diff --git a/ruby/rails-params-json.rb b/ruby/rails-params-json.rb
new file mode 100644
index 0000000..5412cd7
--- /dev/null
+++ b/ruby/rails-params-json.rb
@@ -0,0 +1,26 @@
+class ProductsController < ApplicationController
+ def create
+ # ruleid: rails-params-json
+ id1 = params[:_json][:id]
+
+ # ruleid: rails-params-json
+ id2 = params["_json"]["id"]
+
+ # ruleid: rails-params-json
+ id3 = params['_json']['id']
+
+ # ok: rails-params-json
+ id4 = params[:something][:id]
+
+ # ruleid: rails-params-json
+ id5 = params.fetch(:_json)
+
+ # ruleid: rails-params-json
+ id6 = params.fetch(:_json, {})
+
+ # ruleid: rails-params-json
+ product_params = params.require(:_json).map do |product|
+ product.permit(:name, :price)
+ end
+ end
+end
diff --git a/ruby/rails-params-json.yaml b/ruby/rails-params-json.yaml
new file mode 100644
index 0000000..56064ba
--- /dev/null
+++ b/ruby/rails-params-json.yaml
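Review bot: Three of the rule's eight patterns — `params.dig(:_json, ...)`, `params.dig('_json', ...)` and `params.require('_json')` — have no case in this test file, so the ruleid/ok annotations here would not catch a regression in them; I would add `# ruleid: rails-params-json` followed by `id7 = params.dig(:_json, :id)` and a string-keyed `params.require('_json')` case after `id6`. The only negative case, `params[:something][:id]`, uses an unrelated key; a near-miss such as `params.fetch(:json)` or an index on a local hash that is not `params` would better confirm the patterns do not over-match. The `id2` case uses double quotes while the rule only lists the single-quoted `'_json'` form, so this test is what proves the quote-style normalization the rule relies on — worth a one-line comment there (`# double-quoted form: rule relies on semgrep treating "x" and 'x' as the same literal`) so nobody "fixes" it.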
@@ -0,0 +1,31 @@
+rules:
+ - id: rails-params-json
+ message: |
+ Found Rails parameters (`params`) using the `_json` parameter. This
+ parameter is subject to parser juggling. This may allow an attacker to
+ exploit differences in parameter processing at different points in the
+ request processing lifecycle. For example, object ID processing during
+ the authentication/authorization phase and action execution phase.
+ languages: [ruby]
+ severity: WARNING
+ metadata:
+ category: security
+ cwe: "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')"
+ subcategory: [audit]
+ confidence: LOW
+ likelihood: MEDIUM
+ impact: HIGH
+ technology: [rails]
+ references:
+ - https://nastystereo.com/security/rails-_json-juggling-attack.html
+ - https://api.rubyonrails.org/v5.1.7/classes/ActionDispatch/Http/Parameters.html
+ - https://api.rubyonrails.org/classes/ActionController/Parameters.html
+ pattern-either:
+ - pattern: "params[:_json]"
+ - pattern: "params['_json']"
+ - pattern: "params.require(:_json)"
+ - pattern: "params.require('_json')"
+ - pattern: "params.fetch(:_json, ...)"
+ - pattern: "params.fetch('_json', ...)"
+ - pattern: "params.dig(:_json, ...)"
+ - pattern: "params.dig('_json', ...)"
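Review bot: The `message: |` text says `_json` is "subject to parser juggling" but never explains what `_json` is or what a safe pattern looks like, so a developer hitting this WARNING has little to act on. Rails itself wraps a JSON body that is not an object (for example a top-level array) under the `_json` key, and because `_json` is also an ordinary parameter name a client can send it through the query string or a form body, so — as I read the linked nastystereo reference — the value a `before_action` reads and the value the action reads may not come from the same parser. I would add a remediation sentence along the lines of `Read the request body once, from a single source, and reuse that value for both the authorization check and the action; do not re-read params[:_json] at each layer.` Since every use of `_json` is flagged regardless of whether it feeds an authorization decision, `confidence: LOW` is appropriate, and the message could say so explicitly so triagers know most hits will be benign.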