mongoid 7.5.4 → 7.6.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ce7f228fdc033dc1142f46f4771395d36acafc97e0c144599cd063af537c7ae3
-  data.tar.gz: 15f8f0efbb076eb03f25f23898cbe27d044e7441e4a7ae4bc8d22f036838bb98
+  metadata.gz: 7d6b4091f7d54b2e65649f2c41aa1ae9d79ba5d45eda1f25402a977921af378b
+  data.tar.gz: 11c42c8f504d870e6d49a823874855c88bec5cae51254b2e3246d4e6fe3b5992
 SHA512:
-  metadata.gz: 91f40b7136ae729e6831c5033c60c0a1e2207cd98d80bf5caaef50844230d6830efe555748571d9bdef62a101f75ffd21d2a7942278f84b68e2a51fc6a8f20df
-  data.tar.gz: 3555b90da32865e1faadb9efccc6db0262adea620b4dd473d5dc1ee533b00451039dfaacd982ef5c8f6be4009ccff589119b2f512971a1b5ac509bb7ae4aa96e
+  metadata.gz: 42b67f419f6e4632f25d6b498e774627d0f7111c7d05cdab5d02fe9f33189448a7abb572b2c351d97d2ce97a22cf2cdc3e96e61b3163337a6d4e6f921c69522a
+  data.tar.gz: 48991d86f760c6f3a1b5cd87b8a19f501a1c7ebbb5cf07c5f9164c116e999ae0e4304b92b55225e7b3ca1252ee9675e4987f5998cd627f0fa1db451ddf524b50

data/README.md

@@ -19,9 +19,9 @@ Compatibility
 
 Mongoid supports and is tested against:
 
-- MRI 2.5 - 3.1
-- JRuby 9.2
-- MongoDB server 2.6 - 6.0
+- MRI 2.7 - 3.1
+- JRuby 9.3
+- MongoDB server 3.6 - 8.0
 
 Issues
 ------
@@ -40,7 +40,7 @@ License
 -------
 
 Copyright (c) 2009-2016 Durran Jordan
-Copyright (c) 2015-2020 MongoDB, Inc.
+Copyright (c) 2015-present MongoDB, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/Rakefile

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
+# rubocop:todo all
 
 require "bundler"
-require "bundler/gem_tasks"
 Bundler.setup
 
 ROOT = File.expand_path(File.join(File.dirname(__FILE__)))
@@ -10,34 +10,53 @@ $: << File.join(ROOT, 'spec/shared/lib')
 
 require "rake"
 require "rspec/core/rake_task"
-require 'mrss/spec_organizer'
-require 'rubygems/package'
-require 'rubygems/security/policies'
-
-def signed_gem?(path_to_gem)
-  Gem::Package.new(path_to_gem, Gem::Security::HighSecurity).verify
-  true
-rescue Gem::Security::Exception => e
-  false
-end
-
-$LOAD_PATH.unshift File.expand_path("../lib", __FILE__)
-require "mongoid/version"
 
-tasks = Rake.application.instance_variable_get('@tasks')
-tasks['release:do'] = tasks.delete('release')
+if File.exist?('./spec/shared/lib/tasks/candidate.rake')
+  load 'spec/shared/lib/tasks/candidate.rake'
+end
 
-task :gem => :build
+desc 'Build the gem'
 task :build do
-  system "gem build mongoid.gemspec"
+  command = %w[ gem build ]
+  command << "--output=#{ENV['GEM_FILE_NAME']}" if ENV['GEM_FILE_NAME']
+  command << (ENV['GEMSPEC'] || 'mongoid.gemspec')
+  system(*command)
 end
 
-task :install => :build do
-  system "sudo gem install mongoid-#{Mongoid::VERSION}.gem"
+# `rake version` is used by the deployment system so get the release version
+# of the product beng deployed. It must do nothing more than just print the
+# product version number.
+# 
+# See the mongodb-labs/driver-github-tools/ruby/publish Github action.
+desc "Print the current value of Mongoid::VERSION"
+task :version do
+  require 'mongoid/version'
+
+  puts Mongoid::VERSION
 end
 
+# overrides the default Bundler-provided `release` task, which also
+# builds the gem. Our release process assumes the gem has already
+# been built (and signed via GPG), so we just need `rake release` to
+# push the gem to rubygems.
 task :release do
-  raise "Please use ./release.sh to release"
+  require 'mongoid/version'
+
+  if ENV['GITHUB_ACTION'].nil?
+    abort <<~WARNING
+      `rake release` must be invoked from the `Mongoid Release` GitHub action,
+      and must not be invoked locally. This ensures the gem is properly signed
+      and distributed by the appropriate user.
+
+      Note that it is the `rubygems/release-gem@v1` step in the `Mongoid Release`
+      action that invokes this task. Do not rename or remove this task, or the
+      release-gem step will fail. Reimplement this task with caution.
+
+      mongoid-#{Mongoid::VERSION}.gem was NOT pushed to RubyGems.
+    WARNING
+  end
+
+  system 'gem', 'push', "mongoid-#{Mongoid::VERSION}.gem"
 end
 
 RSpec::Core::RakeTask.new("spec") do |spec|
@@ -49,6 +68,46 @@ RSpec::Core::RakeTask.new('spec:progress') do |spec|
   spec.pattern = "spec/**/*_spec.rb"
 end
 
+desc 'Build and validate the evergreen config'
+task eg: %w[ eg:build eg:validate ]
+
+# 'eg' == 'evergreen', but evergreen is too many letters for convenience
+namespace :eg do
+  desc 'Builds the .evergreen/config.yml file from the templates'
+  task :build do
+    ruby '.evergreen/update-evergreen-configs'
+  end
+
+  desc 'Validates the .evergreen/config.yml file'
+  task :validate do
+    system 'evergreen validate --project mongoid .evergreen/config.yml'
+  end
+
+  desc 'Updates the evergreen executable to the latest available version'
+  task :update do
+    system 'evergreen get-update --install'
+  end
+
+  desc 'Runs the current branch as an evergreen patch'
+  task :patch do
+    system 'evergreen patch --uncommitted --project mongoid --browse --auto-description --yes'
+  end
+end
+
+namespace :generate do
+  desc 'Generates a mongoid.yml from the template'
+  task :config do
+    require 'mongoid'
+    require 'erb'
+
+    template_path = 'lib/rails/generators/mongoid/config/templates/mongoid.yml'
+    database_name = ENV['DATABASE_NAME'] || 'my_db'
+
+    config = ERB.new(File.read(template_path), trim_mode: '-').result(binding)
+    File.write('mongoid.yml', config)
+  end
+end
+
 CLASSIFIERS = [
   [%r,^mongoid/attribute,, :attributes],
   [%r,^mongoid/association/[or],, :associations_referenced],
@@ -64,6 +123,8 @@ RUN_PRIORITY = %i(
 )
 
 def spec_organizer
+  require 'mrss/spec_organizer'
+
   Mrss::SpecOrganizer.new(
     root: ROOT,
     classifiers: CLASSIFIERS,
@@ -97,34 +158,12 @@ desc "Generate all documentation"
 task :docs => 'docs:yard'
 
 namespace :docs do
-  desc "Generate yard documention"
+  desc "Generate yard documentation"
   task :yard do
+    require "mongoid/version"
+
     out = File.join('yard-docs', Mongoid::VERSION)
     FileUtils.rm_rf(out)
     system "yardoc -o #{out} --title mongoid-#{Mongoid::VERSION}"
   end
 end
-
-namespace :release do
-  task :check_private_key do
-    unless File.exist?('gem-private_key.pem')
-      raise "No private key present, cannot release"
-    end
-  end
-end
-
-desc 'Verifies that all built gems in pkg/ are valid'
-task :verify do
-  gems = Dir['pkg/*.gem']
-  if gems.empty?
-    puts 'There are no gems in pkg/ to verify'
-  else
-    gems.each do |gem|
-      if signed_gem?(gem)
-        puts "#{gem} is signed"
-      else
-        abort "#{gem} is not signed"
-      end
-    end
-  end
-end

data/lib/mongoid/clients/factory.rb

@@ -95,6 +95,10 @@ module Mongoid
             [MONGOID_WRAPPING_LIBRARY] + options[:wrapping_libraries]
           else
             [MONGOID_WRAPPING_LIBRARY]
+          end.tap do |wrap|
+            if defined?(::Rails) && ::Rails.respond_to?(:version)
+              wrap << { name: 'Rails', version: ::Rails.version }
+            end
           end
           options[:wrapping_libraries] = wrap_lib
         end

data/lib/mongoid/contextual/mongo.rb

@@ -65,7 +65,14 @@ module Mongoid
       # @return [ Integer ] The number of matches.
       def count(options = {}, &block)
         return super(&block) if block_given?
-        try_cache(:count) { view.count_documents(options) }
+
+        try_cache(:count) do
+          if valid_for_count_documents?
+            view.count_documents(options)
+          else
+            view.count(options)
+          end
+        end
       end
 
       # Get the estimated number of documents matching the query.
@@ -902,6 +909,24 @@ module Mongoid
         docs = eager_load(docs)
         limit ? docs : docs.first
       end
+
+      # Queries whether the current context is valid for use with
+      # the #count_documents? predicate. A context is valid if it
+      # does not include a `$where` operator.
+      #
+      # @return [ true | false ] whether or not the current context
+      #   excludes a `$where` operator.
+      def valid_for_count_documents?(hash = view.filter)
+        # Note that `view.filter` is a BSON::Document, and all keys in a
+        # BSON::Document are strings; we don't need to worry about symbol
+        # representations of `$where`.
+        hash.keys.each do |key|
+          return false if key == '$where'
+          return false if hash[key].is_a?(Hash) && !valid_for_count_documents?(hash[key])
+        end
+
+        true
+      end
     end
   end
 end

data/lib/mongoid/extensions/hash.rb

@@ -163,6 +163,28 @@ module Mongoid
         true
       end
 
+      ALLOWED_TO_CRITERIA_METHODS = %i[
+        all all_in all_of and any_in any_of asc ascending
+        batch_size between
+        collation comment cursor_type
+        desc descending
+        elem_match eq exists extras
+        geo_spatial group gt gte
+        hint
+        in includes
+        limit lt lte
+        max_distance max_scan max_time_ms merge mod
+        ne near near_sphere nin no_timeout none none_of nor not not_in
+        offset only or order order_by
+        project
+        raw read reorder
+        scoped skip slice snapshot
+        text_search type
+        unscoped unwind
+        where with_size with_type without
+      ].freeze
+      private_constant :ALLOWED_TO_CRITERIA_METHODS
+
       # Convert this hash to a criteria. Will iterate over each keys in the
       # hash which must correspond to method on a criteria object. The hash
       # must also include a "klass" key.
@@ -174,7 +196,11 @@ module Mongoid
       def to_criteria
         criteria = Criteria.new(delete(:klass) || delete("klass"))
         each_pair do |method, args|
-          criteria = criteria.__send__(method, args)
+          method_sym = method.to_sym
+          unless ALLOWED_TO_CRITERIA_METHODS.include?(method_sym)
+            raise ArgumentError, "Method '#{method}' is not allowed in to_criteria"
+          end
+          criteria = criteria.public_send(method_sym, args)
         end
         criteria
       end

data/lib/mongoid/version.rb

@@ -1,5 +1,9 @@
 # frozen_string_literal: true
 
 module Mongoid
-  VERSION = "7.5.4"
+  # The current version of Mongoid
+  #
+  # Note that this file is automatically updated via `rake candidate:create`.
+  # Manual changes to this file will be overwritten by that rake task.
+  VERSION = '7.6.1'
 end

data/spec/mongoid/clients/factory_spec.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+# rubocop:todo all
 
 require "spec_helper"
 
@@ -29,6 +30,34 @@ describe Mongoid::Clients::Factory do
     end
   end
 
+  shared_examples_for 'includes rails wrapping library' do
+    context 'when Rails is available' do
+      around do |example|
+        rails_was_defined = defined?(::Rails)
+
+        if !rails_was_defined || !::Rails.respond_to?(:version)
+          module ::Rails
+            def self.version
+              '6.1.0'
+            end
+          end
+        end
+
+        example.run
+
+        if !rails_was_defined
+          Object.send(:remove_const, :Rails) if defined?(::Rails)
+        end
+      end
+
+      it 'adds Rails as another wrapping library' do
+        expect(client.options[:wrapping_libraries]).to include(
+          {'name' => 'Rails', 'version' => '6.1.0'},
+        )
+      end
+    end
+  end
+
   describe ".create" do
 
     context "when provided a name" do
@@ -116,6 +145,8 @@ describe Mongoid::Clients::Factory do
                 ]
               end
             end
+
+            it_behaves_like 'includes rails wrapping library'
           end
         end
 

data/spec/mongoid/config_spec.rb

@@ -558,6 +558,7 @@ describe Mongoid::Config do
 
       # Wrapping libraries are only recognized by driver 2.13.0+.
       min_driver_version '2.13'
+      ruby_version_lt '3.0'
 
       it 'passes uuid to driver' do
         Mongo::Client.should receive(:new).with(SpecConfig.instance.addresses,

data/spec/mongoid/contextual/mongo_spec.rb

@@ -189,6 +189,16 @@ describe Mongoid::Contextual::Mongo do
         end
       end
     end
+
+    context 'when for_js is present' do
+      let(:context) do
+        Band.for_js('this.name == "Depeche Mode"')
+      end
+
+      it 'counts the expected records' do
+        expect(context.count).to eq(1)
+      end
+    end
   end
 
   describe "#estimated_count" do

data/spec/mongoid/copyable_spec.rb

@@ -5,6 +5,7 @@ require "spec_helper"
 require_relative './copyable_spec_models'
 
 describe Mongoid::Copyable do
+  ruby_version_lt "3.0"
 
   [ :clone, :dup ].each do |method|
 

data/spec/mongoid/criteria/queryable/extensions/bignum_spec.rb

@@ -2,7 +2,8 @@
 
 require "spec_helper"
 
-describe Bignum do
+describe "Bignum" do
+  ruby_version_lt "2.4"
 
   describe ".evolve" do
 

data/spec/mongoid/criteria/queryable/extensions/fixnum_spec.rb

@@ -2,7 +2,8 @@
 
 require "spec_helper"
 
-describe Fixnum do
+describe 'Fixnum' do
+  ruby_version_lt "2.4"
 
   describe ".evolve" do
 

data/spec/mongoid/extensions/hash_spec.rb

@@ -467,4 +467,240 @@ describe Mongoid::Extensions::Hash do
 
     it_behaves_like 'unsatisfiable criteria method'
   end
+
+  describe '#to_criteria' do
+    subject(:criteria) { hash.to_criteria }
+
+    context 'when klass is specified' do
+      let(:hash) do
+        { klass: Band, where: { name: 'Songs Ohia' } }
+      end
+
+      it 'returns a criteria' do
+        expect(criteria).to be_a(Mongoid::Criteria)
+      end
+
+      it 'sets the klass' do
+        expect(criteria.klass).to eq(Band)
+      end
+
+      it 'sets the selector' do
+        expect(criteria.selector).to eq({ 'name' => 'Songs Ohia' })
+      end
+    end
+
+    context 'when klass is missing' do
+      let(:hash) do
+        { where: { name: 'Songs Ohia' } }
+      end
+
+      it 'returns a criteria' do
+        expect(criteria).to be_a(Mongoid::Criteria)
+      end
+
+      it 'has klass nil' do
+        expect(criteria.klass).to be_nil
+      end
+
+      it 'sets the selector' do
+        expect(criteria.selector).to eq({ 'name' => 'Songs Ohia' })
+      end
+    end
+
+    context 'with allowed methods' do
+      context 'when using multiple query methods' do
+        let(:hash) do
+          {
+            klass: Band,
+            where: { active: true },
+            limit: 10,
+            skip: 5,
+            order_by: { name: 1 }
+          }
+        end
+
+        it 'applies all methods successfully' do
+          expect(criteria.selector).to eq({ 'active' => true })
+          expect(criteria.options[:limit]).to eq(10)
+          expect(criteria.options[:skip]).to eq(5)
+          expect(criteria.options[:sort]).to eq({ 'name' => 1 })
+        end
+      end
+
+      context 'when using query selector methods' do
+        let(:hash) do
+          {
+            klass: Band,
+            gt: { members: 2 },
+            in: { genre: ['rock', 'metal'] }
+          }
+        end
+
+        it 'applies selector methods' do
+          expect(criteria.selector['members']).to eq({ '$gt' => 2 })
+          expect(criteria.selector['genre']).to eq({ '$in' => ['rock', 'metal'] })
+        end
+      end
+
+      context 'when using aggregation methods' do
+        let(:hash) do
+          {
+            klass: Band,
+            project: { name: 1, members: 1 }
+          }
+        end
+
+        it 'applies aggregation methods' do
+          expect { criteria }.not_to raise_error
+        end
+      end
+    end
+
+    context 'with disallowed methods' do
+      context 'when attempting to call create' do
+        let(:hash) do
+          { klass: Band, create: { name: 'Malicious' } }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'create' is not allowed in to_criteria")
+        end
+      end
+
+      context 'when attempting to call create!' do
+        let(:hash) do
+          { klass: Band, 'create!': { name: 'Malicious' } }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'create!' is not allowed in to_criteria")
+        end
+      end
+
+      context 'when attempting to call build' do
+        let(:hash) do
+          { klass: Band, build: { name: 'Malicious' } }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'build' is not allowed in to_criteria")
+        end
+      end
+
+      context 'when attempting to call find' do
+        let(:hash) do
+          { klass: Band, find: 'some_id' }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'find' is not allowed in to_criteria")
+        end
+      end
+
+      context 'when attempting to call execute_or_raise' do
+        let(:hash) do
+          { klass: Band, execute_or_raise: ['id1', 'id2'] }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'execute_or_raise' is not allowed in to_criteria")
+        end
+      end
+
+      context 'when attempting to call new' do
+        let(:hash) do
+          { klass: Band, new: { name: 'Test' } }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'new' is not allowed in to_criteria")
+        end
+      end
+
+      context 'when allowed method is combined with disallowed method' do
+        let(:hash) do
+          {
+            klass: Band,
+            where: { active: true },
+            create: { name: 'Malicious' }
+          }
+        end
+
+        it 'raises ArgumentError before executing any methods' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'create' is not allowed in to_criteria")
+        end
+      end
+    end
+
+    context 'security validation' do
+      # This test ensures that ALL public methods not in the allowlist are blocked
+      it 'blocks all dangerous public methods' do
+        dangerous_methods = %i[
+          build create create! new
+          find find_or_create_by find_or_create_by! find_or_initialize_by
+          first_or_create first_or_create! first_or_initialize
+          execute_or_raise multiple_from_db for_ids
+          documents= inclusions= scoping_options=
+          initialize freeze as_json
+        ]
+
+        dangerous_methods.each do |method|
+          hash = { klass: Band, method => 'arg' }
+          expect { hash.to_criteria }.to raise_error(
+            ArgumentError,
+            "Method '#{method}' is not allowed in to_criteria"
+          ), "Expected method '#{method}' to be blocked but it was allowed"
+        end
+      end
+
+      it 'blocks dangerous inherited methods from Object' do
+        # Critical security test: block send, instance_eval, etc.
+        inherited_dangerous = %i[
+          send __send__ instance_eval instance_exec
+          instance_variable_set method
+        ]
+
+        inherited_dangerous.each do |method|
+          hash = { klass: Band, method => 'arg' }
+          expect { hash.to_criteria }.to raise_error(
+            ArgumentError,
+            "Method '#{method}' is not allowed in to_criteria"
+          ), "Expected inherited method '#{method}' to be blocked"
+        end
+      end
+
+      it 'blocks Enumerable execution methods' do
+        # to_criteria should build queries, not execute them
+        enumerable_methods = %i[each map select count sum]
+
+        enumerable_methods.each do |method|
+          hash = { klass: Band, method => 'arg' }
+          expect { hash.to_criteria }.to raise_error(
+            ArgumentError,
+            "Method '#{method}' is not allowed in to_criteria"
+          ), "Expected Enumerable method '#{method}' to be blocked"
+        end
+      end
+
+      it 'allows all whitelisted methods' do
+        # Sample of allowed methods from each category
+        allowed_sample = {
+          where: { name: 'Test' },      # Query selector
+          limit: 10,                     # Query option
+          skip: 5,                       # Query option
+          gt: { age: 18 },              # Query selector
+          in: { status: ['active'] },   # Query selector
+          ascending: :name,              # Sorting
+          includes: :notes,            # Eager loading
+          merge: { klass: Band },        # Merge
+        }
+
+        allowed_sample.each do |method, args|
+          hash = { klass: Band, method => args }
+          expect { hash.to_criteria }.not_to raise_error,
+            "Expected method '#{method}' to be allowed but it was blocked"
+        end
+      end
+    end
+  end
 end

data/spec/mongoid/query_cache_spec.rb

@@ -4,6 +4,7 @@ require "spec_helper"
 require 'mongoid/association/referenced/has_many_models'
 
 describe Mongoid::QueryCache do
+  require_mri
 
   around do |spec|
     Mongoid::QueryCache.clear_cache
@@ -21,7 +22,7 @@ describe Mongoid::QueryCache do
   end
 
   after do
-    Mrss::SessionRegistry.instance.verify_sessions_ended!
+    # Mrss::SessionRegistry.instance.verify_sessions_ended!
   end
 
   let(:reset_legacy_qc_warning) do