Possible dangerous serialization configuration
- Rule ID: ruby_rails_unsafe_cookie_serialization_strategy
- Languages: ruby
- Source: unsafe_cookie_serialization_strategy.yml
JSON is the safest serialization strategy for untrusted data such as cookie values, because, unlike object serializers such as Marshal, it cannot be used to inject malicious code. By default, Rails uses JSON to serialize cookie values.
❌ Avoid overriding the default cookie serializer
Rails.application.config.action_dispatch.cookies_serializer = :marshal
❌ Use the hybrid (Marshal and JSON) serializer option as a temporary solution only, for example when migrating from Marshal to JSON.
Rails.application.config.action_dispatch.cookies_serializer = :hybrid
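As an added example (not Bearer's or Rails' own code), a plain-Ruby model of the three `cookies_serializer` strategies that shows why only JSON keeps untrusted cookie bytes from naming the classes that get instantiated; `AuditEvent`, `load_cookie`, `types_after_load` and `serializer_finding` are constructed names, and the hybrid branch is a simplified stand-in for Rails' JSON-with-Marshal-fallback serializer, not its implementation.

```ruby
require 'json'

# Constructed stand-in for any class a Marshal stream can name by string
# (an assumption for this example; not part of Rails or Bearer).
class AuditEvent
  attr_reader :note
  def initialize(note)
    @note = note
  end
end

MARSHAL_SIGNATURE = "\x04\x08".b # leading bytes of every Marshal.dump output

# Simplified model of the three strategies: JSON only, Marshal only, and
# hybrid (JSON with a Marshal fallback for legacy cookies). Rails' real
# serializer differs in detail; the point is where the trust boundary sits.
def load_cookie(strategy, raw)
  case strategy
  when :json    then JSON.parse(raw)
  when :marshal then Marshal.load(raw)
  when :hybrid  then raw.b.start_with?(MARSHAL_SIGNATURE) ? Marshal.load(raw) : JSON.parse(raw)
  else raise ArgumentError, "unknown serializer #{strategy.inspect}"
  end
end

# Classes present after deserializing: JSON yields only core data types,
# Marshal (and hybrid, for Marshal-shaped input) yields whatever the bytes name.
def types_after_load(strategy, raw)
  value = load_cookie(strategy, raw)
  [value.class] + (value.is_a?(Hash) ? value.values.map(&:class) : [])
end

# Config check in the spirit of the Bearer rule: nil means the value is safe.
def serializer_finding(value)
  case value
  when :json    then nil
  when :marshal then "cookies_serializer = :marshal lets cookie bytes instantiate arbitrary objects"
  when :hybrid  then "cookies_serializer = :hybrid still deserializes Marshal cookies; temporary use only"
  else "unrecognised cookies_serializer #{value.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  json_cookie    = JSON.generate("user_id" => 42)           # constructed cookie value
  marshal_cookie = Marshal.dump(AuditEvent.new("constructed")) # constructed legacy cookie
  p types_after_load(:json, json_cookie)      # [Hash, Integer]
  p types_after_load(:hybrid, marshal_cookie) # [AuditEvent]
  p serializer_finding(:marshal)
end
```

Feeding the Marshal-shaped cookie to the `:json` strategy raises a `JSON::ParserError` instead of instantiating anything, which is the property the rule is protecting.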
Reference: OWASP Top 10
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=ruby_rails_unsafe_cookie_serialization_strategy
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=ruby_rails_unsafe_cookie_serialization_strategy