From 6283f58aef7b3d1aa53cac4b8545ec9f466aca87 Mon Sep 17 00:00:00 2001
From: Matt Schwager
Date: Wed, 11 Dec 2024 10:43:30 -0500
Subject: [PATCH 1/2] Add rule for Rails params _json juggling attack
---
 ruby/rails-params-json.rb | 20 ++++++++++++++++++++
 ruby/rails-params-json.yaml | 26 ++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 ruby/rails-params-json.rb
 create mode 100644 ruby/rails-params-json.yaml
diff --git a/ruby/rails-params-json.rb b/ruby/rails-params-json.rb
new file mode 100644
index 0000000..142837d
--- /dev/null
+++ b/ruby/rails-params-json.rb
@@ -0,0 +1,20 @@
+class ProductsController < ApplicationController
+ def create
+ # ruleid: rails-params-json
+ id1 = params[:_json][:id]
+
+ # ruleid: rails-params-json
+ id2 = params["_json"]["id"]
+
+ # ruleid: rails-params-json
+ id3 = params['_json']['id']
+
+ # ok: rails-params-json
+ id4 = params[:something][:id]
+
+ # ruleid: rails-params-json
+ product_params = params.require(:_json).map do |product|
+ product.permit(:name, :price)
+ end
+ end
+end
diff --git a/ruby/rails-params-json.yaml b/ruby/rails-params-json.yaml
new file mode 100644
index 0000000..ab1df82
--- /dev/null
+++ b/ruby/rails-params-json.yaml
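Review bot: The fixture's only negative case, `id4 = params[:something][:id]`, varies the key but keeps the `params` receiver, so nothing proves that a `_json` lookup on another object stays unflagged; a later loosening of the patterns to a metavariable receiver would pass this test file silently. A second `ok` line such as `# ok: rails-params-json` / `cfg = settings[:_json]` pins the receiver-specific intent of the rule. There is also no `ok` example for the string-key form (`params["something"]`), which would document that the quote variants in the rule are deliberate rather than accidental.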
@@ -0,0 +1,26 @@
+rules:
+ - id: rails-params-json
+ message: |
+ Found Rails parameters (`params`) using the `_json` parameter. This
+ parameter is subject to parser juggling. This may allow an attacker to
+ exploit differences in parameter processing at different points in the
+ request processing lifecycle. For example, object ID processing during
+ the authentication/authorization phase and action execution phase.
+ languages: [ruby]
+ severity: WARNING
+ metadata:
+ category: security
+ cwe: "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')"
+ subcategory: [audit]
+ confidence: LOW
+ likelihood: MEDIUM
+ impact: HIGH
+ technology: [rails]
+ references:
+ - https://nastystereo.com/security/rails-_json-juggling-attack.html
+ - https://api.rubyonrails.org/v5.1.7/classes/ActionDispatch/Http/Parameters.html
+ pattern-either:
+ - pattern: "params[:_json]"
+ - pattern: "params['_json']"
+ - pattern: "params.require(:_json)"
+ - pattern: "params.require('_json')"
From 22a8f8acff2649e0938d93e9556e9fd5a32ca83b Mon Sep 17 00:00:00 2001
From: Matt Schwager
Date: Mon, 16 Dec 2024 09:27:46 -0500
Subject: [PATCH 2/2] Add additional params methods
---
 ruby/rails-params-json.rb | 6 ++++++
 ruby/rails-params-json.yaml | 5 +++++
 2 files changed, 11 insertions(+)
diff --git a/ruby/rails-params-json.rb b/ruby/rails-params-json.rb
index 142837d..5412cd7 100644
--- a/ruby/rails-params-json.rb
+++ b/ruby/rails-params-json.rb
@@ -12,6 +12,12 @@ def create
 # ok: rails-params-json
 id4 = params[:something][:id]

+ # ruleid: rails-params-json
+ id5 = params.fetch(:_json)
+
+ # ruleid: rails-params-json
+ id6 = params.fetch(:_json, {})
+
 # ruleid: rails-params-json
 product_params = params.require(:_json).map do |product|
 product.permit(:name, :price)
diff --git a/ruby/rails-params-json.yaml b/ruby/rails-params-json.yaml
index ab1df82..56064ba 100644
--- a/ruby/rails-params-json.yaml
+++ b/ruby/rails-params-json.yaml
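Review bot: Every alternative under `pattern-either` is anchored on the literal receiver `params`, so the identical `_json` lookup through `request.parameters[:_json]` or `request.request_parameters[:_json]` — the ActionDispatch::Http::Parameters API the rule's own reference points at — goes unreported, as does `params.to_unsafe_h["_json"]`. Two more alternatives, `- pattern: "request.parameters[:_json]"` and `- pattern: "request.request_parameters[:_json]"` (with their string-key twins), would close the most common of those gaps. The message also describes the risk without telling the reader what to check; a closing sentence — presumably that every stage of the request consumes `_json` the same way, to be confirmed against the linked write-up — would make a LOW-confidence WARNING actionable.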
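Review bot: The fixture in this hunk adds only the symbol-key `fetch` forms (`id5`, `id6`), while the rails-params-json.yaml change in the same patch also adds `params.fetch('_json', ...)`, `params.dig(:_json, ...)` and `params.dig('_json', ...)`, so three of the five new patterns have no `# ruleid:` line proving they fire. Adding `# ruleid: rails-params-json` / `id7 = params.dig(:_json, :id)` and a string-key `fetch` example would cover them. The `id5` case relies on Semgrep's `...` matching zero arguments to hit `params.fetch(:_json, ...)`, which is fine but worth a one-line comment in the fixture so the no-default form is not later "cleaned up" as redundant. The enclosing `create` action starts and ends outside this hunk.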
@@ -19,8 +19,13 @@ rules:
 references:
 - https://nastystereo.com/security/rails-_json-juggling-attack.html
 - https://api.rubyonrails.org/v5.1.7/classes/ActionDispatch/Http/Parameters.html
+ - https://api.rubyonrails.org/classes/ActionController/Parameters.html
 pattern-either:
 - pattern: "params[:_json]"
 - pattern: "params['_json']"
 - pattern: "params.require(:_json)"
 - pattern: "params.require('_json')"
+ - pattern: "params.fetch(:_json, ...)"
+ - pattern: "params.fetch('_json', ...)"
+ - pattern: "params.dig(:_json, ...)"
+ - pattern: "params.dig('_json', ...)"
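Review bot: The four new alternatives still leave out ActionController::Parameters methods that hand back the `_json` value by key, notably `params.slice(:_json)` and `params.extract!(:_json)`, and presumably the `params.permit(_json: [...])` shape that the fixture's `require(:_json)...permit` case suggests is in scope. If the rule means "any read of `_json`", `- pattern: "params.slice(:_json, ...)"` and `- pattern: "params.extract!(:_json, ...)"` plus their string-key twins belong in the list; if the list is intentionally narrow, a short comment above `pattern-either:` saying which accessors are deliberately excluded would stop the next contributor from treating the omission as an oversight. The `references` entry pinned to `v5.1.7` sits next to the unversioned one added here; pinning both or neither would be more consistent.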