Commit Graph

25 Commits

Author SHA1 Message Date
Jared Beck bce8b193c5 Ensure YAML safe loading in Rails 6.1, part 2 2022-10-16 01:54:50 -04:00
Tim Connor 172ac1d747 Ensure YAML safe loading in Rails 6.1
As part of the fix for CVE-2022-32224, Rails introduced safe YAML loading
and the `ActiveRecord.yaml_column_permitted_classes` config.

PaperTrail added support for respecting the new configuration here
https://github.com/paper-trail-gem/paper_trail/pull/1397

The CVE-2022-32224 fix was also backported to Rails versions 5.2.8.1,
6.0.5.1, and 6.1.6.1; however, the name of the configuration is slightly
different from that in Rails 7.x.

    7.0.3.1 ActiveRecord.yaml_column_permitted_classes
    6.1.6.1 ActiveRecord::Base.yaml_column_permitted_classes
    6.0.5.1 ActiveRecord::Base.yaml_column_permitted_classes
    5.2.8.1 ActiveRecord::Base.yaml_column_permitted_classes

PaperTrail currently doesn't support this alternative configuration
naming, which means it will silently fall back to unsafe YAML loading.

This commit updates `PaperTrail::Serializers::YAML` to be compatible
with safe YAML loading for the Rails 5.2 / 6.0 / 6.1 branches.
2022-10-16 01:41:53 -04:00
Jared Beck 3f0e3aba2e Drop support for Rails 5.2 (reached EoL on 2022-06-01) 2022-10-16 00:54:14 -04:00
Jared Beck d17fdabd29 Default serializer will use YAML.safe_load
Breaking change.

Going forward, PT's default serializer (PaperTrail::Serializers::YAML)
will use `safe_load` unless `ActiveRecord.use_yaml_unsafe_load`.

PT users are required to configure `ActiveRecord.yaml_column_permitted_classes`
correctly for their own application. Users may want to start with the following
safe-list:

```ruby
::ActiveRecord.use_yaml_unsafe_load = false
::ActiveRecord.yaml_column_permitted_classes = [
  ::ActiveRecord::Type::Time::Value,
  ::ActiveSupport::TimeWithZone,
  ::ActiveSupport::TimeZone,
  ::BigDecimal,
  ::Date,
  ::Symbol,
  ::Time
]
```
2022-08-15 21:52:29 -04:00
Jared Beck 6616e13023 Document and make explicit certain "boot" order
- Ensure that the "paper_trail" initializer happens before the
end-user's initializers (in their app's config/initializers)
- Document the boot process of dummy_app and how it differs
from a conventional app.

This is a direct continuation of fc6c5f6, which was a collaboration
between Eric and myself, but I chose to make this a separate
commit, partly for vanity, and partly on the faint hope that it
might make review easier.
2021-03-18 01:49:53 -04:00
Jared Beck 5c95fca5cf Tests: replace TravisCI with GitHub Actions
After years of providing an awesome service for free, which we are very
grateful for, TravisCI will be dropping their free plan on Dec 31. So,
we are switching to GHA.

Drops multi-db (foo/bar) tests. Managing three databases per RDBMS
was turning into a huge hassle, and they needed to be rewritten anyway for
rails 6, per Eileen's talk.
2020-12-15 21:37:05 -05:00
Jared Beck 31862462ce Tests: Remove defunct config: time_zone_aware_types
We started setting this config in rails 5, to preserve the behavior
in rails 4, i.e. `time` columns being "zone-unaware".

If we rewrite our `time` column tests to focus on the time only
(and not the date) then we don't need to set time_zone_aware_types.
2020-12-14 17:11:00 -05:00
Jared Beck 329ae89a8f Tests: dummy_app: remove config for old rails versions 2020-12-14 15:54:44 -05:00
Jared Beck b2cb837c81 Tests: use load_defaults in dummy_app
Suggested in
https://github.com/paper-trail-gem/paper_trail/pull/1273#issuecomment-744357944
2020-12-14 15:52:35 -05:00
Jared Beck 6ceaa0d922 Fix deprecation warning re: represent_boolean_as_integer 2020-05-03 01:05:15 -04:00
Jared Beck 24f3fbcd8f PT-AT is now responsible for testing itself
See historical overview in README
2019-08-06 02:45:06 -04:00
Edouard Chin 2b479a7f08 Support rails 6.0.0 (#1172)
* Change update_attributes to update

In Rails 6.0 update_attributes/update_attributes! is considered deprecated. Method update/update! is the replacement.

* CI: Don't use Bundler 1.16.1

- Bundler 1.16.1 has a bug where dependencies can't be resolved properly
  when a gem is a release candidate or an alpha version.
  The underlying bundler issue can be found here https://github.com/bundler/bundler/issues/6449

* Disable eager_load in test env:

- In Rails 6.0, rails/rails@3b95478 made a change to eagerly define
  attribute methods of a Model when `eager_load` is enabled.
  This breaks our test suite because of the way we run migrations.

  The TL;DR is that doing `People.attribute_names` will return an
  empty array instead of `[:id, time_zone, ...]`.
  You can find a failing build here https://travis-ci.org/paper-trail-gem/paper_trail/jobs/463369634

  Basically what happens is:

  1) The dummy app boots, attribute methods of each model are defined,
     but since migrations haven't run yet, the tables aren't even
     created, resulting in an empty attribute set.
  2) Migrations run, but it's already too late.

  In this commit I disabled eager_loading in test; AFAICT there isn't
  much benefit in eager_loading the dummy app anyway.
  Also renaming the `user.rb` file to `postgres_user.rb` in order for
  rails autoloading to work correctly.
2018-12-04 16:10:35 -05:00
Jared Beck 9f004a60e0 Revert #1108 (lorint's STI fix)
This partially reverts commit 58369e1d8f.
I have kept the specs, skipped.

Per the following, this approach does not seem to be working:

- https://github.com/paper-trail-gem/paper_trail/issues/1135
- https://github.com/paper-trail-gem/paper_trail/pull/1137
- https://github.com/seanlinsley/paper_trail/pull/1
2018-08-21 23:13:34 -04:00
Jared Beck ed4a39141b Do not require PT-AT
[Fixes #1134]
2018-08-14 18:56:46 -04:00
Jared Beck ec2e693907 Remove unnecessary deprecation silencer 2018-08-14 01:49:09 -04:00
lorint 58369e1d8f Fix for issue #594, reifying sub-classed models that use STI (#1108)
See the changes to the changelog and readme for details.
2018-07-30 10:50:32 -04:00
Jared Beck 72d4361a3b Tests: Fix deprecation: represent_boolean_as_integer 2018-06-07 14:43:56 -04:00
Jared Beck 3d4b44d422 Tests: Fix deprecation warning re: secret_key_base 2018-06-07 14:43:56 -04:00
Jared Beck e05eef6ae7 Lint: Style/LineEndConcatenation
I've come around to where I don't mind the backslash.
2018-03-27 18:35:00 -04:00
Jared Beck c0633be405 Lint: Style/ExpandPathArguments 2018-03-27 18:32:52 -04:00
Jared Beck 025ceef943 Ask for help with association tracking 2018-03-24 00:26:28 -04:00
Jared Beck cfbf7a647c Lint: Style/FrozenStringLiteralComment 2017-12-10 23:05:39 -05:00
Jared Beck 408aa74dc6 Drop support for rails 4.0 and 4.1
EoL for both was 2016-06-30
http://weblog.rubyonrails.org/2016/6/30/Rails-5-0-final/

PT continued to support them for 15 months after EoL.
2017-09-20 05:26:13 -04:00
Joel Hayhurst 29623cfa63 Support belongs_to_required_by_default
Since Rails 5.0, belongs_to_required_by_default has been the official ActiveRecord default.
Add the configuration lines necessary to enable this default in both 5.0 and 5.1.
Add "optional: true" where necessary to fix spec failures caused by this change.
Add version-checking conditionals where necessary.
Update the Changelog appropriately.
2017-08-30 14:02:56 -07:00
Jared Beck 94b9306647 Finish the conversion to RSpec
- Convert serializers/mixin_json_test.rb to rspec
- Convert functional/thread_safety_test.rb to rspec
- Convert functional/controller_test.rb to rspec
- Move the dummy app from test to spec, delete test dir
2017-06-10 01:45:46 -04:00