Unsafe cookie serialization strategy detected.
- Rule ID: ruby_rails_unsafe_cookie_serialization_strategy
- Languages: ruby
- Source: unsafe_cookie_serialization_strategy.yml
## Description

Rails serializes cookie values with JSON by default. Cookie data arrives from the client and must be treated as untrusted, and JSON is the safest serialization strategy for it: JSON deserializes only to plain values (strings, numbers, arrays, hashes), whereas Marshal can reconstruct arbitrary Ruby objects from attacker-controlled bytes, which is the path to malicious code injection this rule guards against.
## Remediations

❌ Avoid overriding the default cookie serializer:

```ruby
Rails.application.config.action_dispatch.cookies_serializer = :marshal
```
❌ Use the hybrid (Marshal and JSON) serializer option as a temporary solution only, for example when migrating from Marshal to JSON:

```ruby
Rails.application.config.action_dispatch.cookies_serializer = :hybrid
```
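As an added example (not Bearer's rule implementation), a minimal Ruby check that applies this rule's logic to configuration source: it finds assignments to `cookies_serializer`, reports `:marshal` as high and `:hybrid` as medium severity, and accepts `:json`. The regex, the `Finding` struct and `SAMPLE_CONFIG` are constructed for this example.

```ruby
# Added example, not Bearer's own rule implementation: a minimal check in the
# spirit of ruby_rails_unsafe_cookie_serialization_strategy. It scans Ruby
# configuration source for cookies_serializer assignments, in both the
# Rails.application.config... form and the config... form used in configure blocks.
SERIALIZER_ASSIGNMENT = /
  \b(?:Rails\.application\.)?config\.action_dispatch\.cookies_serializer
  \s*=\s*:(?<strategy>\w+)
/x

# Severity per strategy; :json is the Rails default and the recommended value.
SEVERITY = {
  "marshal" => :high,   # Marshal.load rebuilds arbitrary objects from attacker-controlled bytes
  "hybrid"  => :medium, # still reads Marshal cookies; acceptable only while migrating to JSON
  "json"    => :none
}.freeze

Finding = Struct.new(:line, :strategy, :severity, :message)

# Returns a Finding for every serializer assignment in +source+ whose
# strategy is not :json. Commented-out lines are ignored.
def check_cookie_serializer(source)
  source.each_line.with_index(1).each_with_object([]) do |(text, lineno), findings|
    next if text.lstrip.start_with?("#")
    m = SERIALIZER_ASSIGNMENT.match(text) or next
    strategy = m[:strategy]
    severity = SEVERITY.fetch(strategy, :high) # unknown strategy: treat as unsafe
    next if severity == :none
    message = case strategy
              when "marshal" then "Marshal deserializes untrusted cookie data; use :json (the default)"
              when "hybrid"  then "hybrid serializer still accepts Marshal; use it only while migrating to :json"
              else "unknown cookie serializer #{strategy.inspect}"
              end
    findings << Finding.new(lineno, strategy, severity, message)
  end
end

# Constructed sample configuration, not taken from a real project.
SAMPLE_CONFIG = <<~RUBY
  Rails.application.configure do
    # config.action_dispatch.cookies_serializer = :marshal
    config.action_dispatch.cookies_serializer = :hybrid
  end
  Rails.application.config.action_dispatch.cookies_serializer = :marshal
RUBY

if __FILE__ == $0
  check_cookie_serializer(SAMPLE_CONFIG).each { |f| puts "line #{f.line}: [#{f.severity}] #{f.message}" }
end
```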
## Resources

- Associated CWE
- OWASP Top 10