From 7a01874b75fdd62ab3626490cdf1c65c0ba659d0 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Mon, 18 Jan 2016 13:51:02 -0800
Subject: [PATCH] Eliminate instance level writers for class accessors
Instance level writers can have an impact on how the Active Model /
Record objects are saved. Specifically, they can be used to bypass
validations. This is a problem if mass assignment protection is
disabled and specific attributes are passed to the constructor.
Conflicts:
activerecord/lib/active_record/scoping/default.rb
activesupport/lib/active_support/callbacks.rb
CVE-2016-0753
---
activemodel/lib/active_model/serializers/json.rb | 2 +-
activemodel/lib/active_model/validations.rb | 3 ++-
activerecord/lib/active_record/enum.rb | 2 +-
activerecord/lib/active_record/reflection.rb | 4 ++--
activesupport/lib/active_support/callbacks.rb | 2 +-
5 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/activerecord/lib/active_record/enum.rb b/activerecord/lib/active_record/enum.rb
index fba7747..c99941e 100644
--- a/activerecord/lib/active_record/enum.rb
+++ b/activerecord/lib/active_record/enum.rb
@@ -68,7 +68,7 @@ module ActiveRecord
# Where conditions on an enum attribute must use the ordinal value of an enum.
module Enum
def self.extended(base)
- base.class_attribute(:defined_enums)
+ base.class_attribute(:defined_enums, instance_writer: false)
base.defined_enums = {}
end
diff --git a/activerecord/lib/active_record/reflection.rb b/activerecord/lib/active_record/reflection.rb
index 824e005..82b0123 100644
--- a/activerecord/lib/active_record/reflection.rb
+++ b/activerecord/lib/active_record/reflection.rb
@@ -4,8 +4,8 @@ module ActiveRecord
extend ActiveSupport::Concern
included do
- class_attribute :_reflections
- class_attribute :aggregate_reflections
+ class_attribute :_reflections, instance_writer: false
+ class_attribute :aggregate_reflections, instance_writer: false
self._reflections = {}
self.aggregate_reflections = {}
end
--
2.2.1