Objects in Ruby may be serialized to strings. The main method for doing so is the built-in Marshal class. The CSV libraries also have methods for dumping Ruby objects into strings, and then creating objects from those strings.
Deserialization of arbitrary objects can lead to remote code execution, as was demonstrated with CVE-2013-0156.
Railroader warns when loading user input with
JSON is covered by the checks for CVE-2013-0333.
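The following is an added example, not code from the Railroader documentation or the Railroader project itself. It shows why a deserialization call on user input is worth a warning: with `Marshal.load` the serialized bytes, not the application code, decide which class gets instantiated, whereas `YAML.safe_load` refuses any class that is not explicitly permitted and `JSON.parse` only ever produces plain data structures. The `AuditRecord` class and the helper function names are constructed for the example and are not part of any library.

```ruby
require 'yaml'
require 'json'

# Constructed stand-in for any application object that might get serialized.
class AuditRecord
  attr_reader :user, :action

  def initialize(user, action)
    @user = user
    @action = action
  end
end

# Unsafe pattern: Marshal.load rebuilds whatever object graph the byte string
# describes. The caller has no control over which classes are instantiated;
# the class name travels inside the payload. This is the call Railroader
# flags when `blob` originates from user input.
def load_untrusted_marshal(blob)
  Marshal.load(blob)
end

# Does a Marshal payload carry a given class name? Illustrates that the
# class to instantiate is chosen by the data, not by the loading code.
def marshal_payload_names_class?(blob, class_name)
  blob.include?(class_name)
end

# Safer pattern: YAML.safe_load only instantiates classes listed in
# permitted_classes; any other !ruby/object tag raises Psych::DisallowedClass.
def load_yaml_restricted(text, permitted: [])
  YAML.safe_load(text, permitted_classes: permitted)
end

# Classifies a YAML document by whether the restricted loader accepts it.
def classify_yaml(text)
  load_yaml_restricted(text)
  :accepted
rescue Psych::DisallowedClass
  :rejected_disallowed_class
end

# Safest for plain data: JSON.parse yields only Hash, Array, String,
# Numeric, true, false and nil, never an arbitrary application object.
def load_json_plain(text)
  JSON.parse(text)
end

if __FILE__ == $PROGRAM_NAME
  rec = AuditRecord.new('alice', 'login')

  # Same loader call, different classes, driven entirely by the bytes.
  puts load_untrusted_marshal(Marshal.dump(rec)).class          # AuditRecord
  puts load_untrusted_marshal(Marshal.dump({ 'a' => 1 })).class # Hash

  # The serialized YAML names the class; safe_load rejects it unless permitted.
  puts classify_yaml(YAML.dump(rec))                            # rejected_disallowed_class
  puts load_yaml_restricted(YAML.dump(rec), permitted: [AuditRecord]).user # alice

  puts load_json_plain('{"user":"alice"}').inspect              # {"user"=>"alice"}
end
```

The design point is that a safe loader takes an allow-list of classes from the code, so a payload naming anything else is rejected before any object is built; `Marshal.load` has no such mechanism, which is why it should never see untrusted bytes regardless of how the data is validated afterwards.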