Fix ruby-master test suite (Psych 4.0.0) #42257
Conversation
casperisfine
force-pushed
the
psych-4-fixes
branch
from
2c98d66 to
3e9b41c
Compare
casperisfine
force-pushed
the
psych-4-fixes
branch
from
3e9b41c to
b78be90
Compare
casperisfine
force-pushed
the
psych-4-fixes
branch
3 times, most recently
from
5b2618e to
4d47ca5
Compare
|
Ok, |
casperisfine
force-pushed
the
psych-4-fixes
branch
from
4d47ca5 to
1bb0fa4
Compare
Ruby master ships with Psych 4.0.0 which makes `YAML.load` defaults to safe mode (ruby/psych#487). However since these YAML files are trustworthy sources we can parse them with `unsafe_load`.
casperisfine
force-pushed
the
psych-4-fixes
branch
from
1bb0fa4 to
1e56b1d
Compare
|
I added CHANGELOG entries for Active Record and Railties as the two main documented APIs that are impacted are I'll also backport this to the 6-1-stable branch. |
|
@casperisfine Any chance this to be backported to 6-0-stable? |
|
Sure. |
|
Hum, actually did you try? As far as I can tell it was backported and released as part of |
|
Yeah, it was backported to We can fix this in our side by adding explicit |
|
Ah sorry 🤦 I misread 6-0-stable as 6-1-stable, my bad. Let me ask around because I think 6.0 only receive security fixes now, so I don't think I'm supposed to do that. |
|
@byroot Yeah, I was looking for that info too and We'll handle it on our side, thanks for the quick response! |
Since I am not sure when, pwstore just completely fails to start in
Debian bookworm:
anarcat@curie:tor-passwords$ ~/src/pwstore/pws update-keyring
Unknown alias: weasel
It turns out this is a failure of the YAML module to load our
configuration file because of aliases:
irb(main):004:0> YAML::load_file("/home/anarcat/.pws.yaml")
/usr/lib/ruby/3.1.0/psych/visitors/to_ruby.rb:430:in `visit_Psych_Nodes_Alias': Unknown alias: weasel (Psych::BadAlias)
The fix seems to be to enable aliases, which is what this project has
done:
sidekiq/sidekiq#5140
Rails seems to have switched to unsafe load, which seems like a bad
idea:
rails/rails#42257
Since I am not sure when, pwstore just completely fails to start in
Debian bookworm:
anarcat@curie:tor-passwords$ ~/src/pwstore/pws update-keyring
Unknown alias: weasel
It turns out this is a failure of the YAML module to load our
configuration file because of aliases:
irb(main):004:0> YAML::load_file("/home/anarcat/.pws.yaml")
/usr/lib/ruby/3.1.0/psych/visitors/to_ruby.rb:430:in `visit_Psych_Nodes_Alias': Unknown alias: weasel (Psych::BadAlias)
The fix seems to be to enable aliases, which is what this project has
done:
sidekiq/sidekiq#5140
Rails seems to have switched to unsafe load, which seems like a bad
idea:
rails/rails#42257
Ruby master ships with Psych 4.0.0 which makes
YAML.loaddefault to safe mode (ruby/psych#487)So a bunch of places where we parse YAML configuration and schema caches are broken.
Ultimately I think we can consider that configuration files are trustworthy, so we can parse them with
unsafe_load.A slightly trickier case is YAML serialized payloads in database columns. It could be a good idea to be stricter here, but for backward compatibility reasons there no alternatives to using
unsafe_load.