Improper control of generation of code ('Code Injection')
Description
The application was found calling a reflection method with user-controllable input. Reflection in Ruby (for example `send`, `public_send`, `Object.const_get`, `instance_variable_get`/`instance_variable_set`, `define_method` and `method`) allows a program to examine and modify its own structure and behavior at runtime. When a user-supplied string selects the class, method or variable name handed to one of these methods, the caller can reach code the application never meant to expose, up to invoking methods that run shell commands or evaluate code, so the weakness can lead to arbitrary code execution.
Examples
Insecure Code
```ruby
# User input directly used with reflection methods
```
Secure Code
```ruby
class SafeClassHandler
  ALLOWED_CLASSES = {
    'user' => User,
    'product' => Product
  }.freeze

  def self.handle_class_action(class_key)
    klass = ALLOWED_CLASSES[class_key]
    raise ArgumentError, "Invalid class key" unless klass
    klass.some_method
  end
end
```
Remediation
Do not pass user-controllable input to reflection methods. Treat the input as an opaque key and resolve it through an allowlist of permitted classes and methods (an indirect reference), rejecting anything not in the list rather than attempting to sanitize the string. Where a method name must still be chosen dynamically, prefer `public_send` over `send` so that private methods stay unreachable, but treat this as a second line of defense, not as a substitute for the allowlist.
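As an added illustration (not part of the rule page's own examples), the following Ruby shows the vulnerable pattern this rule flags beside the allowlist fix described above. `User`, `Product`, `unsafe_dispatch` and `safe_dispatch` are stand-in names defined here for the example:

```ruby
# Added example, not code from the rule page. User and Product are stand-in
# classes; a real application would have its own models.

class User
  def self.count; 3; end
  # A destructive operation that must never be reachable from a request.
  def self.destroy_all; raise "would delete every user"; end
  private_class_method :destroy_all
end

class Product
  def self.count; 7; end
end

# Insecure (hypothetical handler): the caller names both the constant and the
# method. Object.const_get resolves any loaded constant ('Kernel', 'File', ...)
# and send ignores visibility, so even the private destroy_all is reachable.
def unsafe_dispatch(class_name, method_name)
  Object.const_get(class_name).send(method_name)
end

# Hardened (hypothetical handler): input is only a key into frozen allowlists.
# The raw string never reaches a reflection method, and public_send keeps
# private methods out of reach as a second line of defense.
ALLOWED_CLASSES = { 'user' => User, 'product' => Product }.freeze
ALLOWED_METHODS = %w[count].freeze

def safe_dispatch(class_key, method_key)
  klass = ALLOWED_CLASSES.fetch(class_key) { raise ArgumentError, "unknown class key" }
  raise ArgumentError, "unknown method key" unless ALLOWED_METHODS.include?(method_key)
  klass.public_send(method_key)
end
```

With `unsafe_dispatch`, the pair `'User'`/`'destroy_all'` reaches the private destructive method, and nothing prevents a caller from naming `'Kernel'` and `'system'` to run a shell command. `safe_dispatch` only accepts the exact allowlisted keys, so `'User'` (different case), `'Kernel'` and `'destroy_all'` are all rejected before any reflection call happens.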
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0545 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-94 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | code injection, reflection |
| OWASP | A1:2017-Injection, A03:2021-Injection |