Small Issue about The fixed rails version (6.0.5.1) of Serialized Columns in Active Record

Firstly, I want to thank Mr. Aaron Patterson for the topic: [CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record

But I accidentally found an issue when I use serialize :values, Array with the fixed version (6.0.5.1).

Use case: I got Psych::DisallowedClass: Tried to load unspecified class: Symbol when I serialize an array of hashes and each hash contains a Symbol as a key or a value.

It also raises the same error when I retrieve the persisted data in the DB (that I stored in the previous Rails version - 6.0.5).

At the moment, I have no idea how to solve this problem (sorry, because I’m just a Rails newbie). Thanks everyone!

I solved it by adding

config.active_record.yaml_column_permitted_classes = [Symbol]

in config/application.rb.

My Rails version is 6.1 though.


Thanks, brother! You won my heart :heart: :100:. It works and I’ll spend more time to test different kinds of data types.

Again, big thanks for your time :bowing_man: :bowing_man:


Later the Symbol type was added as a default one - Allow symbols in YAML columns by etiennebarrie · Pull Request #45584 · rails/rails · GitHub. Not sure if it’s going to be back-ported, but at least that means that manually adding Symbol to permitted classes is a correct solution.

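An added example, not part of the thread and not Rails' own code: it calls Psych.safe_load directly to reproduce the error from the first post and to list which classes stored column values would need before an allowlist is set. The row contents, the class name LegacyWidget and the helper names load_column and audit are assumptions made up for the illustration.

```ruby
require "yaml"

# Constructed sample values, shaped like what `serialize :values, Array` stores.
ROWS = {
  1 => "---\n- :name: alice\n  :role: :admin\n",    # symbol keys and a symbol value
  2 => "---\n- name: bob\n  role: user\n",          # plain strings only
  3 => "--- !ruby/object:LegacyWidget\nname: w1\n"  # hypothetical application class
}.freeze

# Hypothetical helper: load one stored value with an explicit allowlist.
def load_column(yaml, permitted)
  Psych.safe_load(yaml, permitted_classes: permitted)
end

# Hypothetical helper: report which class blocks which row ids.
# It only reports; it never widens the allowlist on its own.
def audit(rows, permitted)
  blocked = {}
  rows.each do |id, yaml|
    load_column(yaml, permitted)
  rescue Psych::DisallowedClass => e
    # Message format as quoted in the thread:
    # "Tried to load unspecified class: Symbol"
    klass = e.message[/unspecified class: (.+)\z/, 1]
    (blocked[klass] ||= []) << id
  end
  blocked
end

if __FILE__ == $PROGRAM_NAME
  puts "empty allowlist:  #{audit(ROWS, []).inspect}"
  puts "Symbol permitted: #{audit(ROWS, [Symbol]).inspect}"
  puts "row 1 loads as:   #{load_column(ROWS[1], [Symbol]).inspect}"
end
```

Permitting Symbol lets row 1 load while the tagged object in row 3 is still rejected, so the allowlist stays limited to the types the data actually needs.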