
Create a check for method #1488

Closed
gavingmiller opened this issue Jun 25, 2020 · 1 comment · Fixed by #1527

@gavingmiller (Contributor)

Is your feature request related to a problem? Please describe.

The following code does not get flagged as a vulnerability by Brakeman:

```ruby
def show
  # receiver, method name and argument are all taken from the request
  (params[:klass].to_s).method(params[:method]).(params[:argument])
end
```

While it seems overly obvious that this minimal example shouldn't be written, Brakeman doesn't flag it at all 😢 (using Brakeman 4.8.2)

Describe the solution you'd like

It would be great if this got caught by Brakeman! 😁 I believe the main issue here is that `method` is dangerous if given user-controlled input.
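The point of the report, as an added example that is not code from the issue or from Brakeman: `Object#method` resolves private methods as well as public ones, so with a plain String receiver a request can reach `Kernel#eval` (or `system`, `exec`, ...) and `Method#call` runs it. The fix is an allowlist of names plus `public_send`. `params` is simulated here as a constructed Hash; `vulnerable_show`, `hardened_show`, `reachable?`, `ALLOWED_STRING_METHODS` and `DisallowedMethod` are names chosen for this example.

```ruby
# Added example, not code from the issue or from Brakeman.
# `params` is a constructed Hash standing in for ActionController::Parameters.

# The shape from the issue: receiver, method name and argument all come from
# the request. Object#method also finds private methods, so a String receiver
# is enough to reach Kernel#eval, Kernel#system and friends.
def vulnerable_show(params)
  (params[:klass].to_s).method(params[:method]).(params[:argument])
end

# Is `name` resolvable on a String via the given lookup (:method or :public_method)?
# Shows why `method` is worse than `public_send`: it does not stop at public methods.
def reachable?(name, lookup)
  String.new.public_send(lookup, name)
  true
rescue NameError
  false
end

class DisallowedMethod < ArgumentError; end

# Allowlist: method name => number of user-supplied arguments it takes.
ALLOWED_STRING_METHODS = {
  "upcase" => 0, "downcase" => 0, "reverse" => 0,
  "start_with?" => 1, "end_with?" => 1, "include?" => 1,
}.freeze

# Hardened form: only listed public String methods, dispatched with public_send.
def hardened_show(params)
  name  = params[:method].to_s
  arity = ALLOWED_STRING_METHODS[name]
  raise DisallowedMethod, "method not allowed: #{name.inspect}" if arity.nil?

  receiver = params[:klass].to_s
  # public_send rather than method(...).call: even an allowlisted name stays public-only.
  arity.zero? ? receiver.public_send(name) : receiver.public_send(name, params[:argument].to_s)
end

if __FILE__ == $PROGRAM_NAME
  attacker = { klass: "x", method: "eval", argument: "6 * 7" } # constructed request
  puts vulnerable_show(attacker)          # 42: attacker-chosen Ruby was evaluated
  puts reachable?("eval", :method)        # true
  puts reachable?("eval", :public_method) # false
  begin
    hardened_show(attacker)
  rescue DisallowedMethod => e
    puts e.message                        # method not allowed: "eval"
  end
  puts hardened_show(klass: "abc", method: "start_with?", argument: "ab") # true
end
```

`public_send` alone is not the fix: `instance_variable_set`, `define_singleton_method` and similar are public on every object, so the allowlist is what actually bounds the reachable surface.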

@presidentbeef (Owner)

😐

Agree, this should be flagged and it is not difficult to do so.
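What such a check can look like, as an added illustration rather than Brakeman's implementation (Brakeman works on its own s-expressions; the real check arrived in the linked fix): a walk over Ripper's sexp that flags `method`, `send`, `public_send` and `__send__` whenever the argument list references `params`, whether the call is parenthesised or a bare command. `find_dynamic_dispatch`, `DANGEROUS_DISPATCH` and `SAMPLE_SOURCE` are names and inputs constructed for this example.

```ruby
# Added example, not Brakeman's code: a minimal Ripper-based check for
# dynamic dispatch whose method name is taken from `params`.
require "ripper"

DANGEROUS_DISPATCH = %w[method send public_send __send__].freeze

# Constructed input: the issue's action plus a safe control and a bare `send`.
SAMPLE_SOURCE = <<~RUBY
  def show
    (params[:klass].to_s).method(params[:method]).(params[:argument])
  end

  def safe
    "abc".method(:upcase).call
  end

  def bare_send
    send params[:action_name]
  end
RUBY

def ident_name(node)
  node.is_a?(Array) && node[0] == :@ident ? node[1] : nil
end

# Does any subtree call `params` with no receiver (Ripper :vcall / :fcall)?
def references_params?(node)
  return false unless node.is_a?(Array)
  return true if (node[0] == :vcall || node[0] == :fcall) && ident_name(node[1]) == "params"
  node.any? { |child| references_params?(child) }
end

# For call nodes that carry an argument list, return [method ident node, args node].
def dispatch_target(node)
  case node[0]
  when :method_add_arg          # recv.meth(args) or meth(args)
    callee = node[1]
    ident = case callee[0]
            when :call  then callee.last   # a Symbol (:call) for recv.(args), so skipped
            when :fcall then callee[1]
            end
    [ident, node[2]]
  when :command_call            # recv.meth args
    [node[3], node[4]]
  when :command                 # meth args
    [node[1], node[2]]
  end
end

# Returns [{ method: "send", line: 10 }, ...] for every dangerous dispatch
# whose arguments mention `params`.
def find_dynamic_dispatch(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, "syntax error in source" if tree.nil?

  findings = []
  walk = lambda do |node|
    next unless node.is_a?(Array)
    if %i[method_add_arg command_call command].include?(node[0])
      ident, args = dispatch_target(node)
      name = ident_name(ident)
      if name && DANGEROUS_DISPATCH.include?(name) && references_params?(args)
        findings << { method: name, line: ident[2][0] }
      end
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(tree)
  findings
end

if __FILE__ == $PROGRAM_NAME
  find_dynamic_dispatch(SAMPLE_SOURCE).each do |f|
    puts "line #{f[:line]}: #{f[:method]} called with a name derived from params"
  end
end
```

The check deliberately flags any `params` reference anywhere in the argument list, not only `params[:x]` directly, so `send(params.fetch(:m))` or `method(params[:m].to_sym)` are caught too; it does not follow a name through a local variable assignment, which a real taint-tracking check would.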

@presidentbeef presidentbeef added this to the 5.0 milestone Sep 18, 2020
presidentbeef added a commit that referenced this issue Oct 30, 2020
presidentbeef added a commit that referenced this issue Oct 31, 2020
Repository owner locked and limited conversation to collaborators Jan 30, 2022