Improper control of generation of code ('Code Injection')
Description
The application calls a reflection method (such as Ruby's `send` or `public_send`, or a method-name-to-proc conversion) with a method name taken from user-controllable input. Because the name is resolved at run time, whoever controls the input chooses which method executes, which can alter program behavior and, depending on the methods reachable on the receiver, lead to execution of arbitrary code. `send` in particular ignores visibility and can invoke private methods. Reflection is powerful, but a method name derived from input must be validated against a fixed set of allowed values before it is used; escaping or "sanitizing" the string is not sufficient.
Examples
Insecure Code
```ruby
# The request parameter is passed straight to send, so the caller picks any method,
# public or private, on my_object.
user_method = params[:method_name]
my_object.send(user_method)
```
Secure Code
```ruby
# Only names on the allowlist reach public_send; everything else is rejected first.
user_method = params[:method_name]
allowed_methods = ['safe_method_1', 'safe_method_2']
if allowed_methods.include?(user_method)
  my_object.public_send(user_method)
else
  raise 'Unauthorized method access'
end
```
Remediation
Validate input: Ensure that any user input is strictly checked against an allowlist of permitted values before it is passed to a reflection method. Do not map user input directly to method names or convert it to procs or method objects.
Limit reflection use: Minimize the use of reflection with user input. Prefer direct method calls or an explicit dispatch table keyed by the external value wherever possible, so that no method name is ever built from input.
Use safer alternatives: When dynamic behavior is necessary, use `public_send` instead of `send` so that private methods are out of reach, and combine it with the allowlist check above. `public_send` alone is not a fix: without validation it still lets the caller invoke any public method on the object.
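The following runnable example, added here and not part of the rule's own text, puts the insecure and secure patterns above side by side and also shows the reflection-free dispatch table the remediation recommends. The `Account` class, its methods, `ALLOWED_METHODS`, `ACTIONS`, `UnauthorizedMethod` and the `params` hashes are all constructed for illustration; `params` stands in for a framework's request parameters.

```ruby
# Added example (not from the rule page): user-controlled send versus
# allowlisted dispatch. Account, its methods and the params hashes are
# constructed for illustration.

class Account
  attr_reader :log

  def initialize
    @log = []
  end

  def show_balance
    @log << :show_balance
    'balance: 100'
  end

  def show_history
    @log << :show_history
    'history: []'
  end

  # Public, but never meant to be reachable from a request parameter.
  def close!
    @log << :close!
    'account closed'
  end

  private

  # Private: public_send cannot reach this, but send can.
  def reset_password
    @log << :reset_password
    'password reset'
  end
end

class UnauthorizedMethod < StandardError; end

# Insecure: whatever the request names gets called, including private methods.
def dispatch_insecure(account, params)
  account.send(params[:method_name])
end

# Still broken: public_send without validation lets the caller pick any
# public method, such as the destructive close!.
def dispatch_public_send_only(account, params)
  account.public_send(params[:method_name])
end

# Secure: the request selects from a fixed allowlist; anything else is
# rejected before any reflection happens.
ALLOWED_METHODS = %w[show_balance show_history].freeze

def dispatch_secure(account, params)
  name = params[:method_name].to_s
  raise UnauthorizedMethod, "method not permitted: #{name.inspect}" unless ALLOWED_METHODS.include?(name)
  account.public_send(name)
end

# Alternative that avoids reflection entirely: the external value is only a
# key into a fixed table; no method name is ever built from input.
ACTIONS = {
  'show_balance' => ->(acct) { acct.show_balance },
  'show_history' => ->(acct) { acct.show_history }
}.freeze

def dispatch_without_reflection(account, params)
  action = ACTIONS.fetch(params[:method_name].to_s) { raise UnauthorizedMethod, 'unknown action' }
  action.call(account)
end

if __FILE__ == $PROGRAM_NAME
  acct = Account.new
  puts dispatch_insecure(acct, { method_name: 'reset_password' })   # private method reached via send
  puts dispatch_public_send_only(acct, { method_name: 'close!' })   # destructive public method reached
  begin
    dispatch_secure(acct, { method_name: 'close!' })
  rescue UnauthorizedMethod => e
    puts "rejected: #{e.message}"
  end
  puts dispatch_secure(acct, { method_name: 'show_balance' })
  puts dispatch_without_reflection(acct, { method_name: 'show_history' })
end
```

Running the script shows `send` reaching the private `reset_password` and unvalidated `public_send` reaching `close!`, while both hardened dispatchers reject anything outside the two permitted actions. The `to_s` call in the secure variants matters in practice: a framework may hand you a symbol, nil or an array, and comparing against the string allowlist keeps the check from being bypassed by a type mismatch.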
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0546 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-94 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | code injection, reflection methods |
| OWASP | A1:2017-Injection, A03:2021-Injection |