
Replace 'Marshal' with JSON serialiser

Open · koenrh opened this issue 8 years ago · 1 comment

The use of Marshal.load poses a security risk. It could lead to remote code execution when loading untrusted data. I don't think it is beyond the realm of possibilities that for some reason some program or piece of code manages to update data stored at 'object-cache'-defined keys, which in turn is deserialised by 'object-cache' (and thus Marshal.load).

As far as I can tell this library only supports the serialisation and deserialisation of simple types, which means it is probably as easy as replacing Marshal with a JSON serialiser?

koenrh · Oct 24 '17 20:10

A similar vulnerability was found in 'redis-store'. It was assigned CVE-2017-1000248. They solved it by adding support for pluggable serialisers (and eventually removing support for 'Marshaller'). See: https://github.com/redis-store/redis-store/pull/290

cc @JeanMertz @jurriaan

koenrh · Dec 07 '17 10:12
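As an added example (not object-cache's own code, and not the redis-store patch linked above), here is a hypothetical minimal cache adapter, `SafeCache`, with a pluggable serialiser that defaults to JSON, plus a check for entries still stored in Marshal format so that such blobs are treated as misses and never reach Marshal.load during a migration:

```ruby
require 'json'

# Hypothetical JSON serialiser (added example). JSON only reconstructs
# Hash, Array, String, Numeric, true, false and nil, so a tampered cache
# entry cannot instantiate arbitrary Ruby objects on load.
module JsonSerializer
  def self.dump(obj)
    JSON.generate(obj)
  end

  def self.load(str)
    JSON.parse(str)
  end
end

# Hypothetical cache adapter (added example) with a pluggable serialiser.
class SafeCache
  # Marshal output begins with its format version bytes 4 and 8. Detecting
  # them lets a deployment find legacy entries written by the old code.
  def self.legacy_marshal?(raw)
    raw.is_a?(String) && raw.bytesize >= 2 &&
      raw.getbyte(0) == 4 && raw.getbyte(1) == 8
  end

  def initialize(store: {}, serializer: JsonSerializer)
    @store = store          # any Hash-like key/value backend
    @serializer = serializer
  end

  # Caveat for callers: JSON round-trips symbol keys as strings, so
  # values must be written and read with string keys.
  def write(key, value)
    @store[key] = @serializer.dump(value)
  end

  # Legacy Marshal blobs and unparsable entries are cache misses: the caller
  # recomputes and rewrites them in JSON instead of deserialising them.
  def read(key)
    raw = @store[key]
    return nil if raw.nil? || self.class.legacy_marshal?(raw)
    @serializer.load(raw)
  rescue JSON::ParserError
    nil
  end
end
```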