GuardRails

GuardRails

  • Languages iconEnglish
    • 中文

›Ruby

Overview

  • Introduction
  • What is GuardRails
  • Getting started
  • Findings
  • Vulnerabilities
  • Configuration
  • Custom Engines
  • False Positives
  • Enforce Passing Checks
  • Build Status on Pull Requests
  • FAQ
  • Pricing
  • Glossary
  • Tools & Licenses

API

  • Usage Guide
  • Endpoints

Vulnerabilities

  • Introduction
  • General

    • Overview
    • Hard-Coded Secrets

    Apex

    • Overview
    • Insecure Access Control
    • Insecure Network Communication
    • Insecure Processing of Data
    • Insecure Use of Cryptography
    • Insecure Use of Language/Framework API
    • Insecure Use of SQL Queries

    C/C++

    • Overview
    • Insecure Access Control
    • Insecure File Management
    • Insecure Processing of Data
    • Insecure Use of Cryptography
    • Insecure Use of Dangerous Function

    Dotnet

    • Overview
    • Insecure Access Control
    • Insecure Configuration
    • Insecure File Management
    • Insecure Processing of Data
    • Insecure Use of Cryptography
    • Insecure Use of Dangerous Function
    • Insecure Use of SQL Queries
    • Using Vulnerable Libraries

    Elixir

    • Overview
    • Insecure Configuration
    • Insecure File Management
    • Insecure Processing of Data
    • Insecure Network Communication
    • Insecure Use of Dangerous Function
    • Insecure Use of Language/Framework API
    • Insecure Use of SQL Queries
    • Using Vulnerable Libraries

    Go

    • Overview
    • Insecure File Management
    • Insecure Network Communication
    • Insecure Processing of Data
    • Insecure Use of Cryptography
    • Insecure Use of Dangerous Function
    • Insecure Use of SQL Queries
    • Using Vulnerable Libraries

    Java

    • Overview
    • Using Vulnerable Libraries
    • Insecure Use of SQL Queries
    • Insecure Use of Dangerous Function
    • Insecure Use of Regular Expressions
    • Insecure Authentication
    • Insecure Configuration
    • Insecure File Management
    • Insecure Use of Cryptography
    • Insecure Use of Language/Framework API
    • Insecure Processing of Data
    • Insecure Network Communication

    Javascript/TypeScript

    • Overview
    • Insecure Authentication
    • Insecure Processing of Data
    • Insecure Use of SQL Queries
    • Insecure Use of Regular Expressions
    • Insecure Use of Language/Framework API
    • Insecure Use of Dangerous Function
    • Using Vulnerable Libraries

    Kubernetes

    • Overview
    • Insecure Access Control
    • Insecure Configuration
    • Insecure Network Communication

    PHP

    • Overview
    • Insecure Configuration
    • Insecure File Management
    • Insecure Network Communication
    • Insecure Processing of Data
    • Insecure Use of Dangerous Function
    • Insecure Use of Language/Framework API
    • Insecure Use of Regular Expressions
    • Insecure Use of SQL Queries
    • Using Vulnerable Libraries

    Python

    • Overview
    • Insecure Configuration
    • Insecure Use of Cryptography
    • Insecure Network Communication
    • Insecure Processing of Data
    • Insecure Use of Dangerous Function
    • Insecure Use of SQL Queries
    • Using Vulnerable Libraries

    Ruby

    • Overview
    • Insecure Access Control
    • Insecure Configuration
    • Insecure File Management
    • Insecure Network Communication
    • Insecure Processing of Data
    • Insecure Use of Dangerous Function
    • Insecure Use of Language/Framework API
    • Insecure Use of Regular Expressions
    • Insecure Use of SQL Queries
    • Using Vulnerable Libraries

    Rust

    • Overview
    • Using Vulnerable Libraries

    Solidity

    • Overview
    • Insecure Integer Arithmetic
    • Insecure Use of Low-Level Call
    • Reliance on Insecure Random Numbers
    • State Change After External Call
    • Transaction Order Dependence
    • Unprotected Critical Function
    • Use of Insecure Function
    • Dependence on Predictable Environment Variables
    • Write to Arbitrary Storage Location
    • Call to Untrusted Contract

    Terraform

    • Overview
    • Hard-Coded Secrets
    • Insecure Access Control
    • Insecure Configuration
    • Insecure Network Communication
    • Insecure Use of Cryptography

Insecure Use of Dangerous Function

This vulnerability category covers the following issues:

  • Command Injection

Command Injection

Why is this important?

Ruby, like any other programming language, has dangerous functions. If these functions are not used properly, it can have a catastrophic impact on your app. Ruby offers several ways to execute operating system commands, such as:

  • exec(command)
  • syscall(command)
  • system(command)
  • eval()
  • constantize()
  • render()

Attacker controlled input, that is processed by any of these functions, can lead to attackers getting full access to your production environment.

Check out this video for a high-level explanation:

OS Command Injection

Read below to find out how to fix this issue in your code.

Fixing Insecure Use of Dangerous Function

Option A: Replace the dangerous function with a secure alternative

  1. Go through the issues that GuardRails identified in the PR.
  2. Locate the dangerous function. For example:
# One example is exec, but many other dangerous functions exist in Ruby.
exec("/path/to/cmd #{params[:input]}")
  1. If the functionality is not required, then remove it.
  2. Otherwise, replace the dangerous function with the following:
# The key point is that the user input is in the second part of the Array
# that is passed to the system function.
# Make sure that no user input is in the first part of the Array that
# contains the command itself.
system("/path/to/cmd","#{params[:input]}")
  1. Test it and ensure the functionality works as expected
  2. Ship it 🚢 and relax 🌴

Option B: Using constantize safely

  1. Go through the issues that GuardRails identified in the PR.
  2. Locate the constantize method. A vulnerable example is:
  class AlertsController < ApplicationController
    def create
      params[:alert][:type].constantize.new(params[:alert][:value])  # <-- bad code don't do this!
      # ... other work
      # render page
    end
  end
  1. If the functionality is not required, then remove it.
  2. Otherwise, apply the following pattern:
  # Some file where a constant definition is appropriate.
  ALERTS = {
    'info' => InfoAlert,
    'warn' => WarnAlert,
    'error' => ErrorAlert
  }

  class AlertsController < ApplicationController
    def create
      ALERTS.fetch(params[:alert][:type])).new(params[:alert][:value]))

      # ... other work
      # render page
    end
  end
  1. Test it and ensure the functionality works as expected
  2. Ship it 🚢 and relax 🌴

Option C: Restrict Allowed Input to Render()

  1. Go through the issues that GuardRails identified in the PR.
  2. Locate the render method. A vulnerable example is:
  def show
    render params[:template]
  end
  1. Apply the following pattern:
  def show
    template = params[:id]

    valid_templates = {
      "dashboard" => "dashboard",
      "profile"   => "profile",
      "deals"   => "deals"
    }

    if valid_templates.include?(template)
      render " #{valid_templates[template]}"
    else
      # throw exception or 404
    end
  end
  1. Test it and ensure the functionality works as expected
  2. Ship it 🚢 and relax 🌴

More information:

  • Rails Security Guide - Command Line Injection
  • Brakeman - Remote Code Execution
  • Brakeman - Command Injection
  • Common Weakness Enumeration (CWE-78)
  • Common Weakness Enumeration (CWE-95)
  • OWASP Top 10 - A1 Injection
  • The safest way to Constantize
  • Dynamic Render: Remote Code Execution - CVE 2016-0752
← Insecure Processing of DataInsecure Use of Language/Framework API →
  • Command Injection
    • Why is this important?
    • Fixing Insecure Use of Dangerous Function
    • More information:
  • Status
  • Help
  • Security
  • Terms
  • Privacy

© 2021 GuardRails