Upgrading to Ruby 3.1 causes Psych::DisallowedClass exception when using YAML.load_file

Question

When upgrading to ruby 3.1, I am seeing the following sort error message when using YAML.load_file some_file_name

 Psych::DisallowedClass:
   Tried to load unspecified class: Matrix

Other load statements cause similar errors but cite different unspecified classes e.g. OpenStruct. It appears that the latest version of YAML only loads classes from a permitted white list, so it is necessary to use a permitted_class keyword to allow other classes. I have tried

hsh = YAML.load_file some_file_name, permitted_classes: [Matrix, OpenStruct]

but this gives the error

 Psych::DisallowedClass:
   Tried to load unspecified class: Symbol

how do I fix this?

spickermann · Accepted Answer · 2023-04-28T05:01:25.817

Symbol is also not allowed per default. Therefore, you need to add Symbol to the permitted_classes too when loading a file:

hash = YAML.load_file(
  some_file_name, 
  permitted_classes: [Matrix, OpenStruct, Symbol]
)

See the list of default permitted_classes in Psych.

Or, when using in Ruby on Rails, you can configure what classes Rails should permit globally when using YAML files in your config/application.rb:

config.active_record.yaml_column_permitted_classes += [Matrix, OpenStruct, Symbol]

Note that for internal YAML parsing in Ruby on Rails Symbol is already the default for active_record.yaml_column_permitted_classes.

score 38 · Answer 2 · answered Jul 14 '22 at 08:06

The working solution is to add this line to config/application.rb

config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess]

You can do the same with any class name, like

config.active_record.yaml_column_permitted_classes = [Symbol, Hash, Array, ActiveSupport::HashWithIndifferentAccess]

score 19 · Answer 3 · answered Jul 15 '22 at 08:46

19

Had this on rails 6.1 upgrade. If you have no other choice, maybe this workaround will bring you some time (application.rb):

config.active_record.use_yaml_unsafe_load = true

answered Jul 15 '22 at 08:46

crazywulf

213
2
5

1

Full details explaining the change, including other workarounds, are here: https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017 – subelsky Aug 16 '22 at 14:37
worked for me...24-09-2022 – Carlos Morales Sep 25 '22 at 03:36

score 0 · Answer 4 · answered Mar 09 '23 at 13:16

When using the YAML.load_file directly, the config.yaml_column_permitted_classes is not used. That is only used, when Rails loads YAML (config files, serialized YAML).

You can:

a.) either, pass the list of allowed classes to the YAML.load_file(path, permitted_classes: [..]) like @spickermann has written, or:
b.) You can switch to YAML.unsafe_load_file (e.g. for Test cases).

score 0 · Answer 5 · answered Mar 16 '23 at 10:26

0

The “safe YAML” loading method does not allow all classes to be deserialized by default. This option allows you to specify classes deemed “safe” in your application. For example, if your application uses Symbol and Time in serialized data, you can add Symbol and Time to the allowed list.

Fixed by adding this to application.rb:

config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]

answered Mar 16 '23 at 10:26

maricavor

188
2
10

I tried this, both in config/application.rb and each environment config and it didn't work for me. – huertanix Jul 30 '23 at 03:25

score 0 · Answer 6 · answered Mar 22 '23 at 10:26

You can change the Rails configuration to use YAML/Psych's unsafe_load (see Mohamed's & crazywulf's answer). I needed to change this config without restarting the Rails app, so I did this:

ActiveRecord.use_yaml_unsafe_load = true

Please mind, this is just a temporary fix for the current process. It will be gone as soon as you restart the server.

Upgrading to Ruby 3.1 causes Psych::DisallowedClass exception when using YAML.load_file

6 Answers6

Linked