ruby.lang.security.cookie-serialization.cookie-serialization

Community Favorite
Author: semgrep
Download count: 46,077

Checks whether the application configures Rails to deserialize cookies with Marshal, either directly (cookies_serializer = :marshal) or through the :hybrid setting, which writes JSON but still accepts Marshal payloads. Marshal.load on attacker-controlled data instantiates arbitrary classes, so an attacker who can produce a validly signed cookie, for example after obtaining secret_key_base, can achieve remote code execution. The :hybrid match exists to warn users to finish the migration to :json, the recommended setting. The rule matches the configuration line itself, so it is an audit finding (confidence LOW) rather than proof of an exploitable path.
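As an added illustration (not part of the Semgrep rule, Brakeman or Rails), the following Ruby models the three serializer settings with a small signed-cookie jar and shows why the Marshal paths are dangerous once the signing secret is known. The SignedCookieJar class, the leaked secret string and the AuditLogger class are all constructed for this example; AuditLogger stands in for a deserialization gadget and only records that Marshal.load invoked its marshal_load, where a real gadget would run arbitrary code. The signature check passes in every case because the attacker signs with the leaked secret, which is why the rule's message ties the impact to an attacker who can craft a valid cookie.

```ruby
require "json"
require "openssl"

# Harmless stand-in for a Marshal "gadget" (constructed for this example).
# Marshal.load instantiates whatever class the byte stream names and calls its
# marshal_load, so any side effect in such a method runs during deserialization.
# A real gadget chains that into arbitrary code execution; this one only records
# that it was invoked.
class AuditLogger
  @invoked = []
  class << self
    attr_reader :invoked
  end

  def initialize(note = nil)
    @note = note
  end

  def marshal_dump
    @note
  end

  def marshal_load(note)
    @note = note
    self.class.invoked << note # runs purely because the cookie was deserialized
  end
end

# Simplified signed cookie jar ("base64(payload)--hmac"). A constructed model,
# not Rails' implementation, mirroring what cookies_serializer selects:
#   :marshal  writes and reads Marshal streams
#   :hybrid   writes JSON but still reads Marshal (migration mode)
#   :json     writes and reads JSON only
class SignedCookieJar
  MARSHAL_SIGNATURE = "\x04\x08".b # first two bytes of every Marshal stream

  def self.hmac(secret, data)
    OpenSSL::HMAC.hexdigest("SHA256", secret, data)
  end

  def initialize(secret, serializer)
    @secret = secret
    @serializer = serializer
  end

  def write(value)
    serialized = @serializer == :marshal ? Marshal.dump(value) : JSON.generate(value)
    encoded = [serialized].pack("m0")
    "#{encoded}--#{self.class.hmac(@secret, encoded)}"
  end

  # The signature is verified before anything is deserialized, so only cookies
  # signed with the secret reach Marshal.load or JSON.parse. Returns nil for a
  # bad signature or a payload the serializer cannot parse.
  def read(cookie)
    encoded, sig = cookie.split("--", 2)
    return nil unless sig && constant_time_equal?(sig, self.class.hmac(@secret, encoded))
    bytes = encoded.unpack1("m0")
    case @serializer
    when :marshal then Marshal.load(bytes)
    when :hybrid  then bytes.start_with?(MARSHAL_SIGNATURE) ? Marshal.load(bytes) : JSON.parse(bytes)
    when :json    then JSON.parse(bytes)
    end
  rescue JSON::ParserError
    nil
  end

  private

  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# What an attacker who has learned secret_key_base can do: sign a Marshal stream
# naming a class of their choosing. Only the secret and the HMAC layout are needed.
def forge_marshal_cookie(secret, object)
  encoded = [Marshal.dump(object)].pack("m0")
  "#{encoded}--#{SignedCookieJar.hmac(secret, encoded)}"
end

# Feeds the forged cookie to a jar configured with the given serializer and
# reports whether the gadget's marshal_load ran.
def attack_outcome(serializer)
  AuditLogger.invoked.clear
  secret = "leaked-secret_key_base" # constructed; real values are long random strings
  jar = SignedCookieJar.new(secret, serializer)
  forged = forge_marshal_cookie(secret, AuditLogger.new("ran during Marshal.load"))
  { value: jar.read(forged), gadget_ran: !AuditLogger.invoked.empty? }
end

if __FILE__ == $0
  %i[marshal hybrid json].each do |s|
    r = attack_outcome(s)
    puts "cookies_serializer = :#{s}  gadget_ran=#{r[:gadget_ran]}  value=#{r[:value].inspect}"
  end
end
```

Run as a script: the :marshal and :hybrid jars report gadget_ran=true, the :json jar reports false and returns nil because JSON.parse rejects the Marshal stream. The :hybrid jar writes JSON but still hands anything starting with Marshal's \x04\x08 signature to Marshal.load, which is exactly what the rule's second pattern flags; tampering with either the payload or the signature without the secret is rejected before deserialization in all three modes.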

Definition

rules:
  - id: cookie-serialization
    message: Checks if code allows cookies to be deserialized using Marshal. If the
      attacker can craft a valid cookie, this could lead to remote code
      execution. The hybrid check is just to warn users to migrate to :json for
      best practice.
    metadata:
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      references:
        - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb
        - https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/
      category: security
      technology:
        - ruby
      owasp:
        - A03:2021 - Injection
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    languages:
      - ruby
    severity: ERROR
    pattern-either:
      - pattern: |
          Rails.application.config.action_dispatch.cookies_serializer = :marshal
      - pattern: |
          Rails.application.config.action_dispatch.cookies_serializer = :hybrid

Examples

cookie-serialization.rb

class Bad_cookie_serialization
  # ruleid: cookie-serialization
  Rails.application.config.action_dispatch.cookies_serializer = :hybrid
  # ruleid: cookie-serialization
  Rails.application.config.action_dispatch.cookies_serializer = :marshal
end

class Cookie_serialization
  # ok.
  Rails.application.config.action_dispatch.cookies_serializer = :json
end