Possible dangerous serialization configuration

Description

JSON is the safest serialization strategy for untrusted data, such as cookie data, to avoid malicious code injection. By default, Rails uses JSON to serialize cookie values.

Remediations

❌ Avoid overriding the default cookie serializer

Rails.application.config.action_dispatch.cookies_serializer = :marshal

❌ Use the hybrid (Marshal and JSON) serializer option as a temporary solution only, for example when migrating from Marshal to JSON.

Rails.application.config.action_dispatch.cookies_serializer = :hybrid

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_unsafe_cookie_serialization_strategy

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_unsafe_cookie_serialization_strategy

Ready to take the next step? Learn more about Bearer Cloud.