move common config setting to application.rb

config/application.rb

@@ -30,6 +30,10 @@ class Application < Rails::Application
 
     config.autoload_paths += %W[#{config.root}/lib]
 
+    # CVE-2022-32224: add some compatibility with YAML.safe_load
+    # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
+    config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
+
     # HTML tags that are allowed to pass through `sanitize`.
     config.action_view.sanitized_allowed_tags = %w[
       p br strong em a table thead tbody tr td th tfoot caption ul ol li

config/environments/development.rb

@@ -68,10 +68,6 @@
   # Use an evented file watcher to asynchronously detect changes in source code,
   # routes, locales, etc. This feature depends on the listen gem.
   config.file_watcher = ActiveSupport::EventedFileUpdateChecker
-
-  # CVE-2022-32224: add some compatibility with YAML.safe_load
-  # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
-  config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
 end
 
 # Used by Rails' routes url_helpers (typically when including a link in an email)

config/environments/production.rb

@@ -82,10 +82,6 @@
   # Do not dump schema after migrations.
   config.active_record.dump_schema_after_migration = false
 
-  # CVE-2022-32224: add some compatibility with YAML.safe_load
-  # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
-  config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
-
   # Use syslog for logging
   config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
 

config/environments/sandbox.rb

@@ -82,10 +82,6 @@
   # Do not dump schema after migrations.
   config.active_record.dump_schema_after_migration = false
 
-  # CVE-2022-32224: add some compatibility with YAML.safe_load
-  # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
-  config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
-
   # Use syslog for logging
   config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
 

config/environments/staging.rb

@@ -81,10 +81,6 @@
     # Do not dump schema after migrations.
     config.active_record.dump_schema_after_migration = false
 
-    # CVE-2022-32224: add some compatibility with YAML.safe_load
-    # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
-    config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
-
     # Use syslog for logging
     config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
 

config/environments/test.rb

@@ -50,10 +50,6 @@
   # config.action_view.raise_on_missing_translations = true
 
   config.i18n.enforce_available_locales = false
-
-  # CVE-2022-32224: add some compatibility with YAML.safe_load
-  # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
-  config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
 end
 
 # Used by Rails' routes url_helpers (typically when including a link in an email)

config/environments/uat.rb

@@ -80,10 +80,6 @@
   # Use syslog for logging
   config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new('dmp_assistant'))
 
-  # CVE-2022-32224: add some compatibility with YAML.safe_load
-  # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
-  config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
-
   # Do not dump schema after migrations.
   config.active_record.dump_schema_after_migration = false