public-activity / public_activity

Easy activity tracking for models - similar to Github's Public Activity

Home Page:https://github.com/pokonski/public_activity

Psych::DisallowedClass: Tried to load unspecified class: Symbol

seb-sykio opened this issue · comments

I updated Rails to 7.0.3.1 ([CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record).

Now I have this issue:

```
Failure/Error: @casting.create_activity(key: "xxx", owner: current_user, parameters: { email_subject: 'xxx' })

 Psych::DisallowedClass:
   Tried to load unspecified class: Symbol
 # (eval):2:in `symbol'
 # .rvm/gems/ruby-3.1.2/gems/activerecord-7.0.3.1/lib/active_record/coders/yaml_column.rb:50:in `yaml_load'
```

https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017

It is mentioned that you can allow specific classes with:

```ruby
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
```

Does that help?

I have an app with both Symbol and HashWithIndifferentAccess. Has anyone solved how to limit the dangerous behaviour without destroying old data?

We realized the parameters column from the activities table is causing this problem as it was doing the serialization of the data.
Our app uses Date, Time, ActiveSupport::TimeWithZone, ActiveSupport::TimeZone, ActiveSupport::HashWithIndifferentAccess, BigDecimal classes. We fixed the issue by adding them to config.active_record.yaml_column_permitted_classes in application.rb.

However, we are still concerned about this problem because some other classes also can cause this problem again.

I am a bit worried about what data is accepted inside ActiveSupport::HashWithIndifferentAccess.

The same data as in Hash, this is just a wrapper.

And regarding the fix in the second comment, yes this is the only way to do it - you have to whitelist explicitly. This breaks Rails apps even without public_activity.
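The following is an added example, not code from public_activity or from anyone in this thread. It reproduces the failure outside Rails with plain Psych, shows the allowlist fix that the `yaml_column_permitted_classes` suggestion and the second comment describe, and adds the check the "without destroying old data" question asks for: iterating over existing serialized `parameters` values and deriving the minimal set of classes they need. Assumptions: the sample hash and rows are constructed here, `load_column` stands in for what Rails does with a serialized column (a `Psych.safe_load` restricted to the configured classes), and the helper names are hypothetical.

```ruby
# Added example (not part of the public_activity project or this issue):
# reproduce Psych::DisallowedClass on a serialized column value and derive
# an explicit allowlist from existing stored rows instead of guessing one.
require "yaml"
require "date"

# Constructed sample of what a public_activity `parameters` column may hold:
# the hash from the issue plus two of the classes listed in the thread.
PARAMS = {
  email_subject: "xxx",
  sent_on: Date.new(2022, 7, 12),
  at: Time.utc(2022, 7, 12, 9, 30)
}
SERIALIZED = YAML.dump(PARAMS)

# Stand-in for loading a serialized column after the CVE-2022-32224 fix:
# a restricted load that only accepts the explicitly permitted classes.
def load_column(yaml, permitted_classes: [])
  YAML.safe_load(yaml, permitted_classes: permitted_classes, aliases: true)
end

# Returns the class name Psych refused, or nil when the blob loads cleanly.
def disallowed_class(yaml, permitted_classes: [])
  load_column(yaml, permitted_classes: permitted_classes)
  nil
rescue Psych::DisallowedClass => e
  # Message format: "Tried to load unspecified class: Symbol"
  e.message[/unspecified class: (.+)\z/, 1]
end

# Discover every class one stored value needs: permit the single class Psych
# complained about, retry, and stop when the blob loads. The result is the
# minimal allowlist for that row, so nothing is permitted that the data
# does not actually contain.
def required_classes(yaml)
  permitted = []
  while (name = disallowed_class(yaml, permitted_classes: permitted))
    # A repeat of an already-permitted name would mean no progress; bail out.
    raise "no progress on #{name}" if permitted.include?(name)
    permitted << name
  end
  permitted
end

# Union over all rows: the value to configure in
# config.active_record.yaml_column_permitted_classes so old data keeps loading
# while everything else stays refused.
def audit_allowlist(rows)
  rows.flat_map { |yaml| required_classes(yaml) }.uniq.sort
end

if __FILE__ == $0
  puts "default restricted load refuses: #{disallowed_class(SERIALIZED).inspect}"
  allow = audit_allowlist([SERIALIZED, YAML.dump({ "note" => "plain" })])
  puts "allowlist derived from the rows: #{allow.inspect}"
  p load_column(SERIALIZED, permitted_classes: allow)
end
```

Running the audit over the real table (for example by streaming the raw `parameters` strings with `pluck`) yields the exact list to put in `application.rb`; anything not in that list, including arbitrary `!ruby/object` tags, stays rejected, which is the point of the allowlist.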