Release of psych-4.0.0 breaks library with Date DisallowedClass #302

Closed
poloka opened this issue May 14, 2021 · 8 comments

Comments

@poloka

poloka commented May 14, 2021

Upon release of psych-4.0.0, receiving the following error from bundler-audit

Tried to load unspecified class: Date (Psych::DisallowedClass)

stack trace

> bundler-audit
Traceback (most recent call last):
	46: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/bin/ruby_executable_hooks:22:in `<main>'
	45: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/bin/ruby_executable_hooks:22:in `eval'
	44: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/bin/bundler-audit:23:in `<main>'
	43: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/bin/bundler-audit:23:in `load'
	42: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/bundler-audit-0.7.0.1/bin/bundler-audit:3:in `<top (required)>'
	41: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/bundler-audit-0.7.0.1/bin/bundler-audit:3:in `load'
	40: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/bundler-audit-0.7.0.1/bin/bundle-audit:10:in `<top (required)>'
	39: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'
	38: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'
	37: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'
	36: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'
	35: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/bundler-audit-0.7.0.1/lib/bundler/audit/cli.rb:44:in `check'
	34: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/bundler-audit-0.7.0.1/lib/bundler/audit/scanner.rb:75:in `scan'
	33: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/bundler-audit-0.7.0.1/lib/bundler/audit/scanner.rb:149:in `scan_specs'
	32: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/bundler-audit-0.7.0.1/lib/bundler/audit/scanner.rb:149:in `each'
	31: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/bundler-audit-0.7.0.1/lib/bundler/audit/scanner.rb:150:in `block in scan_specs'
	30: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/bundler-audit-0.7.0.1/lib/bundler/audit/database.rb:187:in `check_gem'
	29: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/bundler-audit-0.7.0.1/lib/bundler/audit/database.rb:163:in `advisories_for'
	28: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/bundler-audit-0.7.0.1/lib/bundler/audit/database.rb:252:in `each_advisory_path_for'
	27: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/bundler-audit-0.7.0.1/lib/bundler/audit/database.rb:252:in `glob'
	26: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/bundler-audit-0.7.0.1/lib/bundler/audit/database.rb:164:in `block in advisories_for'
	25: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/bundler-audit-0.7.0.1/lib/bundler/audit/advisory.rb:48:in `load'
	24: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych.rb:586:in `safe_load_file'
	23: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych.rb:586:in `open'
	22: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych.rb:587:in `block in safe_load_file'
	21: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych.rb:334:in `safe_load'
	20: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/to_ruby.rb:35:in `accept'
	19: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/visitor.rb:6:in `accept'
	18: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/visitor.rb:30:in `visit'
	17: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/to_ruby.rb:318:in `visit_Psych_Nodes_Document'
	16: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/to_ruby.rb:35:in `accept'
	15: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/visitor.rb:6:in `accept'
	14: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/visitor.rb:30:in `visit'
	13: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/to_ruby.rb:167:in `visit_Psych_Nodes_Mapping'
	12: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/to_ruby.rb:343:in `revive_hash'
	11: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/to_ruby.rb:343:in `each_slice'
	10: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/to_ruby.rb:343:in `each'
	 9: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/to_ruby.rb:345:in `block in revive_hash'
	 8: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/to_ruby.rb:35:in `accept'
	 7: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/visitor.rb:6:in `accept'
	 6: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/visitor.rb:30:in `visit'
	 5: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/to_ruby.rb:128:in `visit_Psych_Nodes_Scalar'
	 4: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/visitors/to_ruby.rb:65:in `deserialize'
	 3: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/scalar_scanner.rb:60:in `tokenize'
	 2: from (eval):2:in `date'
	 1: from /Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/class_loader.rb:28:in `load'
/Users/gh7199/.rvm/gems/ruby-2.6.6@orion_github_bot/gems/psych-4.0.0/lib/psych/class_loader.rb:99:in `find': Tried to load unspecified class: Date (Psych::DisallowedClass)
@poloka
Author

poloka commented May 14, 2021

Logged an issue to psych as well in case this is resolved by a change with their library. This issue will need to remain in case there is a needed change to the date format.
ruby/psych#489

@mvz

mvz commented May 22, 2021

I think this is fixed by a6f7e46. No, the code after that fix is still incompatible with Psych 4.

@alec-c4

alec-c4 commented Jul 1, 2021

hey, any news with this issue?

bkuhlmann added a commit to bkuhlmann/pennyworth that referenced this issue Aug 7, 2021
Necessary due to an
[issue](rubysec/bundler-audit#302) with
Bundler Audit and Psych 4.0.0. This might also mean having to remove
Bundler Audit completely or find alternatives since this is breaking
builds and local development entirely.
bkuhlmann added a commit to bkuhlmann/pennyworth that referenced this issue Aug 7, 2021
Necessary due to an
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
also mean having to find alternatives since this is breaking builds and
local development entirely.
bkuhlmann added a commit to bkuhlmann/pennyworth that referenced this issue Aug 7, 2021
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.
bkuhlmann added a commit to bkuhlmann/gemsmith that referenced this issue Aug 7, 2021
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.
bkuhlmann added a commit to bkuhlmann/auther that referenced this issue Aug 7, 2021
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.
bkuhlmann added a commit to bkuhlmann/benchmarks that referenced this issue Aug 7, 2021
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.
bkuhlmann added a commit to bkuhlmann/git-lint that referenced this issue Aug 7, 2021
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.
bkuhlmann added a commit to bkuhlmann/navigator that referenced this issue Aug 7, 2021
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.
bkuhlmann added a commit to bkuhlmann/prawn_plus that referenced this issue Aug 7, 2021
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.
bkuhlmann added a commit to bkuhlmann/refinements that referenced this issue Aug 7, 2021
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.
bkuhlmann added a commit to bkuhlmann/runcom that referenced this issue Aug 7, 2021
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.
bkuhlmann added a commit to bkuhlmann/sublime_text_kit that referenced this issue Aug 7, 2021
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.
bkuhlmann added a commit to bkuhlmann/test that referenced this issue Aug 7, 2021
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.
bkuhlmann added a commit to bkuhlmann/versionaire that referenced this issue Aug 7, 2021
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.
bkuhlmann added a commit to bkuhlmann/xdg that referenced this issue Aug 7, 2021
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.
bkuhlmann added a commit to bkuhlmann/milestoner that referenced this issue Aug 7, 2021
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.
bkuhlmann added a commit to bkuhlmann/pragmater that referenced this issue Aug 7, 2021
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.
bkuhlmann added a commit to bkuhlmann/tocer that referenced this issue Aug 7, 2021
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.
@dmolesUC

I'm getting this in CI when I try to run bundler-audit on ruby-head (3.1.0dev). Ruby 3 stable (3.0.2) doesn't have the problem. I'm not seeing Psych anywhere in my Gemfile.lock, so I assume it's part of the Ruby installation.

The Psych folks rejected @poloka's issue.

@postmodern
Member

@dmolesUC could you try testing against bundler-audit from git? I suspect a6f7e46 might fix this as it explicitly allows loading Date objects.

@postmodern
Member

Just updated the usage of YAML.safe_load to use the permitted_classes: keyword in 20e6b81. It appears that in Psych 4.0.0 they finally removed the legacy_permitted_classes positional argument.
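
The change postmodern describes, as an added example that is not bundler-audit's own code: a constructed advisory-shaped YAML document is loaded first with plain YAML.safe_load, which refuses the bare date scalar with Psych::DisallowedClass exactly as in the trace above, and then with the permitted_classes: [Date] keyword form. The document contents, the OpenStruct-tagged document and the method names are constructed for illustration; the Psych API calls are real.

```ruby
require "yaml"  # Psych
require "date"

# Constructed sample shaped like an advisory file: the bare ISO-8601 scalar
# on the "date" line is what Psych resolves to a Date rather than a String.
SAMPLE_ADVISORY = <<~YAML
  gem: example-gem
  title: Constructed sample advisory (not a real advisory)
  date: 2021-05-14
  patched_versions:
    - ">= 1.2.3"
YAML

# Before the fix: safe_load with the default allowlist (true/false, nil,
# Integer, Float, String, Array, Hash). Date is not on it, so Psych raises
# DisallowedClass; the method returns the message instead of raising so a
# caller can see exactly which class was refused.
def strict_load_error(yaml)
  YAML.safe_load(yaml)
  nil
rescue Psych::DisallowedClass => e
  e.message
end

# After the fix: grant exactly the one extra class the data needs, using the
# permitted_classes: keyword that Psych 4 requires (the positional
# legacy_permitted_classes form is gone). Everything else stays refused.
def load_advisory(yaml)
  YAML.safe_load(yaml, permitted_classes: [Date])
end

# Constructed document carrying an object tag that safe_load must refuse.
OBJECT_TAGGED_YAML = "--- !ruby/object:OpenStruct\ntable: {}\n"

# Widening the allowlist to Date does not reopen arbitrary object
# instantiation: a !ruby/object tag is still refused with DisallowedClass.
def refuses_object_tag?(yaml)
  load_advisory(yaml)
  false
rescue Psych::DisallowedClass
  true
end

if $PROGRAM_NAME == __FILE__
  puts "strict safe_load:   #{strict_load_error(SAMPLE_ADVISORY)}"
  puts "permitted Date:     #{load_advisory(SAMPLE_ADVISORY)['date'].inspect}"
  puts "object tag refused: #{refuses_object_tag?(OBJECT_TAGGED_YAML)}"
end
```

The allowlist is the narrowest grant that makes the advisory files parse: only Date is added, and the constructor-style tags that made unrestricted YAML.load a deserialization risk remain blocked.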

@postmodern postmodern self-assigned this Aug 19, 2021
@postmodern postmodern added the bug label Aug 19, 2021
@postmodern postmodern added this to the 0.9.0 milestone Aug 31, 2021
@postmodern
Member

postmodern commented Aug 31, 2021

Due to my tests bundling psych 4.x and bundler-audit from git, the 20e6b81 commit fixes this. Marking as closed and will be released in 0.9.0 today.

@postmodern
Member

bundler-audit-0.9.0 has been pushed to rubygems.org.

LewiGoddard pushed a commit to LewiGoddard/gemsmith that referenced this issue Jan 31, 2024
Necessary due to a
[bug](rubysec/bundler-audit#302) with Bundler
Audit and Psych 4.0.0. This is meant as a temporary removal but might
turn into a permanent removal if no good alternative can be found since
this is breaking builds and local development entirely.