mcp-server-semgrep
MCP Server for Semgrep Integration - static code analysis with AI
rules:
  - id: cookie-serialization
    message: >-
      Checks if code allows cookies to be deserialized using Marshal. If the attacker
      can craft a valid cookie, this could lead to
      remote code execution. The hybrid check is just to warn users to migrate to :json
      for best practice.
    metadata:
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      references:
        - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb
        - https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/
      category: security
      technology:
        - ruby
      owasp:
        - A03:2021 - Injection
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
    languages:
      - ruby
    severity: ERROR
    pattern-either:
      - pattern: |
          Rails.application.config.action_dispatch.cookies_serializer = :marshal
      - pattern: |
          Rails.application.config.action_dispatch.cookies_serializer = :hybrid
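The rule above matches two literal assignments. As an added example (not part of the mcp-server-semgrep rule file or of Semgrep itself), the Ruby script below mirrors the same check without Semgrep: it classifies each matching `cookies_serializer` assignment the way the rule does (`:marshal` as an error, `:hybrid` as a migration warning, `:json` as the hardened setting) and shows the weak initializer beside the corrected one. The sample initializer contents, the helper names and the verdict symbols are all constructed for this example.

```ruby
# Added example, not code from the mcp-server-semgrep repository.
# Mirrors the cookie-serialization rule: flag Rails cookie serializer
# settings that hand cookie data to Marshal.load.

# Same fully qualified form the Semgrep patterns use; the symbol is captured.
COOKIE_SERIALIZER_ASSIGNMENT =
  /\ARails\.application\.config\.action_dispatch\.cookies_serializer\s*=\s*:(\w+)\z/

# Classify one source line.
#   :error -> :marshal (arbitrary object deserialization, the RCE case)
#   :warn  -> :hybrid  (reads Marshal cookies and writes JSON; migrate to :json)
#   :ok    -> :json    (plain data only)
#   nil    -> line does not set the cookie serializer
def classify_cookie_serializer(line)
  match = COOKIE_SERIALIZER_ASSIGNMENT.match(line.strip)
  return nil unless match

  case match[1]
  when "marshal" then :error
  when "hybrid"  then :warn
  when "json"    then :ok
  else :unknown
  end
end

# Scan a whole file's text; returns [line_number, stripped_line, verdict]
# for every line that sets the cookie serializer.
def scan_cookie_serializer(source)
  source.each_line.with_index(1).filter_map do |line, number|
    verdict = classify_cookie_serializer(line)
    [number, line.strip, verdict] if verdict
  end
end

# Constructed sample: the weak setting the rule reports as ERROR.
WEAK_INITIALIZER = <<~RUBY
  # config/initializers/cookies_serializer.rb (constructed sample)
  Rails.application.config.action_dispatch.cookies_serializer = :marshal
RUBY

# Constructed sample: the hardened setting the rule's message recommends.
HARDENED_INITIALIZER = <<~RUBY
  # config/initializers/cookies_serializer.rb (constructed sample)
  Rails.application.config.action_dispatch.cookies_serializer = :json
RUBY

if __FILE__ == $PROGRAM_NAME
  { "weak" => WEAK_INITIALIZER, "hardened" => HARDENED_INITIALIZER }.each do |label, src|
    scan_cookie_serializer(src).each do |number, text, verdict|
      puts "#{label}:#{number}: #{verdict.to_s.upcase} -> #{text}"
    end
  end
end
```

Two caveats for anyone relying on the rule as written: Rails' `:hybrid` serializer still passes existing Marshal-format cookies to `Marshal.load` while it rewrites them as JSON, so the warning only goes away once all legacy cookies have been rotated out; and the rule's patterns only match the fully qualified `Rails.application.config.action_dispatch.cookies_serializer` receiver, so the shorter `config.action_dispatch.cookies_serializer = :marshal` form written inside `config/application.rb` would need an extra pattern (this checker inherits the same limitation on purpose).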