
Drop soft enforcement of restricted YAML deserialization classes

Stan Hu requested to merge sh-drop-soft-enforcement-yaml-serialization into master

What does this MR do and why?

!92400 (merged) upgraded Rails to v6.1.6.1 and monkey patched Rails to allow soft enforcement of deserializing classes with YAML. Now that we have run for two weeks without any more classes showing up in the production logs, we should be able to drop this soft enforcement now and actively prevent a potential CVE.

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/367742

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu
