DeepSource
Dashboard Resources Pricing Discover Directory Log in

Run your first analysis.

Find thousands of code security and quality issues in your codebase, before they end up in production.

Start now
Ruby

Ruby

Made by DeepSource
Use Analyzer

Use of insecure Marshal class method detected RB-SC1003

Security
Critical

By design, load can deserialize almost any class loaded into the Ruby process. In many cases this can lead to remote code execution if the Marshal data is loaded from an untrusted source.

As a result, load is not suitable as a general purpose serialization format and you should never unmarshal user supplied input or other untrusted data.

If you need to deserialize untrusted data, use JSON or another serialization format that is only able to load simple, 'primitive' types such as String, Array, Hash, etc. Never allow user input to specify arbitrary types to deserialize into.

Bad practice

Marshal.load("{}")
Marshal.restore("{}")

Recommended

Marshal.dump("{}")

# okayish - deep copy hack
Marshal.load(Marshal.dump({}))