7517196f33f9123573d3d610e563b00df08a3d2851e7bba86d08bf29babeb50994c321b2c81e9
+  metadata.gz: 17fdc443b9f36e8dcba05e56b6c07e88e97266f7c12accb8ac084b37dbf2c134a696fc57b71171fc488ed10fc72fba952672960b7507d14762a1a41f25623df1
+  data.tar.gz: 4dc59bd725e08e3cdf63d5145f2038f6e5c65b5eb40e611a18ef422c516543aa2acfbc893b68f25f39d304111bafd70a131928c4c1e0692e4274e5fdb1567e53

data/CHANGELOG.md

@@ -1,3 +1,31 @@
+## Rails 7.0.3.1 (July 12, 2022) ##
+
+*   Change ActiveRecord::Coders::YAMLColumn default to safe_load
+
+    This adds two new configuration options The configuration options are as
+    follows:
+    
+    * `config.active_storage.use_yaml_unsafe_load`
+    
+    When set to true, this configuration option tells Rails to use the old
+    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
+    the possible escalation vulnerability in place.  Setting this option to true
+    is *not* recommended, but can aid in upgrading.
+    
+    * `config.active_record.yaml_column_permitted_classes`
+    
+    The "safe YAML" loading method does not allow all classes to be deserialized
+    by default.  This option allows you to specify classes deemed "safe" in your
+    application.  For example, if your application uses Symbol and Time in
+    serialized data, you can add Symbol and Time to the allowed list as follows:
+    
+    ```
+    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+    ```
+
+    [CVE-2022-32224]
+
+
 ## Rails 7.0.3 (May 09, 2022) ##
 
 *   Some internal housekeeping on reloads could break custom `respond_to?`

data/lib/active_record/coders/yaml_column.rb

@@ -45,13 +45,15 @@ module ActiveRecord
           raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
         end
 
-        if YAML.respond_to?(:unsafe_load)
-          def yaml_load(payload)
-            YAML.unsafe_load(payload)
-          end
-        else
-          def yaml_load(payload)
-            YAML.load(payload)
+        def yaml_load(payload)
+          if !ActiveRecord.use_yaml_unsafe_load
+            YAML.safe_load(payload, permitted_classes: ActiveRecord.yaml_column_permitted_classes, aliases: true)
+          else
+            if YAML.respond_to?(:unsafe_load)
+              YAML.unsafe_load(payload)
+            else
+              YAML.load(payload)
+            end
           end
         end
     end

data/lib/active_record/gem_version.rb

@@ -10,7 +10,7 @@ module ActiveRecord
     MAJOR = 7
     MINOR = 0
     TINY  = 3
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/active_record/railtie.rb

@@ -403,5 +403,23 @@ To keep using the current cache store, you can turn off cache versioning entirel
         end
       end
     end
+
+    initializer "active_record.use_yaml_unsafe_load" do |app|
+      config.after_initialize do
+        unless app.config.active_record.use_yaml_unsafe_load.nil?
+          ActiveRecord.use_yaml_unsafe_load =
+            app.config.active_record.use_yaml_unsafe_load
+        end
+      end
+    end
+
+    initializer "active_record.yaml_column_permitted_classes" do |app|
+      config.after_initialize do
+        unless app.config.active_record.yaml_column_permitted_classes.nil?
+          ActiveRecord.yaml_column_permitted_classes =
+            app.config.active_record.yaml_column_permitted_classes
+        end
+      end
+    end
   end
 end

data/lib/active_record.rb

@@ -340,6 +340,20 @@ module ActiveRecord
   singleton_class.attr_accessor :query_transformers
   self.query_transformers = []
 
+  ##
+  # :singleton-method:
+  # Application configurable boolean that instructs the YAML Coder to use
+  # an unsafe load if set to true.
+  singleton_class.attr_accessor :use_yaml_unsafe_load
+  self.use_yaml_unsafe_load = false
+
+  ##
+  # :singleton-method:
+  # Application configurable array that provides additional permitted classes
+  # to Psych safe_load in the YAML Coder
+  singleton_class.attr_accessor :yaml_column_permitted_classes
+  self.yaml_column_permitted_classes = []
+
   def self.eager_load!
     super
     ActiveRecord::Locking.eager_load!

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activerecord
 version: !ruby/object:Gem::Version
-  version: 7.0.3
+  version: 7.0.3.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-09 00:00:00.000000000 Z
+date: 2022-07-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.3
+        version: 7.0.3.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.3
+        version: 7.0.3.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.3
+        version: 7.0.3.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.3
+        version: 7.0.3.1
 description: Databases on Rails. Build a persistent domain model by mapping database
   tables to Ruby classes. Strong conventions for associations, validations, aggregations,
   migrations, and testing come baked-in.
@@ -434,10 +434,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.0.3/activerecord/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.0.3/
+  changelog_uri: https://github.com/rails/rails/blob/v7.0.3.1/activerecord/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.0.3.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.0.3/activerecord
+  source_code_uri: https://github.com/rails/rails/tree/v7.0.3.1/activerecord
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options:
@@ -456,7 +456,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.3.3
 signing_key:
 specification_version: 4
 summary: Object-relational mapper framework (part of Rails).