Possible dangerous serialization configuration

Description

Using an unsafe serialization strategy can introduce vulnerabilities, particularly when handling untrusted data such as cookies. By default, Rails uses JSON to serialize cookie values. JSON is the safest serialization strategy for untrusted data because it only yields plain data types (hashes, arrays, strings, numbers) rather than arbitrary Ruby objects, so it cannot be used to inject malicious code the way Marshal can. Changing this default setting can expose your application to attacks.

Remediations

  • Do not change the default cookie serializer.
    Rails.application.config.action_dispatch.cookies_serializer = :marshal # unsafe
  • Do consider the hybrid serializer option, but use this as a temporary measure only (such as during the transition from Marshal to JSON serialization). This should not be a permanent solution.
    Rails.application.config.action_dispatch.cookies_serializer = :hybrid # transitional only
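The script below is an added illustration, not Bearer's or Rails' own code, of what each serializer setting will reconstruct from a cookie value: the constructed AuditedSetting class stands in for any application class with a marshal_load hook, and restore_with_hybrid is a simplified model of the transitional reader that assumes a Marshal stream is recognised by its leading version bytes.

```ruby
require 'json'
MARSHAL_SIGNATURE = "\x04\x08".b   # version bytes that start every Marshal stream

# Constructed stand-in for an application class with a marshal_load hook.
# Marshal.load allocates the class named in the stream and runs this hook, so
# deserialising untrusted cookie data lets the sender choose which loadable
# class has its hook executed. Here the hook only records that it fired.
class AuditedSetting
  attr_reader :name, :loaded_via_marshal
  def initialize(name)
    @name = name
    @loaded_via_marshal = false
  end
  def marshal_dump
    [@name]
  end
  def marshal_load(data)
    @name = data[0]
    @loaded_via_marshal = true   # side effect performed by Marshal.load itself
  end
end

# :marshal reconstructs whatever object the stream names.
def restore_with_marshal(blob)
  Marshal.load(blob)
end
# :json yields only Hash/Array/String/Numeric/true/false/nil, never app objects.
def restore_with_json(text)
  JSON.parse(text)
end
# :hybrid (simplified model, an assumption here): values that look like a
# Marshal stream are still handed to Marshal.load, so the exposure remains
# until every old cookie has been rewritten as JSON.
def restore_with_hybrid(value)
  value.b.start_with?(MARSHAL_SIGNATURE) ? Marshal.load(value) : JSON.parse(value)
end

# Risk classification the rule applies to the cookies_serializer setting.
SERIALIZER_RISK = { json: :safe, hybrid: :transitional, marshal: :unsafe }.freeze
def serializer_risk(setting)
  SERIALIZER_RISK.fetch(setting.to_sym, :unknown)
end

if __FILE__ == $PROGRAM_NAME
  blob = Marshal.dump(AuditedSetting.new("theme"))
  puts restore_with_marshal(blob).loaded_via_marshal   # true
  puts restore_with_json('{"name":"theme"}').class     # Hash
  puts restore_with_hybrid(blob).class                 # AuditedSetting
end
```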

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_unsafe_cookie_serialization_strategy

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_unsafe_cookie_serialization_strategy