Skip to content

Commit 6b4738c

Browse files
mschwagermschwager
authored
Merge pull request #70 from trailofbits/mschwager-params-json-rule
Add rule for Rails params _json juggling attack
2 parents 71b9ec1 + 22a8f8a commit 6b4738c

File tree

2 files changed

+57
-0
lines changed

2 files changed

+57
-0
lines changed

ruby/rails-params-json.rb

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,26 @@
1+
class ProductsController < ApplicationController
2+
def create
3+
# ruleid: rails-params-json
4+
id1 = params[:_json][:id]
5+
6+
# ruleid: rails-params-json
7+
id2 = params["_json"]["id"]
8+
9+
# ruleid: rails-params-json
10+
id3 = params['_json']['id']
11+
12+
# ok: rails-params-json
13+
id4 = params[:something][:id]
14+
15+
# ruleid: rails-params-json
16+
id5 = params.fetch(:_json)
17+
18+
# ruleid: rails-params-json
19+
id6 = params.fetch(:_json, {})
20+
21+
# ruleid: rails-params-json
22+
product_params = params.require(:_json).map do |product|
23+
product.permit(:name, :price)
24+
end
25+
end
26+
end

ruby/rails-params-json.yaml

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
rules:
2+
- id: rails-params-json
3+
message: |
4+
Found Rails parameters (`params`) using the `_json` parameter. This
5+
parameter is subject to parser juggling. This may allow an attacker to
6+
exploit differences in parameter processing at different points in the
7+
request processing lifecycle. For example, object ID processing during
8+
the authentication/authorization phase and action execution phase.
9+
languages: [ruby]
10+
severity: WARNING
11+
metadata:
12+
category: security
13+
cwe: "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')"
14+
subcategory: [audit]
15+
confidence: LOW
16+
likelihood: MEDIUM
17+
impact: HIGH
18+
technology: [rails]
19+
references:
20+
- https://nastystereo.com/security/rails-_json-juggling-attack.html
21+
- https://api.rubyonrails.org/v5.1.7/classes/ActionDispatch/Http/Parameters.html
22+
- https://api.rubyonrails.org/classes/ActionController/Parameters.html
23+
pattern-either:
24+
- pattern: "params[:_json]"
25+
- pattern: "params['_json']"
26+
- pattern: "params.require(:_json)"
27+
- pattern: "params.require('_json')"
28+
- pattern: "params.fetch(:_json, ...)"
29+
- pattern: "params.fetch('_json', ...)"
30+
- pattern: "params.dig(:_json, ...)"
31+
- pattern: "params.dig('_json', ...)"

0 commit comments

Comments
 (0)