From 1ef4dad8ab42d129da7529097a5cf7a31b4a3446 Mon Sep 17 00:00:00 2001
From: Jun Aruga
Date: Aug 19 2016 13:27:21 +0000
Subject: - Fix for CVE-2016-6317 (rhbz#1366479) - Fix argument error for instance_exec for Ruby 2.3 compatibility - Improve tests not to accept the failures
---
diff --git a/rubygem-activerecord-4.2.6-fix-for-instance_exec-tests.patch b/rubygem-activerecord-4.2.6-fix-for-instance_exec-tests.patch
new file mode 100644
index 0000000..4b3bfcc
--- /dev/null
+++ b/rubygem-activerecord-4.2.6-fix-for-instance_exec-tests.patch
@@ -0,0 +1,18 @@
+diff --git a/activerecord/test/cases/relation_test.rb b/activerecord/test/cases/relation_test.rb
+index 408953b..44e07a2 100644
+--- a/activerecord/test/cases/relation_test.rb
++++ b/activerecord/test/cases/relation_test.rb
+@@ -260,6 +260,13 @@ def test_relation_merging_with_merged_joins_as_strings
+ assert_equal 3, authors(:david).posts.merge(posts_with_special_comments_with_ratings).count.length
+ end
+
++ def test_merge_raises_with_invalid_argument
++ assert_raises ArgumentError do
++ relation = Relation.new(FakeKlass, :b)
++ relation.merge(true)
++ end
++ end
++
+ class EnsureRoundTripTypeCasting < ActiveRecord::Type::Value
+ def type
+ :string
diff --git a/rubygem-activerecord-4.2.6-fix-for-instance_exec.patch b/rubygem-activerecord-4.2.6-fix-for-instance_exec.patch
new file mode 100644
index 0000000..67aedbd
--- /dev/null
+++ b/rubygem-activerecord-4.2.6-fix-for-instance_exec.patch
@@ -0,0 +1,30 @@
+diff --git a/activerecord/lib/active_record/relation/spawn_methods.rb b/activerecord/lib/active_record/relation/spawn_methods.rb
+index 57d66bc..6551344 100644
+--- a/activerecord/lib/active_record/relation/spawn_methods.rb
++++ b/activerecord/lib/active_record/relation/spawn_methods.rb
+@@ -12,6 +12,7 @@ def spawn #:nodoc:
+
+ # Merges in the conditions from other, if other is an ActiveRecord::Relation.
+ # Returns an array representing the intersection of the resulting records with other, if other is an array.
++ #
+ # Post.where(published: true).joins(:comments).merge( Comment.where(spam: false) )
+ # # Performs a single join query with both where conditions.
+ #
+@@ -37,11 +38,14 @@ def merge(other)
+ end
+
+ def merge!(other) # :nodoc:
+- if !other.is_a?(Relation) && other.respond_to?(:to_proc)
++ if other.is_a?(Hash)
++ Relation::HashMerger.new(self, other).merge
++ elsif other.is_a?(Relation)
++ Relation::Merger.new(self, other).merge
++ elsif other.respond_to?(:to_proc)
+ instance_exec(&other)
+ else
+- klass = other.is_a?(Hash) ? Relation::HashMerger : Relation::Merger
+- klass.new(self, other).merge
++ raise ArgumentError, "#{other.inspect} is not an ActiveRecord::Relation"
+ end
+ end
+
diff --git a/rubygem-activerecord-4.2.7.1-CVE-2016-6317-unsafe-query.patch b/rubygem-activerecord-4.2.7.1-CVE-2016-6317-unsafe-query.patch
new file mode 100644
index 0000000..65a4461
--- /dev/null
+++ b/rubygem-activerecord-4.2.7.1-CVE-2016-6317-unsafe-query.patch
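Review bot: The message in the new else branch, `raise ArgumentError, "#{other.inspect} is not an ActiveRecord::Relation"`, understates what merge! accepts: the branches above it also take a Hash and anything responding to to_proc, so a caller who passes, say, a String is told only that a Relation was expected. The patch appears to be a backport of the upstream commit referenced in the spec, so the wording may be deliberate; if it is kept, a one-line comment above the raise saying that Hash and to_proc callables are dispatched above would stop a later reader from "correcting" the message and diverging from upstream. If wording changes are acceptable, `raise ArgumentError, "#{other.inspect} is not an ActiveRecord::Relation, Hash or callable"` states what is actually checked. The merge! body lies entirely within the hunk, but the enclosing module starts and ends outside it.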
@@ -0,0 +1,14 @@
+diff --git a/activerecord/lib/active_record/relation/predicate_builder/array_handler.rb b/activerecord/lib/active_record/relation/predicate_builder/array_handler.rb
+index fb08326..d4e74eb 100644
+--- a/activerecord/lib/active_record/relation/predicate_builder/array_handler.rb
++++ b/activerecord/lib/active_record/relation/predicate_builder/array_handler.rb
+@@ -14,7 +14,8 @@ def call(attribute, value)
+ it for 'IN' conditions.
+ MSG
+
+- values = values.flatten
++ flat_values = values.flatten
++ values = flat_values unless flat_values.include?(nil)
+ end
+
+ return attribute.in([]) if values.empty? && nils.empty?
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index eb87166..fec1224 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -5,7 +5,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 4.2.5.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -15,6 +15,13 @@ Source0: http://rubygems.org/downloads/activerecord-%{version}.gem
 # git checkout v4.2.5.2
 # tar czvf activerecord-4.2.5.2-tests.tgz test/
 Source1: activerecord-%{version}-tests.tgz
+# Fix argument error for instance_exec for Ruby 2.3 compatibility
+# https://github.com/rails/rails/commit/4be8e5d
+Patch0: rubygem-activerecord-4.2.6-fix-for-instance_exec.patch
+Patch1: rubygem-activerecord-4.2.6-fix-for-instance_exec-tests.patch
+# Fix CVE-2016-6317 unsafe query generation in Active Record
+# https://bugzilla.redhat.com/show_bug.cgi?id=1366479
+Patch2: rubygem-activerecord-4.2.7.1-CVE-2016-6317-unsafe-query.patch
 BuildRequires: rubygems-devel
 BuildRequires: rubygem(bcrypt)
 BuildRequires: rubygem(activesupport) = %{version}
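Review bot: The new guard `values = flat_values unless flat_values.include?(nil)` carries no comment explaining why a nested array is deliberately left unflattened when its flattened form contains nil, and nothing in the patch itself ties the line to CVE-2016-6317 (that link exists only in the spec comment). Explicit nils are partitioned out earlier in call and handled on their own path (the `nils.empty?` context line shows this), so a nil that only appears after flattening would bypass that handling — which, as far as can be inferred here, is the unsafe-query condition the fix targets. Suggest placing `# Keep the nested form when flattening would surface a nil: such a nil would bypass the nils handling above (CVE-2016-6317).` directly above the assignment so the next maintainer does not "simplify" it back to a plain flatten. The enclosing call method begins and ends outside the hunk.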
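Review bot: Patch2's comment cites only the Red Hat bug, whereas Patch0's comment also gives the upstream Rails commit, so the CVE backport cannot be traced to its upstream source from the spec alone; Patch1 has no comment at all. Suggest adding `# https://github.com/rails/rails/commit/<UPSTREAM_COMMIT_ID>` (placeholder — fill in the 4.2.7.1 commit the patch was extracted from) under the bugzilla line, and `# Test for Patch0 (same upstream commit); applied in %check once the test tarball is unpacked` above Patch1, since the later hunks show Patch1 being applied with a raw patch call in %check rather than in %prep.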
@@ -26,6 +33,7 @@ BuildRequires: rubygem(arel) >= 6.0.0 BuildRequires: rubygem(arel) < 7.0.0 BuildRequires: rubygem(minitest) BuildRequires: rubygem(rack) +BuildRequires: %{_bindir}/sqlite3 BuildArch: noarch %description @@ -49,6 +57,9 @@ gem unpack %{SOURCE0} gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec +%patch0 -p2 +%patch2 -p2 + %build gem build %{gem_name}.gemspec %gem_install @@ -63,21 +74,33 @@ pushd .%{gem_instdir} tar xzvf %{SOURCE1} +patch -p2 < %{PATCH1} + # load_path is not available, remove its require. sed -i '1,2d' test/cases/helper.rb # Fail with any test set -e -# 1 failure/bug -# public_send in combination with method_missing raises NameError instead of NoMethodError -# https://github.com/rails/rails/issues/19297 -# https://bugs.ruby-lang.org/issues/10969 -# -# There is one more or N failures when requiring the tests in the following order. -# Running them in complete isolation solves the problem but takes too much time. -# So accepting up to 5 failures. -ruby -I.:test:lib < - 1:4.2.5.2-2 +- Fix for CVE-2016-6317 (rhbz#1366479) +- Fix argument error for instance_exec for Ruby 2.3 compatibility +- Improve tests not to accept the failures + * Mon Mar 07 2016 Pavel Valena - 1:4.2.5.2-1 - Update to activerecord 4.2.5.2
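Review bot: The %prep hunk applies %patch0 and %patch2 but not Patch1, which the following %check hunk applies with a bare `patch -p2 < %{PATCH1}` after `tar xzvf %{SOURCE1}`; the reason — Patch1 touches the test tree, which presumably only exists after the tests tarball is unpacked — is not recorded anywhere, so someone may later add `%patch1 -p2` here where it would likely fail. A comment beside the %prep lines, `# Patch1 patches the test suite and is applied in %check after %{SOURCE1} is unpacked`, covers that. The raw patch call in %check also lacks the fuzz restriction the %patch macro applies on current rpm, so drifted context in the test file would be accepted silently; `patch -p2 --fuzz=0 < %{PATCH1}` under the already-active `set -e` keeps the build strict. The last hunk of this section is partly garbled in this view (the ruby heredoc and the changelog header are missing), so the %check body after the patch line cannot be reviewed here.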