
149 fixed remote-code-execution vulnerability, added tests for new code #180

Merged
merged 4 commits into from
Sep 11, 2023

Conversation

Janell-Huyck
Contributor

Fixes #149

Fixed a remote-code-execution vulnerability.

The previous method Object.const_get(params[:controller_name].classify) uses user-supplied data (params[:controller_name]) to dynamically retrieve a constant. This is risky because a malicious user can potentially gain access to any constant in the Ruby environment, which could lead to various types of attacks including Remote Code Execution (RCE).

Proposed Fix
Instead of dynamically getting the constant using Object.const_get, we use a whitelist of allowable controller names that map to the models we want to work with. This way, we can ensure that only authorized models can be accessed.

Added logging if csv generation fails.

Added tests for future models to ensure that they are on the list of approved controller names and that the new models have the self.to_csv method that will be called to generate a CSV.
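The pattern described in this PR, as an added example that is not the project's own code: the `Object.const_get` lookup beside an allowlist that maps controller names to models, plus the failure logging and the `to_csv` consistency check the description mentions. The model and controller names (`Student`, `Course`, `students`, `courses`) are constructed, and `classify` is a stand-in since ActiveSupport is not loaded.

```ruby
# Added example, not the project's code: const_get lookup vs. the PR's allowlist.
# Stand-in models; only models meant for CSV export define self.to_csv.
class Student
  def self.to_csv
    "id,name\n1,Ada\n"
  end
end

class Course
  def self.to_csv
    "id,title\n7,Crypto 101\n"
  end
end

# Before: the user-supplied controller name picks any constant in the process.
# `classify` is approximated here since ActiveSupport is not loaded.
def classify(name)
  name.sub(/s\z/, '').split('_').map(&:capitalize).join
end

def model_for_unsafe(controller_name)
  Object.const_get(classify(controller_name)) # "kernels" resolves to Kernel
end

# After: an explicit allowlist maps controller names to the exportable models.
# Anything not in the table is rejected instead of resolved.
CSV_EXPORTABLE = {
  'students' => Student,
  'courses'  => Course
}.freeze

def model_for(controller_name)
  CSV_EXPORTABLE.fetch(controller_name.to_s) do
    raise ArgumentError, "CSV export not allowed for #{controller_name.inspect}"
  end
end

# Mirrors the PR's test for future models: every allowlisted model must
# respond to to_csv, so an entry cannot be added without the method it needs.
def allowlist_consistent?
  CSV_EXPORTABLE.values.all? { |m| m.respond_to?(:to_csv) }
end

def export_csv(controller_name)
  model_for(controller_name).to_csv
rescue ArgumentError => e
  warn "csv generation failed: #{e.message}" # the logging the PR added
  nil
end
```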

@Janell-Huyck Janell-Huyck force-pushed the 149-remote-code-execution-vulnerability branch from 5e44b17 to 3cb84a2 Compare September 7, 2023 20:03
@Janell-Huyck Janell-Huyck changed the title fixed remote-code-execution vulnerability, added tests for new code 149 fixed remote-code-execution vulnerability, added tests for new code Sep 8, 2023
@crowesn crowesn self-assigned this Sep 8, 2023
Contributor

@crowesn crowesn left a comment


Looks good. Merging.

@crowesn crowesn merged commit 3da27d4 into qa Sep 11, 2023
2 checks passed
@crowesn crowesn deleted the 149-remote-code-execution-vulnerability branch September 11, 2023 17:05
Development

Successfully merging this pull request may close these issues.

Brakeman: Remote Code Execution vulnerability
2 participants