config active support: migrate message serializer to `ActiveSupport::…

…JSON` GitHub: rangubaGH-34 As of Rails v7.1, this setting is default. - ref: https://guides.rubyonrails.org/v7.1/configuring.html#config-active-support-message-serializer We migrated it to `ActiveSupport::JSO`. Because `Marshal` is a potential vector for deserialization attacks in cases where a message signing secret has been leaked. In Ranguba, we don't explicitly use it, so there is no impact on us.
otegami · Aug 28, 2024 · 547f210 · 547f210
1 parent 37951af
commit 547f210
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/config/initializers/new_framework_defaults_7_1.rb b/config/initializers/new_framework_defaults_7_1.rb
@@ -75,7 +75,7 @@
 # servers, first deploy without changing the serializer, then set the serializer
 # in a subsequent deploy.
 #++
-# Rails.application.config.active_support.message_serializer = :json_allow_marshal
+Rails.application.config.active_support.message_serializer = :json_allow_marshal
 
 ###
 # Enable a performance optimization that serializes message data and metadata