Skip to content

Rails 5.2 #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
pboling wants to merge 53 commits into
base: master
Choose a base branch
from
Open

Rails 5.2 #6

pboling wants to merge 53 commits into from

Conversation

@pboling
Copy link

@pboling pboling commented Jan 15, 2025

Rails 5.2.8.1 is a security patch release to fix CVE-2022-32224.
See: https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017

The patch (Rails v5.2.8.1) causes an error with masq v0.3.4
(... actually it doesn't work at all on Rails v5, but some forks have been fixed):

Psych::DisallowedClass: Tried to load unspecified class: ActiveSupport::HashWithIndifferentAccess

when serializing a Hash the way we had done in previous versions app/models/masq/open_id_request.rb:

serialize :parameters, Hash

so we instead switch to serializing as JSON:

serialize :parameters, JSON

If an implementation needs to continue using the serialized Hash,
you will need to override the definition by reopening the model, and adding:

serialize :parameters, Hash

In addition, one of the following is also needed.

  1. Simple, but insecure fix, which reverts to previous unpatched behavior is:

    Rails.application.config.active_record.use_yaml_unsafe_load = true

  2. More complex, and a bit less insecure fix, is to explicitly list the allowed classes to serialize:

    Rails.application.config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time, HashWithIndifferentAccess]

pboling and others added 30 commits January 15, 2025 04:30
@pboling
🚚 Rename to masq2
356d384
@pboling
Rails 4 Gemfile
b4b61f1 
Update gemfile for rails 4
@pboling
Rails 4 changes
508d54a 
o Update Gemfile and gemspec
o Update dummy env and change to sqlite for tests
o Comment out model strong parameters
  moved to controllers instead
@pboling
Update travis details and gemspec
9dccc71
@pboling
Fix test schema to match column rename
14f03c6
@pboling
Rails 4.1 Masq Support
944068d 
Update gemfile and gemspec to support rails 4.1
@pboling
Rails 4.1 remove turn dependency
78ebd19 
This was preventing tests from running.
Fixed warning in assert_match server controller test
@pboling
Tidy up instance variable not initialized warnings
95656eb
@pboling
Travis tests expand_path change
a2f4b23 
Hopefully travis can find my fixtures now
@pboling
Rails 4.2 Upgrade
89eb7ef 
Update gemfile for Rails 4.2
@pboling
Update deprication and failing tests
ff3f9e0
@pboling
Update travis badge for branch
f7fd5b9
@pboling
Fix broken tests for rails 4.2
19fffe1
@pboling
Rails 5.0 Masq upgrade
78399fe 
Update bin file
rename depricated before/after_filters
Fix on tests so they run
Gemfile updates
@pboling
Test deprication changes
a1543ea 
Remove deprication warnings from tests
@pboling
Rails 5.0 get tests passing
0aa5cf2 
Fix on permitted openid parameters
Fix on saving parameters for an OpenID request
Fix on site parameters correctly permitted
@pboling
Rails 5.0 travis badge update
d1c7d02
@pboling
Rails 5.0 remove deprications
5b04024 
Update code removing depricated calls
- delete_all should not have arguments
- render text: has been depricated
@pboling
Remove find_by search shorthands
efcbc8a 
remove find_by and replace with where first
@pboling
Expect auth token
935b981
@pboling
🚨 Fix Markdown formatting
eae3ede
@pboling
🔒️ Use HTTPS for rubygems source
a7108df
@pboling
⬆️ Rails ~> 5.1
ac7f322
@pboling
🔥 auto_explain_threshold_in_seconds was deprecated in Rails 4.0, remo…
601cea6 
…ved in Rails 4.1

- https://guides.rubyonrails.org/4_1_release_notes.html#active-record-removals
@pboling
🚨 Linting
ebae030
@pboling
🚨 where(**).first => find_by
2c02c44
@pboling
⬆️ Rails 4 => 5 upgrade: Migrations
e49d4e7
@pboling
✨ Allow either id or login for accounts/show
fcf88ee
@pboling
✨ Allow ERB within YAML for config file
d73d0e5
@pboling
🔧 Rails 4.2 config updates
0327e37
pboling added 21 commits January 15, 2025 04:39
@pboling
➕ erb
5c799a7
@pboling
⬆️ Rails 4 => 5 upgrade: Controller & Parameters
39295b0
@pboling
✨ Allow logout via DELETE HTTP method
155c26e
@pboling
🐛 Fix locale key issues
fd2d12c
@pboling
⬆️ Rails 5.0 => 5.1 upgrade: before_filter => before_action
860ab0f
@pboling
⬆️ Rails 5.0 => 5.1 upgrade: avoid loading sprockets
fdb9eba 
- Kill asset pipeline
@pboling
🐛 Fix before_destroy callback on Persona
f7184a3
@pboling
🔥 mass_assignment_sanitizer isn't part of Rails 5.1
9e11bb4
@pboling
🔥 kill asset pipeline
c90f986
@pboling
🔥 Fix deprecation for Rails 5.2
f8c66c3
@pboling
💚 Fix tests
895d735
@pboling
🔥 Travis is dead
bfb7929
@pboling
✅ Timestamp math & comparison can be inaccurate
63dc6c0
@pboling
✅ String equality > Object equality
8940422
@pboling
➕ mysql2, pg for tests
2fa1dca
@pboling
Merge pull request #2 from oauth-xx/rename
d00751b 
🚚 Rename to masq2
@pboling
Merge pull request #1 from oauth-xx/upstream-rails-5-1-fixes
2d9d127 
Upstream rails 5.1 fixes
@pboling
⬆️ rails 5.2.8.
c7ea43b
@pboling
🙈 gitignores for rails 5.2.8.1
ca562af
@pboling
⬆️ ruby-openid2
6b7b3bf 
- drop-in replacement for ⚰️ruby-openid⚰️
@pboling
🚑️ [BREAKING] Fix compatibility with Rails v5.2.8.1
404e5de 
Rails 5.2.8.1 is a security patch release to fix CVE-2022-32224.
See: https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017

The patch (Rails v5.2.8.1) causes an error with `masq` v0.3.4
(... actually it doesn't work at all on Rails v5, but some forks have been fixed):

```
Psych::DisallowedClass: Tried to load unspecified class: ActiveSupport::HashWithIndifferentAccess
```

when serializing a Hash the way we had done in previous versions `app/models/masq/open_id_request.rb`:
```ruby
serialize :parameters, Hash
```

so we instead switch to serializing as JSON:
```ruby
serialize :parameters, JSON
```

If an implementation needs to continue using the serialized Hash,
you will need to override the definition by reopening the model, and adding:

```ruby
serialize :parameters, Hash
```

In addition, one of the following is also needed.

1. Simple, but insecure fix, which reverts to previous unpatched behavior is:

      ```ruby
      Rails.application.config.active_record.use_yaml_unsafe_load = true
      ```

2. More complex, and a bit less insecure fix, is to explicitly list the allowed classes to serialize:

      ```ruby
      Rails.application.config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time, HashWithIndifferentAccess]
      ```
@pboling pboling changed the title Rails 5 2 Rails 5.2 Jan 15, 2025
@pboling
➕ version_gem
ad95627 
- switch to require_relative
@pboling
🔇 DEPRECATION WARNING: Leaving `ActiveRecord::ConnectionAdapters::SQL…
866ab12 
…ite3Adapter.represent_boolean_as_integer`

  set to false is deprecated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pboling