ManageIQ / inventory_refresh

Apache License 2.0

Update dependency activerecord to v6.1.7.1 [SECURITY] - autoclosed #137

Closed renovate[bot] closed 4 weeks ago

renovate[bot] commented 2 months ago

This PR contains the following updates:

| Package | Change |
|---|---|
| activerecord (source, changelog) | `"~>6.1.4"` -> `"~>6.1.7", ">= 6.1.7.1"` |
| activerecord (source, changelog) | `"~>6.0.4"` -> `"~>6.1.7", ">= 6.1.7.1"` |
| activerecord (source, changelog) | `"~>5.2.6"` -> `"~>6.1.7", ">= 6.1.7.1"` |

GitHub Vulnerability Alerts

CVE-2022-44566

There is a potential denial of service vulnerability present in ActiveRecord’s PostgreSQL adapter.

This has been assigned the CVE identifier CVE-2022-44566.

Versions Affected: All.
Not affected: None.
Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1

Impact

In ActiveRecord <7.0.4.1 and <6.1.7.1, when a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.

Releases

The fixed releases are available at the normal locations.

Workarounds

Ensure that user-supplied input which is provided to ActiveRecord clauses does not contain integers wider than a signed 64bit representation or floats.

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy regarding security issues. They are in git-am format and consist of a single changeset.

6-1-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 6.1 series
7-0-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 7.0 series

Release Notes

rails/rails (activerecord)

### [`v6.1.7.1`](https://togithub.com/rails/rails/releases/tag/v6.1.7.1)

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.7...v6.1.7.1)

#### Active Support

- Avoid regex backtracking in Inflector.underscore \[CVE-2023-22796]

#### Active Model

- No changes.

#### Active Record

- Make sanitize_as_sql_comment more strict

  Though this method was likely never meant to take user input, it was attempting sanitization. That sanitization could be bypassed with carefully crafted input. This commit makes the sanitization more robust by replacing any occurrences of "/*" or "*/" with "/ *" or "* /". It also performs a first pass to remove one surrounding comment to avoid compatibility issues for users relying on the existing removal. This also clarifies in the documentation of annotate that it should not be provided user input. \[CVE-2023-22794]

- Added integer width check to PostgreSQL::Quoting

  Given a value outside the range for a 64bit signed integer type PostgreSQL will treat the column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan. This behavior is configurable via ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true. \[CVE-2022-44566]

#### Action View

- No changes.

#### Action Pack

- Avoid regex backtracking on If-None-Match header \[CVE-2023-22795]
- Use string#split instead of regex for domain parts \[CVE-2023-22792]

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- No changes.

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- No changes.

### [`v6.1.7`](https://togithub.com/rails/rails/releases/tag/v6.1.7)

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.6.1...v6.1.7)

#### Active Support

- No changes.

#### Active Model

- No changes.

#### Active Record

- Symbol is allowed by default for YAML columns

  *Étienne Barrié*

- Fix `ActiveRecord::Store` to serialize as a regular Hash

  Previously it would serialize as an `ActiveSupport::HashWithIndifferentAccess` which is wasteful and cause problem with YAML safe_load.

  *Jean Boussier*

- Fix PG.connect keyword arguments deprecation warning on ruby 2.7

  Fixes [#44307](https://togithub.com/rails/rails/issues/44307).

  *Nikita Vasilevsky*

#### Action View

- No changes.

#### Action Pack

- No changes.

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- Respect Active Record's primary_key_type in Active Storage migrations.

  Backported from 7.0.

  *fatkodima*

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- No changes.

### [`v6.1.6.1`](https://togithub.com/rails/rails/releases/tag/v6.1.6.1): 6.1.6.1

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.6...v6.1.6.1)

#### Active Support

- No changes.

#### Active Model

- No changes.

#### Active Record

- Change ActiveRecord::Coders::YAMLColumn default to safe_load

  This adds two new configuration options. The configuration options are as follows:

  - `config.active_storage.use_yaml_unsafe_load`

    When set to true, this configuration option tells Rails to use the old "unsafe" YAML loading strategy, maintaining the existing behavior but leaving the possible escalation vulnerability in place. Setting this option to true is *not* recommended, but can aid in upgrading.

  - `config.active_record.yaml_column_permitted_classes`

    The "safe YAML" loading method does not allow all classes to be deserialized by default. This option allows you to specify classes deemed "safe" in your application. For example, if your application uses Symbol and Time in serialized data, you can add Symbol and Time to the allowed list as follows:

    ```ruby
    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
    ```

  \[CVE-2022-32224]

#### Action View

- No changes.

#### Action Pack

- No changes.

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- No changes.

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- No changes.

### [`v6.1.6`](https://togithub.com/rails/rails/releases/tag/v6.1.6): 6.1.6

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.5.1...v6.1.6)

#### Active Support

- Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

  Add the method `ERB::Util.xml_name_escape` to escape dangerous characters in names of tags and names of attributes, following the specification of XML.

  *Álvaro Martín Fraguas*

#### Active Model

- No changes.

#### Active Record

- No changes.

#### Action View

- Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

  Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option `:escape_attributes` to `:escape`, to simplify by applying the option to the whole tag.

  *Álvaro Martín Fraguas*

#### Action Pack

- Allow Content Security Policy DSL to generate for API responses.

  *Tim Wade*

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- No changes.

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- No changes.

### [`v6.1.5.1`](https://togithub.com/rails/rails/releases/tag/v6.1.5.1): 6.1.5.1

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.5...v6.1.5.1)

#### Active Support

- Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

  Add the method `ERB::Util.xml_name_escape` to escape dangerous characters in names of tags and names of attributes, following the specification of XML.

  *Álvaro Martín Fraguas*

#### Active Model

- No changes.

#### Active Record

- No changes.

#### Action View

- Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

  Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option `:escape_attributes` to `:escape`, to simplify by applying the option to the whole tag.

  *Álvaro Martín Fraguas*

#### Action Pack

- Allow Content Security Policy DSL to generate for API responses.

  *Tim Wade*

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- No changes.

#### Railties

- No changes.

### [`v6.1.5`](https://togithub.com/rails/rails/releases/tag/v6.1.5): 6.1.5

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.4.7...v6.1.5)

#### Active Support

- Fix `ActiveSupport::Duration.build` to support negative values.

  The algorithm to collect the `parts` of the `ActiveSupport::Duration` ignored the sign of the `value` and accumulated incorrect part values. This impacted `ActiveSupport::Duration#sum` (which is dependent on `parts`) but not `ActiveSupport::Duration#eql?` (which is dependent on `value`).

  *Caleb Buxton*, *Braden Staudacher*

- `Time#change` and methods that call it (eg. `Time#advance`) will now return a `Time` with the timezone argument provided, if the caller was initialized with a timezone argument.

  Fixes [#42467](https://togithub.com/rails/rails/issues/42467).

  *Alex Ghiculescu*

- Clone to keep extended Logger methods for tagged logger.

  *Orhan Toy*

- `assert_changes` works on including `ActiveSupport::Assertions` module.

  *Pedro Medeiros*

#### Active Model

- Clear secure password cache if password is set to `nil`

  Before:

  ```ruby
  user.password = 'something'
  user.password = nil

  user.password # => 'something'
  ```

  Now:

  ```ruby
  user.password = 'something'
  user.password = nil

  user.password # => nil
  ```

  *Markus Doits*

- Fix delegation in `ActiveModel::Type::Registry#lookup` and `ActiveModel::Type.lookup`

  Passing a last positional argument `{}` would be incorrectly considered as keyword argument.

  *Benoit Daloze*

- Fix `to_json` after `changes_applied` for `ActiveModel::Dirty` object.

  *Ryuta Kamizono*

#### Active Record

- Fix `ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate` for Ruby 2.6.

  Ruby 2.6 and 2.7 have slightly different implementations of the `String#@-` method. In Ruby 2.6, the receiver of the `String#@-` method is modified under certain circumstances. This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only fixed in Ruby 2.7.

  Before the changes in this commit, the `ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate` method, which internally calls the `String#@-` method, could also modify an input string argument in Ruby 2.6 -- changing a tainted, unfrozen string into a tainted, frozen string.

  Fixes [#43056](https://togithub.com/rails/rails/issues/43056)

  *Eric O'Hanlon*

- Fix migration compatibility to create SQLite references/belongs_to column as integer when migration version is 6.0.

  `reference`/`belongs_to` in migrations with version 6.0 were creating columns as bigint instead of integer for the SQLite Adapter.

  *Marcelo Lauxen*

- Fix dbconsole for 3-tier config.

  *Eileen M. Uchitelle*

- Better handle SQL queries with invalid encoding.

  ```ruby
  Post.create(name: "broken \xC8 UTF-8")
  ```

  Would cause all adapters to fail in a non controlled way in the code responsible to detect write queries.

  The query is now properly passed to the database connection, which might or might not be able to handle it, but will either succeed or failed in a more correct way.

  *Jean Boussier*

- Ignore persisted in-memory records when merging target lists.

  *Kevin Sjöberg*

- Fix regression bug that caused ignoring additional conditions for preloading `has_many` through relations.

  Fixes [#43132](https://togithub.com/rails/rails/issues/43132)

  *Alexander Pauly*

- Fix `ActiveRecord::InternalMetadata` to not be broken by `config.active_record.record_timestamps = false`

  Since the model always create the timestamp columns, it has to set them, otherwise it breaks various DB management tasks.

  Fixes [#42983](https://togithub.com/rails/rails/issues/42983)

  *Jean Boussier*

- Fix duplicate active record objects on `inverse_of`.

  *Justin Carvalho*

- Fix duplicate objects stored in has many association after save.

  Fixes [#42549](https://togithub.com/rails/rails/issues/42549).

  *Alex Ghiculescu*

- Fix performance regression in `CollectionAssocation#build`.

  *Alex Ghiculescu*

- Fix retrieving default value for text column for MariaDB.

  *fatkodima*

#### Action View

- `preload_link_tag` properly inserts `as` attributes for files with `image` MIME types, such as JPG or SVG.

  *Nate Berkopec*

- Add `autocomplete="off"` to all generated hidden fields.

  Fixes [#42610](https://togithub.com/rails/rails/issues/42610).

  *Ryan Baumann*

- Fix `current_page?` when URL has trailing slash.

  This fixes the `current_page?` helper when the given URL has a trailing slash, and is an absolute URL or also has query params.

  Fixes [#33956](https://togithub.com/rails/rails/issues/33956).

  *Jonathan Hefner*

#### Action Pack

- Fix `content_security_policy` returning invalid directives.

  Directives such as `self`, `unsafe-eval` and few others were not single quoted when the directive was the result of calling a lambda returning an array.

  ```ruby
  content_security_policy do |policy|
    policy.frame_ancestors lambda { [:self, "https://example.com"] }
  end
  ```

  With this fix the policy generated from above will now be valid.

  *Edouard Chin*

- Update `HostAuthorization` middleware to render debug info only when `config.consider_all_requests_local` is set to true.

  Also, blocked host info is always logged with level `error`.

  Fixes [#42813](https://togithub.com/rails/rails/issues/42813).

  *Nikita Vyrko*

- Dup arrays that get "converted".

  Fixes [#43681](https://togithub.com/rails/rails/issues/43681).

  *Aaron Patterson*

- Don't show deprecation warning for equal paths.

  *Anton Rieder*

- Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.

  Fixes [#43094](https://togithub.com/rails/rails/issues/43094).

  *Alex Ghiculescu*

- Add fallback host for SystemTestCase driven by RackTest.

  Fixes [#42780](https://togithub.com/rails/rails/issues/42780).

  *Petrik de Heus*

- Add more detail about what hosts are allowed.

  *Alex Ghiculescu*

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- The Action Cable client now ensures successful channel subscriptions:

  - The client maintains a set of pending subscriptions until either the server confirms the subscription or the channel is torn down.
  - Rectifies the race condition where an unsubscribe is rapidly followed by a subscribe (on the same channel identifier) and the requests are handled out of order by the ActionCable server, thereby ignoring the subscribe command.

  *Daniel Spinosa*

- Truncate broadcast logging messages.

  *J Smith*

#### Active Storage

- Attachments can be deleted after their association is no longer defined.

  Fixes [#42514](https://togithub.com/rails/rails/issues/42514)

  *Don Sisco*

#### Action Mailbox

- Add `attachments` to the list of permitted parameters for inbound emails conductor.

  When using the conductor to test inbound emails with attachments, this prevents an unpermitted parameter warning in default configurations, and prevents errors for applications that set:

  ```ruby
  config.action_controller.action_on_unpermitted_parameters = :raise
  ```

  *David Jones*, *Dana Henke*

#### Action Text

- Fix Action Text extra trix content wrapper.

  *Alexandre Ruban*

#### Railties

- In `zeitwerk` mode, setup the `once` autoloader first, and the `main` autoloader after it. This order plays better with shared namespaces.

  *Xavier Noria*

- Handle paths with spaces when editing credentials.

  *Alex Ghiculescu*

- Support Psych 4 when loading secrets.

  *Nat Morcos*

### [`v6.1.4.7`](https://togithub.com/rails/rails/releases/tag/v6.1.4.7): 6.1.4.7

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.4.6...v6.1.4.7)

#### Active Support

- No changes.

#### Active Model

- No changes.

#### Active Record

- No changes.

#### Action View

- No changes.

#### Action Pack

- No changes.

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- Added image transformation validation via configurable allow-list.

  Variant now offers a configurable allow-list for transformation methods in addition to a configurable deny-list for arguments. \[CVE-2022-21831]

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- No changes.

### [`v6.1.4.6`](https://togithub.com/rails/rails/releases/tag/v6.1.4.6): 6.1.4.6

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.4.5...v6.1.4.6)

#### Active Support

- No changes.

#### Active Model

- No changes.

#### Active Record

- No changes.

#### Action View

- No changes.

#### Action Pack

- Fix Reloader method signature to work with the new Executor signature

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- No changes.

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- No changes.

### [`v6.1.4.5`](https://togithub.com/rails/rails/releases/tag/v6.1.4.5): 6.1.4.5

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.4.4...v6.1.4.5)

#### Active Support

- No changes.

#### Active Model

- No changes.

#### Active Record

- No changes.

#### Action View

- No changes.

#### Action Pack

- Under certain circumstances, the middleware isn't informed that the response body has been fully closed which result in request state not being fully reset before the next request \[CVE-2022-23633]

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- No changes.

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- No changes.

### [`v6.1.4.4`](https://togithub.com/rails/rails/releases/tag/v6.1.4.4): 6.1.4.4

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.4.3...v6.1.4.4)

#### Active Support

- No changes.

#### Active Model

- No changes.

#### Active Record

- No changes.

#### Action View

- No changes.

#### Action Pack

- Fix issue with host protection not allowing host with port in development.

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- No changes.

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- No changes.

### [`v6.1.4.3`](https://togithub.com/rails/rails/releases/tag/v6.1.4.3): 6.1.4.3

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.4.2...v6.1.4.3)

#### Active Support

- No changes.

#### Active Model

- No changes.

#### Active Record

- No changes.

#### Action View

- No changes.

#### Action Pack

- No changes.

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- No changes.

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- Allow localhost with a port by default in development \[Fixes: [#43864](https://togithub.com/rails/rails/issues/43864)]

### [`v6.1.4.2`](https://togithub.com/rails/rails/releases/tag/v6.1.4.2): 6.1.4.2

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.4.1...v6.1.4.2)

#### Active Support

- No changes.

#### Active Model

- No changes.

#### Active Record

- No changes.

#### Action View

- No changes.

#### Action Pack

- Fix X_FORWARDED_HOST protection. \[CVE-2021-44528]

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- No changes.

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- No changes.

### [`v6.1.4.1`](https://togithub.com/rails/rails/compare/v6.1.4...v6.1.4.1)

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.4...v6.1.4.1)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR was generated by Mend Renovate. View the repository job log.
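The workaround from the CVE-2022-44566 advisory quoted in the Renovate comment above, as an added example that is not part of this PR, of inventory_refresh or of Rails: reject user-supplied values that are floats or wider than a signed 64-bit integer before they reach an ActiveRecord clause. `int64_param`, `sanitize_id_params` and the sample params hash are assumptions made for the example; nothing here calls ActiveRecord, so it runs without a database. The point of validating at the request boundary is that, once 6.1.7.1 is in, the adapter check behind `ActiveRecord::Base.raise_int_wider_than_64bit` (on by default) raises inside the query path, whereas a boundary check lets the application answer with a client error instead of a 500.

```ruby
# Added example, not code from inventory_refresh or Rails: enforce the
# CVE-2022-44566 workaround on request input. A PostgreSQL literal outside
# the signed 64-bit range is typed numeric, so "bigint_col = <literal>"
# becomes a numeric comparison the integer index cannot serve and the
# planner can fall back to a sequential scan (the advisory's DoS).
INT64_MIN = -(2**63)
INT64_MAX =  (2**63) - 1

class IntegerWidthError < ArgumentError; end

# Coerce a raw parameter (Integer or String) to an Integer that fits a
# signed 64-bit column. Floats, non-numeric strings and out-of-range values
# are rejected here rather than handed to the database.
def int64_param(value)
  int =
    case value
    when Integer then value
    when String
      # Only an optional sign and digits: "3.5", "1e5" and "" all fail.
      raise IntegerWidthError, "not an integer: #{value.inspect}" unless value.match?(/\A-?\d+\z/)
      Integer(value, 10)
    else
      raise IntegerWidthError, "unsupported type #{value.class} for integer parameter"
    end
  unless int.between?(INT64_MIN, INT64_MAX)
    raise IntegerWidthError, "#{int} is wider than a signed 64-bit integer"
  end
  int
end

# Validate every id-like key present in a params hash (hypothetical helper).
# Returns a new hash of Integers, or raises IntegerWidthError on the first
# bad value so the controller can respond 400 before running a query.
def sanitize_id_params(params, keys)
  keys.each_with_object({}) do |key, out|
    out[key] = int64_param(params.fetch(key)) if params.key?(key)
  end
end

# Constructed sample input standing in for request params.
if $PROGRAM_NAME == __FILE__
  good = { "id" => "42", "parent_id" => 7 }
  p sanitize_id_params(good, %w[id parent_id])

  bad = { "id" => "9223372036854775808" } # 2**63, one past INT64_MAX
  begin
    sanitize_id_params(bad, %w[id])
  rescue IntegerWidthError => e
    puts "rejected: #{e.message}"
  end
end
```

Run the validated values through `where(id: ...)`, `find` and friends instead of the raw params. The guard is deliberately strict about floats as well, because the advisory lists them alongside over-wide integers as input that must not reach the adapter.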

miq-bot commented 2 months ago

Checked commit https://github.com/ManageIQ/inventory_refresh/commit/3c8738f0b3d417ea6eac7b5ef8e01c92322f3804 with ruby 3.1.5, rubocop 1.56.3, haml-lint 0.51.0, and yamllint

1 file checked, 0 offenses detected

Everything looks fine. :cake:
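The safe-load default that 6.1.6.1 introduces for serialized columns (CVE-2022-32224, in the release notes of the Renovate comment above), as an added example that is not part of this PR, of inventory_refresh or of Rails. `load_column`, the `PERMITTED` list and the two YAML payloads are constructed for the example; Psych is called directly rather than through `ActiveRecord::Coders::YAMLColumn` so the block runs without a database. It shows the two outcomes the release note describes: a class missing from the allow-list is refused, and an object-instantiation payload is refused no matter what the allow-list contains.

```ruby
require "date"
require "yaml"

# Added example, not code from inventory_refresh or Rails: what safe YAML
# loading accepts and rejects for serialized column values. The list
# mirrors the config.active_record.yaml_column_permitted_classes example
# in the 6.1.6.1 release notes.
PERMITTED = [Symbol, Date, Time].freeze

# Deserialize one stored column value. Returns [:ok, object] when every
# class in the document is on the allow-list, otherwise [:rejected, reason].
# A rejected payload never instantiates the class it names.
def load_column(yaml, permitted_classes: PERMITTED)
  [:ok, Psych.safe_load(yaml, permitted_classes: permitted_classes)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# Constructed column contents standing in for rows read from the database.
SAMPLE_ROWS = {
  # Plain data with a Symbol value: loads only if Symbol is permitted.
  "settings" => "---\nstatus: :active\nretries: 3\n",
  # An object-instantiation payload of the kind the unsafe loader would
  # build; safe_load refuses it whatever the allow-list contains.
  "tampered" => "--- !ruby/object:OpenStruct\ntable:\n  :cmd: id\n",
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_ROWS.each do |name, yaml|
    puts "#{name} (app allow-list):   #{load_column(yaml).inspect}"
    puts "#{name} (default safe_load): #{load_column(yaml, permitted_classes: []).inspect}"
  end
end
```

When an application upgrades and starts seeing `Psych::DisallowedClass` on existing rows, the release note's remedy is to add the missing class to `yaml_column_permitted_classes`, not to switch the unsafe loader back on.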

miq-bot commented 4 weeks ago

This pull request is not mergeable. Please rebase and repush.