activerecord 6.1.6 → 6.1.6.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of activerecord might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +28 -0
- data/lib/active_record/coders/yaml_column.rb +9 -7
- data/lib/active_record/core.rb +8 -0
- data/lib/active_record/gem_version.rb +1 -1
- data/lib/active_record/railtie.rb +18 -0
- metadata +10 -10
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 2093e13defc611f0ec1e62d7efd445bcd1c5b182d8aab24f3dd3625047ce2f9f
|
|
4
|
+
data.tar.gz: 8d3e9a6daab9d0026cc1826d1caf2f24fee239d05b63cbb0eac866b1daded767
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3e6be64f1492b2441290abac0af6cde31950acef133ccdd98202b2ab719dc48b0f969eda318b4712c508cde2f29b3a6c381c27c6e7467b4ee25ec97209717d7a
|
|
7
|
+
data.tar.gz: 924c8bcbbaa608deb02263437e76947737b041b39a86818585e3d087530f0d1e3fdc537fc10d1177fe6cf2413deaf47f655342435312a5d473a4789e7a35631f
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,31 @@
|
|
|
1
|
+
## Rails 6.1.6.1 (July 12, 2022) ##
|
|
2
|
+
|
|
3
|
+
* Change ActiveRecord::Coders::YAMLColumn default to safe_load
|
|
4
|
+
|
|
5
|
+
This adds two new configuration options The configuration options are as
|
|
6
|
+
follows:
|
|
7
|
+
|
|
8
|
+
* `config.active_storage.use_yaml_unsafe_load`
|
|
9
|
+
|
|
10
|
+
When set to true, this configuration option tells Rails to use the old
|
|
11
|
+
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
|
|
12
|
+
the possible escalation vulnerability in place. Setting this option to true
|
|
13
|
+
is *not* recommended, but can aid in upgrading.
|
|
14
|
+
|
|
15
|
+
* `config.active_record.yaml_column_permitted_classes`
|
|
16
|
+
|
|
17
|
+
The "safe YAML" loading method does not allow all classes to be deserialized
|
|
18
|
+
by default. This option allows you to specify classes deemed "safe" in your
|
|
19
|
+
application. For example, if your application uses Symbol and Time in
|
|
20
|
+
serialized data, you can add Symbol and Time to the allowed list as follows:
|
|
21
|
+
|
|
22
|
+
```
|
|
23
|
+
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
[CVE-2022-32224]
|
|
27
|
+
|
|
28
|
+
|
|
1
29
|
## Rails 6.1.5.1 (April 26, 2022) ##
|
|
2
30
|
|
|
3
31
|
* No changes.
|
|
@@ -45,13 +45,15 @@ module ActiveRecord
|
|
|
45
45
|
raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
|
|
46
46
|
end
|
|
47
47
|
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
YAML.
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
48
|
+
def yaml_load(payload)
|
|
49
|
+
if !ActiveRecord::Base.use_yaml_unsafe_load
|
|
50
|
+
YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
|
|
51
|
+
else
|
|
52
|
+
if YAML.respond_to?(:unsafe_load)
|
|
53
|
+
YAML.unsafe_load(payload)
|
|
54
|
+
else
|
|
55
|
+
YAML.load(payload)
|
|
56
|
+
end
|
|
55
57
|
end
|
|
56
58
|
end
|
|
57
59
|
end
|
data/lib/active_record/core.rb
CHANGED
|
@@ -155,6 +155,14 @@ module ActiveRecord
|
|
|
155
155
|
|
|
156
156
|
mattr_accessor :legacy_connection_handling, instance_writer: false, default: true
|
|
157
157
|
|
|
158
|
+
# Application configurable boolean that instructs the YAML Coder to use
|
|
159
|
+
# an unsafe load if set to true.
|
|
160
|
+
mattr_accessor :use_yaml_unsafe_load, instance_writer: false, default: false
|
|
161
|
+
|
|
162
|
+
# Application configurable array that provides additional permitted classes
|
|
163
|
+
# to Psych safe_load in the YAML Coder
|
|
164
|
+
mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: []
|
|
165
|
+
|
|
158
166
|
self.filter_attributes = []
|
|
159
167
|
|
|
160
168
|
def self.connection_handler
|
|
@@ -279,5 +279,23 @@ To keep using the current cache store, you can turn off cache versioning entirel
|
|
|
279
279
|
self.signed_id_verifier_secret ||= -> { Rails.application.key_generator.generate_key("active_record/signed_id") }
|
|
280
280
|
end
|
|
281
281
|
end
|
|
282
|
+
|
|
283
|
+
initializer "active_record.use_yaml_unsafe_load" do |app|
|
|
284
|
+
config.after_initialize do
|
|
285
|
+
unless app.config.active_record.use_yaml_unsafe_load.nil?
|
|
286
|
+
ActiveRecord::Base.use_yaml_unsafe_load =
|
|
287
|
+
app.config.active_record.use_yaml_unsafe_load
|
|
288
|
+
end
|
|
289
|
+
end
|
|
290
|
+
end
|
|
291
|
+
|
|
292
|
+
initializer "active_record.yaml_column_permitted_classes" do |app|
|
|
293
|
+
config.after_initialize do
|
|
294
|
+
unless app.config.active_record.yaml_column_permitted_classes.nil?
|
|
295
|
+
ActiveRecord::Base.yaml_column_permitted_classes =
|
|
296
|
+
app.config.active_record.yaml_column_permitted_classes
|
|
297
|
+
end
|
|
298
|
+
end
|
|
299
|
+
end
|
|
282
300
|
end
|
|
283
301
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: activerecord
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.1.6
|
|
4
|
+
version: 6.1.6.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Heinemeier Hansson
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-07-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,28 +16,28 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 6.1.6
|
|
19
|
+
version: 6.1.6.1
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 6.1.6
|
|
26
|
+
version: 6.1.6.1
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: activemodel
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
30
30
|
requirements:
|
|
31
31
|
- - '='
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version: 6.1.6
|
|
33
|
+
version: 6.1.6.1
|
|
34
34
|
type: :runtime
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
38
|
- - '='
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version: 6.1.6
|
|
40
|
+
version: 6.1.6.1
|
|
41
41
|
description: Databases on Rails. Build a persistent domain model by mapping database
|
|
42
42
|
tables to Ruby classes. Strong conventions for associations, validations, aggregations,
|
|
43
43
|
migrations, and testing come baked-in.
|
|
@@ -390,10 +390,10 @@ licenses:
|
|
|
390
390
|
- MIT
|
|
391
391
|
metadata:
|
|
392
392
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
|
393
|
-
changelog_uri: https://github.com/rails/rails/blob/v6.1.6/activerecord/CHANGELOG.md
|
|
394
|
-
documentation_uri: https://api.rubyonrails.org/v6.1.6/
|
|
393
|
+
changelog_uri: https://github.com/rails/rails/blob/v6.1.6.1/activerecord/CHANGELOG.md
|
|
394
|
+
documentation_uri: https://api.rubyonrails.org/v6.1.6.1/
|
|
395
395
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
|
396
|
-
source_code_uri: https://github.com/rails/rails/tree/v6.1.6/activerecord
|
|
396
|
+
source_code_uri: https://github.com/rails/rails/tree/v6.1.6.1/activerecord
|
|
397
397
|
rubygems_mfa_required: 'true'
|
|
398
398
|
post_install_message:
|
|
399
399
|
rdoc_options:
|
|
@@ -412,7 +412,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
412
412
|
- !ruby/object:Gem::Version
|
|
413
413
|
version: '0'
|
|
414
414
|
requirements: []
|
|
415
|
-
rubygems_version: 3.3.
|
|
415
|
+
rubygems_version: 3.3.3
|
|
416
416
|
signing_key:
|
|
417
417
|
specification_version: 4
|
|
418
418
|
summary: Object-relational mapper framework (part of Rails).
|