Objects in Ruby may be serialized to strings. The main method for doing so is the built-in Marshal class. The YAML, JSON, and CSV libraries also have methods for dumping Ruby objects into strings, and then creating objects from those strings.

Deserialization of arbitrary objects can lead to remote code execution, as was demonstrated with CVE-2013-0156.

Brakeman warns when loading user input with Marshal, YAML, or CSV. JSON is covered by the checks for CVE-2013-0333

Back to Warning Types