
Security Update Rails (CVE-2022-32224)

Updating Rails with the security update for CVE-2022-32224, "Possible RCE escalation bug with Serialized Columns in Active Record", can cause trouble in Rails projects (I had several projects that had issues with this fix).
https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017

The main change is that Active Record's YAML coder now parses serialized columns with safe_load instead of an unrestricted load. Most classes are therefore no longer accepted by the deserializer.
Several classes that serialized data commonly depends on are no longer allowed unless they are added explicitly to the permitted list.

To support my Spree Commerce rails projects, I've had to add the following initializer.

# in an initializer under config/initializers/ (file name is your choice): extend Active Record's allow-list for YAML columns
ActiveRecord::Base.yaml_column_permitted_classes += [BigDecimal, Symbol]

Other projects required HashWithIndifferentAccess as well:

ActiveRecord::Base.yaml_column_permitted_classes += [ActiveSupport::HashWithIndifferentAccess]
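To see what the fix changes in practice, and to find out which classes your existing rows actually need before extending the allow-list, here is an added example (not code from the original post or from Rails). It uses plain Psych, the same YAML library Active Record calls: `load_serialized` mirrors the post-fix behaviour (safe_load with an explicit allow-list), and `required_classes` is a hypothetical audit helper that repeatedly parses a stored YAML document, collecting each class Psych refuses, so you can add exactly those classes and nothing more. The sample document is constructed inline with YAML.dump so it matches the local Psych version.

```ruby
require "yaml"
require "bigdecimal"

# Constructed sample: the kind of YAML a Rails `serialize` column stores
# (symbol keys, a symbol value and a BigDecimal, as in a shop order).
SAMPLE_YAML = YAML.dump({ status: :paid, total: BigDecimal("19.99"), note: "hello" })

# Mirrors Active Record's YAML coder after the CVE-2022-32224 fix:
# safe_load with an explicit allow-list instead of the unrestricted load.
# Anything not in permitted_classes raises Psych::DisallowedClass.
def load_serialized(yaml, permitted_classes: [])
  YAML.safe_load(yaml, permitted_classes: permitted_classes, aliases: true)
end

# Hypothetical audit helper: discover which classes a stored YAML document needs.
# Each round safe_loads with the classes found so far and records the next class
# Psych refuses, until the document parses. Run this over existing rows before
# touching yaml_column_permitted_classes so the allow-list stays minimal.
def required_classes(yaml, max_rounds: 20)
  found = []
  max_rounds.times do
    begin
      load_serialized(yaml, permitted_classes: found)
      return found
    rescue Psych::DisallowedClass => e
      # Psych's message reads "Tried to load unspecified class: BigDecimal"
      name = e.message[/class: (\S+)/, 1]
      raise "could not parse class name from: #{e.message}" unless name
      found << Object.const_get(name)
    end
  end
  raise "gave up after #{max_rounds} rounds"
end

if __FILE__ == $0
  begin
    load_serialized(SAMPLE_YAML)
  rescue Psych::DisallowedClass => e
    puts "default allow-list rejects the row: #{e.message}"
  end
  needed = required_classes(SAMPLE_YAML)
  puts "classes this row needs: #{needed.inspect}"
  puts load_serialized(SAMPLE_YAML, permitted_classes: needed).inspect
end
```

The helper reports the classes in the order Psych encounters them; for the constructed sample that is Symbol (hash keys) and then BigDecimal. Only the classes it reports need to go into the initializer, which keeps the deserializer's attack surface as small as the data allows.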

Please try to keep the list of permitted classes as short as possible; every class you add widens what YAML stored in the database is allowed to instantiate.
I personally prefer to use JSON for new projects, because it's simple and clean.