activerecord 6.0.5 → 6.0.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3b924984d698eccbd8d5220f19aea7ec6adc25ebffd166df8952a4725ecf6e92
-  data.tar.gz: dcd92d322eb2ea79de53237472aad6ce7bba4d49004bb7efbd4b5745e69687d7
+  metadata.gz: 8ea0b87ad16a3ed676492be593b8278b33ef3399e6c439763805809bd3fb04e1
+  data.tar.gz: bf40b7a7aa6cbfb55455b3731ffad825e9091b43c7e3e616a4c4c6b106b8008f
 SHA512:
-  metadata.gz: 3809f3a8db911d86b1a3f650e3b851907c692207e281ee03221817c08ef54b3a963855d95727a876db78687caa1da6f2b90d6c917d0006e862711d04e8b89164
-  data.tar.gz: 6cca66d11a39d09266d8376efec65a0b13b0f4afe68363dc0d12a52b6b6c745d8dbd2f011085f73fc6344c8e604626560f24a1a9484c06deae4a044fac39afc3
+  metadata.gz: 43e01975ab59ba04e4a3530ad8b4201655ce0cad7b282ffeb95c58e9304e97c41290bc517f96080c2a832d87ad6edd310c1f625597c7aec28d5291ec47f90c22
+  data.tar.gz: f042ff5e68d069a577f8b3233c05bc03e453429cf7f7d89be189a65ce22825117d36f4c94cf5526e5aeebe036cc624fe2cbf09e89bc9a64e766f9f27fa8f68fe

data/CHANGELOG.md

@@ -1,3 +1,31 @@
+## Rails 6.0.5.1 (July 12, 2022) ##
+
+*   Change ActiveRecord::Coders::YAMLColumn default to safe_load
+
+    This adds two new configuration options The configuration options are as
+    follows:
+    
+    * `config.active_storage.use_yaml_unsafe_load`
+    
+    When set to true, this configuration option tells Rails to use the old
+    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
+    the possible escalation vulnerability in place.  Setting this option to true
+    is *not* recommended, but can aid in upgrading.
+    
+    * `config.active_record.yaml_column_permitted_classes`
+    
+    The "safe YAML" loading method does not allow all classes to be deserialized
+    by default.  This option allows you to specify classes deemed "safe" in your
+    application.  For example, if your application uses Symbol and Time in
+    serialized data, you can add Symbol and Time to the allowed list as follows:
+    
+    ```
+    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+    ```
+
+    [CVE-2022-32224]
+
+
 ## Rails 6.0.5 (May 09, 2022) ##
 
 *   No changes.

data/lib/active_record/coders/yaml_column.rb

@@ -23,7 +23,7 @@ module ActiveRecord
       def load(yaml)
         return object_class.new if object_class != Object && yaml.nil?
         return yaml unless yaml.is_a?(String) && /^---/.match?(yaml)
-        obj = YAML.load(yaml)
+        obj = yaml_load(yaml)
 
         assert_valid_value(obj, action: "load")
         obj ||= object_class.new if object_class != Object
@@ -44,6 +44,18 @@ module ActiveRecord
         rescue ArgumentError
           raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
         end
+
+        def yaml_load(payload)
+          if !ActiveRecord::Base.use_yaml_unsafe_load
+            YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
+          else
+            if YAML.respond_to?(:unsafe_load)
+              YAML.unsafe_load(payload)
+            else
+              YAML.load(payload)
+            end
+          end
+        end
     end
   end
 end

data/lib/active_record/core.rb

@@ -128,6 +128,16 @@ module ActiveRecord
 
       mattr_accessor :reading_role, instance_accessor: false, default: :reading
 
+      ##
+      # :singleton-method:
+      # Application configurable boolean that instructs the YAML Coder to use
+      # an unsafe load if set to true.
+      mattr_accessor :use_yaml_unsafe_load, instance_writer: false, default: false
+
+      # Application configurable array that provides additional permitted classes
+      # to Psych safe_load in the YAML Coder
+      mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: []
+
       class_attribute :default_connection_handler, instance_writer: false
 
       self.filter_attributes = []

data/lib/active_record/gem_version.rb

@@ -10,7 +10,7 @@ module ActiveRecord
     MAJOR = 6
     MINOR = 0
     TINY  = 5
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/active_record/railtie.rb

@@ -259,5 +259,23 @@ To keep using the current cache store, you can turn off cache versioning entirel
         self.filter_attributes += Rails.application.config.filter_parameters
       end
     end
+
+    initializer "active_record.use_yaml_unsafe_load" do |app|
+      config.after_initialize do
+        unless app.config.active_record.use_yaml_unsafe_load.nil?
+          ActiveRecord::Base.use_yaml_unsafe_load =
+            app.config.active_record.use_yaml_unsafe_load
+        end
+      end
+    end
+
+    initializer "active_record.yaml_column_permitted_classes" do |app|
+      config.after_initialize do
+        unless app.config.active_record.yaml_column_permitted_classes.nil?
+          ActiveRecord::Base.yaml_column_permitted_classes =
+            app.config.active_record.yaml_column_permitted_classes
+        end
+      end
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activerecord
 version: !ruby/object:Gem::Version
-  version: 6.0.5
+  version: 6.0.5.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-09 00:00:00.000000000 Z
+date: 2022-07-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.5
+        version: 6.0.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.5
+        version: 6.0.5.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.5
+        version: 6.0.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.5
+        version: 6.0.5.1
 description: Databases on Rails. Build a persistent domain model by mapping database
   tables to Ruby classes. Strong conventions for associations, validations, aggregations,
   migrations, and testing come baked-in.
@@ -391,10 +391,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.0.5/activerecord/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.0.5/
+  changelog_uri: https://github.com/rails/rails/blob/v6.0.5.1/activerecord/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.0.5.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.0.5/activerecord
+  source_code_uri: https://github.com/rails/rails/tree/v6.0.5.1/activerecord
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options:
@@ -413,7 +413,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.3.3
 signing_key:
 specification_version: 4
 summary: Object-relational mapper framework (part of Rails).