Improper control of generation of code ('Code Injection')
Description
The application was found invoking methods dynamically in Ruby through `Object#send`, `Object#public_send`, or ActiveSupport's `Object#try`, with the method name derived from request input. When the name (and often the arguments) comes from an untrusted source, an attacker can choose which method runs on the receiver: `send` ignores visibility, so it reaches private methods, including the `Kernel` methods mixed into every object such as `eval`, `system`, and `exec`; `public_send` and `try` respect visibility but still reach any public method, including `instance_eval` and `instance_exec`. The result ranges from arbitrary method execution to full arbitrary code execution.
Examples
Insecure Code
```ruby
# Pattern flagged by the rule. $PARAM and $MOD are placeholders for the
# user-controlled method name and the receiver it is invoked on.
$PARAM = params[:method]
$RES = $MOD.send($PARAM)
```
Secure Code
```ruby
# Only a fixed set of method names may be invoked; anything else is rejected
# before any dynamic call happens. public_send is used so that private methods
# stay unreachable even if the allowlist is later extended carelessly.
method_name = params[:method].to_sym
allowed_methods = [:allowed_method_1, :allowed_method_2, :safe_method]
if allowed_methods.include?(method_name)
  result = object.public_send(method_name)
else
  raise "Unauthorized method call"
end
```
Remediation
Never let untrusted input choose the method name passed to `send`, `public_send`, or `try`. Map user-facing action names to a fixed allowlist of method symbols (or to explicit conditional branches) and reject anything not in that list before the call is made. Switching from `send` to `public_send` on its own is not a fix: it blocks private methods such as `Kernel#system` and `Kernel#eval`, but a caller who also controls the arguments can still reach public methods like `instance_eval`. Treat the arguments with the same suspicion as the method name.
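The following is an added example, not code from the rule page or the referenced projects; the `ReportService` class, the action names and the attacker input are constructed here. It shows what each dispatcher reaches when the method name comes from a request: `send` calls a private method and the private `Kernel#eval`, `public_send` refuses the private method but still evaluates a string through the public `instance_eval`, and the allowlist dispatcher rejects anything outside its fixed map before any dynamic call is made.

```ruby
# Constructed service object: two intended actions and one method that
# must never be callable from a request.
class ReportService
  def summary
    "summary"
  end

  def export
    "export"
  end

  private

  def drop_all_tables
    "tables dropped"
  end
end

# Vulnerable dispatcher: method name (and arguments) straight from user input.
# send ignores visibility, so private methods and Kernel#eval are reachable.
def dispatch_unsafe(target, name, *args)
  target.send(name, *args)
end

# Partially hardened: public_send respects visibility, but any public method,
# including BasicObject#instance_eval, is still reachable.
def dispatch_public(target, name, *args)
  target.public_send(name, *args)
end

# Hardened dispatcher: user-facing action names map to a frozen set of method
# symbols; unknown names are rejected before any dynamic invocation happens.
ALLOWED_ACTIONS = {
  "summary" => :summary,
  "export"  => :export,
}.freeze

class UnauthorizedAction < StandardError; end

def dispatch_safe(target, name, *args)
  sym = ALLOWED_ACTIONS.fetch(name.to_s) do
    raise UnauthorizedAction, "unknown action: #{name.inspect}"
  end
  target.public_send(sym, *args)
end

if __FILE__ == $0
  svc = ReportService.new

  # Constructed attacker input, as it might arrive in params[:method].
  puts dispatch_unsafe(svc, "drop_all_tables")        # private method reached
  puts dispatch_unsafe(svc, "eval", "6*7")            # Kernel#eval reached: 42

  begin
    dispatch_public(svc, "drop_all_tables")
  rescue NoMethodError => e
    puts "public_send refused: #{e.message}"
  end
  puts dispatch_public(svc, "instance_eval", "6*7")   # still code execution: 42

  puts dispatch_safe(svc, "summary")                  # allowed action
  begin
    dispatch_safe(svc, "eval", "6*7")
  rescue UnauthorizedAction => e
    puts "allowlist refused: #{e.message}"
  end
end
```

The allowlist is keyed by the external action name rather than by a method symbol, so the request never names a Ruby method at all; renaming or adding a method on `ReportService` cannot widen what a request can reach without an explicit change to `ALLOWED_ACTIONS`.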
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0540 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-94 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | code injection, ruby |
| OWASP | A1:2017-Injection, A03:2021-Injection |
References
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/no-send.yaml
- https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html