ruby.rails.security.injection.rails-check-json-parsing-rce.rails-check-json-parsing-rce

Author
unknown
This rule is deprecated.


Definition

rules:
  - id: rails-check-json-parsing-rce
    patterns:
      - pattern: a()
      - pattern: b()
    message: This rule is deprecated.
    languages:
      - generic
    severity: WARNING
    metadata:
      cwe:
        - "CWE-74: Improper Neutralization of Special Elements in Output Used by
          a Downstream Component ('Injection')"
      owasp:
        - A03:2021 - Injection
      technology:
        - rails
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_json_parsing.rb
      category: security
      references:
        - https://nvd.nist.gov/vuln/detail/CVE-2013-0333
        - https://groups.google.com/g/rubyonrails-security/c/1h2DR63ViGo
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other

Examples

rails-check-json-parsing-rce.Gemfile

source 'https://rubygems.org'

gem 'rails', '2.3.16'

gem 'rails', '3.0.20'

gem 'rails', '~> 2.3.15'

gem 'rails', '~> 0.99.99'

gem 'rails', '~> 2.2.99'

gem 'rails', '2.3.0'

gem 'rails', '~> 2.3.0'

gem 'rails', '3.0.15'

gem 'rails', '~> 3.0.15'
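The deprecated rule above no longer detects anything: its patterns (`a()`, `b()`) are placeholders. What it was meant to flag is the Rails version check that the referenced Brakeman `check_json_parsing.rb` performs for CVE-2013-0333. The Ruby below is an added example written for this page, not Semgrep's rule and not Brakeman's code. It assumes the affected ranges stated in the CVE entry (Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20), reports a `gem 'rails'` constraint as a finding when it admits at least one affected release, and runs over the Gemfile lines from the Examples section. The function and constant names are this example's own.

```ruby
# Added example (not Semgrep's rule or Brakeman's check_json_parsing.rb):
# flag Gemfile constraints on rails that admit a release affected by
# CVE-2013-0333. Assumption: the affected ranges are taken from the CVE
# entry, 2.3.x before 2.3.16 and 3.0.x before 3.0.20.
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# [first affected, first fixed) for each affected release series.
VULNERABLE_RANGES = [
  [Gem::Version.new("2.3.0"), Gem::Version.new("2.3.16")],
  [Gem::Version.new("3.0.0"), Gem::Version.new("3.0.20")],
].freeze

# A Gemfile line declaring the rails gem; the remainder of the line is kept
# so the version constraints can be picked out of it.
GEM_LINE = /\A\s*gem\s+(?<q>['"])rails\k<q>(?<rest>.*)\z/
# Only quoted strings that look like a requirement ("2.3.16", "~> 3.0.15",
# ">= 3.1") count as constraints; a "rails/rails" github ref does not.
REQUIREMENT = /\A\s*(?:=|!=|>=|<=|>|<|~>)?\s*\d+(?:\.\d+)*\s*\z/

# Every patch level inside the affected ranges, as Gem::Version objects.
def vulnerable_candidates
  VULNERABLE_RANGES.flat_map do |lo, hi|
    major, minor, first_patch = lo.segments
    (first_patch...hi.segments[2]).map do |patch|
      Gem::Version.new("#{major}.#{minor}.#{patch}")
    end
  end
end

# Gem::Requirement for a `gem 'rails'` line, or nil for any other line.
# A bare `gem 'rails'` means "any version", which rubygems spells ">= 0".
def rails_requirement(line)
  m = GEM_LINE.match(line.rstrip) or return nil
  constraints = m[:rest].scan(/['"]([^'"]+)['"]/).flatten
                          .select { |c| c.match?(REQUIREMENT) }
  constraints.empty? ? Gem::Requirement.default : Gem::Requirement.new(constraints)
end

# Checks one line. A constraint is reported when it admits at least one
# affected release, because Bundler may resolve to that release. Checking
# the pinned version in Gemfile.lock instead would be more precise.
def check_gemfile_line(line)
  req = rails_requirement(line) or return nil
  admitted = vulnerable_candidates.select { |v| req.satisfied_by?(v) }
  {
    line: line.strip,
    requirement: req.to_s,
    vulnerable: !admitted.empty?,
    example: admitted.first&.to_s, # one affected release the constraint allows
  }
end

# Scans a whole Gemfile's text; one result per rails line, other lines skipped.
def scan_gemfile(text)
  text.each_line.map { |line| check_gemfile_line(line) }.compact
end

if __FILE__ == $PROGRAM_NAME
  # Sample input: the constraints from the Examples section of this page.
  sample = <<~GEMFILE
    source 'https://rubygems.org'
    gem 'rails', '2.3.16'
    gem 'rails', '3.0.20'
    gem 'rails', '~> 2.3.15'
    gem 'rails', '~> 0.99.99'
    gem 'rails', '~> 2.2.99'
    gem 'rails', '2.3.0'
    gem 'rails', '~> 2.3.0'
    gem 'rails', '3.0.15'
    gem 'rails', '~> 3.0.15'
  GEMFILE
  scan_gemfile(sample).each do |r|
    status = r[:vulnerable] ? "VULNERABLE (admits #{r[:example]})" : "ok"
    puts format("%-28s %s", r[:line], status)
  end
end
```

Note the difference between `'2.3.16'` (exact pin on the fixed release, not reported) and `'~> 2.3.15'` (admits 2.3.15, reported): a pessimistic constraint whose floor is an affected release is only safe once Gemfile.lock actually resolves it to 2.3.16 or later, which is why the lock file is the better input for this check in practice.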