RubyGems - solidus_core - Versions diffs - 2.11.16 → 2.11.17 - Mend

solidus_core 2.11.16 → 2.11.17

Files changed (8) hide show

checksums.yaml +4 -4
data/app/models/spree/log_entry.rb +74 -1
data/lib/spree/app_configuration.rb +16 -0
data/lib/spree/core/engine.rb +6 -0
data/lib/spree/core/version.rb +1 -1
data/lib/spree/testing_support/factories/user_factory.rb +6 -0
data/solidus_core.gemspec +1 -0
metadata +23 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eca3c22f4ee132c33aece457789669a65671005ce5b1c985a142813b699e35b0
-  data.tar.gz: d049f348d8cea36cb7b94a842a44a8ac818e09aa8db7bd1893f97a6217bb8459
+  metadata.gz: 78b3a6c05e492d60c9690e028991c934d4a2aa33788de045110a62b28924bbcb
+  data.tar.gz: 79213862902521b83cfa4dc56c9f6c59bc79cd6c73920145a53b1a67d3cb1eb2
 SHA512:
-  metadata.gz: 96235dffd078546e6319b38e7f582d316a009bcacf45103a8962bb6d7a7e2402bc3c867e5ad29006a461267be4bab536704a8ae2527a0f996a314c2514a01632
-  data.tar.gz: 4955b7cc26bfa9ca9e33023fbba57dc58b91c149971d8676fcc3779bb3852bfcd8ae3daa26091072419bda8a2ad5e16121974edca644ff7385a96f045c6785a4
+  metadata.gz: 18eac571ddd52378a9b186a8f18f8eccb7c0825e9d966926106ccfc07e25792ce0d4081b22175e671638bd1ccf98fd5292328887fa5872075690ddd3c1488fba
+  data.tar.gz: b2c25455b49e633a5b9388d92d2dd6d4bbc22a394f8c8d2eb81deb3e0c04e5fdc8e9a7916f9b4dfe97df2724f0607eb8b3fcaf9542e54e441752efdcf74d91a0

data/app/models/spree/log_entry.rb CHANGED Viewed

@@ -2,10 +2,83 @@
 module Spree
   class LogEntry < Spree::Base
+    # Classes used in core that can be present in serialized details
+    #
+    # Users can add their own classes in
+    # `Spree::Config#log_entry_permitted_classes`.
+    #
+    # @see Spree::AppConfiguration#log_entry_permitted_classes
+    CORE_PERMITTED_CLASSES = [
+      ActiveMerchant::Billing::Response,
+      ActiveSupport::TimeWithZone,
+      Time,
+      ActiveSupport::TimeZone
+    ].freeze
+    # Raised when a disallowed class is tried to be loaded
+    class DisallowedClass < RuntimeError
+      attr_reader :psych_exception
+      def initialize(psych_exception:)
+        @psych_exception = psych_exception
+        super(default_message)
+      end
+      private
+      def default_message
+        <<~MSG
+          #{psych_exception.message}
+          You can specify custom classes to be loaded in config/initializers/spree.rb. E.g:
+          Spree.config do |config|
+            config.log_entry_permitted_classes = ['MyClass']
+          end
+        MSG
+      end
+    end
+    # Raised when YAML contains aliases and they're not enabled
+    class BadAlias < RuntimeError
+      attr_reader :psych_exception
+      def initialize(psych_exception:)
+        @psych_exception = psych_exception
+        super(default_message)
+      end
+      private
+      def default_message
+        <<~MSG
+          #{psych_exception.message}
+          You can explicitly enable aliases in config/initializers/spree.rb. E.g:
+          Spree.config do |config|
+            config.log_entry_allow_aliases = true
+          end
+        MSG
+      end
+    end
+    def self.permitted_classes
+      CORE_PERMITTED_CLASSES + Spree::Config.log_entry_permitted_classes.map(&:constantize)
+    end
     belongs_to :source, polymorphic: true, optional: true
     def parsed_details
-      @details ||= YAML.load(details)
+      @details ||= YAML.safe_load(
+        details,
+        permitted_classes: self.class.permitted_classes,
+        aliases: Spree::Config.log_entry_allow_aliases
+      )
+    rescue Psych::DisallowedClass => e
+      raise DisallowedClass.new(psych_exception: e)
+    rescue Psych::BadAlias => e
+      raise BadAlias.new(psych_exception: e)
     end
   end
 end

data/lib/spree/app_configuration.rb CHANGED Viewed

@@ -188,6 +188,22 @@ module Spree
     #   @return [String] URL of logo used on frontend (default: +'logo/solidus.svg'+)
     preference :logo, :string, default: 'logo/solidus.svg'
+    # @!attribute [rw] log_entry_permitted_classes
+    #   @return [Array<String>] An array of extra classes that are allowed to be
+    #     loaded from a serialized YAML as details in {Spree::LogEntry}
+    #     (defaults to a non-frozen empty array, so that extensions can add
+    #     their own classes).
+    #   @example
+    #     config.log_entry_permitted_classes = ['Date']
+    preference :log_entry_permitted_classes, :array, default: []
+    # @!attribute [rw] log_entry_allow_aliases
+    #   @return [Boolean] Whether YAML aliases are allowed when loading
+    #     serialized data in {Spree::LogEntry}. It defaults to true. Depending
+    #     on the source of your data, you may consider disabling it to prevent
+    #     entity expansion attacks.
+    preference :log_entry_allow_aliases, :boolean, default: true
     # @!attribute [rw] mails_from
     #   @return [String] Email address used as +From:+ field in transactional emails.
     preference :mails_from, :string, default: 'solidus@example.com'

data/lib/spree/core/engine.rb CHANGED Viewed

@@ -15,6 +15,12 @@ module Spree
         generator.test_framework :rspec
       end
+      if ActiveRecord.respond_to?(:yaml_column_permitted_classes) || ActiveRecord::Base.respond_to?(:yaml_column_permitted_classes)
+        config.active_record.yaml_column_permitted_classes ||= []
+        config.active_record.yaml_column_permitted_classes |=
+          [Symbol, BigDecimal, ActiveSupport::HashWithIndifferentAccess]
+      end
       initializer "spree.environment", before: :load_config_initializers do |app|
         app.config.spree = Spree::Config.environment
       end

data/lib/spree/core/version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module Spree
-  VERSION = "2.11.16"
+  VERSION = "2.11.17"
   def self.solidus_version
     VERSION

data/lib/spree/testing_support/factories/user_factory.rb CHANGED Viewed

@@ -21,6 +21,12 @@ FactoryBot.define do
       end
     end
+    trait :with_orders do
+      after(:create) do |user, _|
+        create(:order, user: user)
+      end
+    end
     factory :admin_user do
       after(:create) do |user, _|
         admin_role = Spree::Role.find_by(name: 'admin') || create(:role, name: 'admin')

data/solidus_core.gemspec CHANGED Viewed

@@ -41,6 +41,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'monetize', '~> 1.8'
   s.add_dependency 'kt-paperclip', ['>= 4.4.0', '< 7']
   s.add_dependency 'paranoia', '~> 2.4'
+  s.add_dependency 'psych', ['>= 3.1.0', '< 5.0']
   s.add_dependency 'ransack', '~> 2.0'
   s.add_dependency 'state_machines-activerecord', '~> 0.6'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: solidus_core
 version: !ruby/object:Gem::Version
-  version: 2.11.16
+  version: 2.11.17
 platform: ruby
 authors:
 - Solidus Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-06-01 00:00:00.000000000 Z
+date: 2022-07-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionmailer
@@ -364,6 +364,26 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.4'
+- !ruby/object:Gem::Dependency
+  name: psych
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.1.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.1.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: ransack
   requirement: !ruby/object:Gem::Requirement
@@ -992,7 +1012,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.8.23
 requirements: []
-rubygems_version: 3.2.31
+rubygems_version: 3.1.2
 signing_key:
 specification_version: 4
 summary: Essential models, mailers, and classes for the Solidus e-commerce project.