Commit
feat(ruby rule): add rails render to path rule (#656)
* fix: name of rails redirect rule

* feat: add rails render to ruby path rule
didroe authored Feb 27, 2023
1 parent 8c341ce commit f018419
Showing 12 changed files with 76 additions and 41 deletions.
Expand Up @@ -51,6 +51,36 @@ patterns:
detection: ruby_lang_path_using_user_input_pathname
- variable: USER_INPUT
detection: ruby_lang_path_using_user_input_user_input
- pattern: |
$<METHOD>($<ARGUMENT>: $<USER_INPUT>)
filters:
- variable: METHOD
values:
- render
- render_to_string
- variable: ARGUMENT
values:
- action
- file
- partial
- template
- variable: USER_INPUT
detection: ruby_lang_path_using_user_input_user_input
- pattern: |
$<METHOD>({ $<ARGUMENT>: $<USER_INPUT> })
filters:
- variable: METHOD
values:
- render
- render_to_string
- variable: ARGUMENT
values:
- action
- file
- partial
- template
- variable: USER_INPUT
detection: ruby_lang_path_using_user_input_user_input
auxiliary:
- id: ruby_lang_path_using_user_input_user_input
patterns:
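Review bot: the METHOD and ARGUMENT filter lists in the two new patterns (the keyword-argument form `$<METHOD>($<ARGUMENT>: $<USER_INPUT>)` and the braced-hash form `$<METHOD>({ $<ARGUMENT>: $<USER_INPUT> })`) are copied verbatim, so any future change to one list (a new method or a new option key) has to be made in both places and can silently drift. Consider a comment tying the two blocks together or, if the pattern language allows it, a shared auxiliary detection for the method and option names, as is already done for USER_INPUT via `ruby_lang_path_using_user_input_user_input`. The value lists themselves (`render`/`render_to_string`, `action`/`file`/`partial`/`template`) are the render options that name a template or file, so the scope of the match looks right.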
Expand Up @@ -111,15 +111,5 @@ low:
filename: unsafe_event.rb
parent_line_number: 20
parent_content: path.join("a", event["three"])
- rule:
cwe_ids:
- "22"
id: ruby_lang_path_using_user_input
description: Do not use user input to form file paths.
documentation_url: https://docs.bearer.com/reference/rules/ruby_lang_path_using_user_input
line_number: 22
filename: unsafe_event.rb
parent_line_number: 22
parent_content: Rails.root.join(event["oops"])


Expand Up @@ -111,15 +111,5 @@ low:
filename: unsafe_params.rb
parent_line_number: 19
parent_content: path.join("a", params[:four])
- rule:
cwe_ids:
- "22"
id: ruby_lang_path_using_user_input
description: Do not use user input to form file paths.
documentation_url: https://docs.bearer.com/reference/rules/ruby_lang_path_using_user_input
line_number: 21
filename: unsafe_params.rb
parent_line_number: 21
parent_content: Rails.root.join(params[:oops])


@@ -0,0 +1,33 @@
low:
- rule:
cwe_ids:
- "22"
id: ruby_lang_path_using_user_input
description: Do not use user input to form file paths.
documentation_url: https://docs.bearer.com/reference/rules/ruby_lang_path_using_user_input
line_number: 1
filename: unsafe_rails.rb
parent_line_number: 1
parent_content: Rails.root.join(params[:oops])
- rule:
cwe_ids:
- "22"
id: ruby_lang_path_using_user_input
description: Do not use user input to form file paths.
documentation_url: https://docs.bearer.com/reference/rules/ruby_lang_path_using_user_input
line_number: 3
filename: unsafe_rails.rb
parent_line_number: 3
parent_content: 'render(partial: params[:oops])'
- rule:
cwe_ids:
- "22"
id: ruby_lang_path_using_user_input
description: Do not use user input to form file paths.
documentation_url: https://docs.bearer.com/reference/rules/ruby_lang_path_using_user_input
line_number: 4
filename: unsafe_rails.rb
parent_line_number: 4
parent_content: 'render_to_string({ file: "/templates/#{params[:oops]}" })'


Expand Up @@ -111,15 +111,5 @@ low:
filename: unsafe_request.rb
parent_line_number: 19
parent_content: path.join("a", request.body)
- rule:
cwe_ids:
- "22"
id: ruby_lang_path_using_user_input
description: Do not use user input to form file paths.
documentation_url: https://docs.bearer.com/reference/rules/ruby_lang_path_using_user_input
line_number: 21
filename: unsafe_request.rb
parent_line_number: 21
parent_content: Rails.root.join(request.env[:oops])


Expand Up @@ -19,4 +19,8 @@
path / x
path.join("a", x)


Rails.root.join(x)

render(partial: x, locals: { z: params[:ok] })
render_to_string({ file: "/templates/#{x}", locals: { z: params[:ok] } })
Expand Up @@ -18,6 +18,4 @@ def my_handler(event:, context:)
path + event["two"]
path / event["two"]
path.join("a", event["three"])

Rails.root.join(event["oops"])
end
Expand Up @@ -17,5 +17,3 @@
path + params[:two]
path / params[:three]
path.join("a", params[:four])

Rails.root.join(params[:oops])
@@ -0,0 +1,4 @@
Rails.root.join(params[:oops])

render(partial: params[:oops])
render_to_string({ file: "/templates/#{params[:oops]}" })
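Review bot: the new unsafe_rails.rb fixture exercises only two of the four ARGUMENT values added to the rule, `partial:` in the keyword form and `file:` in the braced form; `action:` and `template:` are never matched, and neither `render` with a braced hash nor `render_to_string` with bare keyword arguments is covered. One line per remaining combination (with the matching entries in the expected-output snapshot) would make a regression in either pattern visible. The `render_to_string({ file: "/templates/#{params[:oops]}" })` case is a useful one to keep: the snapshot reports it, which confirms USER_INPUT is matched inside a string interpolation and not only as a bare argument.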
Expand Up @@ -17,5 +17,3 @@
path + request.headers[:oops]
path / request.query_parameters[:oops]
path.join("a", request.body)

Rails.root.join(request.env[:oops])
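Review bot: together with the matching removals in unsafe_event.rb and unsafe_params.rb, this hunk moves `Rails.root.join(...)` into the new unsafe_rails.rb, but only the `params[:oops]` variant survives there; the `request.env[:oops]` source removed here and the `event["oops"]` source removed from unsafe_event.rb are no longer exercised against Rails.root.join anywhere, and the corresponding snapshot entries are dropped rather than moved. If each fixture is meant to cover one input source, keep a Rails.root.join line in unsafe_request.rb and unsafe_event.rb; if the consolidation is deliberate, the commit message should say so, since the diff otherwise reads as a coverage regression.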
Expand Up @@ -3,11 +3,11 @@ patterns:
redirect_to($<USER_INPUT>)
filters:
- variable: USER_INPUT
detection: rails_redirect_to_user_input
detection: ruby_rails_redirect_to_user_input
languages:
- ruby
auxiliary:
- id: rails_redirect_to_user_input
- id: ruby_rails_redirect_to_user_input
patterns:
- params
- request
Expand All @@ -22,4 +22,4 @@ metadata:
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
cwe_id:
- 601
id: "rails_redirect_to"
id: ruby_rails_redirect_to
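Review bot: renaming the rule id from `rails_redirect_to` to `ruby_rails_redirect_to` (and the auxiliary id to match) changes a user-visible identifier, not just an internal name: the snapshot hunk for this rule shows `documentation_url` moving to https://docs.bearer.com/reference/rules/ruby_rails_redirect_to, so the documentation page must exist at the new path, ideally with a redirect from the old one, or every report will link to a missing page. The commit message line `fix: name of rails redirect rule` should also state that the old id is retired, so anyone referencing `rails_redirect_to` elsewhere knows to update it.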
Expand Up @@ -2,9 +2,9 @@ low:
- rule:
cwe_ids:
- "601"
id: rails_redirect_to
id: ruby_rails_redirect_to
description: Open redirect detected
documentation_url: https://docs.bearer.com/reference/rules/rails_redirect_to
documentation_url: https://docs.bearer.com/reference/rules/ruby_rails_redirect_to
line_number: 3
filename: unsecure.rb
parent_line_number: 3