require 'brakeman/checks/base_check'

# Flags cookie serializer configuration that relies on Marshal.
# Rails uses Marshal for the `:marshal` strategy and still accepts
# Marshal-encoded cookies on read under `:hybrid`, so both are reported;
# deserializing attacker-controlled Marshal data is the remote code
# execution risk the warning describes (CWE-565 / CWE-502).
class Brakeman::CheckCookieSerialization < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Check for use of Marshal for cookie serialization"

  # Serializer symbols this check treats as unsafe.
  UNSAFE_SERIALIZERS = [:marshal, :hybrid].freeze

  # Looks for `Rails.application.config.action_dispatch.cookies_serializer = <value>`
  # and emits one medium-confidence warning per assignment whose value is a
  # symbol literal listed in UNSAFE_SERIALIZERS. Values that are not symbol
  # literals (strings, variables, method calls) are not inspected and
  # therefore never produce a warning.
  def run_check
    assignments = tracker.find_call(
      target: :'Rails.application.config.action_dispatch',
      method: :cookies_serializer=
    )

    assignments.each do |result|
      strategy = result[:call].first_arg
      next unless symbol?(strategy) && UNSAFE_SERIALIZERS.include?(strategy.value)

      report_unsafe_serializer(result, strategy.value)
    end
  end

  private

  # Emits the warning for a single unsafe `cookies_serializer=` call.
  #
  # result   - the call result returned by tracker.find_call
  # strategy - the serializer symbol that was assigned (e.g. :marshal)
  def report_unsafe_serializer(result, strategy)
    warn result: result,
         warning_type: "Remote Code Execution",
         warning_code: :unsafe_cookie_serialization,
         message: msg("Use of unsafe cookie serialization strategy ", msg_code(strategy.inspect), " might lead to remote code execution"),
         confidence: :medium,
         link_path: "unsafe_deserialization",
         cwe_id: [565, 502]
  end
end