Upgrading to Ruby 3.1 causes a Psych::DisallowedClass exception when using YAML.load_file
When upgrading to Ruby 3.1, I am seeing the following sort of error message when using YAML.load_file some_file_name:
Psych::DisallowedClass:
Tried to load unspecified class: Matrix
Other load statements cause similar errors but cite different unspecified classes e.g. OpenStruct. It appears that the latest version of YAML only loads classes from a permitted white list, so it is necessary to use a permitted_class keyword to allow other classes. I have tried
hsh = YAML.load_file some_file_name, permitted_classes: [Matrix, OpenStruct]
but this gives the error
Psych::DisallowedClass:
Tried to load unspecified class: Symbol
How do I fix this?
Symbol is also not allowed per default when loading YAML in Ruby. Therefore, you need to add Symbol to the permitted_classes in your case too when reading the YAML file:
See the list of default permitted_classes in Psych (the YAML parser used by Ruby).
Or, when using in Ruby on Rails, you can configure globally in your config/application.rb what classes your Ruby on Rails application should allow as permitted classes when reading YAML files:
Note that for internal YAML parsing in Ruby on Rails, Symbol is already the default for active_record.yaml_column_permitted_classes.
The working solution is to add this line to config/application.rb
You can do the same with any class name, like
Had this on rails 6.1 upgrade. If you have no other choice, maybe this workaround will bring you some time (application.rb):
You can change the Rails configuration to use YAML/Psych's unsafe_load (see Mohamed's & crazywulf's answer). I needed to change this config without restarting the Rails app, so I did this:
Please mind, this is just a temporary fix for the current process. It will be gone as soon as you restart the server.
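As an added example (not taken from any answer on this page), here is one way to keep YAML loading on an explicit allow-list instead of switching to unsafe_load: inspect which Ruby class tags a file carries without building any objects, then load it with YAML.safe_load and report the rejected class by name. The Endpoint class, the Unreviewed::Thing tag, the PERMITTED list, the function names and both sample documents are constructed for illustration.

```ruby
require "yaml"
require "date"

# Hypothetical application class, defined only for this example.
class Endpoint
  attr_accessor :host, :port
end

# Reviewed allow-list (assumption: the app serializes only these types).
PERMITTED = [Symbol, Date, Endpoint].freeze

# Constructed sample documents.
TRUSTED_DOC = <<~DOC
  :env: production
  started: 2022-01-03
  origin: !ruby/object:Endpoint
    host: db.internal
    port: 5432
DOC
UNEXPECTED_DOC = <<~DOC
  :env: production
  helper: !ruby/object:Unreviewed::Thing
    name: x
DOC

# List explicit !ruby/ tags by walking the parsed AST. No objects are built,
# so this can be run on a file before deciding what to permit.
def ruby_tags(yaml)
  YAML.parse(yaml).map { |node| node.tag.to_s }
      .select { |tag| tag.start_with?("!ruby/") }.uniq
end

# Safe load against the allow-list; report the rejected class name rather
# than falling back to unsafe_load.
def load_reviewed(yaml, permitted: PERMITTED)
  [:ok, YAML.safe_load(yaml, permitted_classes: permitted)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message[/unspecified class: (\S+)/, 1]]
end

if __FILE__ == $PROGRAM_NAME
  p ruby_tags(UNEXPECTED_DOC)
  p load_reviewed(TRUSTED_DOC, permitted: [])
  p load_reviewed(UNEXPECTED_DOC)
  p load_reviewed(TRUSTED_DOC)
end
```

Implicit types such as Symbol and Date carry no tag in the file, so ruby_tags does not list them; they surface one at a time through the Psych::DisallowedClass message, as in the question.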
When using YAML.load_file directly, the config.yaml_column_permitted_classes is not used. That is only used when Rails loads YAML (config files, serialized YAML).
You can:
YAML.load_file(path, permitted_classes: [..]) like @spickermann has written, or:
YAML.unsafe_load_file (e.g. for test cases).
The “safe YAML” loading method does not allow all classes to be deserialized by default. This option allows you to specify classes deemed “safe” in your application. For example, if your application uses Symbol and Time in serialized data, you can add Symbol and Time to the allowed list.
Fixed by adding this to application.rb: