ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection

Author: semgrep

Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.

Definition

rules:
  - id: check-unsafe-reflection
    mode: taint
    pattern-sources:
      - pattern-either:
          - pattern: |
              cookies[...]
          - patterns:
              - pattern: |
                  cookies. ... .$PROPERTY[...]
              - metavariable-regex:
                  metavariable: $PROPERTY
                  regex: (?!signed|encrypted)
          - pattern: |
              params[...]
          - pattern: |
              request.env[...]
    pattern-sinks:
      - patterns:
          - pattern: $X
          - pattern-either:
              - pattern-inside: |
                  $X.constantize
              - pattern-inside: |
                  $X. ... .safe_constantize
              - pattern-inside: |
                  const_get(...)
              - pattern-inside: |
                  qualified_const_get(...)
    message: Found user-controllable input to Ruby reflection functionality. This
      allows a remote user to influence runtime behavior, up to and including
      arbitrary remote code execution. Do not provide user-controllable input to
      reflection functionality. Do not call symbol conversion on
      user-controllable input.
    languages:
      - ruby
    severity: ERROR
    metadata:
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_unsafe_reflection.rb
      category: security
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      owasp:
        - A03:2021 - Injection
      technology:
        - ruby
        - rails
      references:
        - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails2/app/controllers/application_controller.rb
      cwe2022-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection

Examples

check-unsafe-reflection.rb

class HomeController < ApplicationController

  def unsafe_reflection # not that safe
    table = params["table"]
    # ruleid: check-unsafe-reflection
    model = table.classify.constantize
    @result = model.send(:method)
  end

  # safe
  def ok_reflection
    foo = "SomeClass"
    #ok: check-unsafe-reflection
    foo.classify.constantize
  end

  def test_more_send_methods
    User.try(params[:meth])
    self.__send__(params[:meth])
    Account.public_send(params[:meth])

    table = params["table"]
    # ruleid: check-unsafe-reflection
    table.classify.constantize.try(:meth)
  end

end
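The test app above only shows the flagged pattern. The example below is added here and is not part of the Semgrep rule or Brakeman's test application; it contrasts the unsafe `constantize`-style lookup with a hardened version that never converts request input into a constant or method name. It is plain Ruby so it runs without Rails: `User` and `Account` are constructed stand-ins for models, `Object.const_get` stands in for `constantize`, and `model_for`, `call_action`, `ALLOWED_MODELS` and `ALLOWED_ACTIONS` are names chosen for this example.

```ruby
# Added example, not code from the Semgrep rule or from Brakeman.
# Constructed stand-in models; in a Rails app these would be ActiveRecord classes.
class User
  def self.table_name; "users"; end
end

class Account
  def self.table_name; "accounts"; end
end

class UnknownModelError < StandardError; end

# UNSAFE (what the rule flags): the request value is turned straight into a
# constant. Object.const_get stands in for ActiveSupport's String#constantize;
# any loaded constant, not just a model, resolves, so a client controls which
# class the rest of the action operates on.
def unsafe_model_for(table)
  Object.const_get(table.to_s)
end

# Allowlist: the only constants a request may ever resolve to. Keys are exactly
# the strings the route accepts; values are the classes themselves, so no
# string-to-constant conversion ever touches user input.
ALLOWED_MODELS = {
  "users"    => User,
  "accounts" => Account,
}.freeze

# SAFE: the untrusted `table` value is used only as a hash key. Anything that is
# not a key is rejected before any reflection happens.
def model_for(table)
  ALLOWED_MODELS.fetch(table.to_s) do
    raise UnknownModelError, "model not permitted: #{table.inspect}"
  end
end

# The same approach for `send(params[:meth])`: a fixed set of method names is
# checked before public_send is called, instead of converting input to a symbol.
ALLOWED_ACTIONS = %w[table_name].freeze

def call_action(model, action)
  action = action.to_s
  unless ALLOWED_ACTIONS.include?(action)
    raise ArgumentError, "action not permitted: #{action.inspect}"
  end
  model.public_send(action)
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_model_for("Kernel")          # resolves Kernel: input picked the class
  puts call_action(model_for("users"), "table_name")
  begin
    model_for("Kernel")
  rescue UnknownModelError => e
    puts "rejected: #{e.message}"
  end
end
```

In a Rails controller the same shape applies: `ALLOWED_MODELS.fetch(params["table"])` keeps the taint flow out of `constantize` entirely, so the rule has no sink to report and an unexpected value fails closed with an exception you can map to a 400 or 404.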