activerecord 7.0.3 → 7.0.3.1



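--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 5eadd3ac082cbc3b4f816198ddbd229f92346a77e9cc29d2410f1a9d1e726705
-data.tar.gz: c3cf3a52ebe5659ea0032e88379f6f0a642d9cd5e1e3866a84bc65b801fecc12
+metadata.gz: 3f2f45fa92947b78ba64cfc800a729cfcab5b893255efef679b686a37c50cd00
+data.tar.gz: 2bcca713bf8426cf4ffd22e1b832cde62a6cd6caad0f1f9b19996916e88922d5
 SHA512:
-metadata.gz: fa2df41f5f52609acfdd306ef594bd2e7a914fa3830a413d94a061041afe17be283f339e2e16bb47569884893c405d436cc0f56b2be5a57fe09ed3d02b7cdac5
-data.tar.gz: c846af2dfd2f225fb83632b71154da368cbd20da52276b7dafa7517196f33f9123573d3d610e563b00df08a3d2851e7bba86d08bf29babeb50994c321b2c81e9
+metadata.gz: 17fdc443b9f36e8dcba05e56b6c07e88e97266f7c12accb8ac084b37dbf2c134a696fc57b71171fc488ed10fc72fba952672960b7507d14762a1a41f25623df1
+data.tar.gz: 4dc59bd725e08e3cdf63d5145f2038f6e5c65b5eb40e611a18ef422c516543aa2acfbc893b68f25f39d304111bafd70a131928c4c1e0692e4274e5fdb1567e53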
data/CHANGELOG.md CHANGED
@@ -1,3 +1,31 @@
1
+ ## Rails 7.0.3.1 (July 12, 2022) ##
2
+
3
+ * Change ActiveRecord::Coders::YAMLColumn default to safe_load
4
+
5
+ This adds two new configuration options The configuration options are as
6
+ follows:
7
+
8
+ * `config.active_storage.use_yaml_unsafe_load`
9
+
10
+ When set to true, this configuration option tells Rails to use the old
11
+ "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
12
+ the possible escalation vulnerability in place. Setting this option to true
13
+ is *not* recommended, but can aid in upgrading.
14
+
15
+ * `config.active_record.yaml_column_permitted_classes`
16
+
17
+ The "safe YAML" loading method does not allow all classes to be deserialized
18
+ by default. This option allows you to specify classes deemed "safe" in your
19
+ application. For example, if your application uses Symbol and Time in
20
+ serialized data, you can add Symbol and Time to the allowed list as follows:
21
+
22
+ ```
23
+ config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
24
+ ```
25
+
26
+ [CVE-2022-32224]
27
+
28
+
1
29
  ## Rails 7.0.3 (May 09, 2022) ##
2
30
 
3
31
  * Some internal housekeeping on reloads could break custom `respond_to?`
@@ -45,13 +45,15 @@ module ActiveRecord
45
45
  raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
46
46
  end
47
47
 
48
- if YAML.respond_to?(:unsafe_load)
49
- def yaml_load(payload)
50
- YAML.unsafe_load(payload)
51
- end
52
- else
53
- def yaml_load(payload)
54
- YAML.load(payload)
48
+ def yaml_load(payload)
49
+ if !ActiveRecord.use_yaml_unsafe_load
50
+ YAML.safe_load(payload, permitted_classes: ActiveRecord.yaml_column_permitted_classes, aliases: true)
51
+ else
52
+ if YAML.respond_to?(:unsafe_load)
53
+ YAML.unsafe_load(payload)
54
+ else
55
+ YAML.load(payload)
56
+ end
55
57
  end
56
58
  end
57
59
  end
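Review bot: The new `yaml_load` tests the negated flag first (`if !ActiveRecord.use_yaml_unsafe_load`) and puts the legacy path in the `else`, which is the `if !x ... else` shape Ruby style guides discourage; swapping the branches to `if ActiveRecord.use_yaml_unsafe_load` (the `unsafe_load`/`load` fallback first, `YAML.safe_load(...)` in the `else`) keeps behaviour identical and reads as "only when explicitly opted in". The safe branch also deserves a comment on its two non-obvious choices: the configured array is passed to `permitted_classes:` unchanged, so `Symbol`, `Date`, `Time` etc. must be listed explicitly or `YAML.safe_load` raises `Psych::DisallowedClass` on existing rows, and `aliases: true` re-enables anchor/alias expansion that `safe_load` turns off by default, e.g. `# App allow-list is passed through verbatim; aliases stay on so previously serialized data with anchors still loads.` The `YAML.respond_to?(:unsafe_load)` probe now runs on every call instead of once at definition time; harmless, but it could be hoisted into a constant if it ever shows in profiles. The enclosing class (presumably `Coders::YAMLColumn`, per the changelog) starts and ends outside this hunk.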
@@ -10,7 +10,7 @@ module ActiveRecord
10
10
  MAJOR = 7
11
11
  MINOR = 0
12
12
  TINY = 3
13
- PRE = nil
13
+ PRE = "1"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -403,5 +403,23 @@ To keep using the current cache store, you can turn off cache versioning entirel
403
403
  end
404
404
  end
405
405
  end
406
+
407
+ initializer "active_record.use_yaml_unsafe_load" do |app|
408
+ config.after_initialize do
409
+ unless app.config.active_record.use_yaml_unsafe_load.nil?
410
+ ActiveRecord.use_yaml_unsafe_load =
411
+ app.config.active_record.use_yaml_unsafe_load
412
+ end
413
+ end
414
+ end
415
+
416
+ initializer "active_record.yaml_column_permitted_classes" do |app|
417
+ config.after_initialize do
418
+ unless app.config.active_record.yaml_column_permitted_classes.nil?
419
+ ActiveRecord.yaml_column_permitted_classes =
420
+ app.config.active_record.yaml_column_permitted_classes
421
+ end
422
+ end
423
+ end
406
424
  end
407
425
  end
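Review bot: Both initializers copy the app config into `ActiveRecord.use_yaml_unsafe_load` / `ActiveRecord.yaml_column_permitted_classes` only inside `config.after_initialize`, so any serialized column loaded earlier in boot (an initializer that reads records, for instance) is deserialized with the defaults from `active_record.rb` — `safe_load` with an empty allow-list — regardless of what the app configured, and may raise on non-basic classes; if that window matters, applying the values in the initializer body or via `ActiveSupport.on_load(:active_record)` would close it. Separately, the CHANGELOG in this same commit documents the first option as `config.active_storage.use_yaml_unsafe_load`, while this initializer reads `app.config.active_record.use_yaml_unsafe_load`; the changelog should be corrected, since an app following it as written would not get the documented behaviour. The `nil?` guards mean the options are applied only when explicitly set, which is worth a one-line comment: `# Leave the ActiveRecord defaults (safe_load, no extra classes) untouched unless the app set the option.` The enclosing railtie class starts outside this hunk.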
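--- a/data/lib/active_record.rb
+++ b/data/lib/active_record.rb
@@ -340,6 +340,20 @@ module ActiveRecord
 singleton_class.attr_accessor :query_transformers
 self.query_transformers = []
 
+##
+# :singleton-method:
+# Application configurable boolean that instructs the YAML Coder to use
+# an unsafe load if set to true.
+singleton_class.attr_accessor :use_yaml_unsafe_load
+self.use_yaml_unsafe_load = false
+
+##
+# :singleton-method:
+# Application configurable array that provides additional permitted classes
+# to Psych safe_load in the YAML Coder
+singleton_class.attr_accessor :yaml_column_permitted_classes
+self.yaml_column_permitted_classes = []
+
 def self.eager_load!
 super
 ActiveRecord::Locking.eager_load!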
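Review bot: The comment on `yaml_column_permitted_classes` calls it "additional permitted classes", but the array is handed to `YAML.safe_load` as its `permitted_classes:` argument unchanged (see the `yaml_load` hunk above), so it is the complete app-supplied allow-list on top of Psych's built-in basic types; the doc should say so and mention that `Symbol`, `Date` and `Time` are not allowed by default and must be listed, as the changelog's `[Symbol, Date, Time]` example shows. The `use_yaml_unsafe_load` comment should also state the default and its purpose, e.g. `# Defaults to false. Set to true only as a temporary upgrade aid: it restores the pre-7.0.3.1 YAML.unsafe_load path and its deserialization risk.` The enclosing `module ActiveRecord` body continues outside this hunk.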
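--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activerecord
 version: !ruby/object:Gem::Version
-version: 7.0.3
+version: 7.0.3.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-09 00:00:00.000000000 Z
+date: 2022-07-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,28 +16,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.3
+version: 7.0.3.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.3
+version: 7.0.3.1
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.3
+version: 7.0.3.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.3
+version: 7.0.3.1
 description: Databases on Rails. Build a persistent domain model by mapping database
 tables to Ruby classes. Strong conventions for associations, validations, aggregations,
 migrations, and testing come baked-in.
@@ -434,10 +434,10 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/rails/rails/issues
-changelog_uri: https://github.com/rails/rails/blob/v7.0.3/activerecord/CHANGELOG.md
-documentation_uri: https://api.rubyonrails.org/v7.0.3/
+changelog_uri: https://github.com/rails/rails/blob/v7.0.3.1/activerecord/CHANGELOG.md
+documentation_uri: https://api.rubyonrails.org/v7.0.3.1/
 mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-source_code_uri: https://github.com/rails/rails/tree/v7.0.3/activerecord
+source_code_uri: https://github.com/rails/rails/tree/v7.0.3.1/activerecord
 rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options:
@@ -456,7 +456,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.3.3
 signing_key:
 specification_version: 4
 summary: Object-relational mapper framework (part of Rails).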