activerecord/test/cases/serialization_test.rb · c593a7436a1ae3c99a7cc87bbcb7f7973550493e · Rails relative code / rails-deleted-2

Apr 22, 2022

611990f1

Change ActiveRecord::Coders::YAMLColumn default to safe_load · 611990f1

Zack Deveau authored Apr 22, 2022

In Psych >= 4.0.0, load defaults to safe_load. This commit
makes the ActiveRecord::Coders::YAMLColum class use Psych safe_load
as the Rails default.

This default is configurable via ActiveRecord.use_yaml_unsafe_load

We conditionally fallback to the correct unsafe load if use_yaml_unsafe_load
is set to true. unsafe_load was introduced in Psych 4.0.0

The list of safe_load permitted classes is configurable via
ActiveRecord.yaml_column_permitted_classes

[CVE-2022-32224]

611990f1

Change ActiveRecord::Coders::YAMLColumn default to safe_load

Zack Deveau authored Apr 22, 2022

In Psych >= 4.0.0, load defaults to safe_load. This commit
makes the ActiveRecord::Coders::YAMLColum class use Psych safe_load
as the Rails default.

This default is configurable via ActiveRecord.use_yaml_unsafe_load

We conditionally fallback to the correct unsafe load if use_yaml_unsafe_load
is set to true. unsafe_load was introduced in Psych 4.0.0

The list of safe_load permitted classes is configurable via
ActiveRecord.yaml_column_permitted_classes

[CVE-2022-32224]