Change from hybrid to JSON cookies serializer

JSON has been the default serializer since Rails 4.1. Hybrid serializer was meant to allow backward compatibility when upgrading pre-Rails 4.1. It's been some time since we upgraded to Rails 4.1 so now we don't need the hybrid serializer anymore. This also causes security concerns since the previous serializer was Marshal.

Change from hybrid to JSON cookies serializer
JSON has been the default serializer since Rails 4.1. Hybrid serializer was meant to allow backward compatibility when upgrading pre-Rails 4.1. It's been some time since we upgraded to Rails 4.1 so now we don't need the hybrid serializer anymore. This also causes security concerns since the previous serializer was Marshal.
65e6eb1b · Drew Blessing · GitLab Release Tools Bot · 31669d75 · 65e6eb1b · 65e6eb1b
Commit 65e6eb1b authored Jun 29, 2020 by Drew Blessing Committed by GitLab Release Tools Bot Jun 29, 2020
3 changed files
--- a/changelogs/unreleased/security-dblessing-cookie-serializer.yml
+++ b/changelogs/unreleased/security-dblessing-cookie-serializer.yml
+---
+title: Change from hybrid to JSON cookies serializer
+merge_request:
+author:
+type: security
--- a/config/initializers/cookies_serializer.rb
+++ b/config/initializers/cookies_serializer.rb
 # Be sure to restart your server when you modify this file.
 Rails.application.config.action_dispatch.use_cookies_with_metadata = true
-Rails.application.config.action_dispatch.cookies_serializer = :hybrid
+Rails.application.config.action_dispatch.cookies_serializer =
+  Gitlab::Utils.to_boolean(ENV['USE_UNSAFE_HYBRID_COOKIES']) ? :hybrid : :json
--- a/spec/initializers/cookies_serializer_spec.rb
+++ b/spec/initializers/cookies_serializer_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe 'Cookies serializer initializer' do
+  def load_initializer
+    load Rails.root.join('config/initializers/cookies_serializer.rb')
+  end
+  subject { Rails.application.config.action_dispatch.cookies_serializer }
+  it 'uses JSON serializer by default' do
+    load_initializer
+    expect(subject).to eq(:json)
+  end
+  it 'uses the unsafe hybrid serializer when the environment variables is set' do
+    stub_env('USE_UNSAFE_HYBRID_COOKIES', 'true')
+    load_initializer
+    expect(subject).to eq(:hybrid)
+  end
+end