activerecord/test/cases/serialized_attribute_test.rb · v6.1.7.1 · Rails relative code / rails-deleted-2

Apr 22, 2022

Change ActiveRecord::Coders::YAMLColumn default to safe_load · 8ce4bd1b

Zack authored Apr 22, 2022

In Psych >= 4.0.0, load defaults to safe_load. This commit
makes the ActiveRecord::Coders::YAMLColum class use Psych safe_load
as the Rails default.

This default is configurable via ActiveRecord::Base.use_yaml_unsafe_load

We conditionally fallback to the correct unsafe load if use_yaml_unsafe_load
is set to true. unsafe_load was introduced in Psych >= 4.0.0

The list of safe_load permitted classes is configurable via
ActiveRecord::Base.yaml_column_permitted_classes

[CVE-2022-32224]

8ce4bd1b

Change ActiveRecord::Coders::YAMLColumn default to safe_load

Zack authored Apr 22, 2022

In Psych >= 4.0.0, load defaults to safe_load. This commit
makes the ActiveRecord::Coders::YAMLColum class use Psych safe_load
as the Rails default.

This default is configurable via ActiveRecord::Base.use_yaml_unsafe_load

We conditionally fallback to the correct unsafe load if use_yaml_unsafe_load
is set to true. unsafe_load was introduced in Psych >= 4.0.0

The list of safe_load permitted classes is configurable via
ActiveRecord::Base.yaml_column_permitted_classes

[CVE-2022-32224]