Add rule for Rails params _json juggling attack #70

Merged
merged 2 commits into from
Dec 17, 2024
26 changes: 26 additions & 0 deletions ruby/rails-params-json.rb
@@ -0,0 +1,26 @@
class ProductsController < ApplicationController
def create
# ruleid: rails-params-json
id1 = params[:_json][:id]

# ruleid: rails-params-json
id2 = params["_json"]["id"]

# ruleid: rails-params-json
id3 = params['_json']['id']

# ok: rails-params-json
id4 = params[:something][:id]

# ruleid: rails-params-json
id5 = params.fetch(:_json)

# ruleid: rails-params-json
id6 = params.fetch(:_json, {})

# ruleid: rails-params-json
product_params = params.require(:_json).map do |product|
product.permit(:name, :price)
end
end
end
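Review bot: several patterns the rule declares have no matching `# ruleid:` case in this test file, so they ship untested: `params.require('_json')`, `params.fetch('_json', ...)`, `params.dig(:_json, ...)` and `params.dig('_json', ...)`. Suggest adding one line per pattern under a `# ruleid: rails-params-json` comment, for example `id7 = params.dig(:_json, :id)` and `id8 = params.require('_json')`, plus an `# ok:` case such as `params.fetch(:something, {})` so the `fetch`/`dig` patterns are confirmed not to over-match on unrelated keys.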
31 changes: 31 additions & 0 deletions ruby/rails-params-json.yaml
@@ -0,0 +1,31 @@
rules:
- id: rails-params-json
message: |
Found Rails parameters (`params`) using the `_json` parameter. This
parameter is subject to parser juggling. This may allow an attacker to
exploit differences in parameter processing at different points in the
request processing lifecycle. For example, object ID processing during
the authentication/authorization phase and action execution phase.
languages: [ruby]
severity: WARNING
metadata:
category: security
cwe: "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')"
subcategory: [audit]
confidence: LOW
likelihood: MEDIUM
impact: HIGH
technology: [rails]
references:
- https://nastystereo.com/security/rails-_json-juggling-attack.html
- https://api.rubyonrails.org/v5.1.7/classes/ActionDispatch/Http/Parameters.html
- https://api.rubyonrails.org/classes/ActionController/Parameters.html
pattern-either:
- pattern: "params[:_json]"
- pattern: "params['_json']"
- pattern: "params.require(:_json)"
- pattern: "params.require('_json')"
- pattern: "params.fetch(:_json, ...)"
- pattern: "params.fetch('_json', ...)"
- pattern: "params.dig(:_json, ...)"
- pattern: "params.dig('_json', ...)"
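Review bot: the last sentence of `message` is a fragment ("For example, object ID processing during the authentication/authorization phase and action execution phase.") and the message stops at the risk without telling the developer what to change; suggest completing it, e.g. "For example, an object ID may be read from one representation of the request during authentication/authorization and from another during action execution.", and adding a short pointer to the remediation described in the first reference. Also, the second reference pins the `ActionDispatch::Http::Parameters` docs to v5.1.7 while the third is unversioned; link both to the same (current) version unless 5.1.7 is deliberate, in which case say why.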