Insecure Rails Cache Store Configuration
Description
The Rails cache store is configured with a serializer that relies on Marshal, so an attacker who can inject data into the cache store can achieve code execution when that entry is read back and deserialized. This is because the default serializer in Rails 7.1 is `:marshal_7_1`, and the built-in serializers fall back on Marshal when loading. Consider using a custom serializer, such as JSON or MessagePack, that does not fall back on Marshal.
Examples
Insecure Code
```ruby
# No serializer given: Rails 7.1 defaults to :marshal_7_1, which loads with Marshal
config.cache_store = :mem_cache_store
```
Secure Code
```ruby
# Explicit serializer without a Marshal fallback
config.cache_store = :mem_cache_store, { serializer: :json }
```
Remediation
Configure the Rails cache store to use a custom serializer like JSON or MessagePack. For example, set `config.cache_store` to `:mem_cache_store` with a custom serializer: `config.cache_store = :mem_cache_store, { serializer: :json }`
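As an added example (not code from this rule or from Rails), here is what a custom serializer without a Marshal fallback looks like: Rails 7.1 accepts any object responding to `dump` and `load` for the `serializer:` option, so an object like `JsonCacheSerializer` (an assumed name) can be passed in place of a symbol. It also adds the check a reviewer would want, rejecting a payload that carries Marshal's format bytes instead of decoding it.

```ruby
require "json"

# Added example (not Rails code): a cache serializer that never touches Marshal.
# Rails 7.1 only requires a serializer to respond to `dump` and `load`, so this
# module can be passed as `serializer: JsonCacheSerializer` in `config.cache_store`.
# Contrast with the default :marshal_7_1 serializer, whose load path falls back
# to Marshal.load for payloads it does not recognise.
module JsonCacheSerializer
  # Marshal output starts with its format version bytes (4.8), so a stray or
  # injected Marshal payload can be named precisely rather than surfacing as a
  # generic parse error.
  MARSHAL_MAGIC = "\x04\x08".b.freeze

  module_function

  # Serialize a value for the cache. Only JSON-native data round-trips losslessly:
  # symbols and symbol hash keys come back as strings, and objects such as Time
  # are stored via #to_s unless the application converts them first.
  def dump(value)
    JSON.generate(value)
  end

  # Deserialize a cache payload. There is deliberately no fallback: any payload
  # that is not valid JSON, including a Marshal dump written under a previous
  # configuration or placed in the store by an attacker, raises an error.
  def load(payload)
    raise ArgumentError, "refusing to load Marshal payload" if payload.b.start_with?(MARSHAL_MAGIC)

    JSON.parse(payload)
  rescue JSON::ParserError => e
    raise ArgumentError, "cache payload is not JSON: #{e.message}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample value: what a session-like cache entry might hold
  entry = JsonCacheSerializer.dump({ "user_id" => 42, "roles" => ["admin"] })
  p JsonCacheSerializer.load(entry)
  begin
    JsonCacheSerializer.load(Marshal.dump([1, 2, 3]))
  rescue ArgumentError => e
    puts e.message
  end
end
```

Note that a JSON serializer changes what round-trips: symbols and symbol hash keys come back as strings, so code that relied on Marshal preserving arbitrary Ruby objects needs adjusting, and switching serializers invalidates entries written in the old format.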
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0434 |
| Category | Deserialization |
| Severity | HIGH |
| CWE | CWE-502 |
| Confidence | MEDIUM |
| Impact | HIGH |
| Likelihood | LOW |
| Exploitability | MODERATE |
| Tags | cache, serialization, deserialization |
| OWASP | N/A |
References
- https://github.com/rails/rails/blob/v7.1.4/activesupport/lib/active_support/cache.rb#L327
- https://api.rubyonrails.org/v7.1.3.4/classes/ActiveSupport/Cache/Store.html
- https://github.com/rails/rails/blob/v7.1.4/activesupport/lib/active_support/cache/serializer_with_fallback.rb#L166-L172
- https://api.rubyonrails.org/v7.1.3.4/classes/ActiveSupport/Cache/MemCacheStore.html