Insecure Use of Language/Framework API

This category covers the following Ruby/Rails APIs:

Why is this important?

Ruby, like any other programming language, has dangerous APIs. If these APIs are not used properly, it can have a catastrophic impact on your app. There are several APIs that can allow attackers to cause unintended behavior for your application.

Read below to find out how to fix these issues in your code.

Fixing Insecure Use of Object#send

The following methods are dangerous if used incorrectly:

  • send
  • try
  • __send__
  • public_send

Option A: Using Object#send securely

  1. Go through the issues that GuardRails identified in the PR.
  2. An example of an insecure usage of send is shown below.

     method = params[:method]
     @result = User.send(method.to_sym)

  3. Modify the code as shown below:

     args = params["args"] || []
     @result = User.send(:method, *args)

  4. Ship it 🚢 and relax 🌴
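The pattern above, worked through as an added example that is not GuardRails' own code: the method name still comes from the request, but it is checked against a fixed allowlist before dispatch, and public_send is used so that a private method can never be reached even if the allowlist is wrong. The User class, its methods and the params hash are constructed stand-ins for a Rails model and request parameters.

```ruby
# Hypothetical model standing in for a Rails User class.
class User
  # Names the request is permitted to call. Keep this list explicit;
  # never derive it from User.methods.
  ALLOWED_QUERIES = %w[count active_count].freeze

  def self.count
    42
  end

  def self.active_count
    7
  end

  # Private class method: must never be reachable from request input.
  # Object#send would call it; public_send will not.
  def self.reset_all!
    "destructive operation"
  end
  private_class_method :reset_all!
end

# Hardened dispatch: reject anything not on the allowlist, then use
# public_send so visibility is still enforced as a second layer.
def safe_query(params)
  name = params[:method].to_s
  unless User::ALLOWED_QUERIES.include?(name)
    raise ArgumentError, "unknown query: #{name.inspect}"
  end
  User.public_send(name)
end

# Second layer on its own: true when public_send refuses the name.
def blocked_by_visibility?(name)
  User.public_send(name)
  false
rescue NoMethodError
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters.
  puts safe_query({ method: "count" })          # 42
  puts blocked_by_visibility?("reset_all!")     # true
  begin
    safe_query({ method: "reset_all!" })
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The allowlist check should happen before any to_sym call; converting first and comparing symbols afterwards would reintroduce the symbol-interning issue covered in the next section.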

Fixing Insecure Use of Symbols

The following methods can cause extensive memory consumption that leads to Denial of Service.

  • to_sym
  • literal_to_sym
  • intern
  • symbolize_keys
  • symbolize_keys!

Option A: Using Symbols Securely

  1. Go through the issues that GuardRails identified in the PR.
  2. An example of an insecure usage of symbols is shown below.

     symbolized = params[:value].to_sym

  3. Whitelist the expected symbols as shown below:

     valid_values = ["valid", "values", "here"]

     if valid_values.include? params[:value]
       symbolized = params[:value].to_sym
     end

  4. Ship it 🚢 and relax 🌴
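The whitelist pattern above, as an added example that is not GuardRails' own code, extended to the two shapes this check usually flags: a single request value passed to to_sym, and a request hash passed to symbolize_keys. In both cases the string is compared against the allowlist first and only allowlisted strings are ever interned; anything else falls back to a default rather than raising. SORT_COLUMNS and the sample params are constructed values; in a Rails app the list would typically be a hand-written constant on the model.

```ruby
# Constructed allowlist of column names a request may sort by.
SORT_COLUMNS = %w[name created_at email].freeze
DEFAULT_SORT = :created_at

# Convert params[key] to a symbol only if it is on the allowlist;
# otherwise return the default without calling to_sym on the input.
def allowed_symbol(params, key, allowed, default)
  value = params[key].to_s
  allowed.include?(value) ? value.to_sym : default
end

# Safe replacement for hash.symbolize_keys on request-controlled data:
# keys not on the allowlist are dropped instead of being interned.
def symbolize_allowed_keys(hash, allowed)
  hash.each_with_object({}) do |(key, value), out|
    key_s = key.to_s
    out[key_s.to_sym] = value if allowed.include?(key_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters: one valid, one arbitrary string.
  p allowed_symbol({ sort: "name" }, :sort, SORT_COLUMNS, DEFAULT_SORT)      # :name
  p allowed_symbol({ sort: "x" * 64 }, :sort, SORT_COLUMNS, DEFAULT_SORT)    # :created_at
  p symbolize_allowed_keys({ "email" => "a@b", "junk" => 1 }, SORT_COLUMNS)  # {:email=>"a@b"}
end
```

Using a default instead of raising keeps the endpoint usable for well-formed requests while guaranteeing that the set of symbols the process can ever create from this input is exactly the allowlist.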

More information: