activerecord 7.0.3 → 7.0.3.1

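--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 5eadd3ac082cbc3b4f816198ddbd229f92346a77e9cc29d2410f1a9d1e726705
- data.tar.gz: c3cf3a52ebe5659ea0032e88379f6f0a642d9cd5e1e3866a84bc65b801fecc12
+ metadata.gz: 3f2f45fa92947b78ba64cfc800a729cfcab5b893255efef679b686a37c50cd00
+ data.tar.gz: 2bcca713bf8426cf4ffd22e1b832cde62a6cd6caad0f1f9b19996916e88922d5
  SHA512:
- metadata.gz: fa2df41f5f52609acfdd306ef594bd2e7a914fa3830a413d94a061041afe17be283f339e2e16bb47569884893c405d436cc0f56b2be5a57fe09ed3d02b7cdac5
- data.tar.gz: c846af2dfd2f225fb83632b71154da368cbd20da52276b7dafa7517196f33f9123573d3d610e563b00df08a3d2851e7bba86d08bf29babeb50994c321b2c81e9
+ metadata.gz: 17fdc443b9f36e8dcba05e56b6c07e88e97266f7c12accb8ac084b37dbf2c134a696fc57b71171fc488ed10fc72fba952672960b7507d14762a1a41f25623df1
+ data.tar.gz: 4dc59bd725e08e3cdf63d5145f2038f6e5c65b5eb40e611a18ef422c516543aa2acfbc893b68f25f39d304111bafd70a131928c4c1e0692e4274e5fdb1567e53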
data/CHANGELOG.md CHANGED
@@ -1,3 +1,31 @@
1
+ ## Rails 7.0.3.1 (July 12, 2022) ##
2
+
3
+ * Change ActiveRecord::Coders::YAMLColumn default to safe_load
4
+
5
+ This adds two new configuration options The configuration options are as
6
+ follows:
7
+
8
+ * `config.active_storage.use_yaml_unsafe_load`
9
+
10
+ When set to true, this configuration option tells Rails to use the old
11
+ "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
12
+ the possible escalation vulnerability in place. Setting this option to true
13
+ is *not* recommended, but can aid in upgrading.
14
+
15
+ * `config.active_record.yaml_column_permitted_classes`
16
+
17
+ The "safe YAML" loading method does not allow all classes to be deserialized
18
+ by default. This option allows you to specify classes deemed "safe" in your
19
+ application. For example, if your application uses Symbol and Time in
20
+ serialized data, you can add Symbol and Time to the allowed list as follows:
21
+
22
+ ```
23
+ config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
24
+ ```
25
+
26
+ [CVE-2022-32224]
27
+
28
+
1
29
  ## Rails 7.0.3 (May 09, 2022) ##
2
30
 
3
31
  * Some internal housekeeping on reloads could break custom `respond_to?`
@@ -45,13 +45,15 @@ module ActiveRecord
45
45
  raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
46
46
  end
47
47
 
48
- if YAML.respond_to?(:unsafe_load)
49
- def yaml_load(payload)
50
- YAML.unsafe_load(payload)
51
- end
52
- else
53
- def yaml_load(payload)
54
- YAML.load(payload)
48
+ def yaml_load(payload)
49
+ if !ActiveRecord.use_yaml_unsafe_load
50
+ YAML.safe_load(payload, permitted_classes: ActiveRecord.yaml_column_permitted_classes, aliases: true)
51
+ else
52
+ if YAML.respond_to?(:unsafe_load)
53
+ YAML.unsafe_load(payload)
54
+ else
55
+ YAML.load(payload)
56
+ end
55
57
  end
56
58
  end
57
59
  end
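Review bot: The new `yaml_load` reads backwards — `if !ActiveRecord.use_yaml_unsafe_load` puts the default, safe path under a negation and then nests a second `if YAML.respond_to?(:unsafe_load)` inside the `else` where `elsif` or a ternary would do; testing the opt-in flag positively makes the intent obvious at a glance. The method also carries no comment on what callers should now expect: `YAML.safe_load` raises `Psych::DisallowedClass` for any class absent from `ActiveRecord.yaml_column_permitted_classes` (so existing columns holding Symbol, Date or Time fail until the application lists them, as the CHANGELOG on this page describes), and `aliases: true` deserves a one-line why-comment because it is a deliberate relaxation of `safe_load`'s default. The enclosing class and this hunk's file header are not shown on the page, so how the surrounding `load` path handles the new exception cannot be checked here.
```ruby
def yaml_load(payload)
  # Legacy path: only taken when the application opts in through
  # ActiveRecord.use_yaml_unsafe_load (false by default).
  if ActiveRecord.use_yaml_unsafe_load
    YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(payload) : YAML.load(payload)
  else
    # Raises Psych::DisallowedClass for any class outside the permitted list.
    # aliases: true loosens safe_load's default — confirm existing serialized
    # columns actually need anchors/aliases before keeping it.
    YAML.safe_load(payload, permitted_classes: ActiveRecord.yaml_column_permitted_classes, aliases: true)
  end
end
```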
@@ -10,7 +10,7 @@ module ActiveRecord
10
10
  MAJOR = 7
11
11
  MINOR = 0
12
12
  TINY = 3
13
- PRE = nil
13
+ PRE = "1"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -403,5 +403,23 @@ To keep using the current cache store, you can turn off cache versioning entirel
403
403
  end
404
404
  end
405
405
  end
406
+
407
+ initializer "active_record.use_yaml_unsafe_load" do |app|
408
+ config.after_initialize do
409
+ unless app.config.active_record.use_yaml_unsafe_load.nil?
410
+ ActiveRecord.use_yaml_unsafe_load =
411
+ app.config.active_record.use_yaml_unsafe_load
412
+ end
413
+ end
414
+ end
415
+
416
+ initializer "active_record.yaml_column_permitted_classes" do |app|
417
+ config.after_initialize do
418
+ unless app.config.active_record.yaml_column_permitted_classes.nil?
419
+ ActiveRecord.yaml_column_permitted_classes =
420
+ app.config.active_record.yaml_column_permitted_classes
421
+ end
422
+ end
423
+ end
406
424
  end
407
425
  end
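--- a/data/lib/active_record.rb
+++ b/data/lib/active_record.rb
@@ -340,6 +340,20 @@ module ActiveRecord
  singleton_class.attr_accessor :query_transformers
  self.query_transformers = []
  
+ ##
+ # :singleton-method:
+ # Application configurable boolean that instructs the YAML Coder to use
+ # an unsafe load if set to true.
+ singleton_class.attr_accessor :use_yaml_unsafe_load
+ self.use_yaml_unsafe_load = false
+
+ ##
+ # :singleton-method:
+ # Application configurable array that provides additional permitted classes
+ # to Psych safe_load in the YAML Coder
+ singleton_class.attr_accessor :yaml_column_permitted_classes
+ self.yaml_column_permitted_classes = []
+
  def self.eager_load!
  super
  ActiveRecord::Locking.eager_load!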
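Review bot: The rdoc above `singleton_class.attr_accessor :use_yaml_unsafe_load` says what the flag does but not what it costs, which is the one fact a maintainer reading the accessor needs: turning it on restores the `YAML.unsafe_load` path that the CHANGELOG on this page ties to CVE-2022-32224. Suggest extending the comment to `# Application configurable boolean that instructs the YAML Coder to use an unsafe load if set to true.` followed by `# Enabling it reverts the CVE-2022-32224 fix; prefer listing classes in yaml_column_permitted_classes instead.` The `yaml_column_permitted_classes` comment could likewise note that the array is read on every `yaml_load` call rather than captured at boot, so it may be appended to after initialization. Both accessors are declared at module level in a file whose surrounding context is outside this hunk.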
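--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: activerecord
  version: !ruby/object:Gem::Version
- version: 7.0.3
+ version: 7.0.3.1
  platform: ruby
  authors:
  - David Heinemeier Hansson
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-05-09 00:00:00.000000000 Z
+ date: 2022-07-12 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport
@@ -16,28 +16,28 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.3
+ version: 7.0.3.1
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.3
+ version: 7.0.3.1
  - !ruby/object:Gem::Dependency
  name: activemodel
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.3
+ version: 7.0.3.1
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.3
+ version: 7.0.3.1
  description: Databases on Rails. Build a persistent domain model by mapping database
  tables to Ruby classes. Strong conventions for associations, validations, aggregations,
  migrations, and testing come baked-in.
@@ -434,10 +434,10 @@ licenses:
  - MIT
  metadata:
  bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri: https://github.com/rails/rails/blob/v7.0.3/activerecord/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v7.0.3/
+ changelog_uri: https://github.com/rails/rails/blob/v7.0.3.1/activerecord/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v7.0.3.1/
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v7.0.3/activerecord
+ source_code_uri: https://github.com/rails/rails/tree/v7.0.3.1/activerecord
  rubygems_mfa_required: 'true'
  post_install_message:
  rdoc_options:
@@ -456,7 +456,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.3.7
+ rubygems_version: 3.3.3
  signing_key:
  specification_version: 4
  summary: Object-relational mapper framework (part of Rails).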