Upgrade to version 7.0.7

This commit is contained in:
lyn1001 2023-08-18 09:52:53 +08:00
parent f8cf610f42
commit 0c3196a9c0
11 changed files with 21 additions and 378 deletions


@ -1,133 +0,0 @@
From 82bcdc011e2ff674e7dd8fd8cee3a831c908d29b Mon Sep 17 00:00:00 2001
From: Zack Deveau <zack.ref@gmail.com>
Date: Mon, 21 Nov 2022 17:11:31 -0500
Subject: [PATCH] Added integer width check to PostgreSQL::Quoting
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric.
Comparing integer values against numeric values can result
in a slow sequential scan.
This behavior is configurable via
ActiveRecord.raise_int_wider_than_64bit which defaults to true.
[CVE-2022-44566]
---
activerecord-7.0.4/lib/active_record.rb | 8 ++++++
.../connection_adapters/postgresql/quoting.rb | 26 +++++++++++++++++
.../cases/adapters/postgresql/quoting_test.rb | 28 +++++++++++++++++++
3 files changed, 85 insertions(+)
diff --git a/activerecord-7.0.4/lib/active_record.rb b/activerecord-7.0.4/lib/active_record.rb
index d553fe5c7c..4f6e5493e7 100644
--- a/activerecord-7.0.4/lib/active_record.rb
+++ b/activerecord-7.0.4/lib/active_record.rb
@@ -347,6 +347,14 @@ def self.global_executor_concurrency # :nodoc:
singleton_class.attr_accessor :use_yaml_unsafe_load
self.use_yaml_unsafe_load = false
+ ##
+ # :singleton-method:
+ # Application configurable boolean that denotes whether or not to raise
+ # an exception when the PostgreSQLAdapter is provided with an integer that
+ # is wider than signed 64bit representation
+ singleton_class.attr_accessor :raise_int_wider_than_64bit
+ self.raise_int_wider_than_64bit = true
+
##
# :singleton-method:
# Application configurable array that provides additional permitted classes
diff --git a/activerecord-7.0.4/lib/active_record/connection_adapters/postgresql/quoting.rb b/activerecord-7.0.4/lib/active_record/connection_adapters/postgresql/quoting.rb
index 0d1cd8b02d..d5591dbe00 100644
--- a/activerecord-7.0.4/lib/active_record/connection_adapters/postgresql/quoting.rb
+++ b/activerecord-7.0.4/lib/active_record/connection_adapters/postgresql/quoting.rb
@@ -4,6 +4,12 @@
module ConnectionAdapters
module PostgreSQL
module Quoting
+ class IntegerOutOf64BitRange < StandardError
+ def initialize(msg)
+ super(msg)
+ end
+ end
+
# Escapes binary strings for bytea input to the database.
def escape_bytea(value)
@connection.escape_bytea(value) if value
@@ -16,7 +22,27 @@ def unescape_bytea(value)
@connection.unescape_bytea(value) if value
end
+ def check_int_in_range(value)
+ if value.to_int > 9223372036854775807 || value.to_int < -9223372036854775808
+ exception = <<~ERROR
+ Provided value outside of the range of a signed 64bit integer.
+
+ PostgreSQL will treat the column type in question as a numeric.
+ This may result in a slow sequential scan due to a comparison
+ being performed between an integer or bigint value and a numeric value.
+
+ To allow for this potentially unwanted behavior, set
+ ActiveRecord.raise_int_wider_than_64bit to false.
+ ERROR
+ raise IntegerOutOf64BitRange.new exception
+ end
+ end
+
def quote(value) # :nodoc:
+ if ActiveRecord.raise_int_wider_than_64bit && value.is_a?(Integer)
+ check_int_in_range(value)
+ end
+
case value
when OID::Xml::Data
"xml '#{quote_string(value.to_s)}'"
diff --git a/test/cases/adapters/postgresql/quoting_test.rb b/test/cases/adapters/postgresql/quoting_test.rb
index d571355a9c..7e01defd96 100644
--- a/test/cases/adapters/postgresql/quoting_test.rb
+++ b/test/cases/adapters/postgresql/quoting_test.rb
@@ -8,6 +8,7 @@
class QuotingTest < ActiveRecord::PostgreSQLTestCase
def setup
@conn = ActiveRecord::Base.connection
+ @raise_int_wider_than_64bit = ActiveRecord.raise_int_wider_than_64bit
end
def test_type_cast_true
@@ -44,6 +45,33 @@ def test_quote_table_name_with_spaces
value = "user posts"
assert_equal "\"user posts\"", @conn.quote_table_name(value)
end
+
+ def test_raise_when_int_is_wider_than_64bit
+ value = 9223372036854775807 + 1
+ assert_raise ActiveRecord::ConnectionAdapters::PostgreSQL::Quoting::IntegerOutOf64BitRange do
+ @conn.quote(value)
+ end
+
+ value = -9223372036854775808 - 1
+ assert_raise ActiveRecord::ConnectionAdapters::PostgreSQL::Quoting::IntegerOutOf64BitRange do
+ @conn.quote(value)
+ end
+ end
+
+ def test_do_not_raise_when_int_is_not_wider_than_64bit
+ value = 9223372036854775807
+ assert_equal "9223372036854775807", @conn.quote(value)
+
+ value = -9223372036854775808
+ assert_equal "-9223372036854775808", @conn.quote(value)
+ end
+
+ def test_do_not_raise_when_raise_int_wider_than_64bit_is_false
+ ActiveRecord.raise_int_wider_than_64bit = false
+ value = 9223372036854775807 + 1
+ assert_equal "9223372036854775808", @conn.quote(value)
+ ActiveRecord.raise_int_wider_than_64bit = @raise_int_wider_than_64bit
+ end
end
end
end
--
2.35.1


@ -1,171 +0,0 @@
From d7aba06953f9fa789c411676b941d20df8ef73de Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Tue, 6 Sep 2022 15:49:26 -0700
Subject: [PATCH] Make sanitize_as_sql_comment more strict
Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.
This commit makes the sanitization more robust by replacing any
occurrances of "/*" or "*/" with "/ *" or "* /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.
This also clarifies in the documentation of annotate that it should not
be provided user input.
[CVE-2023-22794]
---
.../connection_adapters/abstract/quoting.rb | 11 ++++++++++-
activerecord-7.0.4/lib/active_record/query_logs.rb | 13 ++++++++++++-
.../lib/active_record/relation/query_methods.rb | 2 ++
activerecord-7.0.4/test/cases/annotate_test.rb | 11 ++++++++---
activerecord-7.0.4/test/cases/query_logs_test.rb | 5 +++--
activerecord-7.0.4/test/cases/relation_test.rb | 10 +++-------
6 files changed, 38 insertions(+), 14 deletions(-)
diff --git a/activerecord-7.0.4/lib/active_record/connection_adapters/abstract/quoting.rb b/activerecord-7.0.4/lib/active_record/connection_adapters/abstract/quoting.rb
index dda3145bdd..3b7819eb56 100644
--- a/activerecord-7.0.4/lib/active_record/connection_adapters/abstract/quoting.rb
+++ b/activerecord-7.0.4/lib/active_record/connection_adapters/abstract/quoting.rb
@@ -146,7 +146,16 @@ def quoted_binary(value) # :nodoc:
end
def sanitize_as_sql_comment(value) # :nodoc:
- value.to_s.gsub(%r{ (/ (?: | \g<1>) \*) \+? \s* | \s* (\* (?: | \g<2>) /) }x, "")
+ # Sanitize a string to appear within a SQL comment
+ # For compatibility, this also surrounding "/*+", "/*", and "*/"
+ # charcacters, possibly with single surrounding space.
+ # Then follows that by replacing any internal "*/" or "/ *" with
+ # "* /" or "/ *"
+ comment = value.to_s.dup
+ comment.gsub!(%r{\A\s*/\*\+?\s?|\s?\*/\s*\Z}, "")
+ comment.gsub!("*/", "* /")
+ comment.gsub!("/*", "/ *")
+ comment
end
def column_name_matcher # :nodoc:
diff --git a/activerecord-7.0.4/lib/active_record/query_logs.rb b/activerecord-7.0.4/lib/active_record/query_logs.rb
index f116a154dd..2fd6ca3640 100644
--- a/activerecord-7.0.4/lib/active_record/query_logs.rb
+++ b/activerecord-7.0.4/lib/active_record/query_logs.rb
@@ -33,6 +33,8 @@
# want to add to the comment. Dynamic content can be created by setting a proc or lambda value in a hash,
# and can reference any value stored in the +context+ object.
#
+ # Escaping is performed on the string returned, however untrusted user input should not be used.
+ #
# Example:
#
# tags = [
@@ -109,7 +111,16 @@ def uncached_comment
end
def escape_sql_comment(content)
- content.to_s.gsub(%r{ (/ (?: | \g<1>) \*) \+? \s* | \s* (\* (?: | \g<2>) /) }x, "")
+ # Sanitize a string to appear within a SQL comment
+ # For compatibility, this also surrounding "/*+", "/*", and "*/"
+ # charcacters, possibly with single surrounding space.
+ # Then follows that by replacing any internal "*/" or "/ *" with
+ # "* /" or "/ *"
+ comment = content.to_s.dup
+ comment.gsub!(%r{\A\s*/\*\+?\s?|\s?\*/\s*\Z}, "")
+ comment.gsub!("*/", "* /")
+ comment.gsub!("/*", "/ *")
+ comment
end
def tag_content
diff --git a/activerecord-7.0.4/lib/active_record/relation/query_methods.rb b/activerecord-7.0.4/lib/active_record/relation/query_methods.rb
index 25136331f9..cf7c524291 100644
--- a/activerecord-7.0.4/lib/active_record/relation/query_methods.rb
+++ b/activerecord-7.0.4/lib/active_record/relation/query_methods.rb
@@ -1216,6 +1216,8 @@ def skip_preloading! # :nodoc:
# # SELECT "users"."name" FROM "users" /* selecting */ /* user */ /* names */
#
# The SQL block comment delimiters, "/*" and "*/", will be added automatically.
+ #
+ # Some escaping is performed, however untrusted user input should not be used.
def annotate(*args)
check_if_method_has_arguments!(__callee__, args)
spawn.annotate!(*args)
diff --git a/test/cases/annotate_test.rb b/test/cases/annotate_test.rb
index b0802ca559..ed1d846178 100644
--- a/test/cases/annotate_test.rb
+++ b/test/cases/annotate_test.rb
@@ -18,17 +18,22 @@ def test_annotate_wraps_content_in_an_inline_comment
def test_annotate_is_sanitized
quoted_posts_id, quoted_posts = regexp_escape_table_name("posts.id"), regexp_escape_table_name("posts")
- assert_sql(%r{SELECT #{quoted_posts_id} FROM #{quoted_posts} /\* foo \*/}i) do
+ assert_sql(%r{SELECT #{quoted_posts_id} FROM #{quoted_posts} /\* \* /foo/ \* \*/}i) do
posts = Post.select(:id).annotate("*/foo/*")
assert posts.first
end
- assert_sql(%r{SELECT #{quoted_posts_id} FROM #{quoted_posts} /\* foo \*/}i) do
+ assert_sql(%r{SELECT #{quoted_posts_id} FROM #{quoted_posts} /\* \*\* //foo// \*\* \*/}i) do
posts = Post.select(:id).annotate("**//foo//**")
assert posts.first
end
- assert_sql(%r{SELECT #{quoted_posts_id} FROM #{quoted_posts} /\* foo \*/ /\* bar \*/}i) do
+ assert_sql(%r{SELECT #{quoted_posts_id} FROM #{quoted_posts} /\* \* \* //foo// \* \* \*/}i) do
+ posts = Post.select(:id).annotate("* *//foo//* *")
+ assert posts.first
+ end
+
+ assert_sql(%r{SELECT #{quoted_posts_id} FROM #{quoted_posts} /\* \* /foo/ \* \*/ /\* \* /bar \*/}i) do
posts = Post.select(:id).annotate("*/foo/*").annotate("*/bar")
assert posts.first
end
diff --git a/test/cases/query_logs_test.rb b/test/cases/query_logs_test.rb
index 05207f17e3..09ca530417 100644
--- a/test/cases/query_logs_test.rb
+++ b/test/cases/query_logs_test.rb
@@ -42,8 +42,9 @@ def test_escaping_good_comment
end
def test_escaping_bad_comments
- assert_equal "; DROP TABLE USERS;", ActiveRecord::QueryLogs.send(:escape_sql_comment, "*/; DROP TABLE USERS;/*")
- assert_equal "; DROP TABLE USERS;", ActiveRecord::QueryLogs.send(:escape_sql_comment, "**//; DROP TABLE USERS;/*")
+ assert_equal "* /; DROP TABLE USERS;/ *", ActiveRecord::QueryLogs.send(:escape_sql_comment, "*/; DROP TABLE USERS;/*")
+ assert_equal "** //; DROP TABLE USERS;/ *", ActiveRecord::QueryLogs.send(:escape_sql_comment, "**//; DROP TABLE USERS;/*")
+ assert_equal "* * //; DROP TABLE USERS;// * *", ActiveRecord::QueryLogs.send(:escape_sql_comment, "* *//; DROP TABLE USERS;//* *")
end
def test_basic_commenting
diff --git a/test/cases/relation_test.rb b/test/cases/relation_test.rb
index 1da95bd3ae..0aed326678 100644
--- a/test/cases/relation_test.rb
+++ b/test/cases/relation_test.rb
@@ -345,7 +345,7 @@ def test_relation_with_annotation_chains_sql_comments
def test_relation_with_annotation_filters_sql_comment_delimiters
post_with_annotation = Post.where(id: 1).annotate("**//foo//**")
- assert_match %r{= 1 /\* foo \*/}, post_with_annotation.to_sql
+ assert_includes post_with_annotation.to_sql, "= 1 /* ** //foo// ** */"
end
def test_relation_with_annotation_includes_comment_in_count_query
@@ -367,13 +367,9 @@ def test_relation_without_annotation_does_not_include_an_empty_comment
def test_relation_with_optimizer_hints_filters_sql_comment_delimiters
post_with_hint = Post.where(id: 1).optimizer_hints("**//BADHINT//**")
- assert_match %r{BADHINT}, post_with_hint.to_sql
- assert_no_match %r{\*/BADHINT}, post_with_hint.to_sql
- assert_no_match %r{\*//BADHINT}, post_with_hint.to_sql
- assert_no_match %r{BADHINT/\*}, post_with_hint.to_sql
- assert_no_match %r{BADHINT//\*}, post_with_hint.to_sql
+ assert_includes post_with_hint.to_sql, "/*+ ** //BADHINT// ** */"
post_with_hint = Post.where(id: 1).optimizer_hints("/*+ BADHINT */")
- assert_match %r{/\*\+ BADHINT \*/}, post_with_hint.to_sql
+ assert_includes post_with_hint.to_sql, "/*+ BADHINT */"
end
def test_does_not_duplicate_optimizer_hints_on_merge
--
2.35.1


BIN
activerecord-7.0.7.gem Normal file



@ -1,49 +0,0 @@
From d536ffd591d6a2363aaa1ad140f7b450e2e67ac6 Mon Sep 17 00:00:00 2001
From: Jess Bees <jesse@toomanybees.com>
Date: Fri, 29 Oct 2021 15:02:04 -0400
Subject: [PATCH] Raise an exception when using unrecognized options in
change_table block
In a database migration, the expressions `add_column`, `remove_index`,
etc. accept as keyword options `if_exists: true`/`if_not_exists: true`
which will skip that table alteration if the column or index does or
does not already exist.
This might lead some to think that within a change_table block,
```
change_table(:table) do |t|
t.column :new_column, if_not_exists: true
t.remove_index :old_column, if_exists: true
end
```
also works, but it doesn't. Or rather, it is silently ignored when
change_table is called with `bulk: true`, and it works accidentally
otherwise.
This commit raises an exception when these options are used in a
change_table block, which suggests the similar syntax:
`t.column :new_column unless t.column_exists?(:new_column)`. This
suggestion is already made in the documentation to
`ActiveRecord::ConnectionAdapters::Table`.
https://api.rubyonrails.org/classes/ActiveRecord/ConnectionAdapters/Table.html#method-i-column_exists-3F
Do not raise these new exceptions on migrations before 7.0
---
.../abstract/schema_definitions.rb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/activerecord/lib/active_record/connection_adapters/abstract/schema_definitions.rb b/activerecord/lib/active_record/connection_adapters/abstract/schema_definitions.rb
index eccb49adb91d8..e88d1637f68c7 100644
--- a/activerecord/lib/active_record/connection_adapters/abstract/schema_definitions.rb
+++ b/activerecord/lib/active_record/connection_adapters/abstract/schema_definitions.rb
@@ -657,8 +659,8 @@ def index(column_name, **options)
# end
#
# See {connection.index_exists?}[rdoc-ref:SchemaStatements#index_exists?]
- def index_exists?(column_name, options = {})
- @base.index_exists?(name, column_name, options)
+ def index_exists?(column_name, **options)
+ @base.index_exists?(name, column_name, **options)
end
# Renames the given index on the table.


@ -35,7 +35,7 @@ diff --git a/activerecord/test/cases/fixtures_test.rb b/activerecord/test/cases/
index 0267da5116bdd..772f421f2c852 100644
--- a/activerecord/test/cases/fixtures_test.rb
+++ b/activerecord/test/cases/fixtures_test.rb
@@ -996,7 +996,7 @@ def rollback_transaction(*args); end
@@ -997,7 +997,7 @@ def rollback_transaction(*args); end
def lock_thread=(lock_thread); end
end.new
@ -44,7 +44,7 @@ index 0267da5116bdd..772f421f2c852 100644
fire_connection_notification(connection)
end
end
@@ -1036,14 +1036,14 @@ def rollback_transaction(*args); end
@@ -1037,14 +1037,14 @@ def rollback_transaction(*args); end
def lock_thread=(lock_thread); end
end.new
@ -237,7 +237,7 @@ index 5cf6493e52ba2..620319b38655c 100644
t.xml :foo, :bar
end
end
@@ -152,120 +166,120 @@ def test_remove_exclusion_constraint_removes_exclusion_constraint
@@ -166,120 +166,120 @@ module ActiveRecord
def test_column_creates_column
with_change_table do |t|
@ -283,7 +283,7 @@ index 5cf6493e52ba2..620319b38655c 100644
def test_index_exists
with_change_table do |t|
- @connection.expect :index_exists?, nil, [:delete_me, :bar, {}]
- @connection.expect :index_exists?, nil, [:delete_me, :bar]
+ expect :index_exists?, nil, [:delete_me, :bar]
t.index_exists?(:bar)
end


@ -3,10 +3,10 @@ From: Nicolas Iragorri Dominguez
<nicolasiragorridominguez@Nicolass-Mac-Studio.local>
Date: Tue, 27 Dec 2022 01:24:19 +0100
Subject: [PATCH] [issue-46741] remove `require pathname` from `drop` method
---
.../test/cases/tasks/sqlite_rake_test.rb | 42 +++++++------------
diff --git a/activerecord/test/cases/tasks/sqlite_rake_test.rb b/activerecord/test/cases/tasks/sqlite_rake_test.rb
index 98257867aa773..9b534b88220bd 100644
--- a/activerecord/test/cases/tasks/sqlite_rake_test.rb


@ -11,7 +11,7 @@ diff --git a/activerecord/lib/active_record/tasks/sqlite_database_tasks.rb b/act
index d920d874ef308..fdfa299fa0e8c 100644
--- a/activerecord/lib/active_record/tasks/sqlite_database_tasks.rb
+++ b/activerecord/lib/active_record/tasks/sqlite_database_tasks.rb
@@ -22,10 +22,8 @@
@@ -22,10 +22,8 @@ def create
end
def drop


@ -1,8 +1,8 @@
%global gem_name activerecord
Name: rubygem-%{gem_name}
Epoch: 1
Version: 7.0.4
Release: 3
Version: 7.0.7
Release: 1
Summary: Object-relational mapper framework (part of Rails)
License: MIT
URL: http://rubyonrails.org
@ -10,24 +10,20 @@ Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
# The gem doesn't ship with the test suite.
# You may check it out like so
# git clone http://github.com/rails/rails.git
# cd rails/activerecord && git archive -v -o activerecord-7.0.4-tests.txz v7.0.4 test/
# cd rails/activerecord && git archive -v -o activerecord-7.0.7-tests.txz v7.0.7 test/
Source1: activerecord-%{version}-tests.txz
# The tools are needed for the test suite, are however unpackaged in gem file.
# You may check it out like so
# git clone http://github.com/rails/rails.git --no-checkout
# cd rails && git archive -v -o rails-7.0.4-tools.txz v7.0.4 tools/
# cd rails && git archive -v -o rails-7.0.7-tools.txz v7.0.7 tools/
Source2: rails-%{version}-tools.txz
# Fixes for Minitest 5.16+
# https://github.com/rails/rails/pull/43807
Patch0: rubygem-activerecord-7.0.2.3-Fix-assert_called_with-with-empty-args-array.patch
# https://github.com/rails/rails/pull/45380
Patch1: rubygem-activerecord-7.0.2.3-Remove-the-multi-call-form-of-assert_called_with.patch
# https://github.com/rails/rails/pull/45370
Patch2: rubygem-activerecord-7.0.2.3-Fix-tests-for-minitest-5.16.patch
Patch3: CVE-2022-44566.patch
Patch4: CVE-2023-22794.patch
Patch5: rubygem-activerecord-7.0.4-remove-require-pathname-from-drop-method.patch
Patch6: rubygem-activerecord-7.0.4-remove-require-pathname-from-drop-method-tests.patch
Patch3: rubygem-activerecord-7.0.4-remove-require-pathname-from-drop-method.patch
Patch4: rubygem-activerecord-7.0.4-remove-require-pathname-from-drop-method-tests.patch
Suggests: %{_bindir}/sqlite3
BuildRequires: rubygems-devel rubygem(bcrypt) rubygem(activesupport) = %{version}
@ -51,15 +47,12 @@ Documentation for %{name}.
%prep
%setup -q -n %{gem_name}-%{version} -b1 -b2
%patch0 -p2
%patch5 -p2
%patch 3 -p2
pushd %{_builddir}
%patch1 -p2
%patch2 -p2
%patch3 -p1
%patch4 -p1
%patch6 -p2
%patch 1 -p2
%patch 2 -p2
%patch 4 -p2
popd
%build
gem build ../%{gem_name}-%{version}.gemspec
@ -112,6 +105,9 @@ popd
%{gem_instdir}/examples
%changelog
* Fri Aug 18 2023 liyanan <thistleslyn@163.com> - 1:7.0.7-1
- Upgrade to version 7.0.7
* Mon Aug 14 2023 liyanan <thistleslyn@163.com> - 1:7.0.4-3
- fix build error
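Review bot: The new changelog entry at the bottom of this section says only "Upgrade to version 7.0.7" and does not record why the former Patch3 (CVE-2022-44566.patch) and Patch4 (CVE-2023-22794.patch) were removed from the Patch list and from %prep, even though this commit deletes both patch files. Both fixes were released upstream in 7.0.4.1, so 7.0.7 should already carry them, but anyone auditing the package's CVE coverage later has to rediscover that from the upstream history; a changelog line such as `- Drop CVE-2022-44566.patch and CVE-2023-22794.patch, fixed upstream since 7.0.4.1` would keep the lineage traceable. The renumbered %prep also mixes the old `%patch0 -p2` spelling with the new `%patch 3 -p2` form on the added lines; if the `%patch0` line is retained context rather than part of the change, rewriting it as `%patch 0 -p2` would keep one syntax throughout. The two remaining patches still carry 7.0.4 in their filenames, so it is worth confirming from the build log that they apply cleanly at -p2 against the 7.0.7 tree.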