Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Backports:SLE-15-SP4:Update
rubygem-activerecord-5.2
CVE-2022-32224.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2022-32224.patch of Package rubygem-activerecord-5.2
From 6576aa7bbcf52ebd39853363e29f92b4dd53b6f1 Mon Sep 17 00:00:00 2001 From: Zack Deveau <zack.ref@gmail.com> Date: Wed, 27 Apr 2022 14:31:29 +0000 Subject: [PATCH] Change ActiveRecord::Coders::YAMLColumn default to safe_load In Psych >= 4.0.0, load defaults to safe_load. This commit makes the ActiveRecord::Coders::YAMLColum class use Psych safe_load as the Rails default. This default is configurable via ActiveRecord::Base.use_yaml_unsafe_load We conditionally fallback to the correct unsafe load if use_yaml_unsafe_load is set to true. unsafe_load was introduced in Psych >= 4.0.0 The list of safe_load permitted classes is configurable via ActiveRecord::Base.yaml_column_permitted_classes [CVE-2022-32224] --- .../lib/active_record/coders/yaml_column.rb | 14 +++- activerecord/lib/active_record/core.rb | 10 +++ activerecord/lib/active_record/railtie.rb | 18 +++++ .../test/cases/attribute_methods_test.rb | 6 +- activerecord/test/cases/calculations_test.rb | 4 +- .../test/cases/coders/yaml_column_test.rb | 34 ++++++++ activerecord/test/cases/dirty_test.rb | 20 ++--- .../test/cases/json_serialization_test.rb | 2 +- activerecord/test/cases/serialization_test.rb | 2 +- .../test/cases/serialized_attribute_test.rb | 77 +++++++++++++++++++ activerecord/test/cases/store_test.rb | 17 +++- .../test/cases/yaml_serialization_test.rb | 8 +- activerecord/test/models/admin/user_json.rb | 42 ++++++++++ .../rails_4_1_no_symbol.yml | 22 ++++++ .../test/application/configuration_test.rb | 33 ++++++++ 15 files changed, 286 insertions(+), 23 deletions(-) create mode 100644 activerecord/test/models/admin/user_json.rb create mode 100644 activerecord/test/support/yaml_compatibility_fixtures/rails_4_1_no_symbol.yml Index: b/activerecord/test/models/admin/user_json.rb =================================================================== --- /dev/null +++ b/activerecord/test/models/admin/user_json.rb @@ -0,0 +1,42 @@ +# frozen_string_literal: true + +class Admin::UserJson < ActiveRecord::Base + class Coder + def initialize(default = {}) + @default = default + end + + def dump(o) + ActiveSupport::JSON.encode(o || @default) + end + + def load(s) + s.present? ? ActiveSupport::JSON.decode(s) : @default.clone + end + end + + belongs_to :account + store :params, accessors: [ :token ], coder: JSON + store :settings, accessors: [ :color, :homepage ], coder: Coder.new + store_accessor :settings, :favorite_food + store :preferences, accessors: [ :remember_login ], coder: Coder.new + store :json_data, accessors: [ :height, :weight ], coder: Coder.new + store :json_data_empty, accessors: [ :is_a_good_guy ], coder: Coder.new + + def phone_number + read_store_attribute(:settings, :phone_number).gsub(/(\d{3})(\d{3})(\d{4})/, '(\1) \2-\3') + end + + def phone_number=(value) + write_store_attribute(:settings, :phone_number, value && value.gsub(/[^\d]/, "")) + end + + def color + super || "red" + end + + def color=(value) + value = "blue" unless %w(black red green blue).include?(value) + super + end +end Index: b/activerecord/test/support/yaml_compatibility_fixtures/rails_4_1_no_symbol.yml =================================================================== --- /dev/null +++ b/activerecord/test/support/yaml_compatibility_fixtures/rails_4_1_no_symbol.yml @@ -0,0 +1,22 @@ +--- !ruby/object:Topic + attributes: + id: + title: The First Topic + author_name: David + author_email_address: david@loudthinking.com + written_on: 2003-07-16 14:28:11.223300000 Z + bonus_time: 2000-01-01 14:28:00.000000000 Z + last_read: 2004-04-15 + content: | + --- + omg: lol + important: + approved: false + replies_count: 1 + unique_replies_count: 0 + parent_id: + parent_title: + type: + group: + created_at: 2015-03-10 17:05:42.000000000 Z + updated_at: 2015-03-10 17:05:42.000000000 Z
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
