require 'brakeman/checks/base_check'

# Checks for string interpolation and parameters in calls to
# String#constantize, String#safe_constantize, Module#const_get and
# Module#qualified_const_get.
#
# Each of these turns a string into a constant lookup, so a name that a
# client can influence lets the client pick which class or module the
# application ends up operating on; that is why a hit is reported under
# the "Remote Code Execution" warning type rather than as a lesser finding.
#
# Exploit examples at: http://blog.conviso.com.br/2013/02/exploiting-unsafe-reflection-in.html
class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Checks for Unsafe Reflection"

  # Methods whose receiver (String#...) or first argument (Module#...) is
  # resolved to a constant.
  REFLECTION_METHODS = [:constantize, :safe_constantize, :const_get, :qualified_const_get].freeze

  # Label used in the warning message for each recognised source of tainted
  # input; anything else is reported generically as "user input".
  INPUT_LABELS = {
    :params  => "parameter value",
    :cookies => "cookies value",
    :request => "request value",
    :model   => "model attribute"
  }.freeze

  # Entry point: find every (possibly nested) call to a reflection method
  # and examine it.
  def run_check
    tracker.find_call(:methods => REFLECTION_METHODS, :nested => true).each do |result|
      check_unsafe_reflection result
    end
  end

  # Warn when the name handed to a reflection method is, or contains, user
  # input. Confidence is high when the expression *is* user input and medium
  # when user input only appears somewhere inside it.
  def check_unsafe_reflection result
    return if duplicate? result
    add_result result

    call = result[:call]
    method = call.method
    input, confidence = classify_input(reflected_name_for(call))
    return unless confidence

    label = INPUT_LABELS.fetch(input.type, "user input")
    message = "Unsafe Reflection method #{method} called with #{label}"

    warn :result => result,
      :warning_type => "Remote Code Execution",
      :warning_code => :unsafe_constantize,
      :message => message,
      :user_input => input.match,
      :confidence => confidence
  end

  private

  # The expression that becomes the constant name: the receiver for
  # String#constantize / #safe_constantize, the first argument otherwise.
  def reflected_name_for call
    if [:constantize, :safe_constantize].include? call.method
      call.target
    else
      call.first_arg
    end
  end

  # Returns [input, confidence] for the given expression, or [nil, nil]
  # when no user input is involved.
  def classify_input arg
    if (input = has_immediate_user_input?(arg))
      [input, CONFIDENCE[:high]]
    elsif (input = include_user_input?(arg))
      [input, CONFIDENCE[:med]]
    else
      [nil, nil]
    end
  end
end