From 6283f58aef7b3d1aa53cac4b8545ec9f466aca87 Mon Sep 17 00:00:00 2001
From: Matt Schwager
Date: Wed, 11 Dec 2024 10:43:30 -0500
Subject: [PATCH] Add rule for Rails params _json juggling attack
---
 ruby/rails-params-json.rb | 20 ++++++++++++++++++++
 ruby/rails-params-json.yaml | 26 ++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 ruby/rails-params-json.rb
 create mode 100644 ruby/rails-params-json.yaml
diff --git a/ruby/rails-params-json.rb b/ruby/rails-params-json.rb
new file mode 100644
index 0000000..142837d
--- /dev/null
+++ b/ruby/rails-params-json.rb
@@ -0,0 +1,20 @@
+class ProductsController < ApplicationController
+ def create
+ # ruleid: rails-params-json
+ id1 = params[:_json][:id]
+
+ # ruleid: rails-params-json
+ id2 = params["_json"]["id"]
+
+ # ruleid: rails-params-json
+ id3 = params['_json']['id']
+
+ # ok: rails-params-json
+ id4 = params[:something][:id]
+
+ # ruleid: rails-params-json
+ product_params = params.require(:_json).map do |product|
+ product.permit(:name, :price)
+ end
+ end
+end
diff --git a/ruby/rails-params-json.yaml b/ruby/rails-params-json.yaml
new file mode 100644
index 0000000..ab1df82
--- /dev/null
+++ b/ruby/rails-params-json.yaml
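Review bot: The fixture never exercises `params.fetch(:_json)`, `params.dig(:_json, :id)` or `params.permit(_json: ...)`, which read the same wrapped key as the four `ruleid` cases in this hunk but are not covered by any of the rule's literal patterns, so the rule's known gaps go unrecorded. Semgrep's test annotations allow `# todoruleid: rails-params-json` for findings a rule should eventually produce; adding `id5 = params.fetch(:_json)` and `id6 = params.dig(:_json, :id)` under that marker keeps the gap visible without failing the suite. The single `# ok:` case only varies the key; a negative case with a different receiver, e.g. `id7 = options[:_json][:id]`, would pin that the rule is scoped to the Rails `params` object (a literal identifier in the patterns, not a metavariable) rather than to any hash indexed by `_json`.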
@@ -0,0 +1,26 @@
+rules:
+ - id: rails-params-json
+ message: |
+ Found Rails parameters (`params`) using the `_json` parameter. This
+ parameter is subject to parser juggling. This may allow an attacker to
+ exploit differences in parameter processing at different points in the
+ request processing lifecycle. For example, object ID processing during
+ the authentication/authorization phase and action execution phase.
+ languages: [ruby]
+ severity: WARNING
+ metadata:
+ category: security
+ cwe: "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')"
+ subcategory: [audit]
+ confidence: LOW
+ likelihood: MEDIUM
+ impact: HIGH
+ technology: [rails]
+ references:
+ - https://nastystereo.com/security/rails-_json-juggling-attack.html
+ - https://api.rubyonrails.org/v5.1.7/classes/ActionDispatch/Http/Parameters.html
+ pattern-either:
+ - pattern: "params[:_json]"
+ - pattern: "params['_json']"
+ - pattern: "params.require(:_json)"
+ - pattern: "params.require('_json')"
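Review bot: The `pattern-either` at the end of the hunk only catches `params[...]` and `params.require(...)` reads of `_json`, so the equivalent `params.fetch(:_json)`, `params.dig(:_json, ...)` and `params.permit(_json: ...)` forms slip past an audit rule whose whole purpose is to surface every place the wrapped key is consumed. Extending the list with `...` for trailing arguments covers those forms without widening the receiver beyond the literal `params`; the keyword-argument `permit` pattern should be checked against the Ruby parser before relying on it. The message explains the risk but not the remedy; a closing sentence such as `Read the same parameter source in before_actions and in the action, and verify that params[:_json] has the expected type (e.g. an Array) before indexing into it.` would give the reader something actionable. The references also cite the Rails 5.1.7 API page, which suggests the behaviour is version-specific; linking the current `ActionDispatch::Http::Parameters` docs avoids that impression.

```yaml
    pattern-either:
      # … unchanged: existing four params[...] / params.require(...) patterns …
      - pattern: "params.fetch(:_json, ...)"
      - pattern: "params.fetch('_json', ...)"
      - pattern: "params.dig(:_json, ...)"
      - pattern: "params.dig('_json', ...)"
      - pattern: "params.permit(_json: ...)"
```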