Arachni - Web Application Security Scanner Framework / arachni / Issues / #391 (Closed)

Issue created Sep 22, 2013 by Administrator (@root)

Make MessagePack the default serialization format for RPC

Created by: Zapotek

Should be simple enough:

  • Objects which are to be serialized should respond to:
    • #to_msgpack -- Converts the object's data to a MessagePack-serialized Hash.
      • The Hash should contain a _rubyclass key (or something), holding the class-name of the serialized object.
    • .from_msgpack -- Restores the object from the unserialized Hash data. Also serves as a de facto whitelist.
    • Optionally, to make the design cleaner, it may be a good idea for the objects to also respond to:
      • #to_hash
      • .from_hash -- .from_msgpack can be its alias.
  • Add:
    • MessagePack.dump -- Delegates to the object's #to_msgpack.
    • MessagePack.load -- Unserializes the #to_msgpack data and passes them to the appropriate object's .from_msgpack.
  • Pass MessagePack as the serializer to Arachni::RPC::Client::Base and Arachni::RPC::Server::Base.

Why

Current favorite is Marshal, with YAML as an automatic fallback to help with interoperability. In this case, Marshal is the compact, fast one (but only available in Ruby) and YAML is the globally available one; it is, however, bulky and slow.

Marshal is far from safe as it can load arbitrary language objects, which can sometimes lead to RCE vulnerabilities. Even though RPC clients with access to Arachni's RPC facilities are considered trusted entities, this is just plain wrong.

MessagePack however covers all the bases by being:

  • Safe
  • Fast
  • Compact
  • Available in most common (and even some uncommon) languages.

References:

  • MessagePack
  • msgpack-ruby
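Worked example of the design sketched above (added here; it is not part of the issue and not Arachni's code): each serializable object implements #to_hash and .from_hash, the serializer tags the Hash with a `_rubyclass` key, and the loader only hands the Hash to classes that were explicitly registered, so an unregistered class name in the payload is refused before anything is instantiated. Marshal is shown alongside for contrast, restoring an unregistered class with no check at all. The names SafeSerializer, ScanOptions and Unregistered are assumptions for illustration, and the example falls back to JSON when the msgpack-ruby gem is not installed, since the whitelist logic does not depend on the wire encoding.

```ruby
# Added example, not Arachni's code: whitelist-based (de)serialization per the
# design in this issue. SafeSerializer, ScanOptions and Unregistered are
# assumed names; msgpack-ruby is used if present, JSON stands in otherwise.
require 'json'
begin
  require 'msgpack' # msgpack-ruby gem (MessagePack.pack / MessagePack.unpack)
rescue LoadError
  # Fallback to JSON below; the whitelist logic is identical either way.
end

module SafeSerializer
  CLASS_KEY = '_rubyclass'.freeze

  # The whitelist: only classes registered here can ever be restored.
  REGISTRY = {}

  def self.register(klass)
    REGISTRY[klass.name] = klass
  end

  # Delegates to the object's #to_hash and tags the Hash with its class name.
  def self.dump(obj)
    unless REGISTRY[obj.class.name] && obj.respond_to?(:to_hash)
      raise TypeError, "#{obj.class} is not a registered serializable class"
    end
    encode(obj.to_hash.merge(CLASS_KEY => obj.class.name))
  end

  # Decodes the Hash and hands it to the registered class's .from_hash.
  # An unregistered class name is refused before any object is created.
  def self.load(data)
    h = decode(data)
    raise SecurityError, 'payload is not a Hash' unless h.is_a?(Hash)
    name = h.delete(CLASS_KEY)
    klass = REGISTRY[name]
    raise SecurityError, "refusing to restore unregistered class #{name.inspect}" unless klass
    klass.from_hash(h)
  end

  # True if the payload restores cleanly, false if the whitelist or the
  # class's own shape validation rejects it.
  def self.restorable?(data)
    load(data)
    true
  rescue SecurityError, ArgumentError
    false
  end

  def self.encode(hash)
    defined?(MessagePack) ? MessagePack.pack(hash) : JSON.generate(hash)
  end

  def self.decode(data)
    defined?(MessagePack) ? MessagePack.unpack(data) : JSON.parse(data)
  end
end

class ScanOptions
  attr_reader :url, :checks

  def initialize(url, checks)
    @url = url
    @checks = checks
  end

  def to_hash
    { 'url' => @url, 'checks' => @checks }
  end

  # .from_hash is also where the shape of what came off the wire is validated.
  def self.from_hash(h)
    url, checks = h['url'], h['checks']
    raise ArgumentError, 'url must be a String' unless url.is_a?(String)
    unless checks.is_a?(Array) && checks.all? { |c| c.is_a?(String) }
      raise ArgumentError, 'checks must be an Array of Strings'
    end
    new(url, checks)
  end
end
SafeSerializer.register(ScanOptions)

# Deliberately NOT registered with SafeSerializer.
class Unregistered
  attr_reader :note
  def initialize(note = 'restored without any check')
    @note = note
  end
end

# Constructed payloads: a legitimate one, and a forged one naming a class
# that was never whitelisted.
LEGIT  = SafeSerializer.dump(ScanOptions.new('http://example.com/', %w[xss sqli]))
FORGED = SafeSerializer.encode(SafeSerializer::CLASS_KEY => 'Unregistered', 'note' => 'x')

if __FILE__ == $PROGRAM_NAME
  puts Marshal.load(Marshal.dump(Unregistered.new)).class # Unregistered (no whitelist)
  puts SafeSerializer.load(LEGIT).url                     # http://example.com/
  puts SafeSerializer.restorable?(FORGED)                 # false
end
```

The registry plus the per-class `.from_hash` are what make this safe: the loader never calls `Object.const_get` on a name taken from the payload, and a registered class still gets to reject a Hash whose fields have the wrong types, so a tampered payload can neither pick a class nor smuggle unexpected values into a legitimate one.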