mongoid 8.0.11 → 8.0.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 78040726b40c1709f9218bc28850b802cf5aedfbdd178c2ed90322ffb16ba0ee
-  data.tar.gz: 438d1fee26567d71150518c5df2f764d6671c49ea6cc02c0582a7cd15e80fd7a
+  metadata.gz: f08452ead2923923372a78e2e981543ced23f0353ece5109a3f19411e29a9e29
+  data.tar.gz: 2ec3d115f4be09f2ca9b04704b965bdffc266eb047ca2701ecdc7018353be5fc
 SHA512:
-  metadata.gz: 8420a185b4baf6c1183ff188bc16f5d79fc75f44f1784c37df163836b70939250efbefceaeb53269a9d97f0b7bc9ae997a6586306223bea424db8738a3f2513e
-  data.tar.gz: 1f8dc137d3de2c5bc6ff676f8330471e4a792fe259839e6edec6107e145fd3b81bd4013df64e4b2410a62793ce2d35855069672a4a8784cf2de076f3ac4fda61
+  metadata.gz: 88300684eb21ca82ff1a43c58dcb5dbe0d45d8d5c187d569c31b6e1653293ffedbcc699bccf92941a47eb83ce9d11a9dcb1c1c51a2db5af70d1a1ed0db459a3a
+  data.tar.gz: 2b6207d2c5b2d94bcd24b7299ed4dc47bc1f5df5035c887253b4aa456dabe4653b19de6da5db094b109aea5ea2455754c15c8e19a6c84231102fe613d562948f

data/lib/mongoid/clients/factory.rb

@@ -95,6 +95,10 @@ module Mongoid
             [MONGOID_WRAPPING_LIBRARY] + options[:wrapping_libraries]
           else
             [MONGOID_WRAPPING_LIBRARY]
+          end.tap do |wrap|
+            if defined?(::Rails) && ::Rails.respond_to?(:version)
+              wrap << { name: 'Rails', version: ::Rails.version }
+            end
           end
           options[:wrapping_libraries] = wrap_lib
         end

data/lib/mongoid/extensions/hash.rb

@@ -167,6 +167,28 @@ module Mongoid
         true
       end
 
+      ALLOWED_TO_CRITERIA_METHODS = %i[
+        all all_in all_of and any_in any_of asc ascending
+        batch_size between
+        collation comment cursor_type
+        desc descending
+        elem_match eq exists extras
+        geo_spatial group gt gte
+        hint
+        in includes
+        limit lt lte
+        max_distance max_scan max_time_ms merge mod
+        ne near near_sphere nin no_timeout none none_of nor not not_in
+        offset only or order order_by
+        project
+        raw read reorder
+        scoped skip slice snapshot
+        text_search type
+        unscoped unwind
+        where with_size with_type without
+      ].freeze
+      private_constant :ALLOWED_TO_CRITERIA_METHODS
+
       # Convert this hash to a criteria. Will iterate over each keys in the
       # hash which must correspond to method on a criteria object. The hash
       # must also include a "klass" key.
@@ -178,7 +200,11 @@ module Mongoid
       def to_criteria
         criteria = Criteria.new(delete(:klass) || delete("klass"))
         each_pair do |method, args|
-          criteria = criteria.__send__(method, args)
+          method_sym = method.to_sym
+          unless ALLOWED_TO_CRITERIA_METHODS.include?(method_sym)
+            raise ArgumentError, "Method '#{method}' is not allowed in to_criteria"
+          end
+          criteria = criteria.public_send(method_sym, args)
         end
         criteria
       end

data/lib/mongoid/version.rb

@@ -5,5 +5,5 @@ module Mongoid
   #
   # Note that this file is automatically updated via `rake candidate:create`.
   # Manual changes to this file will be overwritten by that rake task.
-  VERSION = '8.0.11'
+  VERSION = '8.0.12'
 end

data/spec/mongoid/clients/factory_spec.rb

@@ -29,6 +29,32 @@ describe Mongoid::Clients::Factory do
     end
   end
 
+  shared_examples_for 'includes rails wrapping library' do
+    context 'when Rails is available' do
+      around do |example|
+        original_rails_constant = defined?(::Rails) ? ::Rails : nil
+        Object.send(:remove_const, :Rails) if original_rails_constant
+
+        module ::Rails
+          def self.version
+            '6.1.0'
+          end
+        end
+
+        example.run
+
+        Object.send(:remove_const, :Rails) if defined?(::Rails)
+        Object.const_set(:Rails, original_rails_constant)
+      end
+
+      it 'adds Rails as another wrapping library' do
+        expect(client.options[:wrapping_libraries]).to include(
+          {'name' => 'Rails', 'version' => '6.1.0'},
+        )
+      end
+    end
+  end
+
   describe ".create" do
 
     context "when provided a name" do
@@ -88,6 +114,8 @@ describe Mongoid::Clients::Factory do
               Mongoid::Clients::Factory::MONGOID_WRAPPING_LIBRARY)]
           end
 
+          it_behaves_like 'includes rails wrapping library'
+
           context 'when configuration specifies a wrapping library' do
 
             let(:config) do
@@ -109,6 +137,8 @@ describe Mongoid::Clients::Factory do
                 {'name' => 'Foo'},
               ]
             end
+
+            it_behaves_like 'includes rails wrapping library'
           end
         end
 

data/spec/mongoid/criteria/queryable/extensions/bignum_spec.rb

@@ -2,7 +2,8 @@
 
 require "spec_helper"
 
-describe Bignum do
+describe 'Bignum' do
+  ruby_version_lt "2.4"
 
   describe ".evolve" do
 

data/spec/mongoid/criteria/queryable/extensions/fixnum_spec.rb

@@ -2,7 +2,8 @@
 
 require "spec_helper"
 
-describe Fixnum do
+describe 'Fixnum' do
+  ruby_version_lt "2.4"
 
   describe ".evolve" do
 

data/spec/mongoid/extensions/hash_spec.rb

@@ -497,4 +497,240 @@ describe Mongoid::Extensions::Hash do
 
     it_behaves_like 'unsatisfiable criteria method'
   end
+
+  describe '#to_criteria' do
+    subject(:criteria) { hash.to_criteria }
+
+    context 'when klass is specified' do
+      let(:hash) do
+        { klass: Band, where: { name: 'Songs Ohia' } }
+      end
+
+      it 'returns a criteria' do
+        expect(criteria).to be_a(Mongoid::Criteria)
+      end
+
+      it 'sets the klass' do
+        expect(criteria.klass).to eq(Band)
+      end
+
+      it 'sets the selector' do
+        expect(criteria.selector).to eq({ 'name' => 'Songs Ohia' })
+      end
+    end
+
+    context 'when klass is missing' do
+      let(:hash) do
+        { where: { name: 'Songs Ohia' } }
+      end
+
+      it 'returns a criteria' do
+        expect(criteria).to be_a(Mongoid::Criteria)
+      end
+
+      it 'has klass nil' do
+        expect(criteria.klass).to be_nil
+      end
+
+      it 'sets the selector' do
+        expect(criteria.selector).to eq({ 'name' => 'Songs Ohia' })
+      end
+    end
+
+    context 'with allowed methods' do
+      context 'when using multiple query methods' do
+        let(:hash) do
+          {
+            klass: Band,
+            where: { active: true },
+            limit: 10,
+            skip: 5,
+            order_by: { name: 1 }
+          }
+        end
+
+        it 'applies all methods successfully' do
+          expect(criteria.selector).to eq({ 'active' => true })
+          expect(criteria.options[:limit]).to eq(10)
+          expect(criteria.options[:skip]).to eq(5)
+          expect(criteria.options[:sort]).to eq({ 'name' => 1 })
+        end
+      end
+
+      context 'when using query selector methods' do
+        let(:hash) do
+          {
+            klass: Band,
+            gt: { members: 2 },
+            in: { genre: ['rock', 'metal'] }
+          }
+        end
+
+        it 'applies selector methods' do
+          expect(criteria.selector['members']).to eq({ '$gt' => 2 })
+          expect(criteria.selector['genre']).to eq({ '$in' => ['rock', 'metal'] })
+        end
+      end
+
+      context 'when using aggregation methods' do
+        let(:hash) do
+          {
+            klass: Band,
+            project: { name: 1, members: 1 }
+          }
+        end
+
+        it 'applies aggregation methods' do
+          expect { criteria }.not_to raise_error
+        end
+      end
+    end
+
+    context 'with disallowed methods' do
+      context 'when attempting to call create' do
+        let(:hash) do
+          { klass: Band, create: { name: 'Malicious' } }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'create' is not allowed in to_criteria")
+        end
+      end
+
+      context 'when attempting to call create!' do
+        let(:hash) do
+          { klass: Band, 'create!': { name: 'Malicious' } }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'create!' is not allowed in to_criteria")
+        end
+      end
+
+      context 'when attempting to call build' do
+        let(:hash) do
+          { klass: Band, build: { name: 'Malicious' } }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'build' is not allowed in to_criteria")
+        end
+      end
+
+      context 'when attempting to call find' do
+        let(:hash) do
+          { klass: Band, find: 'some_id' }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'find' is not allowed in to_criteria")
+        end
+      end
+
+      context 'when attempting to call execute_or_raise' do
+        let(:hash) do
+          { klass: Band, execute_or_raise: ['id1', 'id2'] }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'execute_or_raise' is not allowed in to_criteria")
+        end
+      end
+
+      context 'when attempting to call new' do
+        let(:hash) do
+          { klass: Band, new: { name: 'Test' } }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'new' is not allowed in to_criteria")
+        end
+      end
+
+      context 'when allowed method is combined with disallowed method' do
+        let(:hash) do
+          {
+            klass: Band,
+            where: { active: true },
+            create: { name: 'Malicious' }
+          }
+        end
+
+        it 'raises ArgumentError before executing any methods' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'create' is not allowed in to_criteria")
+        end
+      end
+    end
+
+    context 'security validation' do
+      # This test ensures that ALL public methods not in the allowlist are blocked
+      it 'blocks all dangerous public methods' do
+        dangerous_methods = %i[
+          build create create! new
+          find find_or_create_by find_or_create_by! find_or_initialize_by
+          first_or_create first_or_create! first_or_initialize
+          execute_or_raise multiple_from_db for_ids
+          documents= inclusions= scoping_options=
+          initialize freeze as_json
+        ]
+
+        dangerous_methods.each do |method|
+          hash = { klass: Band, method => 'arg' }
+          expect { hash.to_criteria }.to raise_error(
+            ArgumentError,
+            "Method '#{method}' is not allowed in to_criteria"
+          ), "Expected method '#{method}' to be blocked but it was allowed"
+        end
+      end
+
+      it 'blocks dangerous inherited methods from Object' do
+        # Critical security test: block send, instance_eval, etc.
+        inherited_dangerous = %i[
+          send __send__ instance_eval instance_exec
+          instance_variable_set method
+        ]
+
+        inherited_dangerous.each do |method|
+          hash = { klass: Band, method => 'arg' }
+          expect { hash.to_criteria }.to raise_error(
+            ArgumentError,
+            "Method '#{method}' is not allowed in to_criteria"
+          ), "Expected inherited method '#{method}' to be blocked"
+        end
+      end
+
+      it 'blocks Enumerable execution methods' do
+        # to_criteria should build queries, not execute them
+        enumerable_methods = %i[each map select count sum]
+
+        enumerable_methods.each do |method|
+          hash = { klass: Band, method => 'arg' }
+          expect { hash.to_criteria }.to raise_error(
+            ArgumentError,
+            "Method '#{method}' is not allowed in to_criteria"
+          ), "Expected Enumerable method '#{method}' to be blocked"
+        end
+      end
+
+      it 'allows all whitelisted methods' do
+        # Sample of allowed methods from each category
+        allowed_sample = {
+          where: { name: 'Test' },      # Query selector
+          limit: 10,                     # Query option
+          skip: 5,                       # Query option
+          gt: { age: 18 },              # Query selector
+          in: { status: ['active'] },   # Query selector
+          ascending: :name,              # Sorting
+          includes: :notes,            # Eager loading
+          merge: { klass: Band },        # Merge
+        }
+
+        allowed_sample.each do |method, args|
+          hash = { klass: Band, method => args }
+          expect { hash.to_criteria }.not_to raise_error,
+            "Expected method '#{method}' to be allowed but it was blocked"
+        end
+      end
+    end
+  end
 end

data/spec/shared/CANDIDATE.md

@@ -0,0 +1,28 @@
+# Candidate Tasks
+
+When using the `candidate` rake tasks, you must make sure:
+
+1. You are using at least `git` version 2.49.0.
+2. You have the `gh` CLI tool installed.
+3. You are logged into `gh` with an account that has collaborator access to the repository.
+4. You have run `gh repo set-default` from the root of your local checkout to set the default repository to the canonical MongoDB repo.
+5. The `origin` remote for your local checkout is set to your own fork.
+6. The `upstream` remote for your local checkout is set to the canonical
+   MongoDB repo.
+
+Once configured, you can use the following commands:
+
+1. `rake candidate:prs` - This will list all pull requests that will be included in the next release. Any with `[?]` are unlabelled (or are not labelled with a recognized label). Otherwise, `[b]` means `bug`, `[f]` means `feature`, and `[x]` means `bcbreak`.
+2. `rake candidate:preview` - This will generate and display the release notes for the next release, based on the associated pull requests.
+3. `rake candidate:create` - This will create a new PR against the default repository, using the generated release notes as the description. The new PR will be given the `release-candidate` label.
+
+Then, after the release candidate PR is approved and merged, the release process will automatically bundle, sign, and release the new version.
+
+Once you've merged the PR, you can switch to the "Actions" tab for the repository on GitHub and look for the "Release" workflow (might be named differently), which should have triggered automatically. You can monitor the progress of the release there. If there are any problems, the workflow is generally safe to re-run after you've addressed them.
+
+Things to do after the release succeeds:
+
+1. Copy the release notes from the PR and create a new release announcement on the forums (https://www.mongodb.com/community/forums/c/announcements/driver-releases/110).
+2. If the release was not automatically announced in #ruby, copy a link to the GitHub release or MongoDB forum post there.
+3. Close the release in Jira.
+

data/spec/shared/lib/mrss/spec_organizer.rb

@@ -25,19 +25,19 @@ module Mrss
     end
 
     def initialize(root: nil, classifiers:, priority_order:,
-      spec_root: nil, rspec_json_path: nil, rspec_all_json_path: nil,
-      randomize: false
+      spec_root: nil, rspec_json_path: nil, rspec_all_json_path: nil, rspec_xml_path: nil, randomize: false
     )
       @spec_root = spec_root || File.join(root, 'spec')
       @classifiers = classifiers
       @priority_order = priority_order
       @rspec_json_path = rspec_json_path || File.join(root, 'tmp/rspec.json')
       @rspec_all_json_path = rspec_all_json_path || File.join(root, 'tmp/rspec-all.json')
+      @rspec_xml_path = rspec_xml_path || File.join(root, 'tmp/rspec.xml')
       @randomize = !!randomize
     end
 
     attr_reader :spec_root, :classifiers, :priority_order
-    attr_reader :rspec_json_path, :rspec_all_json_path
+    attr_reader :rspec_json_path, :rspec_all_json_path, :rspec_xml_path
 
     def randomize?
       @randomize
@@ -47,6 +47,25 @@ module Mrss
       @seed ||= (rand * 100_000).to_i
     end
 
+    # Remove all XML files from tmp directory before running tests
+    def cleanup_xml_files
+      xml_pattern = File.join(File.dirname(rspec_xml_path), '*.xml')
+      Dir.glob(xml_pattern).each do |xml_file|
+        FileUtils.rm_f(xml_file)
+      end
+    end
+
+    # Move the XML file to a timestamped version for evergreen upload
+    def archive_xml_file(category)
+      return unless File.exist?(rspec_xml_path)
+
+      timestamp = Time.now.strftime('%Y%m%d_%H%M%S_%3N')
+      archived_path = rspec_xml_path.sub(/\.xml$/, "-#{category}-#{timestamp}.xml")
+
+      FileUtils.mv(rspec_xml_path, archived_path)
+      puts "Archived XML results to #{archived_path}"
+    end
+
     def buckets
       @buckets ||= {}.tap do |buckets|
         Find.find(spec_root) do |path|
@@ -96,6 +115,8 @@ module Mrss
 
     def run_buckets(*buckets)
       FileUtils.rm_f(rspec_all_json_path)
+      # Clean up all XML files before starting test runs
+      cleanup_xml_files
 
       buckets.each do |bucket|
         if bucket && !self.buckets[bucket]
@@ -131,7 +152,12 @@ module Mrss
     def run_files(category, paths)
       puts "Running #{category.to_s.gsub('_', ' ')} tests"
       FileUtils.rm_f(rspec_json_path)
+      FileUtils.rm_f(rspec_xml_path)  # Clean up XML file before running this bucket
+
       cmd = %w(rspec) + paths
+      # Add junit formatter for XML output
+      cmd += ['--format', 'Rfc::Riff', '--format', 'RspecJunitFormatter', '--out', rspec_xml_path]
+
       if randomize?
         cmd += %W(--order rand:#{seed})
       end
@@ -147,6 +173,9 @@ module Mrss
             FileUtils.cp(rspec_json_path, rspec_all_json_path)
           end
         end
+
+        # Archive XML file after running this bucket
+        archive_xml_file(category)
       end
 
       true

data/spec/shared/shlib/server.sh

@@ -78,7 +78,7 @@ install_mlaunch_venv() {
     # Debian11/Ubuntu2204 have venv installed, but it is nonfunctional unless
     # the python3-venv package is also installed (it lacks the ensurepip
     # module).
-    sudo apt-get install --yes python3-venv
+    sudo apt-get update && sudo apt-get install --yes python3-venv
   fi
   if test "$USE_SYSTEM_PYTHON_PACKAGES" = 1 &&
     python3 -m pip list |grep mtools

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mongoid
 version: !ruby/object:Gem::Version
-  version: 8.0.11
+  version: 8.0.12
 platform: ruby
 authors:
 - The MongoDB Ruby Team
@@ -831,6 +831,7 @@ files:
 - spec/mongoid_spec.rb
 - spec/rails/controller_extension/controller_runtime_spec.rb
 - spec/rails/mongoid_spec.rb
+- spec/shared/CANDIDATE.md
 - spec/shared/LICENSE
 - spec/shared/bin/get-mongodb-download-url
 - spec/shared/bin/s3-copy
@@ -1154,7 +1155,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.6
 requirements: []
-rubygems_version: 3.7.1
+rubygems_version: 4.0.4
 specification_version: 4
 summary: Elegant Persistence in Ruby for MongoDB.
 test_files:
@@ -1548,6 +1549,7 @@ test_files:
 - spec/mongoid_spec.rb
 - spec/rails/controller_extension/controller_runtime_spec.rb
 - spec/rails/mongoid_spec.rb
+- spec/shared/CANDIDATE.md
 - spec/shared/LICENSE
 - spec/shared/bin/get-mongodb-download-url
 - spec/shared/bin/s3-copy