Remove Session serialize/deserialize methods to fix RCE vulnerability

   The Session.deserialize method used Oj.load without safe mode, which allows
   instantiation of arbitrary Ruby objects. If an attacker could control session
   storage (e.g., compromise a Redis instance or database), they could inject
   malicious serialized data to achieve remote code execution.

   These methods were vestigial code from when the library handled session
   storage (deprecated in v12.3.0). After that deprecation, apps became
   responsible for their own session persistence, rendering serialize/deserialize
   unnecessary for their original purpose. Investigation confirmed no external
   usage - the shopify_app gem stores individual session attributes in database
   columns and reconstructs sessions using Session.new().

   The only internal usage was copy_attributes_from, which called serialize just
   to enumerate attribute names via JSON.parse(other.serialize).keys before
   copying instance variables. This has been refactored to directly copy each
   attribute, eliminating the dependency on serialize.

   Breaking change: Session#serialize and Session.deserialize removed.
   Migration: Apps should use Session.new() to reconstruct sessions from stored
   attributes (the pattern already used by shopify_app).

   Complete removal eliminates the RCE vector entirely while maintaining all
   functionality.

Author: lizkenyon

CHANGELOG.md

@@ -6,6 +6,7 @@ Note: For changes to the API, see https://shopify.dev/changelog?filter=api
 ### 15.0.0
 
 - ⚠️ [Breaking] Removed deprecated `ShopifyAPI::Webhooks::Handler` interface. Apps must migrate to `ShopifyAPI::Webhooks::WebhookHandler` which provides `webhook_id` and `api_version` in addition to `topic`, `shop`, and `body`. See [BREAKING_CHANGES_FOR_V15.md](BREAKING_CHANGES_FOR_V15.md) for migration guide.
+- ⚠️ [Breaking] Removed `Session#serialize` and `Session.deserialize` methods due to security concerns (RCE vulnerability via `Oj.load`). These methods were not used internally by the library. If your application relies on session serialization, use `Session.new()` to reconstruct sessions from stored attributes instead.
 - Add support for 2025-10 API version
   - Updated `LATEST_SUPPORTED_ADMIN_VERSION` to `2025-10`
 - [#1411](https://github.com/Shopify/shopify-api-ruby/pull/1411) Remove `LATEST_SUPPORTED_ADMIN_VERSION` and `RELEASE_CANDIDATE_ADMIN_VERSION` constants to prevent semver violations. Developers must now explicitly specify API versions. See the [migration guide](BREAKING_CHANGES_FOR_V15.md#removal-of-latest_supported_admin_version-and-release_candidate_admin_version-constants) for details.

lib/shopify_api/auth/session.rb

@@ -118,28 +118,22 @@ def from(shop:, access_token_response:)
           )
         end
 
-        sig { params(str: String).returns(Session) }
-        def deserialize(str)
-          Oj.load(str)
-        end
       end
 
       sig { params(other: Session).returns(Session) }
       def copy_attributes_from(other)
-        JSON.parse(other.serialize).keys.each do |key|
-          next if key.include?("^")
-
-          variable_name = "@#{key}"
-          instance_variable_set(variable_name, other.instance_variable_get(variable_name))
-        end
+        @shop = other.shop
+        @state = other.state
+        @access_token = other.access_token
+        @scope = other.scope
+        @associated_user_scope = other.associated_user_scope
+        @expires = other.expires
+        @associated_user = other.associated_user
+        @is_online = other.online?
+        @shopify_session_id = other.shopify_session_id
         self
       end
 
-      sig { returns(String) }
-      def serialize
-        Oj.dump(self)
-      end
-
       alias_method :eql?, :==
       sig { params(other: T.nilable(Session)).returns(T::Boolean) }
       def ==(other)