Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rubygem-globalid for openSUSE:Factory checked in at 2023-01-29 14:11:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-globalid (Old) and /work/SRC/openSUSE:Factory/.rubygem-globalid.new.32243 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-globalid" Sun Jan 29 14:11:23 2023 rev:10 rq:1061856 version:1.1.0 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-globalid/rubygem-globalid.changes 2021-12-25 20:17:10.965275833 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-globalid.new.32243/rubygem-globalid.changes 2023-01-29 14:17:07.937101731 +0100 @@ -1,0 +2,16 @@ +Fri Jan 27 09:27:44 UTC 2023 - pgaj...@suse.com + +- version update to 1.1.0 + * URI::GID: Update #check_scheme, no need to call super by @alexcwatt in #146 + * JSON-encode GlobalIDs as strings by @georgeclaghorn in #149 + * Support pattern matching of GlobalID & GlobalID::URI by @ojab in #140 + * prevent double find by @ooooooo-q in #148 + * implement non signed global_id helper method on fixture set by @rainerborene in #144 + +------------------------------------------------------------------- +Mon Jan 23 23:46:01 UTC 2023 - Marcus Rueckert <mrueck...@suse.de> + +- update to 1.0.1 + Fix ReDoS vulnerability in name parsing (CVE-2023-22799 [bsc#1207587]) + +------------------------------------------------------------------- Old: ---- globalid-1.0.0.gem New: ---- globalid-1.1.0.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-globalid.spec ++++++ --- /var/tmp/diff_new_pack.wzTQeX/_old 2023-01-29 14:17:08.353103777 +0100 +++ /var/tmp/diff_new_pack.wzTQeX/_new 2023-01-29 14:17:08.357103797 +0100 @@ -1,7 +1,7 @@ # # spec file for package rubygem-globalid # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -24,7 +24,7 @@ # Name: rubygem-globalid -Version: 1.0.0 +Version: 1.1.0 Release: 0 %define mod_name globalid %define mod_full_name %{mod_name}-%{version} ++++++ globalid-1.0.0.gem -> globalid-1.1.0.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/MIT-LICENSE new/MIT-LICENSE --- old/MIT-LICENSE 2021-11-26 00:16:26.000000000 +0100 +++ new/MIT-LICENSE 2023-01-25 19:47:17.000000000 +0100 @@ -1,4 +1,4 @@ -Copyright (c) 2014-2016 David Heinemeier Hansson +Copyright (c) 2014-2023 David Heinemeier Hansson Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the @@ -18,4 +18,3 @@ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/global_id/fixture_set.rb new/lib/global_id/fixture_set.rb --- old/lib/global_id/fixture_set.rb 2021-11-26 00:16:26.000000000 +0100 +++ new/lib/global_id/fixture_set.rb 2023-01-25 19:47:17.000000000 +0100 
@@ -2,12 +2,20 @@ class GlobalID module FixtureSet - def signed_global_id(fixture_set_name, label, column_type: :integer, **options) - identifier = identify(label, column_type) - model_name = default_fixture_model_name(fixture_set_name) - uri = URI::GID.build([GlobalID.app, model_name, identifier, {}]) + def global_id(fixture_set_name, label, column_type: :integer, **options) + create_global_id(fixture_set_name, label, column_type: column_type, klass: GlobalID, **options) + end - SignedGlobalID.new(uri, **options) + def signed_global_id(fixture_set_name, label, column_type: :integer, **options) + create_global_id(fixture_set_name, label, column_type: column_type, klass: SignedGlobalID, **options) end + + private + def create_global_id(fixture_set_name, label, klass:, column_type: :integer, **options) + identifier = identify(label, column_type) + model_name = default_fixture_model_name(fixture_set_name) + uri = URI::GID.build([GlobalID.app, model_name, identifier, {}]) + klass.new(uri, **options) + end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/global_id/global_id.rb new/lib/global_id/global_id.rb --- old/lib/global_id/global_id.rb 2021-11-26 00:16:26.000000000 +0100 +++ new/lib/global_id/global_id.rb 2023-01-25 19:47:17.000000000 +0100 @@ -1,4 +1,3 @@ -require 'active_support' require 'active_support/core_ext/string/inflections' # For #model_class constantize require 'active_support/core_ext/array/access' require 'active_support/core_ext/object/try' # For #find 
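Review bot: The new unsigned `global_id` helper forwards `**options` to `GlobalID.new`, whose `initialize(gid, options = {})` (visible in the global_id.rb hunk below) only stores the URI on its first line, so `for:` or `expires_in:` passed to `global_id` are silently dropped while the identical call to `signed_global_id` honours them; a test author switching between the two helpers gets no signal that purpose and expiry no longer apply. I would say so above `def global_id`: `# Unsigned GlobalID for a fixture row. Unlike #signed_global_id, +options+ are forwarded but have no effect on a plain GlobalID.` — or raise `ArgumentError` on unexpected keys if a loud failure is preferred. `create_global_id` and the enclosing module close inside the hunk.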
@@ -35,18 +34,12 @@ private def parse_encoded_gid(gid, options) - new(Base64.urlsafe_decode64(repad_gid(gid)), options) rescue nil - end - - # We removed the base64 padding character = during #to_param, now we're adding it back so decoding will work - def repad_gid(gid) - padding_chars = gid.length.modulo(4).zero? ? 0 : (4 - gid.length.modulo(4)) - gid + ('=' * padding_chars) + new(Base64.urlsafe_decode64(gid), options) rescue nil end end attr_reader :uri - delegate :app, :model_name, :model_id, :params, :to_s, to: :uri + delegate :app, :model_name, :model_id, :params, :to_s, :deconstruct_keys, to: :uri def initialize(gid, options = {}) @uri = gid.is_a?(URI::GID) ? gid : URI::GID.parse(gid) @@ -57,7 +50,13 @@ end def model_class - model_name.constantize + model = model_name.constantize + + unless model <= GlobalID + model + else + raise ArgumentError, "GlobalID and SignedGlobalID cannot be used as model_class." + end end def ==(other) @@ -70,7 +69,10 @@ end def to_param - # remove the = padding character for a prettier param -- it'll be added back in parse_encoded_gid - Base64.urlsafe_encode64(to_s).sub(/=+$/, '') + Base64.urlsafe_encode64(to_s, padding: false) + end + + def as_json(*) + to_s end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/global_id/locator.rb new/lib/global_id/locator.rb --- old/lib/global_id/locator.rb 2021-11-26 00:16:26.000000000 +0100 +++ new/lib/global_id/locator.rb 2023-01-25 19:47:17.000000000 +0100 @@ -1,4 +1,3 @@ -require 'active_support' require 'active_support/core_ext/enumerable' # For Enumerable#index_by class GlobalID diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/global_id/railtie.rb new/lib/global_id/railtie.rb --- old/lib/global_id/railtie.rb 2021-11-26 00:16:26.000000000 +0100 +++ new/lib/global_id/railtie.rb 2023-01-25 19:47:17.000000000 +0100 
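Review bot: The re-added `new(Base64.urlsafe_decode64(gid), options) rescue nil` in `parse_encoded_gid` keeps a bare `rescue nil` modifier, so besides the `ArgumentError` from malformed Base64 and the `URI::Error` family from a bad gid it also hides programming errors inside `initialize` (a `NoMethodError`, say) by returning `nil` as if the token were merely invalid. Now that `repad_gid` is gone on the strength of `Base64.urlsafe_decode64` accepting unpadded input (true since Ruby 2.3; worth checking against the gem's `required_ruby_version`, which is not in view), the expected failures are well known and can be named: `new(Base64.urlsafe_decode64(gid), options)` / `rescue ArgumentError, URI::Error` / `nil` as a method-level rescue, assuming `MissingModelIdError` descends from `URI::Error` like the other gid errors. The `delegate` and `initialize` lines at the end of the hunk are context.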
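Review bot: `unless model <= GlobalID ... else raise` in `model_class` is an inverted `unless`/`else`, which the Ruby style guide discourages and which buries the guard in the else branch; the same check reads as a guard clause: `model = model_name.constantize` / `raise ArgumentError, "GlobalID and SignedGlobalID cannot be used as model_class." if model <= GlobalID` / `model`. Note also that `constantize` can resolve `model_name` to a constant that is not a class or module, in which case `<=` is no longer `Module#<=` and the failure surfaces as a comparison error or `NoMethodError` rather than the intended `ArgumentError`; a `model.is_a?(Module)` precheck would make that explicit. Since `model_name` is delegated straight from the parsed URI, this guard only excludes GlobalID and its subclasses — it is not an allowlist, and callers resolving unsigned GIDs from untrusted input still need to restrict which models they accept.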
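Review bot: `as_json(*)` is new public API and, with the old padding comment deleted from `to_param`, neither method now explains itself; the intent ("JSON-encode GlobalIDs as strings" in the changelog) is not recoverable from the code alone. I would add `# JSON form is the bare URI string, i.e. the value GlobalID.new accepts back.` above `as_json`, and `# Padding is omitted for a shorter param; Base64.urlsafe_decode64 accepts unpadded input, so parse_encoded_gid needs no repadding.` above `to_param`. Anything that persisted the previous JSON shape of a GlobalID will see a different document after this change, so an upgrade note may be warranted if that shape was ever relied upon.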
@@ -3,7 +3,6 @@ rescue LoadError else require 'global_id' -require 'active_support' require 'active_support/core_ext/string/inflections' require 'active_support/core_ext/integer/time' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/global_id/signed_global_id.rb new/lib/global_id/signed_global_id.rb --- old/lib/global_id/signed_global_id.rb 2021-11-26 00:16:26.000000000 +0100 +++ new/lib/global_id/signed_global_id.rb 2023-01-25 19:47:17.000000000 +0100 @@ -1,4 +1,3 @@ -require 'global_id' require 'active_support/message_verifier' require 'time' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/global_id/uri/gid.rb new/lib/global_id/uri/gid.rb --- old/lib/global_id/uri/gid.rb 2021-11-26 00:16:26.000000000 +0100 +++ new/lib/global_id/uri/gid.rb 2023-01-25 19:47:17.000000000 +0100 @@ -98,6 +98,10 @@ "gid://#{app}#{path}#{'?' + query if query}" end + def deconstruct_keys(_keys) + {app: app, model_name: model_name, model_id: model_id, params: params} + end + protected def set_path(path) set_model_components(path) unless defined?(@model_name) && @model_id @@ -123,9 +127,6 @@ private COMPONENT = [ :scheme, :app, :model_name, :model_id, :params ].freeze - # Extracts model_name and model_id from the URI path. - PATH_REGEXP = %r(\A/([^/]+)/?([^/]+)?\z) - def check_host(host) validate_component(host) super @@ -138,18 +139,18 @@ def check_scheme(scheme) if scheme == 'gid' - super + true else raise URI::BadURIError, "Not a gid:// URI scheme: #{inspect}" end end def set_model_components(path, validate = false) - _, model_name, model_id = path.match(PATH_REGEXP).to_a - model_id = CGI.unescape(model_id) if model_id - + _, model_name, model_id = path.split('/', 3) validate_component(model_name) && validate_model_id(model_id, model_name) if validate + model_id = CGI.unescape(model_id) if model_id + @model_name = model_name @model_id = model_id end 
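Review bot: `deconstruct_keys(_keys)` is new public API on `URI::GID` with no comment, and it ignores the keys Ruby passes in (the pattern's keys, or `nil` for a `**rest` pattern) and always builds the full four-key hash; that is valid, but it should be stated so the method is not later trimmed to a partial hash without checking the `GlobalID` delegation in the global_id.rb hunk. I would add above it: `# Pattern-matching support (`case gid in {app:, model_name:}`): the requested keys are ignored and all four components are always returned.`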
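Review bot: `path.split('/', 3)` in `set_model_components` can yield a `model_id` that still contains `/` (`/Person/1/extra` gives `"1/extra"`), whereas the deleted, `\z`-anchored `PATH_REGEXP` produced no match at all for such a path; the only thing rejecting it now is `validate_model_id` in the next hunk, which this method calls only `if validate`. `set_path` at the top of this hunk calls `set_model_components(path)` without that flag, so whether a parsed (as opposed to built) `gid://app/Person/1/extra` can end up with an unvalidated `"1/extra"` depends on code outside this view and deserves a regression test. Moving `CGI.unescape` after validation is correct but non-obvious — the slash check sees the still-escaped id, so a raw `/` is an extra segment while `%2F` remains a legal escaped id character — and worth a comment on the `validate_component` line: `# Validate before unescaping: a literal "/" is an extra path segment, whereas "%2F" is an escaped id character and is allowed.` `check_scheme` returning `true` rather than `super` is fine, the scheme having already been matched.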
@@ -162,7 +163,7 @@ end def validate_model_id(model_id, model_name) - return model_id unless model_id.blank? + return model_id unless model_id.blank? || model_id.include?('/') raise MissingModelIdError, "Unable to create a Global ID for " \ "#{model_name} without a model id." diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/global_id/verifier.rb new/lib/global_id/verifier.rb --- old/lib/global_id/verifier.rb 2021-11-26 00:16:26.000000000 +0100 +++ new/lib/global_id/verifier.rb 2023-01-25 19:47:17.000000000 +0100 @@ -1,4 +1,3 @@ -require 'active_support' require 'active_support/message_verifier' class GlobalID diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/global_id.rb new/lib/global_id.rb --- old/lib/global_id.rb 2021-11-26 00:16:26.000000000 +0100 +++ new/lib/global_id.rb 2023-01-25 19:47:17.000000000 +0100 @@ -1,5 +1,5 @@ -require 'global_id/global_id' require 'active_support' +require 'global_id/global_id' autoload :SignedGlobalID, 'global_id/signed_global_id' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2021-11-26 00:16:26.000000000 +0100 +++ new/metadata 2023-01-25 19:47:17.000000000 +0100 @@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: globalid version: !ruby/object:Gem::Version - version: 1.0.0 + version: 1.1.0 platform: ruby authors: - David Heinemeier Hansson autorequire: bindir: bin cert_chain: [] -date: 2021-11-25 00:00:00.000000000 Z +date: 2023-01-25 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: activesupport @@ -59,7 +59,8 @@ homepage: http://www.rubyonrails.org licenses: - MIT -metadata: {} +metadata: + rubygems_mfa_required: 'true' post_install_message: rdoc_options: [] require_paths: 
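Review bot: The added `|| model_id.include?('/')` in `validate_model_id` reuses `MissingModelIdError` and its "without a model id" message for an id that is present but carries an extra path segment (what `split('/', 3)` in the previous hunk produces for `/Person/1/extra`), so the error a caller sees misstates the cause. This check is what now replaces the anchoring the deleted `PATH_REGEXP` provided, so I would keep it but split the two cases and give the slash case its own message, keeping the exception class so existing `rescue MissingModelIdError` callers are unaffected. The method's closing `end` lies outside the hunk.
```ruby
def validate_model_id(model_id, model_name)
  if model_id.blank?
    raise MissingModelIdError, "Unable to create a Global ID for " \
      "#{model_name} without a model id."
  elsif model_id.include?('/')
    # A raw "/" means the path had more than two segments; an escaped "%2F"
    # inside an id is fine because validation runs before CGI.unescape.
    raise MissingModelIdError, "Unable to create a Global ID for " \
      "#{model_name}: model id #{model_id.inspect} contains an extra path segment."
  end

  model_id
```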
@@ -75,7 +76,7 @@ - !ruby/object:Gem::Version version: '0' requirements: [] -rubygems_version: 3.2.22 +rubygems_version: 3.4.1 signing_key: specification_version: 4 summary: 'Refer to any model with a URI: gid://app/class/id'