ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request

Author
unknown

Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.

Definition

rules:
  - id: avoid-tainted-http-request
    metadata:
      owasp:
        - A10:2021 - Server-Side Request Forgery (SSRF)
      cwe:
        - "CWE-918: Server-Side Request Forgery (SSRF)"
      references:
        - https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown
      category: security
      technology:
        - rails
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      impact: MEDIUM
      likelihood: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Server-Side Request Forgery (SSRF)
    message: Using user input when accessing files is potentially dangerous. A
      malicious actor could use this to modify or access files they have no
      right to.
    languages:
      - ruby
    severity: WARNING
    mode: taint
    pattern-sources:
      - pattern: params
      - pattern: cookies
      - pattern: request.env
    pattern-sinks:
      - pattern-either:
          - patterns:
              - pattern: Net::HTTP::$METHOD.new(...)
              - metavariable-pattern:
                  metavariable: $METHOD
                  patterns:
                    - pattern-either:
                        - pattern: Copy
                        - pattern: Delete
                        - pattern: Get
                        - pattern: Head
                        - pattern: Lock
                        - pattern: Mkcol
                        - pattern: Move
                        - pattern: Options
                        - pattern: Patch
                        - pattern: Post
                        - pattern: Propfind
                        - pattern: Proppatch
                        - pattern: Put
                        - pattern: Trace
                        - pattern: Unlock
          - patterns:
              - pattern: Net::HTTP.$X(...)
              - metavariable-pattern:
                  metavariable: $X
                  patterns:
                    - pattern-either:
                        - pattern: get
                        - pattern: get2
                        - pattern: head
                        - pattern: head2
                        - pattern: options
                        - pattern: patch
                        - pattern: post
                        - pattern: post2
                        - pattern: post_form
                        - pattern: put
                        - pattern: request
                        - pattern: request_get
                        - pattern: request_head
                        - pattern: request_post
                        - pattern: send_request
                        - pattern: trace
                        - pattern: get_print
                        - pattern: get_response
                        - pattern: start

Examples

avoid-tainted-http-request.rb

# Semgrep test file for the rule: lines marked `ruleid:` must be flagged by
# avoid-tainted-http-request, lines marked `ok:` must not. `params` is the
# Rails controller params hash, so `foo` is assumed to live in a controller.
require 'net/http'
require 'uri'

def foo

  url = params[:url]
  # ruleid: avoid-tainted-http-request
  Net::HTTP.get(url, "/index.html")

  # ruleid: avoid-tainted-http-request
  Net::HTTP.get_response(URI(params[:url]))

  uri = URI(params[:url])
  # ruleid: avoid-tainted-http-request
  Net::HTTP.post(uri, "")

  # ruleid: avoid-tainted-http-request
  Net::HTTP.post_form(URI(params[:url]), {})

  uri = URI(params[:server])
  # ruleid: avoid-tainted-http-request
  req = Net::HTTP::Get.new uri

  # ruleid: avoid-tainted-http-request
  Net::HTTP.start(uri.host, uri.port) do |http|
    # ruleid: avoid-tainted-http-request
    req = Net::HTTP::Get.new uri
    resp = http.request req
  end

  # ruleid: avoid-tainted-http-request
  Net::HTTP::Get.new(params[:url])

  # ruleid: avoid-tainted-http-request
  Net::HTTP::Post.new(URI(params[:url]))

  # ok: avoid-tainted-http-request
  Net::HTTP.get("example.com", "/index.html")

  # A URI without a scheme is not a URI::HTTP and Net::HTTP::Get.new would
  # raise on it, so the constant URL carries its scheme.
  uri = URI("http://example.com/index.html")
  # ok: avoid-tainted-http-request
  Net::HTTP::Get.new(uri)

end
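As an added example (not part of the semgrep rule or its test file above), here is an allowlist check a Rails application could place between `params[:url]` and the `Net::HTTP` sinks the rule lists. `ALLOWED_HOSTS`, `validated_uri`, `build_get_request` and `allowed_url?` are names chosen for this example.

```ruby
require 'net/http'
require 'uri'

# Hosts this application is allowed to contact. Constructed for this example;
# a real deployment would load the list from configuration, not from the request.
ALLOWED_HOSTS = %w[api.example.com cdn.example.com].freeze

# Validate an untrusted URL string (for example params[:url]) and return a URI
# that is safe to hand to Net::HTTP. Raises ArgumentError on anything else, so
# the only URIs that reach the HTTP sink are ones that passed the allowlist.
def validated_uri(untrusted)
  uri = URI.parse(untrusted.to_s)
  # URI::HTTPS is a subclass of URI::HTTP, so this accepts http and https only;
  # schemes like ftp or file fall through to the error.
  raise ArgumentError, "only http/https allowed" unless uri.is_a?(URI::HTTP)
  raise ArgumentError, "host missing" if uri.host.nil? || uri.host.empty?
  # Reject embedded credentials rather than trying to strip them.
  raise ArgumentError, "userinfo not allowed" if uri.userinfo
  # Exact match on the downcased host: no prefix or substring checks, so
  # "api.example.com.attacker.test" does not pass.
  host = uri.host.downcase
  raise ArgumentError, "host #{host} not in allowlist" unless ALLOWED_HOSTS.include?(host)
  uri
end

# Build the request object the rule treats as a sink, but only from a validated
# URI. The request is returned without being sent, so this runs offline.
def build_get_request(untrusted)
  uri = validated_uri(untrusted)
  Net::HTTP::Get.new(uri)
end

# Yes/no wrapper around validated_uri for callers that only need a decision.
def allowed_url?(untrusted)
  validated_uri(untrusted)
  true
rescue ArgumentError, URI::InvalidURIError
  false
end
```

Because the rule above defines no pattern-sanitizers, taint still flows from `params` through `validated_uri` into the `Net::HTTP::Get.new` sink and the call would still be reported; a project using this pattern would register the validator as a sanitizer in its copy of the rule rather than silence the finding.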