class Brakeman::CheckUnsafeReflection

Checks calls to String#constantize, String#safe_constantize, Module#const_get and Module#qualified_const_get whose argument contains string interpolation or user-supplied parameters, since a user-controlled constant name lets the request choose which class or module is looked up.

Exploit examples at: blog.conviso.com.br/exploiting-unsafe-reflection-in-rubyrails-applications/

Public Instance Methods

check_unsafe_reflection(result)
# File lib/brakeman/checks/check_unsafe_reflection.rb, line 20
# Inspect a single reflection call found by run_check and warn when the
# name being resolved is derived from user input.
#
# result - a tracker call result hash; result[:call] is the call node.
#
# Returns nil when the call is skipped, otherwise the value of +warn+.
def check_unsafe_reflection result
  return unless original? result

  call = result[:call]
  method = call.method

  # constantize/safe_constantize are invoked on the string itself, so the
  # name lives in the receiver; the const_get variants take it as the
  # first argument.
  arg = case method
        when :constantize, :safe_constantize then call.target
        else call.first_arg
        end

  # Direct use of user input is high confidence; input that merely appears
  # somewhere inside the expression is reported at medium confidence.
  input = has_immediate_user_input?(arg)
  if input
    confidence = :high
  else
    input = include_user_input?(arg)
    confidence = :medium if input
  end

  return unless confidence

  message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))

  warn :result => result,
    :warning_type => "Remote Code Execution",
    :warning_code => :unsafe_constantize,
    :message => message,
    :user_input => input,
    :confidence => confidence
end
run_check()
# File lib/brakeman/checks/check_unsafe_reflection.rb, line 12
# Entry point for the check: locate every call to one of the reflection
# methods (including calls nested inside other expressions) and hand each
# one to check_unsafe_reflection.
def run_check
  reflection_methods = %i[constantize safe_constantize const_get qualified_const_get]

  results = tracker.find_call(:methods => reflection_methods, :nested => true)
  results.each { |result| check_unsafe_reflection result }
end