Possible dangerous serialization configuration

Description

JSON is the safest serialization strategy for untrusted data, such as cookie data, because it can only produce plain values (strings, numbers, arrays, hashes), whereas Marshal instantiates whatever Ruby objects the payload names and so opens the door to malicious code injection. By default, Rails uses JSON to serialize cookie values.

Remediations

❌ Avoid overriding the default cookie serializer

Rails.application.config.action_dispatch.cookies_serializer = :marshal

❌ Use the hybrid (Marshal and JSON) serializer only as a temporary measure, for example while migrating existing cookies from Marshal to JSON.

Rails.application.config.action_dispatch.cookies_serializer = :hybrid
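
As an added illustration (not Bearer's or Rails' code), the following Ruby script contrasts the three serializer strategies on the same cookie payloads; SessionNote is a constructed class whose marshal_load hook only counts how often it runs, which makes it observable that Marshal executes payload-selected code while JSON yields plain data and the hybrid fallback keeps the Marshal path reachable.

```ruby
require 'json'

# Constructed demo class (not from Rails): its marshal_load hook counts how
# often Marshal instantiates it, making "deserialization ran code chosen by
# the payload" observable in a test.
class SessionNote
  class << self
    attr_accessor :loads
  end
  self.loads = 0

  attr_reader :text

  def initialize(text)
    @text = text
  end

  def marshal_dump
    [@text]
  end

  # Called by Marshal.load with data taken straight from the cookie bytes.
  def marshal_load(fields)
    @text = fields.first
    self.class.loads += 1
  end
end

# :json -> untrusted bytes can only become strings, numbers, arrays, hashes.
def json_cookie_value(raw)
  JSON.parse(raw)
end

# :marshal -> the payload names the class and triggers its load hooks.
def marshal_cookie_value(raw)
  Marshal.load(raw)
end

# :hybrid -> reads JSON first and falls back to Marshal for legacy cookies.
# Acceptable while migrating, but the Marshal path stays reachable from input.
def hybrid_cookie_value(raw)
  JSON.parse(raw)
rescue JSON::ParserError
  Marshal.load(raw)
end
```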

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_unsafe_cookie_serialization_strategy

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_unsafe_cookie_serialization_strategy