activerecord 7.0.4 → 7.0.4.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 18986b8f256d988204ff7b48287980a88e138a4280d637cf28310e551082987d
4
- data.tar.gz: 8054f80c87f48a264d08f006b789e2c3680155e0ed7fb5a5698d962f7ff0d8bb
3
+ metadata.gz: 3a5c0c6f9ce9d898d0ec937ec3d4c6ea37ae02637d8aee9cf219ac5acdec5236
4
+ data.tar.gz: 2d19932b94835dcbd398676c2528177c11f9437edc7068f44f314449ccb5abe0
5
5
  SHA512:
6
- metadata.gz: 8a01f7c0f730da3cfc0bfcda6f7c9a2e3f4d2747137f87175671d79021643f09f34fcf373cb400f247159d6551589f51de73241f10ac3373159865db6e04f0fc
7
- data.tar.gz: a4aa9659e71f1e8c11914727eacd07061128f8d68b0f609c08b272025c9923419a3a58f6d789da6a467258cad69795e3e0aa265f34ffcce4b39d8bd0cb5d8386
6
+ metadata.gz: f3746715cb1a4b90ed3ce96f4826006657d450215af9f96179e53ad32b967dbad06d0328e6c18e0eedf3a576fe5efedc9c546c07149801b90c4e5eb537a3962c
7
+ data.tar.gz: a5cf64d8fbaf1023b35d22865468a824ae13a3c243b3c1084bbfafcad432a84df322346b9143a6e98273202da674bf0d3e521d903ad450209fc014998127e223
data/CHANGELOG.md CHANGED
@@ -1,3 +1,34 @@
1
+ ## Rails 7.0.4.1 (January 17, 2023) ##
2
+
3
+ * Make sanitize_as_sql_comment more strict
4
+
5
+ Though this method was likely never meant to take user input, it was
6
+ attempting sanitization. That sanitization could be bypassed with
7
+ carefully crafted input.
8
+
9
+ This commit makes the sanitization more robust by replacing any
10
+ occurrances of "/*" or "*/" with "/ *" or "* /". It also performs a
11
+ first pass to remove one surrounding comment to avoid compatibility
12
+ issues for users relying on the existing removal.
13
+
14
+ This also clarifies in the documentation of annotate that it should not
15
+ be provided user input.
16
+
17
+ [CVE-2023-22794]
18
+
19
+ * Added integer width check to PostgreSQL::Quoting
20
+
21
+ Given a value outside the range for a 64bit signed integer type
22
+ PostgreSQL will treat the column type as numeric. Comparing
23
+ integer values against numeric values can result in a slow
24
+ sequential scan.
25
+
26
+ This behavior is configurable via
27
+ ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
28
+
29
+ [CVE-2022-44566]
30
+
31
+
1
32
  ## Rails 7.0.4 (September 09, 2022) ##
2
33
 
3
34
  * Symbol is allowed by default for YAML columns
@@ -146,7 +146,16 @@ module ActiveRecord
146
146
  end
147
147
 
148
148
  def sanitize_as_sql_comment(value) # :nodoc:
149
- value.to_s.gsub(%r{ (/ (?: | \g<1>) \*) \+? \s* | \s* (\* (?: | \g<2>) /) }x, "")
149
+ # Sanitize a string to appear within a SQL comment
150
+ # For compatibility, this also surrounding "/*+", "/*", and "*/"
151
+ # charcacters, possibly with single surrounding space.
152
+ # Then follows that by replacing any internal "*/" or "/ *" with
153
+ # "* /" or "/ *"
154
+ comment = value.to_s.dup
155
+ comment.gsub!(%r{\A\s*/\*\+?\s?|\s?\*/\s*\Z}, "")
156
+ comment.gsub!("*/", "* /")
157
+ comment.gsub!("/*", "/ *")
158
+ comment
150
159
  end
151
160
 
152
161
  def column_name_matcher # :nodoc:
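Review bot: The explanatory comment added at new-side lines 149-153 has a typo ("charcacters"), a missing verb ("this also surrounding" should read "this also removes one surrounding"), and pairs the delimiters inconsistently (it says internal `"*/" or "/ *"` become `"* /" or "/ *"`, while the code replaces `"*/"` with `"* /"` and `"/*"` with `"/ *"`); it also sits inside the body rather than above the `def`. I'd replace it with a comment above `def sanitize_as_sql_comment` along the lines of `# Prepares +value+ for use inside a SQL block comment: strips one surrounding "/*+", "/*" or "*/" (optionally space-padded) for compatibility, then breaks every remaining "*/" or "/*" into "* /" or "/ *" so the comment cannot be terminated early.` The same body and comment are duplicated in `escape_sql_comment` in the later hunk (@@ -109,7 +111,16 @@); having both call a single implementation would ensure any future hardening lands in one place. Since this method is the last line of defence for annotate/query-log content, a regression test covering adjacent and overlapping delimiters (e.g. `"*/*"`, `"/*/"`) would pin the ordering of the two `gsub!` calls.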
@@ -4,6 +4,12 @@ module ActiveRecord
4
4
  module ConnectionAdapters
5
5
  module PostgreSQL
6
6
  module Quoting
7
+ class IntegerOutOf64BitRange < StandardError
8
+ def initialize(msg)
9
+ super(msg)
10
+ end
11
+ end
12
+
7
13
  # Escapes binary strings for bytea input to the database.
8
14
  def escape_bytea(value)
9
15
  @connection.escape_bytea(value) if value
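Review bot: `IntegerOutOf64BitRange#initialize` only forwards `msg` to `super`, which `StandardError` already does, so the constructor at new-side lines 8-10 is redundant; `class IntegerOutOf64BitRange < StandardError; end` is equivalent and shorter. The class also has no comment saying when it is raised; `# Raised by #quote when ActiveRecord.raise_int_wider_than_64bit is set and an Integer value does not fit a signed 64-bit column.` would cover it. Whether the class is meant to be public API or should carry `# :nodoc:` is not visible from the hunk.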
@@ -16,7 +22,27 @@ module ActiveRecord
16
22
  @connection.unescape_bytea(value) if value
17
23
  end
18
24
 
25
+ def check_int_in_range(value)
26
+ if value.to_int > 9223372036854775807 || value.to_int < -9223372036854775808
27
+ exception = <<~ERROR
28
+ Provided value outside of the range of a signed 64bit integer.
29
+
30
+ PostgreSQL will treat the column type in question as a numeric.
31
+ This may result in a slow sequential scan due to a comparison
32
+ being performed between an integer or bigint value and a numeric value.
33
+
34
+ To allow for this potentially unwanted behavior, set
35
+ ActiveRecord.raise_int_wider_than_64bit to false.
36
+ ERROR
37
+ raise IntegerOutOf64BitRange.new exception
38
+ end
39
+ end
40
+
19
41
  def quote(value) # :nodoc:
42
+ if ActiveRecord.raise_int_wider_than_64bit && value.is_a?(Integer)
43
+ check_int_in_range(value)
44
+ end
45
+
20
46
  case value
21
47
  when OID::Xml::Data
22
48
  "xml '#{quote_string(value.to_s)}'"
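Review bot: The range check is wired only into `quote` (new-side lines 42-44), so an Integer that reaches the adapter through another path — presumably bind values going through `type_cast` for prepared statements — would not be checked; worth confirming that path is covered, or documenting that the guard applies to inline-quoted literals only. The check also runs for every Integer handed to `quote` regardless of the target column, so a value legitimately wider than 64 bits destined for a `numeric` column would now raise — if that is intended it should be stated in the message or the changelog. Stylistically, `value.to_int` is evaluated twice against bare magic numbers and the raise uses `.new` without parentheses; `return if (-(2**63)..(2**63 - 1)).cover?(value)` (the caller already guarantees an Integer) and `raise IntegerOutOf64BitRange, exception` would be the idiomatic forms. The body of `quote` continues outside the hunk.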
@@ -10,7 +10,7 @@ module ActiveRecord
10
10
  MAJOR = 7
11
11
  MINOR = 0
12
12
  TINY = 4
13
- PRE = nil
13
+ PRE = "1"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -33,6 +33,8 @@ module ActiveRecord
33
33
  # want to add to the comment. Dynamic content can be created by setting a proc or lambda value in a hash,
34
34
  # and can reference any value stored in the +context+ object.
35
35
  #
36
+ # Escaping is performed on the string returned, however untrusted user input should not be used.
37
+ #
36
38
  # Example:
37
39
  #
38
40
  # tags = [
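Review bot: The new doc line at new-side line 36 reads awkwardly — `however` joins two independent clauses with only a comma, and "should not be used" leaves the subject implicit; `# The returned string is escaped, but it must not be built from untrusted user input.` says the same thing more directly. The sentence added to the `annotate` docs in the later hunk (@@ -1216,6 +1216,8 @@, "Some escaping is performed, however …") has the same construction and could take the same wording.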
@@ -109,7 +111,16 @@ module ActiveRecord
109
111
  end
110
112
 
111
113
  def escape_sql_comment(content)
112
- content.to_s.gsub(%r{ (/ (?: | \g<1>) \*) \+? \s* | \s* (\* (?: | \g<2>) /) }x, "")
114
+ # Sanitize a string to appear within a SQL comment
115
+ # For compatibility, this also surrounding "/*+", "/*", and "*/"
116
+ # charcacters, possibly with single surrounding space.
117
+ # Then follows that by replacing any internal "*/" or "/ *" with
118
+ # "* /" or "/ *"
119
+ comment = content.to_s.dup
120
+ comment.gsub!(%r{\A\s*/\*\+?\s?|\s?\*/\s*\Z}, "")
121
+ comment.gsub!("*/", "* /")
122
+ comment.gsub!("/*", "/ *")
123
+ comment
113
124
  end
114
125
 
115
126
  def tag_content
@@ -1216,6 +1216,8 @@ module ActiveRecord
1216
1216
  # # SELECT "users"."name" FROM "users" /* selecting */ /* user */ /* names */
1217
1217
  #
1218
1218
  # The SQL block comment delimiters, "/*" and "*/", will be added automatically.
1219
+ #
1220
+ # Some escaping is performed, however untrusted user input should not be used.
1219
1221
  def annotate(*args)
1220
1222
  check_if_method_has_arguments!(__callee__, args)
1221
1223
  spawn.annotate!(*args)
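--- a/data/lib/active_record.rb
+++ b/data/lib/active_record.rb
@@ -347,6 +347,14 @@ module ActiveRecord
  singleton_class.attr_accessor :use_yaml_unsafe_load
  self.use_yaml_unsafe_load = false
 
+ ##
+ # :singleton-method:
+ # Application configurable boolean that denotes whether or not to raise
+ # an exception when the PostgreSQLAdapter is provided with an integer that
+ # is wider than signed 64bit representation
+ singleton_class.attr_accessor :raise_int_wider_than_64bit
+ self.raise_int_wider_than_64bit = true
+
  ##
  # :singleton-method:
  # Application configurable array that provides additional permitted classes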
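Review bot: The new doc comment for `raise_int_wider_than_64bit` (new-side lines 350-354) does not say what the default is, which exception is raised, or what happens when the flag is off, and it ends without a period. Something like `# Application configurable boolean (default +true+) that makes the PostgreSQL adapter raise IntegerOutOf64BitRange when quoting an Integer outside the signed 64-bit range, instead of letting PostgreSQL treat the column as numeric and fall back to a slow sequential scan.` would give readers the trade-off they are opting into when they set it to false.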
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: activerecord
3
3
  version: !ruby/object:Gem::Version
4
- version: 7.0.4
4
+ version: 7.0.4.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-09-09 00:00:00.000000000 Z
11
+ date: 2023-01-17 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,28 +16,28 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 7.0.4
19
+ version: 7.0.4.1
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 7.0.4
26
+ version: 7.0.4.1
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: activemodel
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
31
  - - '='
32
32
  - !ruby/object:Gem::Version
33
- version: 7.0.4
33
+ version: 7.0.4.1
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - '='
39
39
  - !ruby/object:Gem::Version
40
- version: 7.0.4
40
+ version: 7.0.4.1
41
41
  description: Databases on Rails. Build a persistent domain model by mapping database
42
42
  tables to Ruby classes. Strong conventions for associations, validations, aggregations,
43
43
  migrations, and testing come baked-in.
@@ -434,10 +434,10 @@ licenses:
434
434
  - MIT
435
435
  metadata:
436
436
  bug_tracker_uri: https://github.com/rails/rails/issues
437
- changelog_uri: https://github.com/rails/rails/blob/v7.0.4/activerecord/CHANGELOG.md
438
- documentation_uri: https://api.rubyonrails.org/v7.0.4/
437
+ changelog_uri: https://github.com/rails/rails/blob/v7.0.4.1/activerecord/CHANGELOG.md
438
+ documentation_uri: https://api.rubyonrails.org/v7.0.4.1/
439
439
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
440
- source_code_uri: https://github.com/rails/rails/tree/v7.0.4/activerecord
440
+ source_code_uri: https://github.com/rails/rails/tree/v7.0.4.1/activerecord
441
441
  rubygems_mfa_required: 'true'
442
442
  post_install_message:
443
443
  rdoc_options:
@@ -456,7 +456,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
456
456
  - !ruby/object:Gem::Version
457
457
  version: '0'
458
458
  requirements: []
459
- rubygems_version: 3.3.3
459
+ rubygems_version: 3.4.3
460
460
  signing_key:
461
461
  specification_version: 4
462
462
  summary: Object-relational mapper framework (part of Rails).