Patch #41331
Gemfile patch: fix for handling (security related) ERB expressions in database.yml
Status: New
Priority: Normal
Assignee: -
Category: Ruby support
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Description
Redmine installations that use ERB expressions (like `<% %>`) in their database.yml file may encounter issues during parsing.
To address this, we've applied a patch to the Gemfile that ensures compatibility when handling files containing such special characters, thus preventing common errors.
This patch modifies the way the database.yml is processed, ignoring lines that contain ERB expressions.
This is particularly useful for installations where the database configuration might contain sensitive data managed via Rails' encrypted credentials or other mechanisms that use ERB.
Index: Gemfile
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/Gemfile b/Gemfile
--- a/Gemfile (revision 277728afc979a7123eef8d1a8ac54d74c235c5fc)
+++ b/Gemfile (date 1727590462090)
@@ -61,7 +61,7 @@
require 'yaml'
database_file = File.join(File.dirname(__FILE__), "config/database.yml")
if File.exist?(database_file)
- yaml_config = ERB.new(IO.read(database_file)).result
+ yaml_config = ERB.new(IO.readlines(database_file).reject { |line| line =~ /<%.*%>/ }.join).result
database_config = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml_config) : YAML.load(yaml_config)
adapters = database_config.values.filter_map {|c| c['adapter']}.uniq
if adapters.any?
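Review bot: The `reject { |line| line =~ /<%.*%>/ }` filter on the changed line drops every line that has an ERB tag opening and closing on it, so a key whose value is supplied through ERB (for example an `adapter:` line) is simply missing from `database_config`, and `adapters` can come out empty without any error being raised. The regex is applied per line, so a tag that opens on one line and closes on a later one is not matched and is still evaluated by the `ERB.new(...).result` call the patch keeps; dropping the `<% if %>` and `<% end %>` lines of a conditional would likewise leave both branches in the YAML. Since this code only reads `c['adapter']`, consider adding a comment stating that ERB-supplied values are ignored at this point and handling the case where no adapter can be determined explicitly. The unchanged `YAML.unsafe_load` on the following context line also deserves a second look given that the patch is framed as security related.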