-
Godfrey Chan authored
* * * This bug can be triggered when serializing record R (the instance) of type C (the class), provided that the following conditions are met: 1. The name of one or more columns/attributes on C/R matches an existing private method on C (e.g. those defined by `Kernel`, such as `format`). 2. The attribute methods have not yet been generated on C. In this case, the matching private methods will be called by the serialization code (with no arguments) and their return values will be serialized instead. If the method requires one or more arguments, it will result in an `ArgumentError`. This regression is introduced in d1316bb1. * * * Attribute methods (e.g. `#name` and `#format`, assuming the class has columns named `name` and `format` in its database table) are lazily defined. Instead of defining them when a the class is defined (e.g. in the `inherited` hook on `ActiveRecord::Base`), this operation is deferred until they are first accessed. The reason behind this is that is defining those methods requires knowing what columns are defined on the database table, which usually requires a round-trip to the database. Deferring their definition until the last-possible moment helps reducing unnessary work, especially in development mode where classes are redefined and throw away between requests. Typically, when an attribute is first accessed (e.g. `a_book.format`), it will fire the `method_missing` hook on the class, which triggers the definition of the attribute methods. This even works for methods like `format`, because calling a private method with an explicit receiver will also trigger that hook. Unfortunately, `read_attribute_for_serialization` is simply an alias to `send`, which does not respect method visibility. As a result, when serializing a record with those conflicting attributes, the `method_missing` is not fired, and as a result the attribute methods are not defined one would expected. Before d1316bb1, this is negated by the fact that calling the `run_callbacks` method will also trigger a call to `respond_to?`, which is another trigger point for the class to define its attribute methods. Therefore, when Active Record tries to run the `after_find` callbacks, it will also define all the attribute methods thus masking the problem. * * * The proper fix for this problem is probably to restrict `read_attribute_for_serialization` to call public methods only (i.e. alias `read_attribute_for_serialization` to `public_send` instead of `send`). This however would be quite risky to change in a patch release and would probably require a full deprecation cycle. Another approach would be to override `read_attribute_for_serialization` inside Active Record to force the definition of attribute methods: def read_attribute_for_serialization(attribute) self.class.define_attribute_methods send(attribute) end Unfortunately, this is quite likely going to cause a performance degradation. This patch therefore restores the behaviour from the 4-0-stable branch by explicitly forcing the class to define its attribute methods in a similar spot (when records are initialized). This should not cause any extra roundtrips to the database because the `@columns` should already be cached on the class. Fixes #15188.
Godfrey Chan authored* * * This bug can be triggered when serializing record R (the instance) of type C (the class), provided that the following conditions are met: 1. The name of one or more columns/attributes on C/R matches an existing private method on C (e.g. those defined by `Kernel`, such as `format`). 2. The attribute methods have not yet been generated on C. In this case, the matching private methods will be called by the serialization code (with no arguments) and their return values will be serialized instead. If the method requires one or more arguments, it will result in an `ArgumentError`. This regression is introduced in d1316bb1. * * * Attribute methods (e.g. `#name` and `#format`, assuming the class has columns named `name` and `format` in its database table) are lazily defined. Instead of defining them when a the class is defined (e.g. in the `inherited` hook on `ActiveRecord::Base`), this operation is deferred until they are first accessed. The reason behind this is that is defining those methods requires knowing what columns are defined on the database table, which usually requires a round-trip to the database. Deferring their definition until the last-possible moment helps reducing unnessary work, especially in development mode where classes are redefined and throw away between requests. Typically, when an attribute is first accessed (e.g. `a_book.format`), it will fire the `method_missing` hook on the class, which triggers the definition of the attribute methods. This even works for methods like `format`, because calling a private method with an explicit receiver will also trigger that hook. Unfortunately, `read_attribute_for_serialization` is simply an alias to `send`, which does not respect method visibility. As a result, when serializing a record with those conflicting attributes, the `method_missing` is not fired, and as a result the attribute methods are not defined one would expected. Before d1316bb1, this is negated by the fact that calling the `run_callbacks` method will also trigger a call to `respond_to?`, which is another trigger point for the class to define its attribute methods. Therefore, when Active Record tries to run the `after_find` callbacks, it will also define all the attribute methods thus masking the problem. * * * The proper fix for this problem is probably to restrict `read_attribute_for_serialization` to call public methods only (i.e. alias `read_attribute_for_serialization` to `public_send` instead of `send`). This however would be quite risky to change in a patch release and would probably require a full deprecation cycle. Another approach would be to override `read_attribute_for_serialization` inside Active Record to force the definition of attribute methods: def read_attribute_for_serialization(attribute) self.class.define_attribute_methods send(attribute) end Unfortunately, this is quite likely going to cause a performance degradation. This patch therefore restores the behaviour from the 4-0-stable branch by explicitly forcing the class to define its attribute methods in a similar spot (when records are initialized). This should not cause any extra roundtrips to the database because the `@columns` should already be cached on the class. Fixes #15188.
Loading