Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the raw: true parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:
data = cache.fetch("demo", raw: true) { untrusted_string }
Versions Affected: rails < 5.2.5, rails < 6.0.4
Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the raw option when storing untrusted user input.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1
Impact
Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.
In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling Rails.cache.fetch they are using consistent values of the raw parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.
Workarounds
It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend double-checking every user-provided string cached
with the raw argument to ensure that it conforms to the expected format before it is written.
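The following is an added illustration of the behaviour the advisory describes; it is not Rails' own code and not part of the advisory. DemoRawCache is a small in-memory stand-in for the raw read path of MemCacheStore/RedisCacheStore before and after the fix (Rails' Entry wrapper is omitted), DemoNote stands in for any class reachable in the application, and acceptable_raw_value? is an invented format check of the kind the Workarounds section recommends. The attacker input is constructed inline as a Marshal stream, since that is all a user-supplied string has to be to trigger the unmarshalling.

```ruby
# Added example, not Rails' code: a minimal in-memory stand-in for the
# raw read path of MemCacheStore/RedisCacheStore before and after the fix.
# DemoRawCache, DemoNote and acceptable_raw_value? are names invented here.

# Any class reachable in the application; Marshal.load instantiates it
# without calling initialize when it appears in an attacker-controlled stream.
class DemoNote
  attr_reader :text

  def initialize(text)
    @text = text
  end
end

class DemoRawCache
  def initialize
    @store = {}
  end

  # Rails marshals non-raw values (wrapped in an Entry, omitted here);
  # raw: true stores the bare string, which is what the advisory is about.
  def write(key, value, raw: false)
    @store[key] = raw ? value.to_s : Marshal.dump(value)
  end

  # Simplified pre-fix read path: whatever comes back from the store is fed
  # to Marshal.load, falling back to the bytes when they are not a Marshal
  # stream. The raw flag is not consulted, so a user string that happens to
  # be a valid Marshal stream is turned into a live object.
  def legacy_read(key, raw: false)
    value = @store[key]
    return nil if value.nil?
    Marshal.load(value)
  rescue TypeError, ArgumentError
    value
  end

  # Hardened read: honour raw on the read side and never unmarshal a raw
  # entry. The foot-gun the advisory warns about remains: reading with
  # raw: false something that was written with raw: true still unmarshals
  # it, so raw must be used consistently for both operations.
  def read(key, raw: false)
    value = @store[key]
    return nil if value.nil?
    raw ? value : Marshal.load(value)
  end
end

# Workaround from the advisory: before caching a user-provided string with
# raw: true, check it against the format you expect (here, a short token).
# A Marshal stream starts with the bytes 0x04 0x08 and never matches this.
def acceptable_raw_value?(str)
  str.is_a?(String) && str.match?(/\A[A-Za-z0-9_-]{1,64}\z/)
end

# Runs the scenario end to end and returns the observations for inspection.
def demonstrate_raw_cache_unmarshalling
  # Constructed attacker input: a Marshal stream, which is just bytes and
  # could arrive via any string parameter the app caches with raw: true.
  attacker_string = Marshal.dump(DemoNote.new("injected"))
  cache = DemoRawCache.new
  cache.write("demo", attacker_string, raw: true)

  {
    legacy_raw_read: cache.legacy_read("demo", raw: true),    # DemoNote instance
    fixed_raw_read: cache.read("demo", raw: true),            # the original String
    fixed_mixed_read: cache.read("demo", raw: false),         # still a DemoNote: inconsistent raw
    attacker_string_accepted: acceptable_raw_value?(attacker_string), # false
    benign_string_accepted: acceptable_raw_value?("user-42")          # true
  }
end

if __FILE__ == $PROGRAM_NAME
  demonstrate_raw_cache_unmarshalling.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The mixed-read result is the reason the advisory asks for consistent raw values on both sides of Rails.cache.fetch: the fixed store only protects a raw write when it is also read back with raw: true.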
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
In this version, we fixed warnings when used with Ruby 2.7 across the entire framework.
Following is the list of other changes, per framework.
Active Support
Array#to_sentence no longer returns a frozen string.
Before:
['one', 'two'].to_sentence.frozen?
# => true
After:
['one', 'two'].to_sentence.frozen?
# => false
Nicolas Dular
Update ActiveSupport::Messages::Metadata#fresh? to work for cookies with expiry set when ActiveSupport.parse_json_times = true.
Christian Gregg
Active Model
No changes.
Active Record
Recommend applications don't use the database kwarg in connected_to
The database kwarg in connected_to was meant to be used for one-off scripts but is often used in requests. This is really dangerous because it re-establishes a connection every time. It's deprecated in 6.1 and will be removed in 6.2 without replacement. This change soft deprecates it in 6.0 by removing documentation.
Eileen M. Uchitelle
Fix support for PostgreSQL 11+ partitioned indexes.
Sebastián Palma
Add support for beginless ranges, introduced in Ruby 2.7.
Add Regexp.escape to one method in ActiveRecord, so that table names with regular expression characters in them work as expected. Since MS SQL Server uses "[" and "]" to quote table and column names, and those characters are regular expression characters, methods like pluck and select fail in certain cases when used with the MS SQL Server adapter.
Larry Reid
Store advisory locks on their own named connection.
Previously advisory locks were taken out against a connection when a migration started. This works fine in single database applications but doesn't work well when migrations need to open new connections which results in the lock getting dropped.
In order to fix this we are storing the advisory lock on a new connection with the connection specification name AdvisoryLockBase. The caveat is that we need to maintain at least 2 connections to a database while migrations are running in order to do this.
Eileen M. Uchitelle, John Crepezzi
Ensure :reading connections always raise if a write is attempted.
Now Rails will raise an ActiveRecord::ReadOnlyError if any connection on the reading handler attempts to make a write. If your reading role needs to write you should name the role something other than :reading.
Eileen M. Uchitelle
Enforce fresh ETag header after a collection's contents change by adding
ActiveRecord::Relation#cache_key_with_version. This method will be used by
ActionController::ConditionalGet to ensure that when collection cache versioning
is enabled, requests using ConditionalGet don't return the same ETag header
after a collection is modified. Fixes #38078.
Aaron Lipman
A database URL can now contain a querystring value that contains an equal sign. This is needed to support passing PostgreSQL options.
Joshua Flanagan
Retain explicit selections on the base model after applying includes and joins.
Action View
annotated_source_code returns an empty array so TemplateErrors without a
template in the backtrace are surfaced properly by DebugExceptions.
Guilherme Mansur, Kasper Timm Hansen
Add autoload for SyntaxErrorInTemplate so syntax errors are correctly raised by DebugExceptions.
Guilherme Mansur, Gannon McGibbon
Action Pack
Include child session assertion count in ActionDispatch::IntegrationTest
IntegrationTest#open_session uses dup to create the new session, which
meant it had its own copy of @assertions. This prevented the assertions
from being correctly counted and reported.
Child sessions now have their attr_accessor overridden to delegate to the
root session.
Active Job
While using the perform_enqueued_jobs test helper, enqueued jobs must be stored for the later check with assert_enqueued_with.
Dmitry Polushkin
Add queue name support to Que adapter
Brad Nauta, Wojciech Wnętrzak
Action Mailer
No changes.
Action Cable
No changes.
Active Storage
No changes.
Action Mailbox
Update Mandrill inbound email route to respond appropriately to HEAD requests for URL health checks from Mandrill.
Bill Cromie
Action Text
No changes.
Railties
Cache compiled view templates when running tests by default
When generating a new app without --skip-spring, caching classes is
disabled in environments/test.rb. This implicitly disables caching
view templates too. This change will enable view template caching by
adding this to the generated environments/test.rb:
config.action_view.cache_template_loading = true
Jorge Manrubia
Rails::Application#eager_load! is available again to load application code
manually as it was possible in previous versions.
Please, note this is not integrated with the whole eager loading logic that
runs when Rails boots with eager loading enabled, you can think of this
method as a vanilla recursive code loader.
This ability has been restored because there are some use cases for it, such
as indexers that need to have all application classes and modules in memory.
Xavier Noria
Generators that inherit from NamedBase respect --force option
Josh Brody
Regression fix: The Rake task zeitwerk:check supports eager loaded
namespaces which do not have eager load paths, like the recently added i18n. These namespaces are only required to respond to eager_load!.
For example, if booking/actions/create.rb is meant to define Booking::Create because the subdirectory actions is there only for organizational purposes, you can tell Zeitwerk with collapse:
loader.collapse("booking/actions")
The method also accepts glob patterns to support standardized project structures:
loader.collapse("*/actions")
Please check the documentation for more details.
Eager loading is idempotent, but now you can eager load again after reloading.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your version of activesupport has known security vulnerabilities 🚨
Advisory: CVE-2020-8165 Disclosed: May 18, 2020 URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
What changed?
↗️ activesupport (indirect, 6.0.2.1 → 6.0.3.1) · Repo · Changelog
Release Notes
6.0.3
Commits
See the full diff on Github. The new version differs by 39 commits:
Preparing for 6.0.3.1 release
bumping version, updating changelog
update changelog
activesupport: Deprecate Marshal.load on raw cache read in RedisCacheStore
activesupport: Avoid Marshal.load on raw cache value in MemCacheStore
Preparing for 6.0.3 release
Preparing for 6.0.3.rc1 release
adds missing require [Fixes #39042]
Fix Builder::XmlMarkup lazy load in Array#to_xml
Merge pull request #36941 from ts-3156/master
Merge pull request #38939 from hammerdr/38937
Merge pull request #38864 from abhaynikam/replace-mailing-list-url
Add CHANGELOG entry to 6.0.2.2
Merge pull request #38810 from kamipo/restore_compatibility_for_lookup_store
Fix configuring a cache store with ActiveSupport::OrderedOptions
Merge branch '6-2-sec' into 6-0-stable
Preparing for 6.0.2.2 release
Merge pull request #37435 from abhaynikam/37428-fix-filter-attributes-for-json-data-type
Fix `delegate_missing_to` to allow keyword arguments
Simplify `lookup_store`
Revert "Merge pull request #22780 from pauloancheta/master"
Fix `with_options` to allow string key options
Tests for OptionMerger with keyword arguments
Merge pull request #37776 from Edouard-chin/ec-irb-deprecation
Merge pull request #37100 from jonathanhefner/fix-irb-tab-completion-warning
Fix `deprecate_methods` to not expand positional argument hash
Merge pull request #38227 from jhawthorn/fix_for_mimitest_5_14
Fix CI failure due to renamed `#exception=` to `#error=` in minitest 5.14.0
Fix keyword arguments warnings on `try`
subscribe block doesn't take keyword arguments
`Logger#initialize` takes keyword arguments
Fix broken markup [ci skip]
Merge pull request #38117 from nicolasdular/nicolasdular/fix-frozen-strings-in-to-sentence
Remove warning from the deprecation method wrappers
Merge pull request #38069 from y-yagi/make_load_interlock_aware_monitor_work_in_ruby27
Merge pull request #37834 from Shopify/handle-unrelated-name-error-in-router
Merge pull request #38034 from Shopify/activerecord-ruby-2.7-warnings-6-0-stable
Fix most Ruby 2.7 warnings in Active Record 6.0
Merge branch '6-0-2-sec' into 6-0-stable
↗️ concurrent-ruby (indirect, 1.1.5 → 1.1.6) · Repo · Changelog
Release Notes
1.1.6 (from changelog)
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ minitest (indirect, 5.14.0 → 5.14.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 6 commits:
prepped for release
+ Minitest.filter_backtrace returns original backtrace if filter comes back empty.
Refactored positive spec tests w/ a custom assertion.
+ Return true on a successful refute. (jusleg)
Updated rake specs for latest assertions.
- Fixed expectation doco to not use global expectations.
↗️ tzinfo (indirect, 1.2.6 → 1.2.7) · Repo · Changelog
Release Notes
1.2.7
Commits
See the full diff on Github. The new version differs by 19 commits:
Improve grammar.
Preparing v1.2.7.
Update to Ruby 2.7.1.
Revert to Ruby 2.4.9 and 2.7.0.
Update to Ruby 2.4.10, 2.5.8, 2.6.6, 2.7.1 and JRuby 9.2.11.1.
Use shields.io for badges.
Update copyright years.
Add a build status badge for AppVeyor.
Replace broken links.
Use https for links where available.
Update to JRuby 9.2.11.0.
Merge pull request #112.
Test for just the non-existence of #untaint.
Fix comments relating to taint/untaint removal.
Don't rely on lexicographic version comparisons.
Fix test failures on Ruby 1.8.7.
Fix erroneous 'wrong number of arguments' errors on JRuby 9.0.5.0.
`$VERBOSE = false` won't work since `rb_warning` was changed to `rb_warn`
Update to Ruby 2.7.0.
↗️ zeitwerk (indirect, 2.2.2 → 2.3.0) · Repo · Changelog
Release Notes
2.3.0 (from changelog)
Commits
See the full diff on Github. The new version differs by 9 commits:
version 2.3.0
adds support for collapsing directories
typo [skip ci]
annotates a type [skip ci]
Merge pull request #105 from Shopify/micro-optim-slice
Micro optimization: `[0...-3] = ''` is faster than `slice!(-3, 3)`
Merge pull request #103 from tricknotes/ruby-2.7
test Ruby 2.7 on CI
allow eager loading after reloading