
I want to serialize and deserialize models that contain user input. Marshal is a serialization library built into Ruby.

By design, ::load can deserialize almost any class loaded into the Ruby process. In many cases this can lead to remote code execution if the Marshal data is loaded from an untrusted source.

As a result, ::load is not suitable as a general purpose serialization format and you should never unmarshal user supplied input or other untrusted data.

If you need to deserialize untrusted data, use JSON or another serialization format that is only able to load simple, 'primitive' types such as String, Array, Hash, etc. Never allow user input to specify arbitrary types to deserialize into.

https://ruby-doc.org/core-2.6.3/Marshal.html#module-Marshal-label-Security+considerations

Does this mean that

a) Marshal.load(ActiveRecord model including fields with user input) and Marshal.load(Marshal.dump(ActiveRecord model including fields with user input)) are both unsafe

or just that

b) Marshal.load(ActiveRecord model including fields with user input) is unsafe?

Is it safe to deserialize data with Marshal that was serialized with Marshal, or could I end up serializing a malicious string and deserializing into another type entirely?


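An added example (not part of the question above) illustrating the distinction the question draws: a string field inside an object you dumped yourself stays a String after `Marshal.load(Marshal.dump(obj))`, whereas handing `Marshal.load` bytes that a user controls yields whatever those bytes encode. `Comment` is a hypothetical stand-in for an ActiveRecord model, and the HMAC envelope is one assumed way to prove dumped bytes have not been replaced before they are loaded.

```ruby
require "openssl"

# Hypothetical stand-in for an ActiveRecord model whose fields hold user input.
class Comment
  attr_reader :author, :body
  def initialize(author, body)
    @author = author
    @body = body
  end
end

# Constructed user input that happens to be exactly Marshal.dump([]).
USER_BODY = "\x04\b[\x00".b

def round_trip(obj)
  Marshal.load(Marshal.dump(obj))
end

# Case (a): the object was dumped by us; the user string is data, not structure.
def round_trip_preserves_types?
  copy = round_trip(Comment.new("alice", USER_BODY))
  copy.is_a?(Comment) && copy.body.is_a?(String) && copy.body == USER_BODY
end

# Case (b): the bytes themselves come from the user, so the user decides the type.
def load_raw_user_bytes
  Marshal.load(USER_BODY)
end

# Constant-time comparison so tag verification does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# When dumped bytes cross a trust boundary (cookie, cache, queue), attach an HMAC
# so that only blobs we produced are ever passed to Marshal.load.
def sign(blob, key)
  OpenSSL::HMAC.hexdigest("SHA256", key, blob) + "--" + [blob].pack("m0")
end

def verify_and_load(envelope, key)
  tag, encoded = envelope.split("--", 2)
  raise "invalid envelope" if encoded.nil?
  blob = encoded.unpack1("m0")
  expected = OpenSSL::HMAC.hexdigest("SHA256", key, blob)
  raise "invalid signature" unless secure_equal?(tag, expected)
  Marshal.load(blob)
end
```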