
Broken serialization with latest Rails security patch

Open kiskoza opened this issue 2 years ago • 3 comments

Steps to reproduce

A new security patch came out for Rails which changes how YAML serialized columns work. See details here.

  1. Check out the repo
  2. bundle install (make sure you don't have a previous Gemfile.lock and it chooses 6.0.5.1)
  3. rake

Expected behavior

It should work as before - all tests pass.

Actual behavior

It had 126 failing specs due to Psych::DisallowedClass: Tried to load unspecified class: Symbol

System configuration

activity_notification gem version: latest master commit, e56faea7f555be861711da3cc3cf927897e0131a
Rails version: 6.0.5.1
ORM (ActiveRecord, Mongoid or Dynamoid): ActiveRecord

kiskoza avatar Jul 13 '22 09:07 kiskoza

@kiskoza This was due to an upstream Rails bug with the last security patch, they were supposed to allow Symbol by default but didn't. It's since been patched. https://github.com/rails/rails/commit/05ae3faaf3779d53935ab983b75f2dc7c6dfb7fa

supairish avatar Jul 15 '22 00:07 supairish

If you check my associated PR, you can see that not just Symbol was missing from the list; I had to add a few other classes as well. Let's wait for a new Rails release, of course, then I'm going to revisit this issue (and the PR) and update them accordingly.

kiskoza avatar Jul 15 '22 07:07 kiskoza

FYI Subscription#optional_targets is failing too because it serializes ActiveSupport::TimeZone

markedmondson avatar Jul 25 '22 22:07 markedmondson
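To make the failure mode discussed in this thread concrete, here is an added example (not code from activity_notification or from anyone in the thread) that runs Psych's safe-load check directly, the way the patched ActiveRecord YAML coder does, against a constructed serialized value. The `load_column` helper, the `SAMPLE` data and the use of `Time` as the second non-basic class are choices made for this example; the thread itself names Symbol and ActiveSupport::TimeZone.

```ruby
require "yaml"

# Simplified stand-in for how a patched ActiveRecord YAML column deserializes:
# Psych.safe_load only accepts a fixed set of basic types (String, Integer,
# Float, Array, Hash, true/false/nil) unless further classes are permitted.
# Returns the loaded object, or the name of the class Psych refused, so the
# caller can see exactly which class still has to be allowed.
def load_column(yaml, permitted_classes: [])
  YAML.safe_load(yaml, permitted_classes: permitted_classes, aliases: true)
rescue Psych::DisallowedClass => e
  # Message has the form "Tried to load unspecified class: Symbol"
  e.message.split(": ").last
end

# Constructed sample: a serialized column holding a hash with a symbol value
# and a timestamp, the shape that breaks under the 6.0.5.1 patch.
SAMPLE = YAML.dump({ "target" => :email,
                     "sent_at" => Time.utc(2022, 7, 13, 9, 7) })

# Patched default: Symbol is not permitted, so loading the row fails.
def default_result
  load_column(SAMPLE)                                    # => "Symbol"
end

# Permitting only Symbol moves the failure to the next non-basic class.
def symbol_only_result
  load_column(SAMPLE, permitted_classes: [Symbol])       # => "Time"
end

# Permit every class the column actually stores and the record round-trips.
# In a Rails app the corresponding setting is
#   config.active_record.yaml_column_permitted_classes =
#     [Symbol, Time, ActiveSupport::TimeZone]
# (list taken from what this thread reports as missing).
def fixed_result
  load_column(SAMPLE, permitted_classes: [Symbol, Time])
end

if $PROGRAM_NAME == __FILE__
  puts "default:     #{default_result.inspect}"
  puts "symbol only: #{symbol_only_result.inspect}"
  puts "fixed:       #{fixed_result.inspect}"
end
```

Running the block prints which class Psych rejects at each step, which is the quickest way to build the permitted list for an existing table rather than guessing.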