Unsafe cookie serialization strategy detected.

Rule ID: ruby_rails_unsafe_cookie_serialization_strategy
Languages: ruby
Source: unsafe_cookie_serialization_strategy.yml

Description

JSON is the safest serialization strategy for untrusted data, such as cookie data, to avoid malicious code injection. By default, Rails uses JSON to serialize cookie values.

Remediations

❌ Avoid overriding the default cookie serializer

Rails.application.config.action_dispatch.cookies_serializer = :marshal

❌ Use the hybrid (Marshal and JSON) serializer option as a temporary solution only, for example when migrating from Marshal to JSON.

Rails.application.config.action_dispatch.cookies_serializer = :hybrid

Resources

OWASP Rails Goat on Marshal and Remote Code Execution

Associated CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')

OWASP Top 10

A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_unsafe_cookie_serialization_strategy

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_unsafe_cookie_serialization_strategy

Ready to take the next step? Learn more about Bearer Cloud.