Redmine

This problem comes up with ruby 3.1 and above, because the gem psych with version 4.0+ will be used then.
Because of security reasons in psych version 4.0 some default attribute values are modified.

Now you have three solutions:
1) Use ruby lower 3.1 (e.g. 3.0.5); then gem psych with version 3.x will be used - and the plugins are working fine

2) When you want to use ruby 3.1 and above - you have to modify the attributes of the gem psych
To do this - search your ruby library folder for gem psych.rb, e.g. when using rvm ... in my case ... ~/.rvm/rubies/ruby-3.0.0/lib/ruby/3.0.0
Modify your psych.rb; search for row def self.safe_load yaml, ... and change the attribute "aliases: false", to "aliases: true", and save your changes.

3) Downgrade your psych version in the Gemfile like "psych ~>3.0"; because the default version of psych which comes bundled with Ruby 3 starts giving errors as it doesn't quite understand how to handle aliases.
Bundle your redmine installation again.

However - Restart your redmine instance after changes.

First: I'm not a ruby developer - in my opinion - the plugins of redmineup have to be changed by the developers to run with psych 4.0 and ruby 3.1 - otherwise you have to change your system to reduce your security level at the defaults of psych 3.x

Solution (2) works fine for my system with ruby 3.0.5 and some plugins of redmineup.

Dear Robert,

This is Dimitar from the RedmineUP Support team here.

Mr. Göbel shared 3 great solutions to the reported problem. For additional information about solving the problem (or feedback on the already applied solutions), please contact us at support@redmineup.com. Thanks.

Best Regards,
Dimitar from the RedmineUP Support team

Robert Swanson wrote:

Hello, I've upgraded the redmine 5.0.5 with my current redmine agile pro (version 1.6.4).
I constantly keep getting blank page with Internal error.

Logs:
Psych::DisallowedClass (Tried to load unspecified class: Set):
app/models/setting.rb:111:in `value'
app/models/setting.rb:125:in `[]'
plugins/localizable/lib/localizable.rb:14:in `localize'
plugins/localizable/lib/custom_field_patch.rb:15:in `name'
app/models/query.rb:1475:in `add_custom_field_filter'
app/models/query.rb:1521:in `block in add_custom_fields_filters'
app/models/query.rb:1520:in `add_custom_fields_filters'
app/models/project_query.rb:78:in `initialize_available_filters'

I have done quite a bit of research and experimented with different gem versions,
explicitly allowing the 'Set' class in config/application.rb to no avail and thus
getting this part of interesting log: ActionView::Template::Error (Unknown alias: 1):

Is there anything that I am missing? Any help would be appreciated.

you should know that downgrading or hacking psych internals this way could fix the issue, but it also brings back security problems fixed by psych 4.

the right way is to fix plugins. Either upgrade them to a supported version (if there's one) or fix them manually (which requires some programming skills / db cleanup).

btw localizable does officially support Redmine 3 only. Many plugins aren't maintained anymore and this security fix could break some of them if they serialize settings with disallowed classes. https://github.com/redmine/redmine/blob/master/config/application.rb#L35 Unfortunately, there was no better way to keep the compatibility and support psych 4 + new versions of rails that depend on it...