
Psych::DisallowedClass: Tried to load unspecified class: Symbol

Open seb-sykio opened this issue 1 year ago • 5 comments

I updated rails to 7.0.3.1 ([CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record)

now I have this issue:

```
Failure/Error: @casting.create_activity(key: "xxx", owner: current_user, parameters: { email_subject: 'xxx' })

 Psych::DisallowedClass:
   Tried to load unspecified class: Symbol
 # (eval):2:in `symbol'
 # .rvm/gems/ruby-3.1.2/gems/activerecord-7.0.3.1/lib/active_record/coders/yaml_column.rb:50:in `yaml_load'
```

seb-sykio avatar Jul 13 '22 09:07 seb-sykio

https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017

It is mentioned that you can allow specific classes with:

```ruby
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
```

Does that help?

davidwessman avatar Jul 13 '22 13:07 davidwessman

I have an app with both Symbol and HashWithIndifferentAccess, has anyone solved how to limit the dangerous behaviour without destroying old data?

davidwessman avatar Jul 13 '22 13:07 davidwessman

We realized the parameters column from the activities table is causing this problem as it was doing the serialization of the data. Our app uses Date, Time, ActiveSupport::TimeWithZone, ActiveSupport::TimeZone, ActiveSupport::HashWithIndifferentAccess, BigDecimal classes. We fixed the issue by adding them to config.active_record.yaml_column_permitted_classes in application.rb.

However, we are still concerned about this problem because some other classes also can cause this problem again.

pandu-cls avatar Jul 14 '22 08:07 pandu-cls

I am a bit worried about what data is accepted inside ActiveSupport::HashWithIndifferentAccess.

davidwessman avatar Jul 14 '22 09:07 davidwessman

The same data as in Hash, this is just a wrapper.

And regarding the fix in the second comment, yes this is the only way to do it - you have to whitelist explicitly. This breaks Rails apps even without public_activity.

pokonski avatar Jul 14 '22 17:07 pokonski
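Added example (not code from public_activity or Rails): it reproduces the error above at the Psych level, using the same `YAML.safe_load(..., permitted_classes:, aliases: true)` call that the Rails 7.0.3.1 YAML column coder makes, and shows how the `yaml_column_permitted_classes` allow-list resolves it. The `SAMPLE_PARAMETERS` hash is constructed; `required_classes` is a helper of my own for deriving the allow-list from stored payloads instead of discovering missing classes one failure at a time.

```ruby
require "yaml"
require "date"

# Constructed sample (hypothetical values): the kind of hash public_activity
# writes into the serialized activities.parameters column.
SAMPLE_PARAMETERS = {
  email_subject: "xxx",
  scheduled_on: Date.new(2022, 7, 13),
  sent_at: Time.utc(2022, 7, 13, 9, 7, 0)
}.freeze

# What the column coder does on write: plain YAML serialization.
def dump_parameters(hash)
  YAML.dump(hash)
end

# What Rails 7.0.3.1 does on read. Unrestricted YAML.load could instantiate
# any class named in the stored text (the CVE-2022-32224 issue); safe_load
# only builds basic types plus the classes in the allow-list, which is why
# Symbol, Date and Time now have to be listed explicitly.
def load_parameters(payload, permitted_classes: [])
  YAML.safe_load(payload, permitted_classes: permitted_classes, aliases: true)
end

# Name of the first class safe_load refuses for this payload, or nil when the
# payload loads cleanly under the given allow-list.
def first_disallowed_class(payload, permitted_classes: [])
  load_parameters(payload, permitted_classes: permitted_classes)
  nil
rescue Psych::DisallowedClass => e
  # Message format: "Tried to load unspecified class: Symbol"
  e.message[/unspecified class: (\S+)/, 1]
end

# Grow the allow-list until the payload round-trips, collecting every class
# a stored row needs. Run over real rows to decide what application.rb must
# permit; review each class name before adding it to the config.
def required_classes(payload)
  permitted = []
  while (missing = first_disallowed_class(payload, permitted_classes: permitted))
    permitted << Object.const_get(missing)
  end
  permitted
end

if __FILE__ == $PROGRAM_NAME
  payload = dump_parameters(SAMPLE_PARAMETERS)
  puts "first refused class: #{first_disallowed_class(payload)}"
  puts "allow-list needed:   #{required_classes(payload).inspect}"
end
```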