Class: Spektr::Checks::CookieSerialization
Defined in: lib/spektr/checks/cookie_serialization.rb
Instance Attribute Summary
Attributes inherited from Base
Instance Method Summary
- #initialize(app, target) ⇒ CookieSerialization (constructor): a new instance of CookieSerialization.
- #run ⇒ Object
Methods inherited from Base
#app_version_between?, #dupe?, #model_attribute?, #should_run?, #target_affected?, #user_input?, #version_affected, #version_between?, #warn!
Constructor Details
#initialize(app, target) ⇒ CookieSerialization
Returns a new instance of CookieSerialization.
    # File 'lib/spektr/checks/cookie_serialization.rb', line 5
    def initialize(app, target)
      super
      @name = "Unsafe deserialisation"
      @type = "Insecure Deserialization"
      # Target types this check runs against
      @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller"]
    end
Instance Method Details
#run ⇒ Object
    # File 'lib/spektr/checks/cookie_serialization.rb', line 12
    def run
      return unless super
      # Every `<receiver>.cookies_serializer = <value>` call in the target
      calls = @target.find_calls(:cookies_serializer=)
      if calls.any? { |call| call.receiver == "Rails.application.config.action_dispatch" && call.arguments.first.name == :marshal }
        warn! @target, self, calls.first.location, "Marshal cookie serialization strategy can lead to remote code execution"
      end
    end