Add two more classes allowed for YAML deserialization

The soft enforcement of the Rails 6.1.6.1 security update in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92400 picked up two more classes that were serialized in the database with YAML: 1. `Gitlab::Color`: This is used when a label is stored with an issue event in the `web_hook_logs` table (https://gitlab.com/gitlab-org/gitlab/-/issues/368844). 2. `BigDecimal`: This is used for storing x/y coordinates for image diff notes (https://gitlab.com/gitlab-org/gitlab/issues/368846). Changelog: fixed

Add two more classes allowed for YAML deserialization
10667b34 · Stan Hu · eb752ced · 10667b34
--- a/config/application.rb
+++ b/config/application.rb
@@ -535,6 +535,7 @@ class Application < Rails::Application
    config.after_initialize do
      config.active_record.yaml_column_permitted_classes = [
        Symbol, Date, Time,
+        BigDecimal, # https://gitlab.com/gitlab-org/gitlab/issues/368846
        Gitlab::Diff::Position,
        # Used in:
        # app/models/concerns/diff_positionable_note.rb
@@ -545,7 +546,8 @@ class Application < Rails::Application
        ActiveModel::Attribute.const_get(:FromDatabase, false), # https://gitlab.com/gitlab-org/gitlab/-/issues/368072
        # Used in app/services/web_hooks/log_execution_service.rb: log_execution
        ActiveSupport::TimeWithZone,
-        ActiveSupport::TimeZone
+        ActiveSupport::TimeZone,
+        Gitlab::Color # https://gitlab.com/gitlab-org/gitlab/-/issues/368844
      ]
      # on_master_start yields immediately in unclustered environments and runs