Ensure cookies are serialized using JSON

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Metadata

ID: ruby-security/rails-cookies-serializer

Language: Ruby

Severity: Warning

Category: Security

CWE: 94

Description

This rule states that cookies in a Ruby on Rails application should be serialized using JSON. This is important because JSON is a safer method for serialization compared to others like :marshal and :hybrid. The :marshal method is known to have potential security vulnerabilities, and the :hybrid method, while safer than :marshal, is still not as secure as JSON.

Cookies often contain sensitive data, and if they are not properly serialized, it could lead to security issues such as unauthorized access to user data. Therefore, it’s crucial to use a secure method for cookie serialization to protect your application and its users.

To adhere to this rule, always set your cookie serializer to :json in your Rails application configuration. This can be done by adding the line Rails.application.config.action_dispatch.cookies_serializer = :json to your configuration file. This ensures that all cookies are serialized safely using JSON, thus reducing the risk of potential security vulnerabilities.

Non-Compliant Code Examples

Rails.application.config.action_dispatch.cookies_serializer = :hybrid
Rails.application.config.action_dispatch.cookies_serializer = :marshal

Compliant Code Examples

Rails.application.config.action_dispatch.cookies_serializer = :json
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis