Hyrax should upgrade the versions of Ruby on Rails and Blacklight it supports.
All versions of Rails are affected by a remote code execution bug, CVE-2022-32224, affecting serialized YAML. There are no workarounds; Rails expects everyone to upgrade to safe versions: 7.0.3.1, 6.1.6.1, 6.0.5.1, or 5.2.8.1. These new versions of Rails appear to have caught the community off guard, and frequently require other code changes to successfully upgrade.
Hyrax does not call `serialize` itself, but Blacklight does. Blacklight version 7.28.0 supports the Rails versions above.
Community feedback to the Rails team has led to new tickets and pull requests to make this upgrade easier, and the consensus from the Hyrax Working Group and Tech calls this week is to wait a little while for the dust to settle before implementing this upgrade. The current versions of Ruby on Rails and Blacklight may not be the best to target for this work.
cc: @mcritchlow: is there any useful info you can share from our local approach on Surfliner?
What we experienced largely aligns with what @rotated8 noted. Essentially nearly all our calls that flagged/caused errors either in tests and/or the application itself stemmed from Blacklight. A "wait a little while" approach might be wise, as we ended up setting the configuration flag:
config.active_record.use_yaml_unsafe_load = true
which is probably equivalent to just not upgrading at all. This was also a way of moving on without spending too much time on it while on a Sprint (and we did create issues in the backlog to circle back and address this properly).
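To make concrete what the `use_yaml_unsafe_load` flag trades away, here is an added example (not code from Hyrax, Blacklight, Rails or any commenter) that reproduces the two loading modes with plain Psych. The safe mode mirrors what the patched Rails versions do for `serialize` columns: only an explicit list of classes may be instantiated, so a column containing a tagged Ruby object is rejected. The permitted list `[Symbol]`, the helper names and the `SomeAppClass` tag are assumptions for illustration; the YAML strings are constructed sample column values.

```ruby
require 'yaml'

# Constructed sample column values. The first is what Rails' `serialize`
# writes for an ordinary Hash with Symbol keys; the second is a YAML document
# tagged with an arbitrary Ruby class (placeholder name), which is the shape
# of input CVE-2022-32224 is about.
BENIGN_COLUMN = { name: "report", count: 3 }.to_yaml
TAGGED_COLUMN = "--- !ruby/object:SomeAppClass\nattr: value\n"

# Assumed to mirror the default permitted list for serialized columns in the
# patched Rails releases (configurable there via yaml_column_permitted_classes).
DEFAULT_PERMITTED = [Symbol].freeze

# Load a serialized column either the patched way (safe_load with an allow
# list) or the way `config.active_record.use_yaml_unsafe_load = true` does
# (full YAML load, instantiating whatever class the document names).
def load_column(yaml, unsafe_load: false, permitted_classes: DEFAULT_PERMITTED)
  if unsafe_load
    # Psych >= 3.3.2 exposes unsafe_load; older Psych's YAML.load is already unsafe.
    Psych.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
  else
    YAML.safe_load(yaml, permitted_classes: permitted_classes)
  end
end

# Dry-run a column value against the allow list and report whether the
# patched loader would accept it. Returns :allowed, or [:blocked, message]
# naming the class that safe_load refused to instantiate.
def audit_column(yaml, permitted_classes: DEFAULT_PERMITTED)
  load_column(yaml, permitted_classes: permitted_classes)
  :allowed
rescue Psych::DisallowedClass => e
  [:blocked, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p load_column(BENIGN_COLUMN)               # the Hash round-trips under safe_load
  p audit_column(BENIGN_COLUMN)              # :allowed
  p audit_column(BENIGN_COLUMN, permitted_classes: [])  # blocked: Symbol not permitted
  p audit_column(TAGGED_COLUMN)              # blocked: SomeAppClass not permitted
end
```

Running `audit_column` over existing serialized column values before flipping the flag back off is a cheap way to find which classes a deployment actually needs in `yaml_column_permitted_classes`, instead of leaving unsafe loading enabled indefinitely.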
From @cjcolvar: "For those on Rails 5.2 and want to upgrade to 5.2.8.1 due to the RCE vulnerability, there is now Blacklight 6.25.0 which is compatible." Not sure if this helps with Hyrax 4 using Blacklight 7, but maybe useful for earlier Hyrax versions.
This was resolved by Blacklight updates 7.28.0 and 6.25.0.