activerecord 7.0.3 → 7.0.3.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of activerecord might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +28 -0
- data/lib/active_record/coders/yaml_column.rb +9 -7
- data/lib/active_record/gem_version.rb +1 -1
- data/lib/active_record/railtie.rb +18 -0
- data/lib/active_record.rb +14 -0
- metadata +10 -10
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3f2f45fa92947b78ba64cfc800a729cfcab5b893255efef679b686a37c50cd00
|
|
4
|
+
data.tar.gz: 2bcca713bf8426cf4ffd22e1b832cde62a6cd6caad0f1f9b19996916e88922d5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 17fdc443b9f36e8dcba05e56b6c07e88e97266f7c12accb8ac084b37dbf2c134a696fc57b71171fc488ed10fc72fba952672960b7507d14762a1a41f25623df1
|
|
7
|
+
data.tar.gz: 4dc59bd725e08e3cdf63d5145f2038f6e5c65b5eb40e611a18ef422c516543aa2acfbc893b68f25f39d304111bafd70a131928c4c1e0692e4274e5fdb1567e53
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,31 @@
|
|
|
1
|
+
## Rails 7.0.3.1 (July 12, 2022) ##
|
|
2
|
+
|
|
3
|
+
* Change ActiveRecord::Coders::YAMLColumn default to safe_load
|
|
4
|
+
|
|
5
|
+
This adds two new configuration options The configuration options are as
|
|
6
|
+
follows:
|
|
7
|
+
|
|
8
|
+
* `config.active_storage.use_yaml_unsafe_load`
|
|
9
|
+
|
|
10
|
+
When set to true, this configuration option tells Rails to use the old
|
|
11
|
+
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
|
|
12
|
+
the possible escalation vulnerability in place. Setting this option to true
|
|
13
|
+
is *not* recommended, but can aid in upgrading.
|
|
14
|
+
|
|
15
|
+
* `config.active_record.yaml_column_permitted_classes`
|
|
16
|
+
|
|
17
|
+
The "safe YAML" loading method does not allow all classes to be deserialized
|
|
18
|
+
by default. This option allows you to specify classes deemed "safe" in your
|
|
19
|
+
application. For example, if your application uses Symbol and Time in
|
|
20
|
+
serialized data, you can add Symbol and Time to the allowed list as follows:
|
|
21
|
+
|
|
22
|
+
```
|
|
23
|
+
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
[CVE-2022-32224]
|
|
27
|
+
|
|
28
|
+
|
|
1
29
|
## Rails 7.0.3 (May 09, 2022) ##
|
|
2
30
|
|
|
3
31
|
* Some internal housekeeping on reloads could break custom `respond_to?`
|
|
@@ -45,13 +45,15 @@ module ActiveRecord
|
|
|
45
45
|
raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
|
|
46
46
|
end
|
|
47
47
|
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
YAML.
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
48
|
+
def yaml_load(payload)
|
|
49
|
+
if !ActiveRecord.use_yaml_unsafe_load
|
|
50
|
+
YAML.safe_load(payload, permitted_classes: ActiveRecord.yaml_column_permitted_classes, aliases: true)
|
|
51
|
+
else
|
|
52
|
+
if YAML.respond_to?(:unsafe_load)
|
|
53
|
+
YAML.unsafe_load(payload)
|
|
54
|
+
else
|
|
55
|
+
YAML.load(payload)
|
|
56
|
+
end
|
|
55
57
|
end
|
|
56
58
|
end
|
|
57
59
|
end
|
|
@@ -403,5 +403,23 @@ To keep using the current cache store, you can turn off cache versioning entirel
|
|
|
403
403
|
end
|
|
404
404
|
end
|
|
405
405
|
end
|
|
406
|
+
|
|
407
|
+
initializer "active_record.use_yaml_unsafe_load" do |app|
|
|
408
|
+
config.after_initialize do
|
|
409
|
+
unless app.config.active_record.use_yaml_unsafe_load.nil?
|
|
410
|
+
ActiveRecord.use_yaml_unsafe_load =
|
|
411
|
+
app.config.active_record.use_yaml_unsafe_load
|
|
412
|
+
end
|
|
413
|
+
end
|
|
414
|
+
end
|
|
415
|
+
|
|
416
|
+
initializer "active_record.yaml_column_permitted_classes" do |app|
|
|
417
|
+
config.after_initialize do
|
|
418
|
+
unless app.config.active_record.yaml_column_permitted_classes.nil?
|
|
419
|
+
ActiveRecord.yaml_column_permitted_classes =
|
|
420
|
+
app.config.active_record.yaml_column_permitted_classes
|
|
421
|
+
end
|
|
422
|
+
end
|
|
423
|
+
end
|
|
406
424
|
end
|
|
407
425
|
end
|
data/lib/active_record.rb
CHANGED
|
@@ -340,6 +340,20 @@ module ActiveRecord
|
|
|
340
340
|
singleton_class.attr_accessor :query_transformers
|
|
341
341
|
self.query_transformers = []
|
|
342
342
|
|
|
343
|
+
##
|
|
344
|
+
# :singleton-method:
|
|
345
|
+
# Application configurable boolean that instructs the YAML Coder to use
|
|
346
|
+
# an unsafe load if set to true.
|
|
347
|
+
singleton_class.attr_accessor :use_yaml_unsafe_load
|
|
348
|
+
self.use_yaml_unsafe_load = false
|
|
349
|
+
|
|
350
|
+
##
|
|
351
|
+
# :singleton-method:
|
|
352
|
+
# Application configurable array that provides additional permitted classes
|
|
353
|
+
# to Psych safe_load in the YAML Coder
|
|
354
|
+
singleton_class.attr_accessor :yaml_column_permitted_classes
|
|
355
|
+
self.yaml_column_permitted_classes = []
|
|
356
|
+
|
|
343
357
|
def self.eager_load!
|
|
344
358
|
super
|
|
345
359
|
ActiveRecord::Locking.eager_load!
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: activerecord
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 7.0.3
|
|
4
|
+
version: 7.0.3.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Heinemeier Hansson
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-07-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,28 +16,28 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 7.0.3
|
|
19
|
+
version: 7.0.3.1
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 7.0.3
|
|
26
|
+
version: 7.0.3.1
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: activemodel
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
30
30
|
requirements:
|
|
31
31
|
- - '='
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version: 7.0.3
|
|
33
|
+
version: 7.0.3.1
|
|
34
34
|
type: :runtime
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
38
|
- - '='
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version: 7.0.3
|
|
40
|
+
version: 7.0.3.1
|
|
41
41
|
description: Databases on Rails. Build a persistent domain model by mapping database
|
|
42
42
|
tables to Ruby classes. Strong conventions for associations, validations, aggregations,
|
|
43
43
|
migrations, and testing come baked-in.
|
|
@@ -434,10 +434,10 @@ licenses:
|
|
|
434
434
|
- MIT
|
|
435
435
|
metadata:
|
|
436
436
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
|
437
|
-
changelog_uri: https://github.com/rails/rails/blob/v7.0.3/activerecord/CHANGELOG.md
|
|
438
|
-
documentation_uri: https://api.rubyonrails.org/v7.0.3/
|
|
437
|
+
changelog_uri: https://github.com/rails/rails/blob/v7.0.3.1/activerecord/CHANGELOG.md
|
|
438
|
+
documentation_uri: https://api.rubyonrails.org/v7.0.3.1/
|
|
439
439
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
|
440
|
-
source_code_uri: https://github.com/rails/rails/tree/v7.0.3/activerecord
|
|
440
|
+
source_code_uri: https://github.com/rails/rails/tree/v7.0.3.1/activerecord
|
|
441
441
|
rubygems_mfa_required: 'true'
|
|
442
442
|
post_install_message:
|
|
443
443
|
rdoc_options:
|
|
@@ -456,7 +456,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
456
456
|
- !ruby/object:Gem::Version
|
|
457
457
|
version: '0'
|
|
458
458
|
requirements: []
|
|
459
|
-
rubygems_version: 3.3.
|
|
459
|
+
rubygems_version: 3.3.3
|
|
460
460
|
signing_key:
|
|
461
461
|
specification_version: 4
|
|
462
462
|
summary: Object-relational mapper framework (part of Rails).
|