Insecure use of Rails parameters with _json
Description
The code reads the `_json` key from Rails `params`. Rails populates `_json` when a JSON request body is not a Hash (for example a top-level array), but the same key can also arrive as an ordinary query-string or form parameter, so the value is subject to parser juggling: an attacker may exploit differences in how the parameter is processed at different points in the request processing lifecycle, and the controller can end up handling a value of an unexpected type.
Examples
Insecure Code
```ruby
# Reads whatever arrived under the `_json` key, regardless of its source or type
params[:_json]
```
Secure Code
```ruby
# Parse the JSON explicitly from the String parameter the controller expects
JSON.parse(params[:json])
```
Remediation
Avoid reading the `_json` parameter directly. Instead, parse JSON input explicitly with a secure method, such as the `JSON.parse` method or a library like `json_parser`, and check that the parsed value has the type the controller expects.
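As an added illustration (not Rails code and not part of this rule page), the following Ruby model shows how Rails wraps a non-Hash JSON body under `_json`, why reading that key directly is type-ambiguous, and a hardened helper that parses the raw body itself and enforces the expected type. The function names and the simplified parameter-merging model are assumptions.

```ruby
require "json"
require "cgi"

# Constructed model of Rails' JSON parameter handling (not Rails code): a
# top-level value that is not a Hash is wrapped under the "_json" key.
def rails_style_json_params(raw_body)
  data = JSON.parse(raw_body)
  data.is_a?(Hash) ? data : { "_json" => data }
end

# Hypothetical model of the insecure pattern `params[:_json]`: query-string,
# form and JSON-body parameters are merged, so the value under "_json" may be
# an Array from a JSON body or a String from the query string or a form field.
def insecure_json_param(query_string, raw_body, content_type)
  query = CGI.parse(query_string).transform_values(&:first)
  body = case content_type
         when "application/json" then rails_style_json_params(raw_body)
         when "application/x-www-form-urlencoded" then CGI.parse(raw_body).transform_values(&:first)
         else {}
         end
  query.merge(body).fetch("_json", nil)
end

# Hardened helper: parse the raw request body itself, only for JSON requests,
# and enforce the type the controller expects instead of trusting "_json".
def secure_json_array(raw_body, content_type)
  raise ArgumentError, "expected application/json" unless content_type == "application/json"
  data = JSON.parse(raw_body)
  raise ArgumentError, "expected a JSON array at the top level" unless data.is_a?(Array)
  data
rescue JSON::ParserError => e
  raise ArgumentError, "malformed JSON: #{e.message}"
end
```

The insecure helper returns an Array for a JSON body but a String when `_json` is supplied any other way; the hardened helper rejects non-JSON requests, non-array documents and malformed input with `ArgumentError` before the controller acts on the value.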
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0635 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-843 |
| Confidence | LOW |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | rails, json, parser juggling |
| OWASP | N/A |
References
- https://nastystereo.com/security/rails-_json-juggling-attack.html
- https://api.rubyonrails.org/classes/ActionController/Parameters.html
- https://api.rubyonrails.org/v5.1.7/classes/ActionDispatch/Http/Parameters.html