Remote Code Execution: Use of Marshal for cookie serialization
ID |
ruby.checkcookieserialization |
Severity |
critical |
Resource |
Remote Code Execution |
Language |
Ruby |
Description
Improper neutralization of directives in dynamically evaluated code ('Eval Injection').
Code Injection vulnerabilities occur when an application dynamically executes code containing untrusted input from users.
Remediation
To mitigate Code Injection vulnerabilities, follow these best practices:
-
Avoid Dynamic Code Execution: Where possible, avoid using dynamic script execution or reflection with untrusted input.
-
Input Validation and Sanitization: Assume all input is potentially malicious. Rigorously validate all user inputs to confirm they adhere to expected formats, and sanitize them (a whitelisting approach is recommended) to remove potentially harmful content.
-
Canonicalization: Decode and canonicalize inputs to a standard internal representation before validation. This helps prevent bypassing input filters through encoding tricks
References
-
CWE-95 : Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection').
-
OWASP Top 10 2021 - A03 : Injection.
-
OWASP Code Injection explained.