by woodruffw 1358 days ago
Marshal is Ruby's version of pickle in Python: it serializes arbitrary objects, which means that correct deserialization requires arbitrary code execution.

This is bad enough on its own, but it also makes pivoting a file read/write primitive into code execution much easier.

3 comments

Why the "don't use it"? Just say "use it with caution" or, since we are being rude telling people what to do whenever pickle or marshal comes up, just don't say anything and assume people know what they are doing.
I don't think I phrased that in a particularly rude way, but I'm sorry if it came across as rude.

The answer is that we have serialization techniques that are as good on all the dimensions that matter (speed, serialized size, etc.) and better in terms of security. Pickle and Marshal are, at best, footguns in otherwise very safe language ecosystems.

> The answer is that we have serialization techniques that are as good on all the dimensions that matter

I'd look at that sentence with great skepticism. What could possibly surpass a conversion to raw object representation? Do you mean libraries which require you to use protocol languages like protobuf or inheritance?

https://github.com/ruby/psych defaults to only loading permitted classes since 4.0 so that seems less of a concern now?
`psych`, used for YAML, is a different thing than Marshal. pstore uses Marshal. https://ruby-doc.org/core-2.6.3/Marshal.html. I don't believe psych will be involved with pstore.

I'm honestly not sure, though, how much I should be worried about the fact that someone who has write access to my database can maybe escalate that to an arbitrary code execution if I use pstore. Literally not sure. Write access to my DB seems pretty disastrous already...

Pickle is fine (in a pinch). It's not meant for untrusted data.
Anything is fine when the data is trusted. The problem is that the data is almost never actually trusted :-)
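
The difference the thread is arguing about, as an added example that is not part of the original discussion: `Marshal.load` runs a class's own `marshal_load` hook while decoding, whereas `YAML.safe_load` rejects a tagged Ruby object and `JSON.parse` only ever builds plain data. `AuditProbe` and the sample payloads are constructed for illustration, and the hook does nothing except record that it ran.

```ruby
require "json"
require "yaml"

# Constructed class standing in for any class already loaded in the process.
class AuditProbe
  CALLS = []

  def initialize(note)
    @note = note
  end

  def marshal_dump
    @note
  end

  # Marshal.load invokes this during decoding, before the caller gets the object back.
  def marshal_load(note)
    CALLS << note
    @note = note
  end
end

# Returns the decoded class and how many times the hook ran during this decode.
def decode_marshal(bytes)
  before = AuditProbe::CALLS.size
  obj = Marshal.load(bytes)
  [obj.class, AuditProbe::CALLS.size - before]
end

# safe_load builds only basic types unless classes are explicitly permitted.
def decode_yaml_safely(text)
  YAML.safe_load(text).class
rescue Psych::DisallowedClass
  :rejected
end

# JSON.parse yields Hash/Array/String/numbers/booleans/nil; a class name is just a string.
def decode_json(text)
  JSON.parse(text).class
end

# Constructed sample inputs: the same object in three encodings.
probe = AuditProbe.new("constructed sample")
MARSHAL_BYTES = Marshal.dump(probe)
YAML_TEXT = YAML.dump(probe) # carries a !ruby/object:AuditProbe tag
JSON_TEXT = JSON.generate("json_class" => "AuditProbe", "note" => "constructed sample")

puts decode_marshal(MARSHAL_BYTES).inspect, decode_yaml_safely(YAML_TEXT).inspect, decode_json(JSON_TEXT).inspect
```

The Marshal path has no equivalent of a permitted-classes list: whichever class the byte stream names gets its hook called, which is why the storage a Marshal-backed store reads from has to be treated as part of the code's trust boundary.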