Merge pull request #1391 from philipturnbull/custom-cookies-serializer

Fix exception in CheckCookieSerialization
presidentbeef · Aug 13, 2019 · 4e661d9 · 4e661d9
2 parents 3915a79 + 6950196
commit 4e661d9
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/lib/brakeman/checks/check_cookie_serialization.rb b/lib/brakeman/checks/check_cookie_serialization.rb
@@ -9,7 +9,7 @@ def run_check
     tracker.find_call(target: :'Rails.application.config.action_dispatch', method: :cookies_serializer=).each do |result|
       setting = result[:call].first_arg
 
-      if symbol? setting and setting.value == :marshal or setting.value == :hybrid
+      if symbol? setting and [:marshal, :hybrid].include? setting.value
         warn :result => result,
           :warning_type => "Remote Code Execution",
           :warning_code => :unsafe_cookie_serialization,

diff --git a/test/apps/rails5.2/config/initializers/cookies_serializer.rb b/test/apps/rails5.2/config/initializers/cookies_serializer.rb
@@ -3,3 +3,10 @@
 # Specify a serializer for the signed and encrypted cookie jars.
 # Valid options are :json, :marshal, and :hybrid.
 Rails.application.config.action_dispatch.cookies_serializer = :hybrid
+
+module Custom
+  module Serializer
+  end
+end
+
+Rails.application.config.action_dispatch.cookies_serializer = Custom::Serializer