mongoid 9.0.9 → 9.0.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c5dca0df68ed7086b6c641b1021e556812e23872d5bd52a9777093e2d8cf1e64
-  data.tar.gz: 24630d19104369a922b3a5a152012ae8eba3719576ef3c9e5f97304b6896a1c4
+  metadata.gz: fefd49681b6f78b222f201fbaea83af9f1599464034e52a73117c0ae94e201f2
+  data.tar.gz: d86f966109921d2a0f1a4ce0b78d81e0d722123c1d420f0f695385ca43687626
 SHA512:
-  metadata.gz: 03013a0c28cda90cfc3b99c26d22e7672e8ce1c6449e599d7ae39a42d19ba742f37dea7510411ca004c7d5d5f25af80e9230bac63fef8ce43515711d7f669343
-  data.tar.gz: 8bd5b0c4faa4f5f16fcc56ff612bae5a14fd40fa01513fda545469d225c6cd4909022c066719950147dc116dc1a7bdb79b69d48ad40454aabdb45481994dd69b
+  metadata.gz: '09799846ca2a44c7dc4d7aff76fba0f9fdcbe38c5bfb001dccd08eb467800f8fac675cecfa06be94eb76ca35f6f1b57b64557ed171e9c0040bcbe0a701d7827f'
+  data.tar.gz: bc0a741e2e26a84e84238f1461a26a29ae13584d9bd050dffc1ccd04f70e4e6a7fa63b20e7dcda8137ce3c37d383a5ae916b0d72ff950d4f330e66e0635ea89c

data/lib/mongoid/attributes.rb

@@ -104,7 +104,8 @@ module Mongoid
     # @api private
     def process_raw_attribute(name, raw, field)
       value = field ? field.demongoize(raw) : raw
-      attribute_will_change!(name) if value.resizable?
+      is_relation = relations.key?(name)
+      attribute_will_change!(name) if value.resizable? && !is_relation
       value
     end
 

data/lib/mongoid/clients/factory.rb

@@ -131,6 +131,10 @@ module Mongoid
             [MONGOID_WRAPPING_LIBRARY] + options[:wrapping_libraries]
           else
             [MONGOID_WRAPPING_LIBRARY]
+          end.tap do |wrap|
+            if defined?(::Rails) && ::Rails.respond_to?(:version)
+              wrap << { name: 'Rails', version: ::Rails.version }
+            end
           end
           options[:wrapping_libraries] = wrap_lib
         end

data/lib/mongoid/criteria.rb

@@ -41,24 +41,57 @@ module Mongoid
     include Clients::Sessions
     include Options
 
+    # Allowed methods for from_hash to prevent arbitrary method execution.
+    # Only query-building methods are allowed, not execution or modification methods.
+    ALLOWED_FROM_HASH_METHODS = %i[
+      all all_in all_of and any_in any_of asc ascending
+      batch_size between
+      collation comment cursor_type
+      desc descending
+      elem_match eq exists extras
+      geo_spatial group gt gte
+      hint
+      in includes
+      limit lt lte
+      max_distance max_scan max_time_ms merge mod
+      ne near near_sphere nin no_timeout none none_of nor not not_in
+      offset only or order order_by
+      project
+      raw read reorder
+      scoped skip slice snapshot
+      text_search type
+      unscoped unwind
+      where with_size with_type without
+    ].freeze
+
     class << self
       # Convert the given hash to a criteria. Will iterate over each keys in the
-      # hash which must correspond to method on a criteria object. The hash
-      # must also include a "klass" key.
+      # hash which must correspond to an allowed method on a criteria object. The hash
+      # can include a "klass" key that specifies the model class for the criteria.
       #
       # @example Convert the hash to a criteria.
       #   Criteria.from_hash({ klass: Band, where: { name: "Depeche Mode" })
       #
+      # @deprecated This method is deprecated and will
+      #  be removed in a future release.
+      #
       # @param [ Hash ] hash The hash to convert.
       #
       # @return [ Criteria ] The criteria.
+      #
+      # @raise [ ArgumentError ] If a method is not allowed in from_hash.
       def from_hash(hash)
         criteria = Criteria.new(hash.delete(:klass) || hash.delete('klass'))
         hash.each_pair do |method, args|
-          criteria = criteria.__send__(method, args)
+          method_sym = method.to_sym
+          unless ALLOWED_FROM_HASH_METHODS.include?(method_sym)
+            raise ArgumentError, "Method '#{method}' is not allowed in from_hash"
+          end
+          criteria = criteria.public_send(method_sym, args)
         end
         criteria
       end
+      Mongoid.deprecate(self, :from_hash)
     end
 
     # Static array used to check with method missing - we only need to ever
@@ -246,7 +279,8 @@ module Mongoid
     #   criteria.merge(other_criteria)
     #
     # @example Merge the criteria with a hash. The hash must contain a klass
-    #   key and the key/value pairs correspond to method names/args.
+    #   key that specifies the model class for the criteria and the key/value
+    #   pairs correspond to method names/args.
     #
     #   criteria.merge({
     #     klass: Band,
@@ -254,7 +288,7 @@ module Mongoid
     #     order_by: { name: 1 }
     #   })
     #
-    # @param [ Criteria ] other The other criterion to merge with.
+    # @param [ Criteria | Hash ] other The other criterion to merge with.
     #
     # @return [ Criteria ] A cloned self.
     def merge(other)

data/lib/mongoid/version.rb

@@ -5,5 +5,5 @@ module Mongoid
   #
   # Note that this file is automatically updated via `rake candidate:create`.
   # Manual changes to this file will be overwritten by that rake task.
-  VERSION = '9.0.9'
+  VERSION = '9.0.10'
 end

data/spec/mongoid/attributes_spec.rb

@@ -2722,7 +2722,23 @@ describe Mongoid::Attributes do
     end
   end
 
-  context "when modifiying a set referenced with the [] notation" do
+  context "when accessing an embedded document with the attribute accessor" do
+    let(:band) { Band.create! }
+
+    before do
+      Band.where(id: band.id).update_all({
+        :$push => {records: { _id: BSON::ObjectId.new }}
+      })
+    end
+
+    it "does not throw a conflicting update error" do
+      b1 = Band.find(band.id)
+      b1[:records].is_a?(Array).should be true
+      expect { b1.save! }.not_to raise_error
+    end
+  end
+
+  context "when modifying a set referenced with the [] notation" do
     let(:catalog) { Catalog.create!(set_field: [ 1 ].to_set) }
 
     before do

data/spec/mongoid/clients/factory_spec.rb

@@ -30,6 +30,34 @@ describe Mongoid::Clients::Factory do
     end
   end
 
+  shared_examples_for 'includes rails wrapping library' do
+    context 'when Rails is available' do
+      around do |example|
+        rails_was_defined = defined?(::Rails)
+
+        if !rails_was_defined
+          module ::Rails
+            def self.version
+              '6.1.0'
+            end
+          end
+        end
+
+        example.run
+
+        if !rails_was_defined
+          Object.send(:remove_const, :Rails) if defined?(::Rails)
+        end
+      end
+
+      it 'adds Rails as another wrapping library' do
+        expect(client.options[:wrapping_libraries]).to include(
+          {'name' => 'Rails', 'version' => '6.1.0'},
+        )
+      end
+    end
+  end
+
   describe ".create" do
 
     context "when provided a name" do
@@ -89,6 +117,8 @@ describe Mongoid::Clients::Factory do
               Mongoid::Clients::Factory::MONGOID_WRAPPING_LIBRARY)]
           end
 
+          it_behaves_like 'includes rails wrapping library'
+
           context 'when configuration specifies a wrapping library' do
 
             let(:config) do
@@ -110,6 +140,8 @@ describe Mongoid::Clients::Factory do
                 {'name' => 'Foo'},
               ]
             end
+
+            it_behaves_like 'includes rails wrapping library'
           end
         end
 

data/spec/mongoid/criteria_spec.rb

@@ -3250,5 +3250,201 @@ describe Mongoid::Criteria do
         expect(criteria.selector).to eq({ 'name' => 'Songs Ohia' })
       end
     end
+
+    context 'with allowed methods' do
+      context 'when using multiple query methods' do
+        let(:hash) do
+          {
+            klass: Band,
+            where: { active: true },
+            limit: 10,
+            skip: 5,
+            order_by: { name: 1 }
+          }
+        end
+
+        it 'applies all methods successfully' do
+          expect(criteria.selector).to eq({ 'active' => true })
+          expect(criteria.options[:limit]).to eq(10)
+          expect(criteria.options[:skip]).to eq(5)
+          expect(criteria.options[:sort]).to eq({ 'name' => 1 })
+        end
+      end
+
+      context 'when using query selector methods' do
+        let(:hash) do
+          {
+            klass: Band,
+            gt: { members: 2 },
+            in: { genre: ['rock', 'metal'] }
+          }
+        end
+
+        it 'applies selector methods' do
+          expect(criteria.selector['members']).to eq({ '$gt' => 2 })
+          expect(criteria.selector['genre']).to eq({ '$in' => ['rock', 'metal'] })
+        end
+      end
+
+      context 'when using aggregation methods' do
+        let(:hash) do
+          {
+            klass: Band,
+            project: { name: 1, members: 1 }
+          }
+        end
+
+        it 'applies aggregation methods' do
+          expect { criteria }.not_to raise_error
+        end
+      end
+    end
+
+    context 'with disallowed methods' do
+      context 'when attempting to call create' do
+        let(:hash) do
+          { klass: Band, create: { name: 'Malicious' } }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'create' is not allowed in from_hash")
+        end
+      end
+
+      context 'when attempting to call create!' do
+        let(:hash) do
+          { klass: Band, 'create!': { name: 'Malicious' } }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'create!' is not allowed in from_hash")
+        end
+      end
+
+      context 'when attempting to call build' do
+        let(:hash) do
+          { klass: Band, build: { name: 'Malicious' } }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'build' is not allowed in from_hash")
+        end
+      end
+
+      context 'when attempting to call find' do
+        let(:hash) do
+          { klass: Band, find: 'some_id' }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'find' is not allowed in from_hash")
+        end
+      end
+
+      context 'when attempting to call execute_or_raise' do
+        let(:hash) do
+          { klass: Band, execute_or_raise: ['id1', 'id2'] }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'execute_or_raise' is not allowed in from_hash")
+        end
+      end
+
+      context 'when attempting to call new' do
+        let(:hash) do
+          { klass: Band, new: { name: 'Test' } }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'new' is not allowed in from_hash")
+        end
+      end
+
+      context 'when allowed method is combined with disallowed method' do
+        let(:hash) do
+          {
+            klass: Band,
+            where: { active: true },
+            create: { name: 'Malicious' }
+          }
+        end
+
+        it 'raises ArgumentError before executing any methods' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'create' is not allowed in from_hash")
+        end
+      end
+    end
+
+    context 'security validation' do
+      # This test ensures that ALL public methods not in the allowlist are blocked
+      it 'blocks all dangerous public methods' do
+        dangerous_methods = %i[
+          build create create! new
+          find find_or_create_by find_or_create_by! find_or_initialize_by
+          first_or_create first_or_create! first_or_initialize
+          execute_or_raise multiple_from_db for_ids
+          documents= inclusions= scoping_options=
+          initialize freeze as_json
+        ]
+
+        dangerous_methods.each do |method|
+          hash = { klass: Band, method => 'arg' }
+          expect { described_class.from_hash(hash) }.to raise_error(
+            ArgumentError,
+            "Method '#{method}' is not allowed in from_hash"
+          ), "Expected method '#{method}' to be blocked but it was allowed"
+        end
+      end
+
+      it 'blocks dangerous inherited methods from Object' do
+        # Critical security test: block send, instance_eval, etc.
+        inherited_dangerous = %i[
+          send __send__ instance_eval instance_exec
+          instance_variable_set method
+        ]
+
+        inherited_dangerous.each do |method|
+          hash = { klass: Band, method => 'arg' }
+          expect { described_class.from_hash(hash) }.to raise_error(
+            ArgumentError,
+            "Method '#{method}' is not allowed in from_hash"
+          ), "Expected inherited method '#{method}' to be blocked"
+        end
+      end
+
+      it 'blocks Enumerable execution methods' do
+        # from_hash should build queries, not execute them
+        enumerable_methods = %i[each map select count sum]
+
+        enumerable_methods.each do |method|
+          hash = { klass: Band, method => 'arg' }
+          expect { described_class.from_hash(hash) }.to raise_error(
+            ArgumentError,
+            "Method '#{method}' is not allowed in from_hash"
+          ), "Expected Enumerable method '#{method}' to be blocked"
+        end
+      end
+
+      it 'allows all whitelisted methods' do
+        # Sample of allowed methods from each category
+        allowed_sample = {
+          where: { name: 'Test' },      # Query selector
+          limit: 10,                     # Query option
+          skip: 5,                       # Query option
+          gt: { age: 18 },              # Query selector
+          in: { status: ['active'] },   # Query selector
+          ascending: :name,              # Sorting
+          includes: :notes,            # Eager loading
+          merge: { klass: Band },        # Merge
+        }
+
+        allowed_sample.each do |method, args|
+          hash = { klass: Band, method => args }
+          expect { described_class.from_hash(hash) }.not_to raise_error,
+            "Expected method '#{method}' to be allowed but it was blocked"
+        end
+      end
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mongoid
 version: !ruby/object:Gem::Version
-  version: 9.0.9
+  version: 9.0.10
 platform: ruby
 authors:
 - The MongoDB Ruby Team
@@ -1231,7 +1231,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.6
 requirements: []
-rubygems_version: 4.0.2
+rubygems_version: 4.0.4
 specification_version: 4
 summary: Elegant Persistence in Ruby for MongoDB.
 test_files: