fix: annotaterb (#173)

* fix: annotaterb

* fix: ensure Hash values are accessed with indifferent access in SerializedValueCoder

Also include missing annotaterb options

.annotaterb.yml

@@ -0,0 +1,45 @@
+additional_file_patterns: []
+routes: false
+models: true
+position_in_routes: before
+position_in_class: before
+position_in_test: before
+position_in_fixture: before
+position_in_factory: before
+position_in_serializer: before
+show_foreign_keys: true
+show_complete_foreign_keys: false
+show_indexes: true
+simple_indexes: false
+model_dir:
+  - app/models
+  - enterprise/app/models
+root_dir: ''
+include_version: false
+require: ''
+exclude_tests: true
+exclude_fixtures: true
+exclude_factories: true
+exclude_serializers: true
+exclude_scaffolds: true
+exclude_controllers: true
+exclude_helpers: true
+exclude_sti_subclasses: false
+ignore_model_sub_dir: false
+ignore_columns: null
+ignore_routes: null
+ignore_unknown_models: false
+hide_limit_column_types: integer,bigint,boolean
+hide_default_column_types: json,jsonb,hstore
+skip_on_db_migrate: false
+format_bare: true
+format_rdoc: false
+format_markdown: false
+sort: false
+force: false
+frozen: false
+classified_sort: true
+trace: false
+wrapper_open: null
+wrapper_close: null
+with_comment: true

app/models/installation_config.rb

@@ -15,11 +15,31 @@
 #  index_installation_configs_on_name_and_created_at  (name,created_at) UNIQUE
 #
 class InstallationConfig < ApplicationRecord
-  # https://stackoverflow.com/questions/72970170/upgrading-to-rails-6-1-6-1-causes-psychdisallowedclass-tried-to-load-unspecif
+  # The serialized_value column is jsonb but contains YAML strings (legacy data).
-  # https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
+  # We need a custom coder that handles both YAML strings and native JSON objects.
-  # FIX ME : fixes breakage of installation config. we need to migrate.
+  class SerializedValueCoder # rubocop:disable Style/OneClassPerFile
-  # Fix configuration in application.rb
+    def self.dump(value)
-  serialize :serialized_value, coder: YAML, type: ActiveSupport::HashWithIndifferentAccess
+      return value.with_indifferent_access if value.is_a?(Hash)
+
+      { value: value }.with_indifferent_access
+    end
+
+    def self.load(value)
+      return {}.with_indifferent_access if value.blank?
+
+      # Handle YAML strings stored in jsonb column (legacy data)
+      if value.is_a?(String)
+        YAML.safe_load(value, permitted_classes: [ActiveSupport::HashWithIndifferentAccess, Symbol])
+            .with_indifferent_access
+      elsif value.is_a?(Hash)
+        value.with_indifferent_access
+      else
+        {}.with_indifferent_access
+      end
+    end
+  end
+
+  serialize :serialized_value, coder: SerializedValueCoder
 
   before_validation :set_lock
   validates :name, presence: true

lib/tasks/auto_annotate_models.rake

@@ -4,58 +4,6 @@
 if Rails.env.development?
   require 'annotate_rb'
 
+  # Configuration is in .annotaterb.yml
   AnnotateRb::Core.load_rake_tasks
-
-  task :set_annotation_options do
-    # You can override any of these by setting an environment variable of the
-    # same name.
-    AnnotateRb::Options.set_defaults(
-      'additional_file_patterns' => [],
-      'routes' => 'false',
-      'models' => 'true',
-      'position_in_routes' => 'before',
-      'position_in_class' => 'before',
-      'position_in_test' => 'before',
-      'position_in_fixture' => 'before',
-      'position_in_factory' => 'before',
-      'position_in_serializer' => 'before',
-      'show_foreign_keys' => 'true',
-      'show_complete_foreign_keys' => 'false',
-      'show_indexes' => 'true',
-      'simple_indexes' => 'false',
-      'model_dir' => [
-        'app/models',
-        'enterprise/app/models',
-      ],
-      'root_dir' => '',
-      'include_version' => 'false',
-      'require' => '',
-      'exclude_tests' => 'true',
-      'exclude_fixtures' => 'true',
-      'exclude_factories' => 'true',
-      'exclude_serializers' => 'true',
-      'exclude_scaffolds' => 'true',
-      'exclude_controllers' => 'true',
-      'exclude_helpers' => 'true',
-      'exclude_sti_subclasses' => 'false',
-      'ignore_model_sub_dir' => 'false',
-      'ignore_columns' => nil,
-      'ignore_routes' => nil,
-      'ignore_unknown_models' => 'false',
-      'hide_limit_column_types' => 'integer,bigint,boolean',
-      'hide_default_column_types' => 'json,jsonb,hstore',
-      'skip_on_db_migrate' => 'false',
-      'format_bare' => 'true',
-      'format_rdoc' => 'false',
-      'format_markdown' => 'false',
-      'sort' => 'false',
-      'force' => 'false',
-      'frozen' => 'false',
-      'classified_sort' => 'true',
-      'trace' => 'false',
-      'wrapper_open' => nil,
-      'wrapper_close' => nil,
-      'with_comment' => 'true'
-    )
-  end
 end