File CVE-2022-44566.patch of Package rubygem-activerecord-4_2

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2022-44566.patch of Package rubygem-activerecord-4_2

From 4f44aa9d514e701ada92b5cf08beccf566eeaebf Mon Sep 17 00:00:00 2001
From: Zack Deveau <zack.ref@gmail.com>
Date: Tue, 22 Nov 2022 09:48:59 -0500
Subject: [PATCH] Added integer width check to PostgreSQL::Quoting

Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.

This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.

[CVE-2022-44566]

SUSE: adapt for older version
---
--- activerecord.orig/lib/active_record/connection_adapters/postgresql/quoting.rb	2023-01-26 19:04:00.701921860 +0100
+++ activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb	2023-01-26 19:23:44.099635728 +0100
@@ -2,6 +2,12 @@ module ActiveRecord
   module ConnectionAdapters
     module PostgreSQL
       module Quoting
+        class IntegerOutOf64BitRange < StandardError
+          def initialize(msg)
+            super(msg)
+          end
+        end
+
         # Escapes binary strings for bytea input to the database.
         def escape_bytea(value)
           @connection.escape_bytea(value) if value
@@ -66,7 +72,25 @@ module ActiveRecord
 
         private
 
+        def check_int_in_range(value)
+          if value.to_int > 9223372036854775807 || value.to_int < -9223372036854775808
+            exception = <<-ERROR
+              Provided value outside of the range of a signed 64bit integer.
+              PostgreSQL will treat the column type in question as a numeric.
+              This may result in a slow sequential scan due to a comparison
+              being performed between an integer or bigint value and a numeric value.
+              To allow for this potentially unwanted behavior, set
+              ActiveRecord::Base.raise_int_wider_than_64bit to false.
+            ERROR
+            raise IntegerOutOf64BitRange.new exception
+          end
+        end
+
         def _quote(value)
+          if ActiveRecord::Base.raise_int_wider_than_64bit && value.is_a?(Integer)
+            check_int_in_range(value)
+          end
+
           case value
           when Type::Binary::Data
             "'#{escape_bytea(value.to_s)}'"
--- activerecord.orig/lib/active_record/core.rb	2023-01-26 19:04:00.701921860 +0100
+++ activerecord/lib/active_record/core.rb	2023-01-26 19:35:41.403084717 +0100
@@ -85,6 +85,14 @@ module ActiveRecord
       mattr_accessor :dump_schema_after_migration, instance_writer: false
       self.dump_schema_after_migration = true
 
+      ##
+      # :singleton-method:
+      # Application configurable boolean that denotes whether or not to raise
+      # an exception when the PostgreSQLAdapter is provided with an integer that is
+      # wider than signed 64bit representation
+      mattr_accessor :raise_int_wider_than_64bit, instance_writer: false
+      self.raise_int_wider_than_64bit = true
+
       mattr_accessor :maintain_test_schema, instance_accessor: false
 
       def self.disable_implicit_join_references=(value)

Places

File CVE-2022-44566.patch of Package rubygem-activerecord-4_2

Places