Autoload Rails Models unless called from safe_load #19701

jrafanie · 2020-01-08T21:57:14Z

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1789153

Psych::ClassLoader::Restricted is the class_loader if you use safe_load and was
added in psych 2.0.0:
ruby/psych@2c644e1

Note, ruby 2.4.0 shipped with psych 2.2.2+. This class_loader would not work with ruby 2.3 and older.

From the BZ:

Steps to Reproduce:

bundle exec rails c
YAML.load("--- !ruby/object:PidFile {}\n")
exit console and do step 1 again
YAML.safe_load("--- !ruby/object:PidFile {}\n")

Actual results:

$ bundle exec rails c
...
irb(main):001:0> defined?(PidFile)
=> nil
irb(main):002:0> YAML.load("--- !ruby/object:PidFile {}\n")
=> #<PidFile:0x00007fd988e9b718>

$ bundle exec rails c
...
irb(main):001:0> defined?(PidFile)
=> nil
irb(main):002:0> YAML.safe_load("--- !ruby/object:PidFile {}\n")
=> #<PidFile:0x00007f9ba73d5a28>

This should have failed ^^^

Expected results:

$ bundle exec rails c
...
irb(main):001:0> defined?(PidFile)
=> nil
irb(main):002:0> YAML.load("--- !ruby/object:PidFile {}\n")
=> #<PidFile:0x00007f9d55bdd8b0>

$ bundle exec rails c
...
irb(main):001:0> defined?(PidFile)
=> nil
irb(main):002:0> YAML.safe_load("--- !ruby/object:PidFile {}\n")
Traceback (most recent call last):
       16: from railties (5.1.7) lib/rails/commands/console/console_command.rb:17:in `start'
        ...
        1: from /Users/joerafaniello/.rubies/ruby-2.6.5/lib/ruby/2.6.0/psych/class_loader.rb:97:in `find'
Psych::DisallowedClass (Tried to load unspecified class: PidFile)

This is what should be happening ^^^

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1789153 Psych::ClassLoader::Restricted is the class_loader if you use safe_load and was added in psych 2.0.0: ruby/psych@2c644e1 Note, ruby 2.4.0 shipped with psych 2.2.2+. This class_loader would not work with ruby 2.3 and older.

miq-bot · 2020-01-08T22:46:24Z

Checked commits jrafanie/manageiq@85adac0~...11a69b5 with ruby 2.5.5, rubocop 0.69.0, haml-lint 0.20.0, and yamllint 1.10.0
3 files checked, 3 offenses detected

spec/initializers/yaml_autoloader_spec.rb

❗ - Line 26, Col 17 - Security/YAMLLoad - Prefer using YAML.safe_load over YAML.load.

spec/lib/rbac/filterer_spec.rb

❗ - Line 2243, Col 20 - Security/YAMLLoad - Prefer using YAML.safe_load over YAML.load.
❗ - Line 2272, Col 20 - Security/YAMLLoad - Prefer using YAML.safe_load over YAML.load.

https://bugzilla.redhat.com/show_bug.cgi?id=1789153 Followup to ManageIQ/manageiq#19701 At the very least, we know MiqExpression objects are in the YAML but other custom classes could be in the YAML so we need to use YAML.load to return to the prior behavior.

https://bugzilla.redhat.com/show_bug.cgi?id=1789153 Followup to ManageIQ/manageiq#19701 We're trying to load MiqAeMethodService::MiqAeServiceService and ActiveSupport::HashWithIndifferentAccess in these places. The prior behavior in core was to treat YAML.safe_load like YAML.load so let's change these to .load for now. If we want to use safe_load, we'll need to enumerate all of the additional classes we want to allow to be loaded beyond the ruby basic types.

https://bugzilla.redhat.com/show_bug.cgi?id=1789153 Followup to ManageIQ/manageiq#19701 The prior behavior in core was to treat YAML.safe_load like YAML.load so let's change some of these to .load for now. We'll enumerate the list of classes where we can.

https://bugzilla.redhat.com/show_bug.cgi?id=1789153 Followup to ManageIQ/manageiq#19701 Seen when run locally or in travis output: ``` 472.50s$ bundle exec rake ** ManageIQ master, codename: Jansa [Coveralls] Set up the SimpleCov formatter. [Coveralls] Using SimpleCov's 'rails' settings. ** ManageIQ master, codename: Jansa /home/travis/build/ManageIQ/manageiq-automation_engine/vendor/bundle/gems/rspec-core-3.9.1/exe/rspec: No such file or directory - does /home/travis/build/ManageIQ/manageiq-automation_engine/vendor/bundle/gems/rspec-core-3.9.1/exe/rspec: No such file or directory - does Randomized with seed 8807 .... ```

https://bugzilla.redhat.com/show_bug.cgi?id=1789153 Followup to ManageIQ/manageiq#19701 The prior behavior in core was to treat YAML.safe_load like YAML.load so let's change some of these to .load for now. We'll enumerate the list of classes where we can.

https://bugzilla.redhat.com/show_bug.cgi?id=1789153 Followup to ManageIQ/manageiq#19701 Seen when run locally or in travis output: ``` 472.50s$ bundle exec rake ** ManageIQ master, codename: Jansa [Coveralls] Set up the SimpleCov formatter. [Coveralls] Using SimpleCov's 'rails' settings. ** ManageIQ master, codename: Jansa /home/travis/build/ManageIQ/manageiq-automation_engine/vendor/bundle/gems/rspec-core-3.9.1/exe/rspec: No such file or directory - does /home/travis/build/ManageIQ/manageiq-automation_engine/vendor/bundle/gems/rspec-core-3.9.1/exe/rspec: No such file or directory - does Randomized with seed 8807 .... ```

https://bugzilla.redhat.com/show_bug.cgi?id=1789153 Followup to ManageIQ/manageiq#19701 The prior behavior in core was to treat YAML.safe_load like YAML.load so let's change some of these to .load for now. We'll enumerate the list of classes where we can.

https://bugzilla.redhat.com/show_bug.cgi?id=1789153 Followup to ManageIQ/manageiq#19701 Seen when run locally or in travis output: ``` 472.50s$ bundle exec rake ** ManageIQ master, codename: Jansa [Coveralls] Set up the SimpleCov formatter. [Coveralls] Using SimpleCov's 'rails' settings. ** ManageIQ master, codename: Jansa /home/travis/build/ManageIQ/manageiq-automation_engine/vendor/bundle/gems/rspec-core-3.9.1/exe/rspec: No such file or directory - does /home/travis/build/ManageIQ/manageiq-automation_engine/vendor/bundle/gems/rspec-core-3.9.1/exe/rspec: No such file or directory - does Randomized with seed 8807 .... ```

jrafanie added bug core hammer/yes labels Jan 8, 2020

jrafanie requested a review from Fryguy January 8, 2020 21:57

jrafanie force-pushed the do_not_autoload_models_in_safe_load branch from 60a6372 to 85adac0 Compare January 8, 2020 22:37

Use YAML.load for loading autoloadable constants

11a69b5

Fryguy merged commit b91909c into ManageIQ:master Jan 9, 2020

Fryguy added this to the Sprint 128 Ending Jan 20, 2020 milestone Jan 9, 2020

Fryguy self-assigned this Jan 9, 2020

jrafanie deleted the do_not_autoload_models_in_safe_load branch January 9, 2020 15:17

jrafanie mentioned this pull request Jan 9, 2020

Use YAML.load to load classes beyond the basic types ManageIQ/manageiq-ui-classic#6596

Merged

jrafanie mentioned this pull request Jan 9, 2020

Use YAML.load to load classes beyond the basic types ManageIQ/manageiq-automation_engine#407

Merged

jrafanie mentioned this pull request Mar 27, 2020

Add kafka as an option for prototype.queue_type #19984

Merged

Fryguy added ivanchuk/yes? and removed ivanchuk/yes labels Nov 8, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Autoload Rails Models unless called from safe_load #19701

Autoload Rails Models unless called from safe_load #19701

jrafanie commented Jan 8, 2020

miq-bot commented Jan 8, 2020

Autoload Rails Models unless called from safe_load #19701

Autoload Rails Models unless called from safe_load #19701

Conversation

jrafanie commented Jan 8, 2020

miq-bot commented Jan 8, 2020