projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
20300: Call safe_load explicitly instead of using safe_yaml gem.
[arvados.git] / services / api / lib / serializers.rb
diff --git a/services/api/lib/serializers.rb b/services/api/lib/serializers.rb
index e412f63f622dfca040afc418df856714e07dd0d3..c25b9060b4100871e2ec832e318120829db9ef4e 100644 (file)
--- a/services/api/lib/serializers.rb
+++ b/services/api/lib/serializers.rb
@@ -1,3 +1,7 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
 require 'safe_json'
 
 class Serializer
@@ -12,7 +16,7 @@ class Serializer
   end
 
   def self.legacy_load(s)
-    val = Psych.safe_load(s)
+    val = Psych.safe_load(s, permitted_classes: [Time])
     if val.is_a? String
       # If apiserver was downgraded to a YAML-only version after
       # storing JSON in the database, the old code would have loaded
@@ -28,7 +32,10 @@ class Serializer
   end
 
   def self.load(s)
-    if s.nil?
+    if s.is_a?(object_class)
+      # Rails already deserialized for us
+      s
+    elsif s.nil?
       object_class.new()
     elsif s[0] == first_json_char
       SafeJSON.load(s)