
Ensure YAML safe loading in Rails 6.1 #1399

Closed
wants to merge 1 commit into from

Commits on Aug 26, 2022

  1. Ensure YAML safe loading in Rails 6.1

    As part of the fix for CVE-2022-32224 Rails introduced safe YAML loading
    and the `ActiveRecord.yaml_column_permitted_classes` config.
    
    PaperTrail added support for respecting the new configuration here
    paper-trail-gem#1397
    
    The CVE-2022-32224 fix was also backported to Rails versions 5.2.8.1,
    6.0.5.1, and 6.1.6.1; however, the name of the configuration is slightly
    different from that in Rails 7.x.
    
        7.0.3.1 ActiveRecord.yaml_column_permitted_classes
        6.1.6.1 ActiveRecord::Base.yaml_column_permitted_classes
        6.0.5.1 ActiveRecord::Base.yaml_column_permitted_classes
        5.2.8.1 ActiveRecord::Base.yaml_column_permitted_classes
    
    PaperTrail currently doesn't support this alternative configuration
    naming, which means it will silently fall back to unsafe YAML loading.
    
    This commit updates `PaperTrail::Serializers::YAML` to be compatible
    with safe YAML loading for the Rails 5.2 / 6.0 / 6.1 branches.
    Tim Connor committed Aug 26, 2022
    Commit 520cf4d
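The version-dependent lookup the commit message describes, as an added illustration that is not PaperTrail's or Rails' own code: the `ActiveRecord` module below is a constructed stand-in exposing only the 5.2/6.0/6.1-style setting, and `SafeYamlSerializer` resolves whichever location exists and always uses `YAML.safe_load`, so a missing setting narrows the permitted classes instead of degrading to unsafe loading.

```ruby
require "yaml"

# Constructed stand-in for the configuration locations named in the commit
# message (not the real ActiveRecord). Only the ActiveRecord::Base form used
# by Rails 5.2.8.1 / 6.0.5.1 / 6.1.6.1 is defined here; the Rails 7.x
# module-level form is absent so the fallback path is exercised.
module ActiveRecord
  class Base
    class << self
      attr_accessor :yaml_column_permitted_classes
    end
    self.yaml_column_permitted_classes = [Symbol, Time]
  end
end

module SafeYamlSerializer
  # Prefer the Rails 7.x location, then the backported 5.2/6.0/6.1 location.
  # If neither exists, permit nothing extra rather than loading unsafely.
  def self.permitted_classes
    if ActiveRecord.respond_to?(:yaml_column_permitted_classes)
      ActiveRecord.yaml_column_permitted_classes
    elsif ActiveRecord::Base.respond_to?(:yaml_column_permitted_classes)
      ActiveRecord::Base.yaml_column_permitted_classes
    else
      []
    end
  end

  # Always safe_load: a document tagged with a class outside the permitted
  # list raises Psych::DisallowedClass instead of instantiating it.
  def self.load(string)
    YAML.safe_load(string, permitted_classes: permitted_classes, aliases: true)
  end

  def self.dump(object)
    YAML.dump(object)
  end

  # Convenience wrapper: :rejected when the document is refused, else the data.
  def self.load_or_reject(string)
    load(string)
  rescue Psych::DisallowedClass
    :rejected
  end
end

# Constructed sample documents: one using only permitted classes, one tagged
# with a class that is not on the list.
PERMITTED_DOC  = "---\n:status: :ok\nat: 2022-08-26 10:00:00 Z\n"
DISALLOWED_DOC = "--- !ruby/object:Object {}\n"
```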