RubyGems - mysql-binuuid-rails - Versions diffs - 1.1.0 → 1.1.1 - Mend

mysql-binuuid-rails 1.1.0 → 1.1.1

Files changed (8) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e816b78ae0f3deafefbbbe31a8afd9b2fb3871666ff726743d3a5e73c041d908
-  data.tar.gz: e616712f16e6560b0f6588081d641d7f6fa058f5b3ffd4b122f3d71374048529
+  metadata.gz: 310c74261238918fa745014e63fc25691fd7f6d31baa27a53d7977a079e37bc5
+  data.tar.gz: b6c545315222b4ec9ef21ee38ade3e2044dbe0327955b8673215f05a0904885e
 SHA512:
-  metadata.gz: 6765b2da70182aeb6aa1066d63d609056ecafea9d6fbaecd2249a43d693b8c573c8833f0e1609449903d1d4f14d7386e9df86bd0cc4fbf7cbd72dd17c894d9dc
-  data.tar.gz: 4cd1ff1cd8528da16c662eff37d65e1c7327dcd18f5486d037824f2c4eaf31793b24963fe86f3faf8cc0a07c6e6219bed4876a13a0378c0177fae9445d46001c
+  metadata.gz: 457ab7be14fefda336a4db3e0a20b1d8f2cfe6e0d814337943664a1104fe4d67e13eb0d4a1e4d413fd81b38334cd49980067c5ed4c6556bb8bf7d1fb1f7c58e1
+  data.tar.gz: 74ff493fb8f777c586b6df3810c9cfd125fd71cbbe1fede598ee6feb47380831dc97b418ea0e14c90453bf036c86258f0bb813bab68d2f82c1ae1ad629d732ff

data/.travis.yml CHANGED

@@ -1,14 +1,15 @@
 language: ruby
 cache: bundler
 rvm:
-  - 2.3.7
-  - 2.4.4
-  - 2.5.1
+  - 2.3.8
+  - 2.4.5
+  - 2.5.3
 env:
   matrix:
     - RAILS_VERSION=5.0.5
     - RAILS_VERSION=5.1.6
     - RAILS_VERSION=5.2.0
+    - RAILS_VERSION=5.2.1
 before_install:
   - gem install bundler
   - gem update bundler

data/CHANGELOG.md CHANGED

@@ -1,3 +1,10 @@
+# 1.1.1
+  * Fixes possible SQL injection for ActiveRecord columns typed with
+    MySQLBinUUID::Type.
+    Thank you @ejoubaud, @geoffevason and @viraptor.
 # 1.1.0
   * Set minimum Ruby version from 2.2 to 2.3

data/Gemfile.lock CHANGED

@@ -1,49 +1,49 @@
 PATH
   remote: .
   specs:
-    mysql-binuuid-rails (1.0.0)
+    mysql-binuuid-rails (1.1.0)
       rails (>= 5)
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.2.0)
-      actionpack (= 5.2.0)
+    actioncable (5.2.1)
+      actionpack (= 5.2.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailer (5.2.0)
-      actionpack (= 5.2.0)
-      actionview (= 5.2.0)
-      activejob (= 5.2.0)
+    actionmailer (5.2.1)
+      actionpack (= 5.2.1)
+      actionview (= 5.2.1)
+      activejob (= 5.2.1)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.2.0)
-      actionview (= 5.2.0)
-      activesupport (= 5.2.0)
+    actionpack (5.2.1)
+      actionview (= 5.2.1)
+      activesupport (= 5.2.1)
       rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.2.0)
-      activesupport (= 5.2.0)
+    actionview (5.2.1)
+      activesupport (= 5.2.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.2.0)
-      activesupport (= 5.2.0)
+    activejob (5.2.1)
+      activesupport (= 5.2.1)
       globalid (>= 0.3.6)
-    activemodel (5.2.0)
-      activesupport (= 5.2.0)
-    activerecord (5.2.0)
-      activemodel (= 5.2.0)
-      activesupport (= 5.2.0)
+    activemodel (5.2.1)
+      activesupport (= 5.2.1)
+    activerecord (5.2.1)
+      activemodel (= 5.2.1)
+      activesupport (= 5.2.1)
       arel (>= 9.0)
-    activestorage (5.2.0)
-      actionpack (= 5.2.0)
-      activerecord (= 5.2.0)
+    activestorage (5.2.1)
+      actionpack (= 5.2.1)
+      activerecord (= 5.2.1)
       marcel (~> 0.3.1)
-    activesupport (5.2.0)
+    activesupport (5.2.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
@@ -55,7 +55,7 @@ GEM
     erubi (1.7.1)
     globalid (0.4.1)
       activesupport (>= 4.2.0)
-    i18n (1.0.0)
+    i18n (1.1.0)
       concurrent-ruby (~> 1.0)
     loofah (2.2.2)
       crass (~> 1.0.2)
@@ -66,44 +66,44 @@ GEM
       mimemagic (~> 0.3.2)
     method_source (0.9.0)
     mimemagic (0.3.2)
-    mini_mime (1.0.0)
+    mini_mime (1.0.1)
     mini_portile2 (2.3.0)
     minitest (5.11.3)
     minitest-hooks (1.4.2)
     minitest-spec-context (0.0.3)
     mysql2 (0.4.10)
-    nio4r (2.3.0)
-    nokogiri (1.8.2)
+    nio4r (2.3.1)
+    nokogiri (1.8.4)
       mini_portile2 (~> 2.3.0)
-    rack (2.0.4)
-    rack-test (1.0.0)
+    rack (2.0.5)
+    rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (5.2.0)
-      actioncable (= 5.2.0)
-      actionmailer (= 5.2.0)
-      actionpack (= 5.2.0)
-      actionview (= 5.2.0)
-      activejob (= 5.2.0)
-      activemodel (= 5.2.0)
-      activerecord (= 5.2.0)
-      activestorage (= 5.2.0)
-      activesupport (= 5.2.0)
+    rails (5.2.1)
+      actioncable (= 5.2.1)
+      actionmailer (= 5.2.1)
+      actionpack (= 5.2.1)
+      actionview (= 5.2.1)
+      activejob (= 5.2.1)
+      activemodel (= 5.2.1)
+      activerecord (= 5.2.1)
+      activestorage (= 5.2.1)
+      activesupport (= 5.2.1)
       bundler (>= 1.3.0)
-      railties (= 5.2.0)
+      railties (= 5.2.1)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.0.4)
       loofah (~> 2.2, >= 2.2.2)
-    railties (5.2.0)
-      actionpack (= 5.2.0)
-      activesupport (= 5.2.0)
+    railties (5.2.1)
+      actionpack (= 5.2.1)
+      activesupport (= 5.2.1)
       method_source
       rake (>= 0.8.7)
-      thor (>= 0.18.1, < 2.0)
+      thor (>= 0.19.0, < 2.0)
     rake (12.3.1)
-    sprockets (3.7.1)
+    sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (3.2.1)
@@ -131,4 +131,4 @@ DEPENDENCIES
   rake
 BUNDLED WITH
-   1.16.1
+   1.16.2

data/README.md CHANGED

@@ -152,6 +152,14 @@ a console with the changes you made, run `bin/console`.
 Bug reports and pull requests are welcome on GitHub at
 https://github.com/nedap/mysql-binuuid-rails
+## Contributors
+Thank you:
+  * Emmanuel Joubaud ([@ejoubaud](https://github.com/ejoubaud))
+  * Geoff Evason ([@geoffevason](https://github.com/geoffevason))
+  * Stanisław Pitucha ([@viraptor](https://github.com/viraptor))
 # License

data/lib/mysql-binuuid/type.rb CHANGED

@@ -1,6 +1,7 @@
 module MySQLBinUUID
-  class Type < ActiveModel::Type::Binary
+  class InvalidUUID < StandardError; end
+  class Type < ActiveModel::Type::Binary
     def type
       :uuid
     end
@@ -27,7 +28,16 @@ module MySQLBinUUID
     # it to the database.
     def serialize(value)
       return if value.nil?
-      Data.new(strip_dashes(value))
+      undashed_uuid = strip_dashes(value)
+      # To avoid SQL injection, verify that it looks like a UUID. ActiveRecord
+      # does not explicity escape the Binary data type. escaping is implicit as
+      # the Binary data type always converts its value to a hex string.
+      unless valid_undashed_uuid?(undashed_uuid)
+        raise MySQLBinUUID::InvalidUUID, "#{value} is not a valid UUID"
+      end
+      Data.new(undashed_uuid)
     end
     # We're inheriting from the Binary type since ActiveRecord in that case
@@ -73,5 +83,10 @@ module MySQLBinUUID
       uuid.delete("-")
     end
+    # Verify that the undashed version of a UUID only contains characters that
+    # represent a hexadecimal value.
+    def valid_undashed_uuid?(value)
+      value =~ /\A[[:xdigit:]]{32}\z/
+    end
   end
 end

data/lib/mysql-binuuid/version.rb CHANGED

@@ -1,3 +1,3 @@
 module MySQLBinUUID
-  VERSION = "1.1.0"
+  VERSION = "1.1.1"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mysql-binuuid-rails
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.1.1
 platform: ruby
 authors:
 - Mark Oude Veldhuis
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-04-17 00:00:00.000000000 Z
+date: 2018-10-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails