From 22a8f8acff2649e0938d93e9556e9fd5a32ca83b Mon Sep 17 00:00:00 2001 From: Matt Schwager Date: Mon, 16 Dec 2024 09:27:46 -0500 Subject: [PATCH] Add additional params methods --- ruby/rails-params-json.rb | 6 ++++++ ruby/rails-params-json.yaml | 5 +++++ 2 files changed, 11 insertions(+) diff --git a/ruby/rails-params-json.rb b/ruby/rails-params-json.rb index 142837d..5412cd7 100644 --- a/ruby/rails-params-json.rb +++ b/ruby/rails-params-json.rb @@ -12,6 +12,12 @@ def create # ok: rails-params-json id4 = params[:something][:id] + # ruleid: rails-params-json + id5 = params.fetch(:_json) + + # ruleid: rails-params-json + id6 = params.fetch(:_json, {}) + # ruleid: rails-params-json product_params = params.require(:_json).map do |product| product.permit(:name, :price) diff --git a/ruby/rails-params-json.yaml b/ruby/rails-params-json.yaml index ab1df82..56064ba 100644 --- a/ruby/rails-params-json.yaml +++ b/ruby/rails-params-json.yaml @@ -19,8 +19,13 @@ rules: references: - https://nastystereo.com/security/rails-_json-juggling-attack.html - https://api.rubyonrails.org/v5.1.7/classes/ActionDispatch/Http/Parameters.html + - https://api.rubyonrails.org/classes/ActionController/Parameters.html pattern-either: - pattern: "params[:_json]" - pattern: "params['_json']" - pattern: "params.require(:_json)" - pattern: "params.require('_json')" + - pattern: "params.fetch(:_json, ...)" + - pattern: "params.fetch('_json', ...)" + - pattern: "params.dig(:_json, ...)" + - pattern: "params.dig('_json', ...)"