Reject non-Hash classes for hash-with-ivars tags

!ruby/hash-with-ivars, !ruby/hash and !map are only emitted for Hash
subclasses, but the loader allocated whatever class the tag named and
populated its ivars directly. That let a permitted non-Hash class be
instantiated with attacker-chosen ivars, bypassing its init_with
validation. Verify the resolved class is a Hash subclass before use.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: hsbt

lib/psych/visitors/to_ruby.rb

@@ -302,7 +302,7 @@ def visit_Psych_Nodes_Mapping o
           set
 
         when /^!ruby\/hash-with-ivars(?::(.*))?$/
-          hash = $1 ? resolve_class($1).allocate : {}
+          hash = $1 ? resolve_subclass($1, Hash).allocate : {}
           register o, hash
           o.children.each_slice(2) do |key, value|
             case key.value
@@ -317,7 +317,7 @@ def visit_Psych_Nodes_Mapping o
           hash
 
         when /^!map:(.*)$/, /^!ruby\/hash:(.*)$/
-          revive_hash register(o, resolve_class($1).allocate), o
+          revive_hash register(o, resolve_subclass($1, Hash).allocate), o
 
         when '!omap', 'tag:yaml.org,2002:omap'
           map = register(o, class_loader.psych_omap.new)
@@ -469,6 +469,19 @@ def init_with o, h, node
       def resolve_class klassname
         class_loader.load klassname
       end
+
+      # Resolve +klassname+ and ensure it is +parent+ or one of its
+      # subclasses. Tags such as !ruby/hash-with-ivars are only ever emitted
+      # for subclasses of a specific core class; without this check a crafted
+      # document could name an unrelated (but permitted) class and have its
+      # state populated directly, bypassing the class's own init_with.
+      def resolve_subclass klassname, parent
+        klass = resolve_class(klassname)
+        if klass && !(klass <= parent)
+          raise ArgumentError, "Invalid tag: expected a subclass of #{parent}, got #{klass}"
+        end
+        klass
+      end
     end
 
     class NoAliasRuby < ToRuby

test/psych/test_hash.rb

@@ -92,6 +92,31 @@ def test_map
       assert_equal X, x.class
     end
 
+    class NotAHash
+      def init_with(coder)
+        @string = coder.map["string"].to_s
+      end
+    end
+
+    def test_hash_with_ivars_rejects_non_hash_class
+      assert_raise(ArgumentError) do
+        Psych.unsafe_load <<~eoyml
+          --- !ruby/hash-with-ivars:#{NotAHash}
+          ivars:
+            '@string': ["a surprise array!"]
+        eoyml
+      end
+    end
+
+    def test_hash_tag_rejects_non_hash_class
+      assert_raise(ArgumentError) do
+        Psych.unsafe_load "--- !ruby/hash:#{NotAHash} {}\n"
+      end
+      assert_raise(ArgumentError) do
+        Psych.unsafe_load "--- !map:#{NotAHash} {}\n"
+      end
+    end
+
     def test_self_referential
       @hash['self'] = @hash
       assert_cycle(@hash)