From 2f0c42a13d23a03284b4cdc2fc0e087fb0630330 Mon Sep 17 00:00:00 2001
From: Chris Hanks
Date: Thu, 1 Jun 2017 11:35:55 -0400
Subject: [PATCH 1/2] Disable create_additions when parsing JSON from the DB.

---
 CHANGELOG.md | 4 ++++
 lib/que/adapters/base.rb | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2929ff8f..47487cd6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+### Unreleased
+
+* Fix security vulnerability in parsing JSON from the DB (by specifying create_additions: false). This shouldn't be a concern unless you were passing untrusted user input in your job arguments. (hmac)
+
 ### 0.11.6 (2016-07-01)
 
 * Fix for operating in nested transactions in Rails 5.0. (#160) (greysteil)
diff --git a/lib/que/adapters/base.rb b/lib/que/adapters/base.rb
index 222f6efa..f2705dda 100644
--- a/lib/que/adapters/base.rb
+++ b/lib/que/adapters/base.rb
@@ -102,7 +102,7 @@ def execute_prepared(name, params)
 CAST_PROCS[1184] = Time.method(:parse)
 
 # JSON.
-CAST_PROCS[114] = JSON_MODULE.method(:load)
+CAST_PROCS[114] = -> (value) { JSON_MODULE.load(value, create_additions: false) }
 
 # Boolean:
 CAST_PROCS[16] = 't'.method(:==)
From c10d4457531648b217ee19c9ea7e7f1030a5ec67 Mon Sep 17 00:00:00 2001
From: Harry Maclean
Date: Thu, 1 Jun 2017 17:19:57 +0100
Subject: [PATCH 2/2] Bump version to 0.11.7

---
 CHANGELOG.md | 2 +-
 lib/que/version.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 47487cd6..7661e4d7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,4 @@
-### Unreleased
+### 0.11.7 (2017-06-01)
 
 * Fix security vulnerability in parsing JSON from the DB (by specifying create_additions: false). This shouldn't be a concern unless you were passing untrusted user input in your job arguments. (hmac)
 
diff --git a/lib/que/version.rb b/lib/que/version.rb
index 8006c0a2..4cf87a79 100644
--- a/lib/que/version.rb
+++ b/lib/que/version.rb
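Review bot: The `create_additions: false` option on the added CAST_PROCS[114] line may never reach the parser, because `JSON.load`'s signature is `load(source, proc = nil, options = {})` and Ruby binds a trailing keyword hash to the first unfilled optional positional, i.e. to `proc`, which leaves `options` empty and `create_additions` at `JSON.load`'s default of true; this is worth confirming against the json gem version the project actually pins. The direct fix is to address the options slot explicitly, `CAST_PROCS[114] = -> (value) { JSON_MODULE.load(value, nil, create_additions: false) }`, or to switch to `JSON_MODULE.parse(value, create_additions: false)`, keeping in mind that `parse` raises on nil or empty input where `load` returns nil, so whichever nil handling the callers rely on must be preserved. A regression test that runs a document containing a `json_class` key through the cast proc and asserts the result is a plain Hash would make the fix verifiable rather than assumed. The enclosing class, and the `execute_prepared` method named in the hunk header, begin and end outside the hunk.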
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Que
- Version = '0.11.6'
+ Version = '0.11.7'
 end