activerecord 6.0.5 → 6.0.5.1



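--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 3b924984d698eccbd8d5220f19aea7ec6adc25ebffd166df8952a4725ecf6e92
-data.tar.gz: dcd92d322eb2ea79de53237472aad6ce7bba4d49004bb7efbd4b5745e69687d7
+metadata.gz: 8ea0b87ad16a3ed676492be593b8278b33ef3399e6c439763805809bd3fb04e1
+data.tar.gz: bf40b7a7aa6cbfb55455b3731ffad825e9091b43c7e3e616a4c4c6b106b8008f
 SHA512:
-metadata.gz: 3809f3a8db911d86b1a3f650e3b851907c692207e281ee03221817c08ef54b3a963855d95727a876db78687caa1da6f2b90d6c917d0006e862711d04e8b89164
-data.tar.gz: 6cca66d11a39d09266d8376efec65a0b13b0f4afe68363dc0d12a52b6b6c745d8dbd2f011085f73fc6344c8e604626560f24a1a9484c06deae4a044fac39afc3
+metadata.gz: 43e01975ab59ba04e4a3530ad8b4201655ce0cad7b282ffeb95c58e9304e97c41290bc517f96080c2a832d87ad6edd310c1f625597c7aec28d5291ec47f90c22
+data.tar.gz: f042ff5e68d069a577f8b3233c05bc03e453429cf7f7d89be189a65ce22825117d36f4c94cf5526e5aeebe036cc624fe2cbf09e89bc9a64e766f9f27fa8f68fe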
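--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,31 @@
+## Rails 6.0.5.1 (July 12, 2022) ##
+
+* Change ActiveRecord::Coders::YAMLColumn default to safe_load
+
+This adds two new configuration options The configuration options are as
+follows:
+
+* `config.active_storage.use_yaml_unsafe_load`
+
+When set to true, this configuration option tells Rails to use the old
+"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
+the possible escalation vulnerability in place. Setting this option to true
+is *not* recommended, but can aid in upgrading.
+
+* `config.active_record.yaml_column_permitted_classes`
+
+The "safe YAML" loading method does not allow all classes to be deserialized
+by default. This option allows you to specify classes deemed "safe" in your
+application. For example, if your application uses Symbol and Time in
+serialized data, you can add Symbol and Time to the allowed list as follows:
+
+```
+config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+```
+
+[CVE-2022-32224]
+
+
 ## Rails 6.0.5 (May 09, 2022) ##
 
 * No changes.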
@@ -23,7 +23,7 @@ module ActiveRecord
23
23
  def load(yaml)
24
24
  return object_class.new if object_class != Object && yaml.nil?
25
25
  return yaml unless yaml.is_a?(String) && /^---/.match?(yaml)
26
- obj = YAML.load(yaml)
26
+ obj = yaml_load(yaml)
27
27
 
28
28
  assert_valid_value(obj, action: "load")
29
29
  obj ||= object_class.new if object_class != Object
@@ -44,6 +44,18 @@ module ActiveRecord
44
44
  rescue ArgumentError
45
45
  raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
46
46
  end
47
+
48
+ def yaml_load(payload)
49
+ if !ActiveRecord::Base.use_yaml_unsafe_load
50
+ YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
51
+ else
52
+ if YAML.respond_to?(:unsafe_load)
53
+ YAML.unsafe_load(payload)
54
+ else
55
+ YAML.load(payload)
56
+ end
57
+ end
58
+ end
47
59
  end
48
60
  end
49
61
  end
@@ -128,6 +128,16 @@ module ActiveRecord
128
128
 
129
129
  mattr_accessor :reading_role, instance_accessor: false, default: :reading
130
130
 
131
+ ##
132
+ # :singleton-method:
133
+ # Application configurable boolean that instructs the YAML Coder to use
134
+ # an unsafe load if set to true.
135
+ mattr_accessor :use_yaml_unsafe_load, instance_writer: false, default: false
136
+
137
+ # Application configurable array that provides additional permitted classes
138
+ # to Psych safe_load in the YAML Coder
139
+ mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: []
140
+
131
141
  class_attribute :default_connection_handler, instance_writer: false
132
142
 
133
143
  self.filter_attributes = []
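Review bot: The comment on `yaml_column_permitted_classes` says where the list is fed but not what listing a class means, and it lacks the `##` / `# :singleton-method:` RDoc directive its sibling `use_yaml_unsafe_load` carries, so the two options will not document alike. I would replace it with `# Classes (constants, not names) the YAML Coder may instantiate from column data. Every entry is trusted to be safe to build from YAML the application did not author, so keep it to plain value types such as Symbol, Date or Time.` and extend the `use_yaml_unsafe_load` comment with the consequence: `# true restores arbitrary-object deserialization of column contents (CVE-2022-32224); intended only as a migration aid.` Note that `default: []` hands every reader the same Array, so `yaml_column_permitted_classes << Symbol` mutates the shared default rather than a copy; that matches how `filter_attributes` below is handled, but is worth stating if assignment is the intended API. The enclosing class header is outside the hunk.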
@@ -10,7 +10,7 @@ module ActiveRecord
10
10
  MAJOR = 6
11
11
  MINOR = 0
12
12
  TINY = 5
13
- PRE = nil
13
+ PRE = "1"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -259,5 +259,23 @@ To keep using the current cache store, you can turn off cache versioning entirel
259
259
  self.filter_attributes += Rails.application.config.filter_parameters
260
260
  end
261
261
  end
262
+
263
+ initializer "active_record.use_yaml_unsafe_load" do |app|
264
+ config.after_initialize do
265
+ unless app.config.active_record.use_yaml_unsafe_load.nil?
266
+ ActiveRecord::Base.use_yaml_unsafe_load =
267
+ app.config.active_record.use_yaml_unsafe_load
268
+ end
269
+ end
270
+ end
271
+
272
+ initializer "active_record.yaml_column_permitted_classes" do |app|
273
+ config.after_initialize do
274
+ unless app.config.active_record.yaml_column_permitted_classes.nil?
275
+ ActiveRecord::Base.yaml_column_permitted_classes =
276
+ app.config.active_record.yaml_column_permitted_classes
277
+ end
278
+ end
279
+ end
262
280
  end
263
281
  end
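Review bot: The `active_record.use_yaml_unsafe_load` initializer copies a truthy value into `ActiveRecord::Base` silently, so an application that opts back into unsafe deserialization to get through the upgrade leaves no trace of it in its logs, and such opt-outs tend to outlive the migration they were meant for. I would warn inside the `unless` block when the value is truthy: `Rails.logger&.warn("config.active_record.use_yaml_unsafe_load is enabled; serialized columns are deserialized with unsafe YAML loading (CVE-2022-32224)") if app.config.active_record.use_yaml_unsafe_load`. The CHANGELOG in this same release names the option `config.active_storage.use_yaml_unsafe_load`, while this initializer reads `app.config.active_record.use_yaml_unsafe_load`; the changelog entry should be corrected so nobody sets a key that nothing reads and concludes the fallback is broken. The two initializers differ only in the option name and could be a single loop, though that is a matter of taste. The enclosing Railtie class starts outside the hunk.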
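--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activerecord
 version: !ruby/object:Gem::Version
-version: 6.0.5
+version: 6.0.5.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-09 00:00:00.000000000 Z
+date: 2022-07-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,28 +16,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 6.0.5
+version: 6.0.5.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 6.0.5
+version: 6.0.5.1
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 6.0.5
+version: 6.0.5.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 6.0.5
+version: 6.0.5.1
 description: Databases on Rails. Build a persistent domain model by mapping database
 tables to Ruby classes. Strong conventions for associations, validations, aggregations,
 migrations, and testing come baked-in.
@@ -391,10 +391,10 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/rails/rails/issues
-changelog_uri: https://github.com/rails/rails/blob/v6.0.5/activerecord/CHANGELOG.md
-documentation_uri: https://api.rubyonrails.org/v6.0.5/
+changelog_uri: https://github.com/rails/rails/blob/v6.0.5.1/activerecord/CHANGELOG.md
+documentation_uri: https://api.rubyonrails.org/v6.0.5.1/
 mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-source_code_uri: https://github.com/rails/rails/tree/v6.0.5/activerecord
+source_code_uri: https://github.com/rails/rails/tree/v6.0.5.1/activerecord
 rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options:
@@ -413,7 +413,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.3.3
 signing_key:
 specification_version: 4
 summary: Object-relational mapper framework (part of Rails).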