Merge branch '6-1-sec' into 6-1-stable

* 6-1-sec:
  Preparing for 6.1.6.1 release
  updating version and changelog
  Change ActiveRecord::Coders::YAMLColumn default to safe_load
  Preparing for 6.1.6 release

Author: tenderlove

RAILS_VERSION

@@ -1 +1 @@
-6.1.6
+6.1.6.1

actioncable/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 6.1.6.1 (July 12, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.6 (May 09, 2022) ##
 
 *   No changes.

actioncable/lib/action_cable/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 6
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actioncable/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rails/actioncable",
-  "version": "6.1.6",
+  "version": "6.1.6-1",
   "description": "WebSocket framework for Ruby on Rails.",
   "main": "app/assets/javascripts/action_cable.js",
   "files": [

actionmailbox/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 6.1.6.1 (July 12, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.6 (May 09, 2022) ##
 
 *   No changes.

actionmailbox/lib/action_mailbox/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 6
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actionmailer/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 6.1.6.1 (July 12, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.6 (May 09, 2022) ##
 
 *   No changes.

actionmailer/lib/action_mailer/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 6
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actionpack/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 6.1.6.1 (July 12, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.6 (May 09, 2022) ##
 
 *   No changes.

actionpack/lib/action_pack/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 6
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actiontext/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 6.1.6.1 (July 12, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.6 (May 09, 2022) ##
 
 *   No changes.

actiontext/lib/action_text/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 6
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actiontext/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rails/actiontext",
-  "version": "6.1.6",
+  "version": "6.1.6-1",
   "description": "Edit and display rich text in Rails applications",
   "main": "app/javascript/actiontext/index.js",
   "files": [

actionview/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 6.1.6.1 (July 12, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.6 (May 09, 2022) ##
 
 *   No changes.

actionview/lib/action_view/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 6
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actionview/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rails/ujs",
-  "version": "6.1.6",
+  "version": "6.1.6-1",
   "description": "Ruby on Rails unobtrusive scripting adapter",
   "main": "lib/assets/compiled/rails-ujs.js",
   "files": [

activejob/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 6.1.6.1 (July 12, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.6 (May 09, 2022) ##
 
 *   No changes.

activejob/lib/active_job/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 6
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

activemodel/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 6.1.6.1 (July 12, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.6 (May 09, 2022) ##
 
 *   No changes.

activemodel/lib/active_model/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 6
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

activerecord/CHANGELOG.md

@@ -4,6 +4,34 @@
 
     *Nikita Vasilevsky*
 
+## Rails 6.1.6.1 (July 12, 2022) ##
+
+*   Change ActiveRecord::Coders::YAMLColumn default to safe_load
+
+    This adds two new configuration options The configuration options are as
+    follows:
+    
+    * `config.active_storage.use_yaml_unsafe_load`
+    
+    When set to true, this configuration option tells Rails to use the old
+    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
+    the possible escalation vulnerability in place.  Setting this option to true
+    is *not* recommended, but can aid in upgrading.
+    
+    * `config.active_record.yaml_column_permitted_classes`
+    
+    The "safe YAML" loading method does not allow all classes to be deserialized
+    by default.  This option allows you to specify classes deemed "safe" in your
+    application.  For example, if your application uses Symbol and Time in
+    serialized data, you can add Symbol and Time to the allowed list as follows:
+    
+    ```
+    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+    ```
+
+    [CVE-2022-32224]
+
+
 ## Rails 6.1.6 (May 09, 2022) ##
 
 *   No changes.

activerecord/lib/active_record/coders/yaml_column.rb

@@ -45,13 +45,15 @@ def check_arity_of_constructor
           raise ArgumentError, "Cannot serialize #{object_class}. Classes passed to `serialize` must have a 0 argument constructor."
         end
 
-        if YAML.respond_to?(:unsafe_load)
-          def yaml_load(payload)
-            YAML.unsafe_load(payload)
-          end
-        else
-          def yaml_load(payload)
-            YAML.load(payload)
+        def yaml_load(payload)
+          if !ActiveRecord::Base.use_yaml_unsafe_load
+            YAML.safe_load(payload, permitted_classes: ActiveRecord::Base.yaml_column_permitted_classes, aliases: true)
+          else
+            if YAML.respond_to?(:unsafe_load)
+              YAML.unsafe_load(payload)
+            else
+              YAML.load(payload)
+            end
           end
         end
     end

activerecord/lib/active_record/core.rb

@@ -155,6 +155,14 @@ def self.configurations
 
       mattr_accessor :legacy_connection_handling, instance_writer: false, default: true
 
+      # Application configurable boolean that instructs the YAML Coder to use
+      # an unsafe load if set to true.
+      mattr_accessor :use_yaml_unsafe_load, instance_writer: false, default: false
+
+      # Application configurable array that provides additional permitted classes
+      # to Psych safe_load in the YAML Coder
+      mattr_accessor :yaml_column_permitted_classes, instance_writer: false, default: []
+
       self.filter_attributes = []
 
       def self.connection_handler

activerecord/lib/active_record/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 6
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

activerecord/lib/active_record/railtie.rb

@@ -279,5 +279,23 @@ class Railtie < Rails::Railtie # :nodoc:
         self.signed_id_verifier_secret ||= -> { Rails.application.key_generator.generate_key("active_record/signed_id") }
       end
     end
+
+    initializer "active_record.use_yaml_unsafe_load" do |app|
+      config.after_initialize do
+        unless app.config.active_record.use_yaml_unsafe_load.nil?
+          ActiveRecord::Base.use_yaml_unsafe_load =
+            app.config.active_record.use_yaml_unsafe_load
+        end
+      end
+    end
+
+    initializer "active_record.yaml_column_permitted_classes" do |app|
+      config.after_initialize do
+        unless app.config.active_record.yaml_column_permitted_classes.nil?
+          ActiveRecord::Base.yaml_column_permitted_classes =
+            app.config.active_record.yaml_column_permitted_classes
+        end
+      end
+    end
   end
 end

activerecord/test/cases/attribute_methods_test.rb

@@ -46,9 +46,9 @@ def setup
 
   test "attribute_for_inspect with an array" do
     t = topics(:first)
-    t.content = [Object.new]
+    t.content = ["some_value"]
 
-    assert_match %r(\[#<Object:0x[0-9a-f]+>\]), t.attribute_for_inspect(:content)
+    assert_match %r(\[\"some_value\"\]), t.attribute_for_inspect(:content)
   end
 
   test "attribute_for_inspect with a long array" do
@@ -279,16 +279,16 @@ def setup
   end
 
   test "hashes are not mangled" do
-    new_topic = { title: "New Topic", content: { key: "First value" } }
-    new_topic_values = { title: "AnotherTopic", content: { key: "Second value" } }
+    new_topic = { "title" => "New Topic", "content" => { "key" => "First value" } }
+    new_topic_values = { "title" => "AnotherTopic", "content" => { "key" => "Second value" } }
 
     topic = Topic.new(new_topic)
-    assert_equal new_topic[:title], topic.title
-    assert_equal new_topic[:content], topic.content
+    assert_equal new_topic["title"], topic.title
+    assert_equal new_topic["content"], topic.content
 
     topic.attributes = new_topic_values
-    assert_equal new_topic_values[:title], topic.title
-    assert_equal new_topic_values[:content], topic.content
+    assert_equal new_topic_values["title"], topic.title
+    assert_equal new_topic_values["content"], topic.content
   end
 
   test "create through factory" do
@@ -602,7 +602,7 @@ def topic.title() "b" end
   end
 
   test "should unserialize attributes for frozen records" do
-    myobj = { value1: :value2 }
+    myobj = { "value1" => "value2" }
     topic = Topic.create(content: myobj)
     topic.freeze
     assert_equal myobj, topic.content

activerecord/test/cases/base_test.rb

@@ -108,7 +108,7 @@ def test_deprecated_arel_attribute_on_relation
 
   def test_incomplete_schema_loading
     topic = Topic.first
-    payload = { foo: 42 }
+    payload = { "foo" => 42 }
     topic.update!(content: payload)
 
     Topic.reset_column_information

activerecord/test/cases/calculations_test.rb

@@ -809,8 +809,8 @@ def test_pluck_on_aliased_attribute
   end
 
   def test_pluck_with_serialization
-    t = Topic.create!(content: { foo: :bar })
-    assert_equal [{ foo: :bar }], Topic.where(id: t.id).pluck(:content)
+    t = Topic.create!(content: { "foo" => "bar" })
+    assert_equal [{ "foo" => "bar" }], Topic.where(id: t.id).pluck(:content)
   end
 
   def test_pluck_with_qualified_column_name

activerecord/test/cases/coders/yaml_column_test.rb

@@ -5,6 +5,10 @@
 module ActiveRecord
   module Coders
     class YAMLColumnTest < ActiveRecord::TestCase
+      setup do
+        ActiveRecord::Base.use_yaml_unsafe_load = true
+      end
+
       def test_initialize_takes_class
         coder = YAMLColumn.new("attr_name", Object)
         assert_equal Object, coder.object_class
@@ -62,5 +66,35 @@ def test_load_doesnt_handle_undefined_class_or_module
         end
       end
     end
+
+    class YAMLColumnTestWithSafeLoad < YAMLColumnTest
+      setup do
+        @yaml_column_permitted_classes_default = ActiveRecord::Base.yaml_column_permitted_classes
+        ActiveRecord::Base.use_yaml_unsafe_load = false
+      end
+
+      def test_yaml_column_permitted_classes_are_consumed_by_safe_load
+        ActiveRecord::Base.yaml_column_permitted_classes = [Symbol, Time]
+
+        coder = YAMLColumn.new("attr_name")
+        time_yaml = YAML.dump(Time.new)
+        symbol_yaml = YAML.dump(:somesymbol)
+
+        assert_nothing_raised do
+          coder.load(time_yaml)
+          coder.load(symbol_yaml)
+        end
+
+        ActiveRecord::Base.yaml_column_permitted_classes = @yaml_column_permitted_classes_default
+      end
+
+      def test_load_doesnt_handle_undefined_class_or_module
+        coder = YAMLColumn.new("attr_name")
+        missing_class_yaml = '--- !ruby/object:DoesNotExistAndShouldntEver {}\n'
+        assert_raises(Psych::DisallowedClass) do
+          coder.load(missing_class_yaml)
+        end
+      end
+    end
   end
 end