sequel 5.51.0 → 5.52.0

data/lib/sequel/connection_pool/single.rb

@@ -24,15 +24,13 @@ class Sequel::SingleConnectionPool < Sequel::ConnectionPool
 
   # Yield the connection to the block.
   def hold(server=nil)
-    begin
-      unless c = @conn.first
-        @conn.replace([c = make_new(:default)])
-      end
-      yield c
-    rescue Sequel::DatabaseDisconnectError, *@error_classes => e
-      disconnect if disconnect_error?(e)
-      raise
+    unless c = @conn.first
+      @conn.replace([c = make_new(:default)])
     end
+    yield c
+  rescue Sequel::DatabaseDisconnectError, *@error_classes => e
+    disconnect if disconnect_error?(e)
+    raise
   end
 
   # The SingleConnectionPool always has a maximum size of 1.

data/lib/sequel/core.rb

@@ -278,11 +278,9 @@ module Sequel
     #
     #   Sequel.string_to_date('2010-09-10') # Date.civil(2010, 09, 10)
     def string_to_date(string)
-      begin
-        Date.parse(string, Sequel.convert_two_digit_years)
-      rescue => e
-        raise convert_exception_class(e, InvalidValue)
-      end
+      Date.parse(string, Sequel.convert_two_digit_years)
+    rescue => e
+      raise convert_exception_class(e, InvalidValue)
     end
 
     # Converts the given +string+ into a +Time+ or +DateTime+ object, depending on the
@@ -290,15 +288,13 @@ module Sequel
     #
     #   Sequel.string_to_datetime('2010-09-10 10:20:30') # Time.local(2010, 09, 10, 10, 20, 30)
     def string_to_datetime(string)
-      begin
-        if datetime_class == DateTime
-          DateTime.parse(string, convert_two_digit_years)
-        else
-          datetime_class.parse(string)
-        end
-      rescue => e
-        raise convert_exception_class(e, InvalidValue)
+      if datetime_class == DateTime
+        DateTime.parse(string, convert_two_digit_years)
+      else
+        datetime_class.parse(string)
       end
+    rescue => e
+      raise convert_exception_class(e, InvalidValue)
     end
 
     # Converts the given +string+ into a <tt>Sequel::SQLTime</tt> object.
@@ -306,11 +302,9 @@ module Sequel
     #   v = Sequel.string_to_time('10:20:30') # Sequel::SQLTime.parse('10:20:30')
     #   DB.literal(v) # => '10:20:30'
     def string_to_time(string)
-      begin
-        SQLTime.parse(string)
-      rescue => e
-        raise convert_exception_class(e, InvalidValue)
-      end
+      SQLTime.parse(string)
+    rescue => e
+      raise convert_exception_class(e, InvalidValue)
     end
 
     # Unless in single threaded mode, protects access to any mutable
@@ -400,6 +394,11 @@ module Sequel
 
     private
 
+    # Return a hash of date information parsed from the given string.
+    def _date_parse(string)
+      Date._parse(string)
+    end
+
     # Helper method that the database adapter class methods that are added to Sequel via
     # metaprogramming use to parse arguments.
     def adapter_method(adapter, *args, &block)

data/lib/sequel/database/query.rb

@@ -236,7 +236,7 @@ module Sequel
       when :date
         Sequel.string_to_date(default)
       when :datetime
-        DateTime.parse(default)
+        Sequel.string_to_datetime(default)
       when :time
         Sequel.string_to_time(default)
       when :decimal

data/lib/sequel/extensions/core_refinements.rb

@@ -15,6 +15,12 @@ raise(Sequel::Error, "Refinements require ruby 2.0.0 or greater") unless RUBY_VE
 # :nocov:
 
 module Sequel::CoreRefinements
+  # :nocov:
+  include_meth = RUBY_VERSION >= '3.1' ? :import_methods : :include
+  # :nocov:
+  INCLUDE_METH = include_meth
+  private_constant :INCLUDE_METH
+
   refine Array do
     # Return a <tt>Sequel::SQL::BooleanExpression</tt> created from this array, not matching all of the
     # conditions.
@@ -161,8 +167,8 @@ module Sequel::CoreRefinements
   end
 
   refine String do
-    include Sequel::SQL::AliasMethods
-    include Sequel::SQL::CastMethods
+    send include_meth, Sequel::SQL::AliasMethods
+    send include_meth, Sequel::SQL::CastMethods
 
     # Converts a string into a <tt>Sequel::LiteralString</tt>, in order to override string
     # literalization, e.g.:
@@ -189,15 +195,34 @@ module Sequel::CoreRefinements
   end
 
   refine Symbol do
-    include Sequel::SQL::AliasMethods
-    include Sequel::SQL::CastMethods
-    include Sequel::SQL::OrderMethods
-    include Sequel::SQL::BooleanMethods
-    include Sequel::SQL::NumericMethods
-    include Sequel::SQL::QualifyingMethods
-    include Sequel::SQL::StringMethods
-    include Sequel::SQL::SubscriptMethods
-    include Sequel::SQL::ComplexExpressionMethods
+    send include_meth, Sequel::SQL::AliasMethods
+    send include_meth, Sequel::SQL::CastMethods
+    send include_meth, Sequel::SQL::OrderMethods
+    send include_meth, Sequel::SQL::BooleanMethods
+    send include_meth, Sequel::SQL::NumericMethods
+
+    # :nocov:
+    remove_method :* if RUBY_VERSION >= '3.1'
+    # :nocov:
+
+    send include_meth, Sequel::SQL::QualifyingMethods
+    send include_meth, Sequel::SQL::StringMethods
+    send include_meth, Sequel::SQL::SubscriptMethods
+    send include_meth, Sequel::SQL::ComplexExpressionMethods
+
+    # :nocov:
+    if RUBY_VERSION >= '3.1'
+      remove_method :*
+      def *(ce=(arg=false;nil))
+        if arg == false
+          Sequel::SQL::ColumnAll.new(self)
+        else
+          Sequel::SQL::NumericExpression.new(:*, self, ce)
+        end
+      end
+
+    end
+    # :nocov:
 
     # Returns receiver wrapped in an <tt>Sequel::SQL::Identifier</tt>.
     #

data/lib/sequel/extensions/date_parse_input_handler.rb

@@ -0,0 +1,67 @@
+# frozen-string-literal: true
+#
+# The date_parse_input_handler extension allows for configuring how input
+# to date parsing methods should be handled.  By default, the
+# extension does not change behavior.  However, you can use the
+# +Sequel.date_parse_input_handler+ method to support custom handling
+# of input strings to the date parsing methods.  For example, if you want
+# to implement a length check to prevent denial of service vulnerabilities
+# in older versions of Ruby, you can do:
+#
+#   Sequel.extension :date_parse_input_handler
+#   Sequel.date_parse_input_handler do |string|
+#     raise Sequel::InvalidValue, "string length (200) exceeds the limit 128" if string.bytesize > 128
+#     string
+#   end
+#
+# You can also use +Sequel.date_parse_input_handler+ to modify the string
+# that will be passed to the parsing methods.  For example, you could
+# truncate it:
+#
+#   Sequel.date_parse_input_handler do |string|
+#     string.b[0, 128]
+#   end
+#
+# Be aware that modern versions of Ruby will raise an exception if
+# date parsing input exceeds 128 bytes.
+
+module Sequel
+  module DateParseInputHandler
+    def date_parse_input_handler(&block)
+      singleton_class.class_eval do
+        define_method(:handle_date_parse_input, &block)
+        private :handle_date_parse_input
+        alias handle_date_parse_input handle_date_parse_input
+      end
+    end
+
+    # Call date parse input handler with input string.
+    def string_to_date(string)
+      super(handle_date_parse_input(string))
+    end
+
+    # Call date parse input handler with input string.
+    def string_to_datetime(string)
+      super(handle_date_parse_input(string))
+    end
+
+    # Call date parse input handler with input string.
+    def string_to_time(string)
+      super(handle_date_parse_input(string))
+    end
+
+    private
+
+    # Call date parse input handler with input string.
+    def _date_parse(string)
+      super(handle_date_parse_input(string))
+    end
+
+    # Return string as-is by default, so by default behavior does not change.
+    def handle_date_parse_input(string)
+      string
+    end
+  end
+
+  extend DateParseInputHandler
+end

data/lib/sequel/extensions/datetime_parse_to_time.rb

@@ -19,7 +19,11 @@ module Sequel::DateTimeParseToTime
   # Use DateTime.parse.to_time to do the conversion if the input a string and is assumed to
   # be in UTC and there is no offset information in the string.
   def convert_input_timestamp(v, input_timezone)
-    if v.is_a?(String) && datetime_class == Time && input_timezone == :utc && !Date._parse(v).has_key?(:offset)
+    if v.is_a?(String) && datetime_class == Time && input_timezone == :utc && !_date_parse(v).has_key?(:offset)
+      # :nocov:
+      # Whether this is fully branch covered depends on the order in which the specs are run.
+      v = handle_date_parse_input(v) if respond_to?(:handle_date_parse_input, true)
+      # :nocov:
       t = DateTime.parse(v).to_time
       case application_timezone
       when nil, :local

data/lib/sequel/extensions/pg_array_ops.rb

@@ -329,7 +329,7 @@ end
 if defined?(Sequel::CoreRefinements)
   module Sequel::CoreRefinements
     refine Symbol do
-      include Sequel::Postgres::ArrayOpMethods
+      send INCLUDE_METH, Sequel::Postgres::ArrayOpMethods
     end
   end
 end

data/lib/sequel/extensions/pg_hstore_ops.rb

@@ -406,7 +406,7 @@ end
 if defined?(Sequel::CoreRefinements)
   module Sequel::CoreRefinements
     refine Symbol do
-      include Sequel::Postgres::HStoreOpMethods
+      send INCLUDE_METH, Sequel::Postgres::HStoreOpMethods
     end
   end
 end

data/lib/sequel/extensions/pg_inet_ops.rb

@@ -197,7 +197,7 @@ end
 if defined?(Sequel::CoreRefinements)
   module Sequel::CoreRefinements
     refine Symbol do
-      include Sequel::Postgres::InetOpMethods
+      send INCLUDE_METH, Sequel::Postgres::InetOpMethods
     end
   end
 end

data/lib/sequel/extensions/pg_interval.rb

@@ -32,6 +32,7 @@
 #
 # Related module: Sequel::Postgres::IntervalDatabaseMethods
 
+require 'active_support'
 require 'active_support/duration'
 
 # :nocov:

data/lib/sequel/extensions/pg_json.rb

@@ -387,11 +387,9 @@ module Sequel
       # argument is true), or a String, Numeric, true, false, or nil
       # if the json library used supports that.
       def _parse_json(s)
-        begin
-          Sequel.parse_json(s)
-        rescue Sequel.json_parser_error_class => e
-          raise Sequel.convert_exception_class(e, Sequel::InvalidValue)
-        end
+        Sequel.parse_json(s)
+      rescue Sequel.json_parser_error_class => e
+        raise Sequel.convert_exception_class(e, Sequel::InvalidValue)
       end
 
       # Wrap the parsed JSON value in the appropriate JSON wrapper class.

data/lib/sequel/extensions/pg_json_ops.rb

@@ -744,7 +744,7 @@ end
 if defined?(Sequel::CoreRefinements)
   module Sequel::CoreRefinements
     refine Symbol do
-      include Sequel::Postgres::JSONOpMethods
+      send INCLUDE_METH, Sequel::Postgres::JSONOpMethods
     end
   end
 end

data/lib/sequel/extensions/pg_range_ops.rb

@@ -188,7 +188,7 @@ end
 if defined?(Sequel::CoreRefinements)
   module Sequel::CoreRefinements
     refine Symbol do
-      include Sequel::Postgres::RangeOpMethods
+      send INCLUDE_METH, Sequel::Postgres::RangeOpMethods
     end
   end
 end

data/lib/sequel/extensions/pg_row_ops.rb

@@ -210,7 +210,7 @@ end
 if defined?(Sequel::CoreRefinements)
   module Sequel::CoreRefinements
     refine Symbol do
-      include Sequel::Postgres::PGRowOp::ExpressionMethods
+      send INCLUDE_METH, Sequel::Postgres::PGRowOp::ExpressionMethods
     end
   end
 end

data/lib/sequel/extensions/s.rb

@@ -51,9 +51,10 @@ module Sequel::S
 
   # :nocov:
   if RUBY_VERSION >= '2.0.0'
+    include_meth = RUBY_VERSION >= '3.1' ? :import_methods : :include
   # :nocov:
     refine Object do
-      include Sequel::S
+      send include_meth, Sequel::S
     end
   end
 end

data/lib/sequel/extensions/server_block.rb

@@ -88,12 +88,10 @@ module Sequel
   module UnthreadedServerBlock
     # Set a default server/shard to use inside the block.
     def with_server(default_server, read_only_server=default_server)
-      begin
-        set_default_server(default_server, read_only_server)
-        yield
-      ensure
-        clear_default_server
-      end
+      set_default_server(default_server, read_only_server)
+      yield
+    ensure
+      clear_default_server
     end
 
     private
@@ -131,12 +129,10 @@ module Sequel
     # Set a default server/shard to use inside the block for the current
     # thread.
     def with_server(default_server, read_only_server=default_server)
-      begin
-        set_default_server(default_server, read_only_server)
-        yield
-      ensure
-        clear_default_server
-      end
+      set_default_server(default_server, read_only_server)
+      yield
+    ensure
+      clear_default_server
     end
 
     private

data/lib/sequel/extensions/sql_comments.rb

@@ -44,11 +44,51 @@
 #
 #   DB.extension(:sql_comments)
 #
+# Loading the sql_comments extension into the database also adds 
+# support for block-level comment support via Database#with_comments.
+# You call #with_comments with a hash.  Queries inside the hash will
+# include a comment based on the hash (assuming they are inside the
+# same thread):
+#
+#   DB.with_comments(model: Album, action: :all) do
+#     DB[:albums].all
+#     # SELECT * FROM albums -- model:Album,action:all
+#   end
+#
+# You can nest calls to #with_comments, which will combine the
+# entries from both calls:
+#
+#   DB.with_comments(application: App, path: :scrubbed_path) do
+#     DB.with_comments(model: Album, action: :all) do
+#       ds = DB[:albums].all
+#       # SELECT * FROM albums
+#       # -- application:App,path:scrubbed_path,model:Album,action:all
+#     end
+#   end
+#
+# You can override comment entries specified in earlier blocks, or
+# remove entries specified earlier using a nil value:
+#
+#   DB.with_comments(application: App, path: :scrubbed_path) do
+#     DB.with_comments(application: Foo, path: nil) do
+#       ds = DB[:albums].all
+#       # SELECT * FROM albums # -- application:Foo
+#     end
+#   end
+#
+# You can combine block-level comments with dataset-specific
+# comments:
+#
+#   DB.with_comments(model: Album, action: :all) do
+#     DB[:table].comment("Some Comment").all
+#     # SELECT * FROM albums -- model:Album,action:all -- Some Comment
+#   end
+#
 # Note that Microsoft Access does not support inline comments,
 # and attempting to use comments on it will result in SQL syntax
 # errors.
 #
-# Related module: Sequel::SQLComments
+# Related modules: Sequel::SQLComments, Sequel::Database::SQLComments
 
 #
 module Sequel
@@ -62,7 +102,7 @@ module Sequel
     %w'select insert update delete'.each do |type|
       define_method(:"#{type}_sql") do |*a|
         sql = super(*a)
-        if comment = @opts[:comment]
+        if comment = _sql_comment
           # This assumes that the comment stored in the dataset has
           # already been formatted. If not, this could result in SQL
           # injection.
@@ -74,8 +114,10 @@ module Sequel
           if sql.frozen?
             sql += comment
             sql.freeze
-          else
+          elsif @opts[:append_sql] || @opts[:placeholder_literalizer]
             sql << comment
+          else
+            sql += comment
           end
         end
         sql
@@ -84,6 +126,11 @@ module Sequel
 
     private
 
+    # The comment to include in the SQL query, if any.
+    def _sql_comment
+      @opts[:comment]
+    end
+
     # Format the comment.  For maximum compatibility, this uses a
     # single line SQL comment, and converts all consecutive whitespace
     # in the comment to a single space.
@@ -92,5 +139,63 @@ module Sequel
     end
   end
 
+  module Database::SQLComments
+    def self.extended(db)
+      db.instance_variable_set(:@comment_hashes, {})
+      db.extend_datasets DatasetSQLComments
+    end
+
+    # A map of threads to comment hashes, used for correctly setting
+    # comments for all queries inside #with_comments blocks.
+    attr_reader :comment_hashes
+
+    # Store the comment hash and use it to create comments inside the block
+    def with_comments(comment_hash)
+      hashes = @comment_hashes
+      t = Sequel.current
+      new_hash = if hash = Sequel.synchronize{hashes[t]}
+        hash.merge(comment_hash)
+      else
+        comment_hash.dup
+      end
+      yield Sequel.synchronize{hashes[t] = new_hash}
+    ensure
+      if hash
+        Sequel.synchronize{hashes[t] = hash}
+      else
+        t && Sequel.synchronize{hashes.delete(t)}
+      end
+    end
+
+    module DatasetSQLComments
+      include Sequel::SQLComments
+
+      # Include comments added via Database#with_comments in the output SQL.
+      def _sql_comment
+        specific_comment = super
+        return specific_comment if @opts[:append_sql]
+
+        t = Sequel.current
+        hashes = db.comment_hashes
+        block_comment = if comment_hash = Sequel.synchronize{hashes[t]}
+          comment_array = comment_hash.map{|k,v| "#{k}:#{v}" unless v.nil?}
+          comment_array.compact!
+          comment_array.join(",")
+        end
+
+        if block_comment
+          if specific_comment
+            format_sql_comment(block_comment + specific_comment)
+          else
+            format_sql_comment(block_comment)
+          end
+        else
+          specific_comment
+        end
+      end
+    end
+  end
+
   Dataset.register_extension(:sql_comments, SQLComments)
+  Database.register_extension(:sql_comments, Database::SQLComments)
 end

data/lib/sequel/extensions/string_date_time.rb

@@ -4,6 +4,10 @@
 # for converting the strings to a date (e.g. String#to_date), allowing
 # for backwards compatibility with legacy Sequel code.
 #
+# These methods calls +parse+ on the related class, and as such, can
+# result in denial of service in older versions of Ruby for large
+# untrusted input, and raise exceptions in newer versions of Ruby. 
+#
 # To load the extension:
 #
 #   Sequel.extension :string_date_time
@@ -11,42 +15,34 @@
 class String
   # Converts a string into a Date object.
   def to_date
-    begin
-      Date.parse(self, Sequel.convert_two_digit_years)
-    rescue => e
-      raise Sequel.convert_exception_class(e, Sequel::InvalidValue)
-    end
+    Date.parse(self, Sequel.convert_two_digit_years)
+  rescue => e
+    raise Sequel.convert_exception_class(e, Sequel::InvalidValue)
   end
 
   # Converts a string into a DateTime object.
   def to_datetime
-    begin
-      DateTime.parse(self, Sequel.convert_two_digit_years)
-    rescue => e
-      raise Sequel.convert_exception_class(e, Sequel::InvalidValue)
-    end
+    DateTime.parse(self, Sequel.convert_two_digit_years)
+  rescue => e
+    raise Sequel.convert_exception_class(e, Sequel::InvalidValue)
   end
 
   # Converts a string into a Time or DateTime object, depending on the
   # value of Sequel.datetime_class
   def to_sequel_time
-    begin
-      if Sequel.datetime_class == DateTime
-        DateTime.parse(self, Sequel.convert_two_digit_years)
-      else
-        Sequel.datetime_class.parse(self)
-      end
-    rescue => e
-      raise Sequel.convert_exception_class(e, Sequel::InvalidValue)
+    if Sequel.datetime_class == DateTime
+      DateTime.parse(self, Sequel.convert_two_digit_years)
+    else
+      Sequel.datetime_class.parse(self)
     end
+  rescue => e
+    raise Sequel.convert_exception_class(e, Sequel::InvalidValue)
   end
 
   # Converts a string into a Time object.
   def to_time
-    begin
-      Time.parse(self)
-    rescue => e
-      raise Sequel.convert_exception_class(e, Sequel::InvalidValue)
-    end
+    Time.parse(self)
+  rescue => e
+    raise Sequel.convert_exception_class(e, Sequel::InvalidValue)
   end
 end

data/lib/sequel/model/base.rb

@@ -682,13 +682,11 @@ module Sequel
       
       # Yield to the passed block and if do_raise is false, swallow all errors other than DatabaseConnectionErrors.
       def check_non_connection_error(do_raise=require_valid_table)
-        begin
-          db.transaction(:savepoint=>:only){yield}
-        rescue Sequel::DatabaseConnectionError
-          raise
-        rescue Sequel::Error
-          raise if do_raise
-        end
+        db.transaction(:savepoint=>:only){yield}
+      rescue Sequel::DatabaseConnectionError
+        raise
+      rescue Sequel::Error
+        raise if do_raise
       end
 
       # Convert the given object to a Dataset that should be used as
@@ -1630,11 +1628,9 @@ module Sequel
       #   artist.set(name: 'Invalid').valid? # => false
       #   artist.errors.full_messages # => ['name cannot be Invalid']
       def valid?(opts = OPTS)
-        begin
-          _valid?(opts)
-        rescue HookFailed
-          false
-        end
+        _valid?(opts)
+      rescue HookFailed
+        false
       end
 
       private