activerecord 5.2.8 → 5.2.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d708273d88fe0d67ef88f0232adb051d7a42acdfaa8fa78a824bdd65a3ac1103
-  data.tar.gz: 72a944a73d7b1e638ea50104caf58494050253b8aa96623505c34b5f459a5dba
+  metadata.gz: 86737eb3187422c20dfc6d14b175ae9d541dfe670178da64a024c0968693ef81
+  data.tar.gz: 767900fd0d4a68dae1536cb7750e5456bc2bac72fde2ce7518ff69b1e5c8c706
 SHA512:
-  metadata.gz: 917953e398afa6764f19aa09b02bff6ada8a89f33b047521f87d5aebffcb7438ae7a95cea2bc3c74737956316b0405f663b8d6692be6a844bf9e5bf8173dc65a
-  data.tar.gz: 93f33e0ff4dec52684acb73914ce73e03771a48823870267a2f2b196bc4a09ff646a1e98725f7d4cbbb82192d0ee5a045397381c61ed0303bcc5ba32b9a8291d
+  metadata.gz: 0af8b7124c2d152f219220f518615b135137bb610d747b520d9c28370c73c966110121c3bede44a3ca0b9c36a4650f7ed300548e658eda7c888f7298b2f45162
+  data.tar.gz: 1a72afb896390c797673d4a100d7d9abd055a63fea21cef26e896a0cb424a64de661e99abb8cd80347643720d5c529dabe92af619dcaa7ff8610f4b3c1782483

data/CHANGELOG.md

@@ -1,3 +1,31 @@
+## Rails 5.2.8.1 (July 12, 2022) ##
+
+*   Change ActiveRecord::Coders::YAMLColumn default to safe_load
+
+    This adds two new configuration options The configuration options are as
+    follows:
+    
+    * `config.active_storage.use_yaml_unsafe_load`
+    
+    When set to true, this configuration option tells Rails to use the old
+    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
+    the possible escalation vulnerability in place.  Setting this option to true
+    is *not* recommended, but can aid in upgrading.
+    
+    * `config.active_record.yaml_column_permitted_classes`
+    
+    The "safe YAML" loading method does not allow all classes to be deserialized
+    by default.  This option allows you to specify classes deemed "safe" in your
+    application.  For example, if your application uses Symbol and Time in
+    serialized data, you can add Symbol and Time to the allowed list as follows:
+    
+    ```
+    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+    ```
+
+    [CVE-2022-32224]
+
+
 ## Rails 5.2.8 (May 09, 2022) ##
 
 *   No changes.

data/lib/active_record/coders/yaml_column.rb

@@ -23,7 +23,7 @@ module ActiveRecord
       def load(yaml)
         return object_class.new if object_class != Object && yaml.nil?
         return yaml unless yaml.is_a?(String) && /^---/.match?(yaml)
-        obj = YAML.load(yaml)
+        obj = yaml_load(yaml)
 
         assert_valid_value(obj, action: "load")
         obj ||= object_class.new if object_class != Object
@@ -45,6 +45,18 @@ module ActiveRecord
         rescue ArgumentError
           raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
         end
+
+        def yaml_load(payload)
+          if !ActiveRecord::Base.use_yaml_unsafe_load
+            YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
+          else
+            if YAML.respond_to?(:unsafe_load)
+              YAML.unsafe_load(payload)
+            else
+              YAML.load(payload)
+            end
+          end
+        end
     end
   end
 end

data/lib/active_record/core.rb

@@ -125,6 +125,16 @@ module ActiveRecord
 
       mattr_accessor :belongs_to_required_by_default, instance_accessor: false
 
+      ##
+      # :singleton-method:
+      # Application configurable boolean that instructs the YAML Coder to use
+      # an unsafe load if set to true.
+      mattr_accessor :use_yaml_unsafe_load, instance_writer: false, default: false
+
+      # Application configurable array that provides additional permitted classes
+      # to Psych safe_load in the YAML Coder
+      mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: []
+
       class_attribute :default_connection_handler, instance_writer: false
 
       def self.connection_handler

data/lib/active_record/gem_version.rb

@@ -10,7 +10,7 @@ module ActiveRecord
     MAJOR = 5
     MINOR = 2
     TINY  = 8
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/active_record/railtie.rb

@@ -222,5 +222,23 @@ MSG
         end
       end
     end
+    
+    initializer "active_record.use_yaml_unsafe_load" do |app|
+      config.after_initialize do
+        unless app.config.active_record.use_yaml_unsafe_load.nil?
+          ActiveRecord::Base.use_yaml_unsafe_load =
+            app.config.active_record.use_yaml_unsafe_load
+        end
+      end
+    end
+
+    initializer "active_record.yaml_column_permitted_classes" do |app|
+      config.after_initialize do
+        unless app.config.active_record.yaml_column_permitted_classes.nil?
+          ActiveRecord::Base.yaml_column_permitted_classes =
+            app.config.active_record.yaml_column_permitted_classes
+        end
+      end
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activerecord
 version: !ruby/object:Gem::Version
-  version: 5.2.8
+  version: 5.2.8.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-09 00:00:00.000000000 Z
+date: 2022-07-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.8
+        version: 5.2.8.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.8
+        version: 5.2.8.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.8
+        version: 5.2.8.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.8
+        version: 5.2.8.1
 - !ruby/object:Gem::Dependency
   name: arel
   requirement: !ruby/object:Gem::Requirement
@@ -307,9 +307,9 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.8/activerecord
-  changelog_uri: https://github.com/rails/rails/blob/v5.2.8/activerecord/CHANGELOG.md
-post_install_message: 
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.8.1/activerecord
+  changelog_uri: https://github.com/rails/rails/blob/v5.2.8.1/activerecord/CHANGELOG.md
+post_install_message:
 rdoc_options:
 - "--main"
 - README.rdoc
@@ -326,8 +326,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
-signing_key: 
+rubygems_version: 3.3.3
+signing_key:
 specification_version: 4
 summary: Object-relational mapper framework (part of Rails).
 test_files: []