Replace 'Marshal' with JSON serialiser #6

koenrh opened this issue Oct 24, 2017 · 1 comment
koenrh commented Oct 24, 2017

The use of Marshal.load poses a security risk. It could lead to remote code execution when loading untrusted data. I don't think it is beyond the realm of possibilities that for some reason some program or piece of code manages to update data stored at 'object-cache'-defined keys, which in turn is deserialised by 'object-cache' (and thus Marshal.load).

As far as I can tell this library only supports the serialisation and deserialisation of simple types, which means it is probably as easy as replacing Marshal with a JSON serialiser?

koenrh commented Dec 7, 2017

A similar vulnerability was found in 'redis-store'. It was assigned CVE-2017-1000248. They solved it by adding support for pluggable serialisers (and eventually removing support for 'Marshaller'). See: redis-store/redis-store#290

cc @JeanMertz @jurriaan
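An added example, not code from the 'object-cache' or 'redis-store' projects, of the pluggable-serialiser approach the two comments above describe, with JSON as the default. The `ObjectCache` class and its `write`/`read` API are assumed for illustration; the point is that `JSON.parse` only ever builds strings, numbers, booleans, nil, arrays and hashes, so a tampered cache entry cannot instantiate arbitrary Ruby objects the way `Marshal.load` can.

```ruby
require 'json'

# Default serialiser: restricted to the simple types JSON can represent.
# JSON.parse (create_additions is off by default) never calls into
# application classes, unlike Marshal.load on attacker-controlled bytes.
module JsonSerialiser
  SIMPLE = [String, Integer, Float, TrueClass, FalseClass, NilClass,
            Array, Hash].freeze

  def self.dump(value)
    check!(value)            # refuse anything that would not round-trip
    JSON.generate(value)
  end

  def self.load(raw)
    JSON.parse(raw)          # plain data only; no object instantiation
  end

  # Walk the value and reject non-simple types and non-string hash keys
  # (symbol keys would silently come back as strings after a round trip).
  def self.check!(value)
    unless SIMPLE.any? { |klass| value.is_a?(klass) }
      raise TypeError, "unsupported type #{value.class}"
    end
    case value
    when Array then value.each { |v| check!(v) }
    when Hash
      value.each do |k, v|
        raise TypeError, "non-string hash key #{k.inspect}" unless k.is_a?(String)
        check!(v)
      end
    end
  end
end

# Minimal cache wrapper (hypothetical API) with the serialiser injectable,
# so a Marshal-based serialiser can be swapped out without touching callers.
class ObjectCache
  def initialize(store = {}, serialiser: JsonSerialiser)
    @store = store           # constructed in-memory backend standing in for Redis etc.
    @serialiser = serialiser
  end

  def write(key, value)
    @store[key] = @serialiser.dump(value)
  end

  def read(key)
    raw = @store[key]
    raw && @serialiser.load(raw)
  end
end
```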
