From production.log:

Started POST "/users/sign_in" for _MY_IP_ at 2022-07-19 16:51:42 +0300
Processing by SessionsController#create as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]", "user"=>{"login"=>"USER", "password"=>"[FILTERED]", "remember_me"=>"1"}}
Completed 500 Internal Server Error in 239ms (ActiveRecord: 48.4ms | Elasticsearch: 0.0ms | Allocations: 34231)

Psych::DisallowedClass (Tried to load unspecified class: Symbol):

(eval):2:in `symbol'
app/models/audit_event.rb:60:in `initialize_details'
app/services/audit_event_service.rb:124:in `log_security_event_to_database'
app/services/audit_event_service.rb:53:in `security_event'
app/controllers/sessions_controller.rb:283:in `log_audit_event'
app/controllers/sessions_controller.rb:83:in `block in create'
app/controllers/sessions_controller.rb:68:in `create'
app/controllers/application_controller.rb:527:in `set_current_admin'
lib/gitlab/session.rb:11:in `with_session'
app/controllers/application_controller.rb:518:in `set_session_storage'
lib/gitlab/i18n.rb:105:in `with_locale'
lib/gitlab/i18n.rb:111:in `with_user_locale'
app/controllers/application_controller.rb:512:in `set_locale'
app/controllers/application_controller.rb:506:in `set_current_context'
lib/gitlab/middleware/memory_report.rb:13:in `call'
lib/gitlab/middleware/speedscope.rb:13:in `call'
lib/gitlab/database/load_balancing/rack_middleware.rb:23:in `call'
lib/gitlab/jira/middleware.rb:19:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:21:in `call'
lib/gitlab/middleware/query_analyzer.rb:11:in `block in call'
lib/gitlab/database/query_analyzer.rb:37:in `within'
lib/gitlab/middleware/query_analyzer.rb:11:in `call'
lib/gitlab/middleware/multipart.rb:173:in `call'
lib/gitlab/middleware/read_only/controller.rb:50:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/same_site_cookies.rb:27:in `call'
lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'
lib/gitlab/middleware/request_context.rb:21:in `call'
lib/gitlab/middleware/webhook_recursion_detection.rb:15:in `call'
config/initializers/fix_local_cache_middleware.rb:11:in `call'
lib/gitlab/middleware/compressed_json.rb:26:in `call'
lib/gitlab/middleware/rack_multipart_tempfile_factory.rb:19:in `call'
lib/gitlab/middleware/sidekiq_web_static.rb:20:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:77:in `call'
lib/gitlab/middleware/release_env.rb:13:in `call'

Was updated:

redis-7.0.2 -> redis-7.0.4
rubygem-aws-partitions-1.605.0 -> rubygem-aws-partitions-1.607.0
rubygem-bundler-2.3.17,1 -> rubygem-bundler-2.3.18,1
rubygem-dry-core-0.7.1 -> rubygem-dry-core-0.8.0
rubygem-fog-google-1.18.0_1 -> rubygem-fog-google-1.19.0
rubygem-fog-openstack-1.0.11 -> rubygem-fog-openstack-1.1.0
rubygem-github-linguist-7.21.0_2 -> rubygem-github-linguist-7.22.0
rubygem-i18n-1.11.0,2 -> rubygem-i18n-1.12.0,2
rubygem-mustermann-1.1.1 -> rubygem-mustermann-1.1.2
rubygem-oauth2-2.0.5 -> rubygem-oauth2-2.0.6
rubygem-rack-protection-2.2.0 -> rubygem-rack-protection-2.2.1
rubygem-rails61-6.1.6
rubygem-activemodel61-6.1.6
rubygem-activesupport61-6.1.6
rubygem-activesupport61-6.1.6.1
rubygem-activemodel61-6.1.6.1
rubygem-activerecord61-6.1.6
rubygem-activerecord61-6.1.6.1
rubygem-actionview61-6.1.6
rubygem-actionview61-6.1.6.1
rubygem-activejob61-6.1.6
rubygem-activejob61-6.1.6.1
rubygem-actionmailbox61-6.1.6
rubygem-activestorage61-6.1.6
rubygem-actionpack61-6.1.6
rubygem-actionpack61-6.1.6.1
rubygem-activestorage61-6.1.6.1
rubygem-actionmailbox61-6.1.6.1
rubygem-actionmailer61-6.1.6
rubygem-actionmailer61-6.1.6.1
rubygem-actiontext61-6.1.6
rubygem-actiontext61-6.1.6.1
rubygem-actioncable61-6.1.6
rubygem-actioncable61-6.1.6.1
rubygem-railties61-6.1.6
rubygem-rails61-6.1.6.1
rubygem-activemodel60-6.0.5
rubygem-activesupport60-6.0.5
rubygem-activesupport60-6.0.5.1
rubygem-activemodel60-6.0.5.1
rubygem-activerecord60-6.0.5
rubygem-activerecord60-6.0.5.1
Have you followed the steps described here? https://gitlab.fechner.net/mfechner/Gitlab-docu/-/blob/master/update/freebsd_patch_versions.md If not, if you follow these steps, does it solve your problem?
(In reply to Matthias Fechner from comment #1) After commit "security update to 15.1.2" (https://cgit.freebsd.org/ports/commit/www/gitlab-ce?id=61e677748877875d05008c1a76111e6fef95c39f) of course yes. But I can try one more time. BTW, yesterday I removed and reinstalled all gems (558), but it didn't help: pkg delete -yfg 'rubygem-*' && portmaster gitaly gitlab-ce
I can reproduce it (in a virtual machine with an existing snapshot). Must be related to a commit that was done as you mentioned. I will look into it, but this is maybe something that has to be fixed upstream.
Could be related to this: https://github.com/rails/rails/blob/6-1-stable/activerecord/CHANGELOG.md @sunpoet
(In reply to Matthias Fechner from comment #4) Yes, looks like this. Yesterday I searched by the keywords "Psych::DisallowedClass (Tried to load unspecified class: Symbol):" and found an issue (in a random project) with the keywords "YAML safe_load".
(In reply to VVD from comment #2) >> https://gitlab.fechner.net/mfechner/Gitlab-docu/-/blob/master/update/freebsd_patch_versions.md > But I can try one more time. Did this and nothing changed. :-(
https://github.com/rails/rails/issues/45585
In the meantime you can use the following commit from ports, that is working here: git checkout 3d0af791687599d4e65403bdbd97faee5c5f572e We need to wait till @sunpoet adds a patch or a new version of activerecord is released.
(In reply to Matthias Fechner from comment #8) The upstream patch https://github.com/Shopify/rails/commit/05fdb3edfd0abe9b7e99f6b1fbb518e791a5c3ec didn't help me. But I manually edited the file /usr/local/lib/ruby/gems/3.0/gems/activerecord-6.1.6.1/lib/active_record/store.rb.
Obligatory "Me too!!!!" post. I just finished a fresh/brand-new install using the 15.1 instructions (https://gitlab.fechner.net/mfechner/Gitlab-docu/-/blob/master/install/15.1-freebsd.md), so I wanted to add that it's not just an issue after an existing system upgrade; it also happens on a brand-new install. I also manually added the patch mentioned in the threads and get the same result; it did not correct the problem... I still get a 500 error immediately after logging in.
And another "me too" :) I noticed only because I was trying to sign in from a new computer, while Gitlab was working perfectly from my usual laptop, where I am permanently signed in - well, *was* signed in, because I wanted to test it, and now I'm locked out from my Gitlab.
(In reply to Laurent Daverio from comment #11) I was a bit smarter - I opened a new private window in the browser! :-o In the main browser I can still work with it. :-D
(In reply to VVD from comment #12) Ah yes, that's clever :) I often like to "burn my bridges", but that isn't always the best move...
Me too. I resolved this problem by adding "config.active_record.use_yaml_unsafe_load = true" or "config.active_record.yaml_column_permitted_classes = [Symbol]" in config/application.rb. However, it may be vulnerable to CVE-2022-3224.
[[[
--- ./config/application.rb.orig	2022-07-05 19:24:01.000000000 +0900
+++ ./config/application.rb	2022-07-24 10:16:14.019979000 +0900
@@ -234,6 +234,9 @@ module Gitlab
     config.active_record.collection_cache_versioning = false
     config.active_record.has_many_inversing = false
     config.active_record.belongs_to_required_by_default = false
+    # Rails 6.1.6.1 incompatible changes for CVE-2022-3224
+    # config.active_record.use_yaml_unsafe_load = true
+    config.active_record.yaml_column_permitted_classes = [Symbol]
 
     # Enable the asset pipeline
     config.assets.enabled = true
]]]
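Review bot: the commented-out alternative `# config.active_record.use_yaml_unsafe_load = true` in the hunk should be dropped rather than left as a one-character toggle: switching it on makes ActiveRecord deserialize every serialized column with an unrestricted YAML load again, which is the exposure the comment above it names, so only the `config.active_record.yaml_column_permitted_classes = [Symbol]` line belongs in the patch. Two smaller points on the same hunk: the CVE identifier in the added comment is incomplete (the author corrects it to CVE-2022-32224 in a later reply), and `[Symbol]` is a minimal allowlist that will fail again with the same `Psych::DisallowedClass` error as soon as a serialized column holds another class; extend the array with the specific classes the stored data contains instead of falling back to unsafe load.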
Thank you Yasuhito-san, the workaround fixes the problem for me, awesome! :)
(In reply to Laurent Daverio from comment #15) You're welcome :) By the way, I found I wrote incorrect CVE number in comment #14. In #14, %s/CVE-2022-3224/CVE-2022-32224/g, of course.
(In reply to Laurent Daverio from comment #15) Another me too, and the workaround lets me log in again with LDAP. Thanks!
(In reply to ruben from comment #17) The curious thing there is that the official "Omnibus" distribution (Linux) doesn't suffer from this problem, not sure why. Maybe they are linked to an older version of Rails? The downside for us (FreeBSD) is that Gitlab will have no incentive to fix it, because it doesn't exist in the official distribution...
(In reply to Laurent Daverio from comment #18) The update for Rails 6.1.6.1 was committed upstream, on the master branch, on 25 July 2022. https://gitlab.com/gitlab-org/gitlab/-/commit/c10bfb87583a8a750d88f582d2655b86935cf0a5 As far as I saw in this change, "[Symbol]" is not enough for the permitted classes. (Please see the change to config/application.rb: https://gitlab.com/gitlab-org/gitlab/-/commit/c10bfb87583a8a750d88f582d2655b86935cf0a5#7ff7049c1c8745b54f0a9ef78996f60b38f36268)
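The point made above, that an allowlist of `[Symbol]` is only enough until a serialized column holds some other class, can be reproduced outside GitLab. The following is an added Ruby example, not code from GitLab, Rails or anyone in this thread. It uses only Psych's `YAML.safe_load` with `permitted_classes`, which is what Rails 6.1.6.1 applies to serialized columns unless `use_yaml_unsafe_load` is set. The sample hashes, the `safe_yaml_load` and `required_permitted_classes` helpers, and the idea of deriving the allowlist from a corpus of stored values are all constructed for illustration; the classes GitLab actually needs are the ones in the linked upstream commit, not the ones this example discovers.

```ruby
require 'yaml'

# Added example, not GitLab or Rails code. It reproduces the failure from the
# production.log above (Psych::DisallowedClass on Symbol) and shows how to
# derive the allowlist that config.active_record.yaml_column_permitted_classes
# needs, instead of reaching for use_yaml_unsafe_load = true.

# Constructed sample: a Hash with Symbol keys, dumped the way a Rails
# `serialize`/`store` text column stores it. Not real GitLab audit-event data.
AUDIT_DETAILS = { author_name: 'alice', ip_address: '192.0.2.10', with: 'standard' }.freeze
SERIALIZED_DETAILS = YAML.dump(AUDIT_DETAILS).freeze

# Second constructed value that also embeds a Time, to show that the allowlist
# must name every class present in the stored data, not just Symbol.
SERIALIZED_WITH_TIME = YAML.dump(
  { created_at: Time.utc(2022, 7, 19, 13, 51, 42), entity_type: 'User' }
).freeze

# Restricted load, as Rails 6.1.6.1 does for serialized columns by default.
# Returns [:ok, value] or [:disallowed, "ClassName"] instead of raising.
def safe_yaml_load(yaml, permitted_classes: [])
  [:ok, YAML.safe_load(yaml, permitted_classes: permitted_classes, aliases: false)]
rescue Psych::DisallowedClass => e
  # Psych's message reads "Tried to load unspecified class: Symbol"
  [:disallowed, e.message[/class: (\S+)\z/, 1]]
end

# Derive the minimal allowlist for a corpus of serialized column values by
# retrying each load and permitting exactly the class Psych rejected.
# Only classes that really occur in the data are ever instantiated by the
# loader, which is the property use_yaml_unsafe_load = true gives up.
def required_permitted_classes(yaml_values)
  permitted = []
  yaml_values.each do |yaml|
    loop do
      status, class_name = safe_yaml_load(yaml, permitted_classes: permitted)
      break if status == :ok
      klass = Object.const_get(class_name)
      raise "loader keeps rejecting #{klass}" if permitted.include?(klass)
      permitted << klass
    end
  end
  permitted
end

if __FILE__ == $PROGRAM_NAME
  p safe_yaml_load(SERIALIZED_DETAILS)                              # => [:disallowed, "Symbol"]
  p safe_yaml_load(SERIALIZED_DETAILS, permitted_classes: [Symbol]) # => [:ok, {...}]
  p required_permitted_classes([SERIALIZED_DETAILS, SERIALIZED_WITH_TIME])
  # => [Symbol, Time]
end
```

Run against the constructed values, the first load fails exactly as the sign-in did (Symbol rejected), the second succeeds once Symbol is permitted, and the corpus scan reports `[Symbol, Time]` because the second value stores a Time. On a real instance the same scan over the actual serialized columns is how to check whether a patched allowlist is complete before relying on it, and it never needs the unsafe loader to do so.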
Note: Yasuhito's patch applies to Gitlab 5.1.4, too (just tested)
Created attachment 235571: patch for support Rails v6.1.6.1. It seems that the change to support Rails v6.1.6.1 has not been backported to gitlab-ce yet, on either the 15-1-stable or the 15-2-stable branch. Perhaps it will be backported just before the next feature release. For those who can't wait for it, like us, here is a patch brought over from the https://gitlab.com/gitlab-org/gitlab/ master branch.
(In reply to Yasuhito FUTATSUKI from comment #21) Your patch works fine for me, I haven't come across the need to fix other types of objects yet. Thank you :) Now, the next most annoying bug is the one about commitGraph, not sure what causes it, but luckily there's a half-satisfactory workaround for it.
This patch works for me too.
(In reply to Yasuhito FUTATSUKI from comment #21) Thanks, I will include this patch into the 15.2.2 release which I currently test.
(In reply to Matthias Fechner from comment #25) I've been applying Yasuhito's patch manually after each upgrade, it always works for me. Lifesaver :)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ea7afbecaab1f910ce1b7cbb776cfcf04ef387bb

commit ea7afbecaab1f910ce1b7cbb776cfcf04ef387bb
Author:     Yasuhito FUTATSUKI <freebsd-bug-report-yf@yf.bsdclub.org>
AuthorDate: 2022-08-18 20:59:45 +0000
Commit:     Matthias Fechner <mfechner@FreeBSD.org>
CommitDate: 2022-08-24 04:22:27 +0000

    www/gitlab-ce: whitelist classes to fix problem related to rails 6.1.6.1

    PR:		265314

 .../files/patch-config_application.rb (new) | 28 ++++++++++++++++++++++
 1 file changed, 28 insertions(+)
Committed, thanks a lot for this nice preparation!
A commit in branch 2022Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b08aac2a1e4bf2cb9aa49b8e406950f8471c868a

commit b08aac2a1e4bf2cb9aa49b8e406950f8471c868a
Author:     Yasuhito FUTATSUKI <freebsd-bug-report-yf@yf.bsdclub.org>
AuthorDate: 2022-08-18 20:59:45 +0000
Commit:     Matthias Fechner <mfechner@FreeBSD.org>
CommitDate: 2022-08-25 13:20:20 +0000

    www/gitlab-ce: whitelist classes to fix problem related to rails 6.1.6.1

    PR:		265314

    (cherry picked from commit ea7afbecaab1f910ce1b7cbb776cfcf04ef387bb)

 .../files/patch-config_application.rb (new) | 28 ++++++++++++++++++++++
 1 file changed, 28 insertions(+)