Insecure Use of Language/Framework API

This category covers the following Ruby/Rails APIs:

• Object#send
• Symbols

Using APIs securely

About insecure use of language/framework APIs

What is insecure use of language/framework APIs?

Insecure use of language or framework API refers to a security vulnerability that arises when an application uses an API in an unsafe or insecure manner. This can result in unintended behavior or access, which can be exploited by attackers to gain unauthorized access, steal data, or perform other malicious actions.

This type of vulnerability can arise due to a lack of understanding on the part of the developer, or it can result from the use of outdated or deprecated APIs that are no longer considered secure.

What is the impact of insecure use of language/framework APIs?

Insecure use of language/framework APIs can have a wide-ranging impact, depending on the type of vulnerability and the attacker's goals.

Here are some potential impacts of insecure use of language or framework API:

• Unauthorized access: An attacker may be able to gain unauthorized access to a system or application, giving them access to sensitive data or functionality.
• Data theft: An attacker may be able to steal data from the system, including personally identifiable information, financial data, or other sensitive data.
• Denial of service: An attacker may be able to launch a denial-of-service attack by exploiting vulnerabilities in the API.
• System compromise: In some cases, a successful attack on an insecure API can lead to a complete compromise of the system, allowing the attacker to take full control.

How to prevent the insecure use of language/Framework APIs?

Here are some measures that can help prevent insecure use of language or framework API:

• Use secure APIs: Use up-to-date and secure APIs that are well-maintained and well-documented. This can help prevent the use of deprecated APIs that are no longer considered secure.
• Regular security audits: Regularly audit your system and application for security vulnerabilities, including insecure use of language or framework API vulnerabilities. Use automated tools and manual testing to identify potential issues and fix them before they can be exploited.
• Education and training: Educate your development team about the risks of insecure use of language or framework API and the measures that can be taken to prevent them. Ensure that everyone on the team is aware of secure coding practices and understands the importance of security in application development.

Fixing Insecure Use of Object#send

The following methods are dangerous if used incorrectly:

• send
• try
• __send__
• public_send

Option A: Using Object#send securely

1. Go through the issues that GuardRails identified in the PR/MR

2. An example of an insecure usage of send is shown below

   method = params[:method]
   @result = User.send(method.to_sym)

3. Modify the code like shown below:

   args = params["args"] || []
   @result = User.send(:method, *args)

4. Ship it 🚢 and relax 🌴

Fixing Insecure Use of Symbols

The following methods can cause extensive memory consumption that lead to Denial of Service.

• to_sym
• literal_to_sym
• intern
• symbolize_keys
• symbolize_keys!

Option A: Using Symbols Securely

1. Go through the issues that GuardRails identified in the PR/MR

2. An example of an insecure usage of symbols is shown below

   symbolized = params[:value].to_sym

3. allowlist the expected symbols like shown below:

   valid_values = ["valid", "values", "here"]
   
   if valid_values.include? params[:value]
     symbolized = params[:value].to_sym
   end

4. Ship it 🚢 and relax 🌴