ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection
semgrep
Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.
Definition
rules:
  - id: check-unsafe-reflection
    mode: taint
    pattern-sources:
      - pattern-either:
          - pattern: |
              cookies[...]
          - patterns:
              - pattern: |
                  cookies. ... .$PROPERTY[...]
              - metavariable-regex:
                  metavariable: $PROPERTY
                  regex: (?!signed|encrypted)
          - pattern: |
              params[...]
          - pattern: |
              request.env[...]
    pattern-sinks:
      - patterns:
          - pattern: $X
          - pattern-either:
              - pattern-inside: |
                  $X.constantize
              - pattern-inside: |
                  $X. ... .safe_constantize
              - pattern-inside: |
                  const_get(...)
              - pattern-inside: |
                  qualified_const_get(...)
    message: Found user-controllable input to Ruby reflection functionality. This
      allows a remote user to influence runtime behavior, up to and including
      arbitrary remote code execution. Do not provide user-controllable input to
      reflection functionality. Do not call symbol conversion on
      user-controllable input.
    languages:
      - ruby
    severity: ERROR
    metadata:
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_unsafe_reflection.rb
      category: security
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      owasp:
        - A03:2021 - Injection
      technology:
        - ruby
        - rails
      references:
        - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails2/app/controllers/application_controller.rb
      cwe2022-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
Examples
check-unsafe-reflection.rb
class HomeController < ApplicationController
  def unsafe_reflection # not that safe
    table = params["table"]
    # ruleid: check-unsafe-reflection
    model = table.classify.constantize
    @result = model.send(:method)
  end

  # safe
  def ok_reflection
    foo = "SomeClass"
    # ok: check-unsafe-reflection
    foo.classify.constantize
  end

  def test_more_send_methods
    User.try(params[:meth])
    self.__send__(params[:meth])
    Account.public_send(params[:meth])
    table = params["table"]
    # ruleid: check-unsafe-reflection
    table.classify.constantize.try(:meth)
  end
end
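The fix the rule message asks for is to stop the tainted string from ever reaching `constantize`, `const_get` or `send`. The following is an added example, not code from the Semgrep rule or from Brakeman: it replaces the `params["table"].classify.constantize` flow above with an explicit allowlist lookup, written in plain Ruby so it runs without Rails. `User`, `Account`, `REFLECTION_ALLOWLIST`, `PERMITTED_METHODS`, `resolve_model` and `call_permitted` are constructed names.

```ruby
# Constructed stand-ins for ActiveRecord models (assumption: in a Rails app
# these would inherit from ActiveRecord::Base).
class User
  def self.table_name; "users"; end
end

class Account
  def self.table_name; "accounts"; end
end

class UnknownResource < StandardError; end

# Explicit mapping from the values a client may send to the classes they are
# allowed to reach. The user string is only ever used as a hash key, so it can
# never be turned into an arbitrary constant name.
REFLECTION_ALLOWLIST = {
  "users"    => User,
  "accounts" => Account
}.freeze

# Hardened counterpart of `params["table"].classify.constantize`: the taint
# path the rule looks for no longer exists because no reflection call sees
# the request value; anything outside the allowlist raises.
def resolve_model(table_param)
  REFLECTION_ALLOWLIST.fetch(table_param.to_s) do |key|
    raise UnknownResource, "table not permitted: #{key.inspect}"
  end
end

# Same idea for the `send` / `public_send` / `try` sinks in the example: the
# caller may only choose from a fixed set of method names, and the request
# string is never converted to a Symbol before it has matched the allowlist.
PERMITTED_METHODS = %w[table_name].freeze

def call_permitted(model, meth_param)
  meth = PERMITTED_METHODS.find { |m| m == meth_param.to_s }
  raise UnknownResource, "method not permitted: #{meth_param.inspect}" if meth.nil?
  model.public_send(meth)
end

# Usage: resolve_model("users") -> User; resolve_model("kernel") raises.
puts call_permitted(resolve_model("users"), "table_name") if $PROGRAM_NAME == __FILE__
```

Because the allowlist is a constant hash, the Semgrep rule above no longer matches: `params[...]` flows into `fetch`, not into a reflection sink.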
Short Link: https://sg.run/vpEX