Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add check for unsafe cookie serialization configuration #1364

Merged
merged 2 commits into from Jun 12, 2019

Conversation

@presidentbeef
Copy link
Owner

commented Jun 11, 2019

The :hybrid and :marshal cookie serialization strategies use Marshal to (de)serialization cookie values. If an attacker is able to send a forged cookie, they may be able to execute arbitrary Ruby code on the server.

:json is the preferred cookie serialization strategy.

@presidentbeef presidentbeef force-pushed the cookies_serializer branch from ac2f664 to dce65ed Jun 12, 2019

@presidentbeef presidentbeef merged commit 51b6c83 into master Jun 12, 2019

10 checks passed

ci/circleci: default Your tests passed on CircleCI!
Details
ci/circleci: test-2-3 Your tests passed on CircleCI!
Details
ci/circleci: test-2-4 Your tests passed on CircleCI!
Details
ci/circleci: test-2-5 Your tests passed on CircleCI!
Details
ci/circleci: test-2-6 Your tests passed on CircleCI!
Details
ci/circleci: test-jruby Your tests passed on CircleCI!
Details
ci/circleci: upload-coverage Your tests passed on CircleCI!
Details
codeclimate All good!
Details
codeclimate/diff-coverage 100% (98% threshold)
Details
codeclimate/total-coverage 95% (0.0% change)
Details

@presidentbeef presidentbeef deleted the cookies_serializer branch Jun 12, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.