ruby.lang.security.cookie-serialization.cookie-serialization
Community Favorite
semgrep
Author
46,077
Download Count*
License
Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice.
Run Locally
Run in CI
Defintion
rules:
- id: cookie-serialization
message: Checks if code allows cookies to be deserialized using Marshal. If the
attacker can craft a valid cookie, this could lead to remote code
execution. The hybrid check is just to warn users to migrate to :json for
best practice.
metadata:
cwe:
- "CWE-94: Improper Control of Generation of Code ('Code Injection')"
references:
- https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb
- https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/
category: security
technology:
- ruby
owasp:
- A03:2021 - Injection
cwe2022-top25: true
subcategory:
- audit
likelihood: LOW
impact: HIGH
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Code Injection
languages:
- ruby
severity: ERROR
pattern-either:
- pattern: |
Rails.application.config.action_dispatch.cookies_serializer = :marshal
- pattern: |
Rails.application.config.action_dispatch.cookies_serializer = :hybrid
Examples
cookie-serialization.rb
class Bad_cookie_serialization
# ruleid: cookie-serialization
Rails.application.config.action_dispatch.cookies_serializer = :hybrid
# ruleid: cookie-serialization
Rails.application.config.action_dispatch.cookies_serializer = :marshal
end
class Cookie_serialization
# ok.
Rails.application.config.action_dispatch.cookies_serializer = :json
end
Short Link: https://sg.run/Wg3y