Insecure Cookie Serialization
Description
Using Ruby's Marshal module to deserialize cookies is a significant security risk. Marshal reconstructs arbitrary Ruby objects, so a crafted cookie that the application accepts (for example one forged after the application's secret key base has leaked) can instantiate objects of the attacker's choosing on the server and lead to remote code execution (RCE). To mitigate this risk, switch the cookie serializer from Marshal to JSON, which only yields strings, numbers, booleans, arrays and hashes.
Examples
Insecure Code
```ruby
Rails.application.config.action_dispatch.cookies_serializer = :marshal
```
Secure Code
```ruby
Rails.application.config.action_dispatch.cookies_serializer = :json
```
Remediation
Configure the cookie serializer to `:json` in `config/initializers/cookies_serializer.rb`:
```ruby
Rails.application.config.action_dispatch.cookies_serializer = :json
```
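The following added example (not part of the original rule text, and not Rails' own cookie code) shows why the serializer choice matters. It mimics the two serializer strategies on a plain cookie payload: the `:marshal` path reconstructs an instance of an application class (`SessionPreference`, a constructed stand-in for any class a forged payload could name), while the `:json` path can only ever yield a `Hash`, and a Marshal-formatted payload handed to the JSON path fails closed instead of instantiating anything.

```ruby
require 'json'
require 'base64'

# Constructed stand-in for any application class; a Marshal payload can
# instantiate it (or any other loaded class) without the app's cooperation.
class SessionPreference
  attr_reader :theme

  def initialize(theme)
    @theme = theme
  end
end

# Encode a cookie value the way the two Rails serializer strategies do at a
# high level (Base64 of Marshal bytes or of a JSON document). Signing and
# encryption are omitted here; this models only the deserialization step.
def serialize_cookie(value, serializer:)
  case serializer
  when :marshal then Base64.strict_encode64(Marshal.dump(value))
  when :json    then Base64.strict_encode64(JSON.generate(value))
  else raise ArgumentError, "unknown serializer #{serializer.inspect}"
  end
end

def deserialize_cookie(raw, serializer:)
  bytes = Base64.strict_decode64(raw)
  case serializer
  when :marshal then Marshal.load(bytes)   # reconstructs arbitrary objects
  when :json    then JSON.parse(bytes)     # primitives, arrays, hashes only
  else raise ArgumentError, "unknown serializer #{serializer.inspect}"
  end
end

# With :marshal, the cookie round-trips as a live SessionPreference object.
def marshal_roundtrip_class
  cookie = serialize_cookie(SessionPreference.new("dark"), serializer: :marshal)
  deserialize_cookie(cookie, serializer: :marshal).class
end

# With :json, the same data round-trips as a plain Hash.
def json_roundtrip_class
  cookie = serialize_cookie({ "theme" => "dark" }, serializer: :json)
  deserialize_cookie(cookie, serializer: :json).class
end

# A Marshal-formatted payload presented to the JSON serializer is rejected
# (JSON::ParserError), so no object is ever constructed from it.
def json_rejects_marshal_payload
  cookie = serialize_cookie(SessionPreference.new("dark"), serializer: :marshal)
  deserialize_cookie(cookie, serializer: :json)
  false
rescue JSON::ParserError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "marshal yields: #{marshal_roundtrip_class}"
  puts "json yields:    #{json_roundtrip_class}"
  puts "json rejects marshal payload: #{json_rejects_marshal_payload}"
end
```

The point of the comparison is that the JSON path has no way to name a class, so switching `cookies_serializer` to `:json` removes the object-instantiation primitive entirely rather than relying on the signing key never leaking.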
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0519 |
| Category | Deserialization |
| Severity | HIGH |
| CWE | CWE-94 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | injection, cookie, serialization |
| OWASP | A1:2017-Injection, A03:2021-Injection |
References
- https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/cookie-serialization.yaml