Eliminate instance level writers for class accessors

Instance level writers can have an impact on how the Active Model / Record objects are saved. Specifically, they can be used to bypass validations. This is a problem if mass assignment protection is disabled and specific attributes are passed to the constructor. Conflicts: activerecord/lib/active_record/scoping/default.rb activesupport/lib/active_support/callbacks.rb CVE-2016-0753
rails · Jan 22, 2016 · 50d3d7d · 50d3d7d
1 parent be543e8
commit 50d3d7d
Show file tree

Hide file tree

Showing 5 changed files with 7 additions and 6 deletions.
diff --git a/activemodel/lib/active_model/serializers/json.rb b/activemodel/lib/active_model/serializers/json.rb
@@ -10,7 +10,7 @@ module JSON
       included do
         extend ActiveModel::Naming
 
-        class_attribute :include_root_in_json
+        class_attribute :include_root_in_json, instance_writer: false
         self.include_root_in_json = false
       end
 

diff --git a/activemodel/lib/active_model/validations.rb b/activemodel/lib/active_model/validations.rb
@@ -46,9 +46,10 @@ module Validations
       include HelperMethods
 
       attr_accessor :validation_context
+      private :validation_context=
       define_callbacks :validate, scope: :name
 
-      class_attribute :_validators
+      class_attribute :_validators, instance_writer: false
       self._validators = Hash.new { |h,k| h[k] = [] }
     end
 

diff --git a/activerecord/lib/active_record/enum.rb b/activerecord/lib/active_record/enum.rb
@@ -68,7 +68,7 @@ module ActiveRecord
   # Where conditions on an enum attribute must use the ordinal value of an enum.
   module Enum
     def self.extended(base) # :nodoc:
-      base.class_attribute(:defined_enums)
+      base.class_attribute(:defined_enums, instance_writer: false)
       base.defined_enums = {}
     end
 

diff --git a/activerecord/lib/active_record/reflection.rb b/activerecord/lib/active_record/reflection.rb
@@ -4,8 +4,8 @@ module Reflection # :nodoc:
     extend ActiveSupport::Concern
 
     included do
-      class_attribute :_reflections
-      class_attribute :aggregate_reflections
+      class_attribute :_reflections, instance_writer: false
+      class_attribute :aggregate_reflections, instance_writer: false
       self._reflections = {}
       self.aggregate_reflections = {}
     end

diff --git a/activesupport/lib/active_support/callbacks.rb b/activesupport/lib/active_support/callbacks.rb
@@ -768,7 +768,7 @@ def define_callbacks(*names)
         end
 
         names.each do |name|
-          class_attribute "_#{name}_callbacks"
+          class_attribute "_#{name}_callbacks", instance_writer: false
           set_callbacks name, CallbackChain.new(name, options)
         end
       end