2.4.1. Marshal.load

Marshal.dump and Marshal.load can serialize and deserialize most Ruby classes. If an application deserializes data from an untrusted source, an attacker can abuse this to execute arbitrary code, because the input itself decides which classes are instantiated and which of their load hooks run. Therefore, Marshal.load is not suitable most of the time and should never be used on data from an untrusted source.
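The following is an added example, not code from this guide: it shows the defensive pattern the section calls for, reading untrusted input (here a session-like payload) through JSON.parse with an explicit key and type check instead of Marshal.load, and flagging any Marshal-format blob that arrives over the untrusted channel. The ALLOWED_KEYS schema and the sample inputs are constructed for the demo.

```ruby
require 'json'

# Marshal's serialized form starts with a two-byte format version header
# (major 4, minor 8 on every current Ruby). Recognising it lets a defender
# log or reject Marshal blobs that show up on an untrusted channel.
MARSHAL_MAGIC = "\x04\x08".b

def marshal_blob?(data)
  data.b.start_with?(MARSHAL_MAGIC)
end

# Plain-data alternative: JSON.parse only yields strings, numbers, booleans,
# nil, arrays and hashes. No application class is instantiated from the
# input, so there is no load hook for an attacker to reach.
# (Use JSON.parse, not JSON.load: JSON.load enables json_class additions,
# which again lets the input pick classes.)
ALLOWED_KEYS = %w[user_id theme].freeze  # hypothetical schema for the demo

def safe_load_session(raw)
  raise ArgumentError, 'Marshal data rejected from untrusted source' if marshal_blob?(raw)

  data = JSON.parse(raw)
  raise ArgumentError, 'expected a JSON object' unless data.is_a?(Hash)

  unexpected = data.keys - ALLOWED_KEYS
  raise ArgumentError, "unexpected keys: #{unexpected.join(', ')}" unless unexpected.empty?
  raise ArgumentError, 'user_id must be an Integer' unless data['user_id'].is_a?(Integer)

  data
end

# Constructed sample inputs.
TRUSTED_JSON  = '{"user_id": 42, "theme": "dark"}'
MARSHAL_INPUT = Marshal.dump({ 'user_id' => 42 })  # what a Marshal-based app would have read

if __FILE__ == $PROGRAM_NAME
  p safe_load_session(TRUSTED_JSON)
  begin
    safe_load_session(MARSHAL_INPUT)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```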