Psych::DisallowedClass: Tried to load unspecified class: Symbol
seb-sykio opened this issue · comments
I updated rails to 7.0.3.1 ([CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record), now I have this issue:
```
Failure/Error: @casting.create_activity(key: "xxx", owner: current_user, parameters: { email_subject: 'xxx' })
Psych::DisallowedClass:
Tried to load unspecified class: Symbol
# (eval):2:in `symbol'
# .rvm/gems/ruby-3.1.2/gems/activerecord-7.0.3.1/lib/active_record/coders/yaml_column.rb:50:in `yaml_load'
```
It is mentioned that you can allow specific classes with:
`config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]`
Does that help?
I have an app with both `Symbol` and `HashWithIndifferentAccess`, has anyone solved how to limit the dangerous behaviour without destroying old data?
We realized the `parameters` column from the `activities` table is causing this problem as it was doing the serialization of the data.
Our app uses `Date`, `Time`, `ActiveSupport::TimeWithZone`, `ActiveSupport::TimeZone`, `ActiveSupport::HashWithIndifferentAccess`, `BigDecimal` classes. We fixed the issue by adding them to `config.active_record.yaml_column_permitted_classes` in application.rb.
However, we are still concerned about this problem because some other classes also can cause this problem again.
I am a bit worried about what data is accepted inside `ActiveSupport::HashWithIndifferentAccess`.
The same data as in Hash, this is just a wrapper.
And regarding the fix in the second comment, yes this is the only way to do it - you have to whitelist explicitly. This breaks Rails apps even without public_activity.
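To make the explicit allow-listing concrete, and to address the worry above that yet another class in old rows will trip the loader, here is an added example (not code from this issue or from public_activity/Rails) that reproduces the error with `Psych.safe_load`, shows the permitted-classes fix, and audits a serialized value for the classes it needs. It assumes Ruby 2.6+ (keyword-argument `safe_load`) and uses a constructed sample column value rather than real app data.

```ruby
require 'yaml'
require 'date'

# Constructed sample: what public_activity would store in the `parameters`
# column for a Hash with Symbol keys and a Date value (not real app data).
SERIALIZED_PARAMETERS = { email_subject: 'xxx', sent_on: Date.new(2022, 7, 12) }.to_yaml

# Mirrors what ActiveRecord's YAML coder does since 7.0.3.1: the column is
# read back with Psych.safe_load and an explicit allow-list of classes.
# Returns the deserialized value, or the Psych::DisallowedClass error.
def load_column(yaml, permitted_classes: [])
  YAML.safe_load(yaml, permitted_classes: permitted_classes, aliases: true)
rescue Psych::DisallowedClass => e
  e
end

# Default (empty) allow-list: fails on the first non-core class, here Symbol.
def load_with_defaults
  load_column(SERIALIZED_PARAMETERS)
end

# Same allow-list you would put in config.active_record.yaml_column_permitted_classes.
def load_with_permitted
  load_column(SERIALIZED_PARAMETERS, permitted_classes: [Symbol, Date])
end

# Audit helper for existing rows: re-attempts the load, collecting each class
# Psych refuses, and returns their names in the order encountered. Run it over
# old data to build the allow-list from evidence; review the list by hand
# rather than feeding it straight into production config.
def classes_required(yaml)
  permitted = []
  loop do
    result = load_column(yaml, permitted_classes: permitted)
    return permitted.map(&:name) unless result.is_a?(Psych::DisallowedClass)

    name = result.message[/class: (\S+)/, 1]   # "Tried to load unspecified class: Symbol"
    permitted << Object.const_get(name)
  end
end
```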