ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation
semgrep
Author
unknown
This gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn't intend them to. Do not use user input as a session key.
Definition
rules:
  - id: avoid-session-manipulation
    metadata:
      shortDescription: Allowing an attacker to manipulate the session may lead to unintended behavior.
      tags:
        - security
      owasp:
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-276: Incorrect Default Permissions"
      references:
        - https://brakemanscanner.org/docs/warning_types/session_manipulation/
      category: security
      technology:
        - rails
      help: >
        ## Remediation
        Session manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.
        ## References
        [Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    message: This gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn't intend them to. Do not use user input as a session key.
    languages:
      - ruby
    severity: WARNING
    mode: taint
    pattern-sources:
      - pattern: params
      - pattern: cookies
      - pattern: request.env
    pattern-sinks:
      - pattern: session[...]
Examples
avoid-session-manipulation.rb
# Direct flow: the request parameter is used as the session key.
# ruleid: avoid-session-manipulation
id = session[params[:uid]]
# Indirect flow: taint mode follows the parameter through the local
# variable, so this is flagged as well.
uid = params[:uid]
# ruleid: avoid-session-manipulation
id = session[uid]
# Not flagged: user_id is not derived from params, cookies or request.env.
# ok: avoid-session-manipulation
id = session[user_id]
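The remediation text above explains why a request-controlled session key is dangerous but does not show what an attacker actually gains. The following is an added example, not part of the Semgrep rule or of Brakeman: a plain-Ruby stand-in for a Rails session hash with one read and one write in the shape the rule flags, next to a hardened read where request input only selects from an application-controlled allowlist. The session contents, the `key` parameter name and the `EXPOSABLE_KEYS` mapping are constructed for the illustration.

```ruby
# Constructed stand-in for a Rails session; the values are made up but the
# keys (user_id, _csrf_token) are the kind of thing Rails apps keep there.
SAMPLE_SESSION = {
  "user_id"     => 42,
  "_csrf_token" => "constructed-csrf-token-value",
  "return_to"   => "/dashboard",
}.freeze

# Vulnerable read: the session key comes verbatim from the request, so a
# caller can pull out any stored value, including the CSRF token. This is
# the `session[params[:uid]]` shape the rule matches.
def session_read_vulnerable(session, params)
  session[params["key"]]
end

# Vulnerable write: the same pattern on the left-hand side of an assignment
# lets the caller overwrite whichever key they name, e.g. user_id, which is
# how "manipulating the session" turns into acting as another user.
def session_write_vulnerable(session, params, value)
  session[params["key"]] = value
  session
end

# Hardened read: request input is only a selector into a fixed allowlist
# (hypothetical mapping); the real session key never comes from the user.
EXPOSABLE_KEYS = {
  "profile"  => "user_id",
  "redirect" => "return_to",
}.freeze

def session_read_hardened(session, params)
  real_key = EXPOSABLE_KEYS[params["key"]]
  return nil if real_key.nil?
  session[real_key]
end

if __FILE__ == $PROGRAM_NAME
  attacker_params = { "key" => "_csrf_token" }
  p session_read_vulnerable(SAMPLE_SESSION, attacker_params)
  p session_read_hardened(SAMPLE_SESSION, attacker_params)
  p session_write_vulnerable(SAMPLE_SESSION.dup, { "key" => "user_id" }, 1)
end
```

The hardened form is what the rule's "ok" case looks like in practice: `session[user_id]` only passes because `user_id` is a name the application chose, and the allowlist keeps that property even when the choice is driven by a request parameter.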
Short Link: https://sg.run/86q7