Rails 5.2.8.1 security patch breaking change: are you 'psych'ed?

Upgrading a Rails app to 5.2.8.1 and also upgrading ruby to 2.5.9 broke all the models with a serialized Hash.

The error that popped up (hundreds of times in our specs) was:

serialization and unknown keywords: permitted_classes, aliases

There are two distinct issues:

1. The ‘pysch’ gem is no longer implicitly added to the Gemfile.lock, so it must be explicitly added to your Gemfile.
2. Activerecord serialization now requires you to whitelist all the permitted classes of the keys in any serialized Hash.

Once identified the solution was simple:

1. Add ruby gem 'psych', '~> 3.3' to the Gemfile
2. Add the following to config/application.rb (your list of classes may vary):

    config.active_record.yaml_column_permitted_classes = 
    [ Symbol, String, Date, Time, 
      BigDecimal, ActiveSupport::HashWithIndifferentAccess ]
   

HOWEVER this can mean playing a frustrating game of “whack-a-mole” with your production app as you discover, one by one, via Psych::DisallowedClass (Tried to load unspecified class fatal errors, each ‘new’ class that you need to declare.

So HERE’S the tip no one tells you: If that seems tiresome, you can disable the new (more secure) yaml parser by using: config.active_record.use_yaml_unsafe_load = true (instead of using yaml_column_permitted_classes). Not generally recommended, but for a legacy app with lots of old serialized data it might be your best bet for production stability until you get around to switching the serialized columns over to JSON or JSONB.

IMHO the Rails team SHOULD have had an intermediate option such as “warn_on_unsafe_yaml_class” that allowed logging all the warnings for a week or two BEFORE implementing the stricter yaml_column_permitted_classes method.

I’m posting this here because it doesn’t seem to be discussed very widely. I googled the error a while before I eventually found one excellent blog by Witold Rugowski which described the issue and the solution: nhw.pl/wp/2023/08/18/rails-5-2-ruby-2-5-9-serialization-and-unknown-keywords-permitted_classes-aliases

It looks like this yaml serialization issue was addressed in 7.0.3.1, 6.1.6.1, 6.0.5.1, 5.2.8.1