File CVE-2022-32224.patch of Package rubygem-activerecord-5.2.17807
From 6576aa7bbcf52ebd39853363e29f92b4dd53b6f1 Mon Sep 17 00:00:00 2001
From: Zack Deveau <zack.ref@gmail.com>
Date: Wed, 27 Apr 2022 14:31:29 +0000
Subject: [PATCH] Change ActiveRecord::Coders::YAMLColumn default to safe_load
In Psych >= 4.0.0, load defaults to safe_load. This commit
makes the ActiveRecord::Coders::YAMLColumn class use Psych safe_load
as the Rails default.
This default is configurable via ActiveRecord::Base.use_yaml_unsafe_load
We conditionally fallback to the correct unsafe load if use_yaml_unsafe_load
is set to true. unsafe_load was introduced in Psych >= 4.0.0
The list of safe_load permitted classes is configurable via
ActiveRecord::Base.yaml_column_permitted_classes
[CVE-2022-32224]
---
.../lib/active_record/coders/yaml_column.rb | 14 +++-
activerecord/lib/active_record/core.rb | 10 +++
activerecord/lib/active_record/railtie.rb | 18 +++++
.../test/cases/attribute_methods_test.rb | 6 +-
activerecord/test/cases/calculations_test.rb | 4 +-
.../test/cases/coders/yaml_column_test.rb | 34 ++++++++
activerecord/test/cases/dirty_test.rb | 20 ++---
.../test/cases/json_serialization_test.rb | 2 +-
activerecord/test/cases/serialization_test.rb | 2 +-
.../test/cases/serialized_attribute_test.rb | 77 +++++++++++++++++++
activerecord/test/cases/store_test.rb | 17 +++-
.../test/cases/yaml_serialization_test.rb | 8 +-
activerecord/test/models/admin/user_json.rb | 42 ++++++++++
.../rails_4_1_no_symbol.yml | 22 ++++++
.../test/application/configuration_test.rb | 33 ++++++++
15 files changed, 286 insertions(+), 23 deletions(-)
create mode 100644 activerecord/test/models/admin/user_json.rb
create mode 100644 activerecord/test/support/yaml_compatibility_fixtures/rails_4_1_no_symbol.yml
Index: b/activerecord/test/models/admin/user_json.rb
===================================================================
--- /dev/null
+++ b/activerecord/test/models/admin/user_json.rb
@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+class Admin::UserJson < ActiveRecord::Base
+ class Coder
+ def initialize(default = {})
+ @default = default
+ end
+
+ def dump(o)
+ ActiveSupport::JSON.encode(o || @default)
+ end
+
+ def load(s)
+ s.present? ? ActiveSupport::JSON.decode(s) : @default.clone
+ end
+ end
+
+ belongs_to :account
+ store :params, accessors: [ :token ], coder: JSON
+ store :settings, accessors: [ :color, :homepage ], coder: Coder.new
+ store_accessor :settings, :favorite_food
+ store :preferences, accessors: [ :remember_login ], coder: Coder.new
+ store :json_data, accessors: [ :height, :weight ], coder: Coder.new
+ store :json_data_empty, accessors: [ :is_a_good_guy ], coder: Coder.new
+
+ def phone_number
+ read_store_attribute(:settings, :phone_number).gsub(/(\d{3})(\d{3})(\d{4})/, '(\1) \2-\3')
+ end
+
+ def phone_number=(value)
+ write_store_attribute(:settings, :phone_number, value && value.gsub(/[^\d]/, ""))
+ end
+
+ def color
+ super || "red"
+ end
+
+ def color=(value)
+ value = "blue" unless %w(black red green blue).include?(value)
+ super
+ end
+end
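Review bot: `phone_number` (the `gsub` call in the method added at L64–L66) is invoked on the raw store value, which is `nil` until a phone number has been written, so reading the accessor on a fresh record raises NoMethodError instead of returning nil; `read_store_attribute(:settings, :phone_number)&.gsub(/(\d{3})(\d{3})(\d{4})/, '(\1) \2-\3')` (or an early `return` guard) avoids that, and if this model mirrors an existing YAML-backed Admin::User the same applies there. The same safe-navigation style would also shorten `value && value.gsub(/[^\d]/, "")` in the writer. The new file has no header comment saying what it is for; given the commit's subject, a line such as `# JSON-coded twin of Admin::User so the store tests exercise a non-YAML coder — presumably added because the YAML column default now goes through safe_load` (worded as the author can confirm) would help the next reader. Minor: `Coder#load` hands back `@default.clone`, a shallow copy, so a default containing nested mutable values would be shared between records — fine for the `{}` default used here, but worth a comment if the default ever grows.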
Index: b/activerecord/test/support/yaml_compatibility_fixtures/rails_4_1_no_symbol.yml
===================================================================
--- /dev/null
+++ b/activerecord/test/support/yaml_compatibility_fixtures/rails_4_1_no_symbol.yml
@@ -0,0 +1,22 @@
+--- !ruby/object:Topic
+ attributes:
+ id:
+ title: The First Topic
+ author_name: David
+ author_email_address: david@loudthinking.com
+ written_on: 2003-07-16 14:28:11.223300000 Z
+ bonus_time: 2000-01-01 14:28:00.000000000 Z
+ last_read: 2004-04-15
+ content: |
+ ---
+ omg: lol
+ important:
+ approved: false
+ replies_count: 1
+ unique_replies_count: 0
+ parent_id:
+ parent_title:
+ type:
+ group:
+ created_at: 2015-03-10 17:05:42.000000000 Z
+ updated_at: 2015-03-10 17:05:42.000000000 Z
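Review bot: The fixture is a `!ruby/object:Topic` document with `Time` (`written_on`, `bonus_time`, `created_at`, `updated_at`) and `Date` (`last_read`) scalars, none of which Psych's safe_load accepts by default, so whichever test consumes it (outside this chunk) must pass `permitted_classes` covering `Topic`, `Time` and `Date` or go through the unsafe loader; a one-line comment at the top of the file, e.g. `# Rails 4.1-era Topic dump with no Symbol tags; requires Topic/Time/Date in permitted_classes when loaded with safe_load`, would make that dependency visible. As rendered here every key sits at a single space of indent, which would leave `attributes:` without a nested mapping and the `content: |` block empty; presumably the nesting was collapsed by this rendering rather than in the committed file, but it is worth confirming since the fixture would not round-trip otherwise.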