Sha256: 26fff3326a8f18e7c427a161b40d0b5711d2348d6c9dce8a5f5ec53e0c4a56f0
Contents?: true
Size: 1.41 KB
Versions: 2
Compression:
Stored size: 1.41 KB
Contents
require 'railroader/checks/base_check'
# Checks for string interpolation and parameters in calls to
# String#constantize, String#safe_constantize, Module#const_get and Module#qualified_const_get.
#
# Exploit examples at: http://blog.conviso.com.br/exploiting-unsafe-reflection-in-rubyrails-applications/
class Railroader::CheckUnsafeReflection < Railroader::BaseCheck
Railroader::Checks.add self
@description = "Checks for unsafe reflection"
def run_check
reflection_methods = [:constantize, :safe_constantize, :const_get, :qualified_const_get]
tracker.find_call(:methods => reflection_methods, :nested => true).each do |result|
check_unsafe_reflection result
end
end
def check_unsafe_reflection result
return unless original? result
call = result[:call]
method = call.method
case method
when :constantize, :safe_constantize
arg = call.target
else
arg = call.first_arg
end
if input = has_immediate_user_input?(arg)
confidence = :high
elsif input = include_user_input?(arg)
confidence = :medium
end
if confidence
message = "Unsafe reflection method #{method} called with #{friendly_type_of input}"
warn :result => result,
:warning_type => "Remote Code Execution",
:warning_code => :unsafe_constantize,
:message => message,
:user_input => input,
:confidence => confidence
end
end
end
Version data entries
2 entries across 2 versions & 1 rubygems
| Version | Path |
|---|---|
| railroader-4.3.8 | lib/railroader/checks/check_unsafe_reflection.rb |
| railroader-4.3.7 | lib/railroader/checks/check_unsafe_reflection.rb |