I am trying to find a way to whitelist certain params in order to prevent the ability for these params to be manipulated into dangerous data.
I have run brakeman on my app and it specifically highlights the lines:
    new_entity_model = new_entity_type.camelize.constantize
and
    new_entity_type_num = new_entity_type.upcase.constantize
Entity type and entity id are attributes in the home table.
def create_reassign_entity
  @house = House.find(params[:id])
  # Both values come straight from the request; presence turns "" into nil
  new_entity_id = params[:house].try(:[], :entity_id).presence
  new_entity_type = params[:house].try(:[], :entity_type).presence
  if new_entity_id.blank? || new_entity_type.blank?
    flash[:error] = t('Please_select_an_entity')
  else
    # Lines flagged by brakeman: a user-supplied string is turned into a constant
    new_entity_model = new_entity_type.camelize.constantize
    new_entity_type_num = new_entity_type.upcase.constantize
    # Any lookup error (bad id, bad class) is swallowed and treated as "not found"
    new_entity = new_entity_model.find_cached(new_entity_id) rescue nil
    if new_entity.is_a?(new_entity_model)
      @house.update_attributes(entity_id: new_entity_id, entity_type: new_entity_type_num)
      @house.update_entity_state_county
      flash[:notice] = t('This_house_will_be_reassigned_to_entity_') + new_entity.to_label
    else
      flash[:error] = t('Unable_to_find')
    end
  end
  respond_to do |format|
    format.html { redirect_to(house_path(@house)) }
    format.json { render json: @house, status: :ok }
    format.xml { render xml: @house.as_json, status: :ok }
  end
end
Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method `constantize` called on parameter value
Code: params[:home][:entity_type].camelize.constantize
File: app/controllers/houses_controller.rb
Line: 113
If any other information is needed in order to get a bigger picture I'm happy to help.
If your problem can be solved using nested attributes, use nested attributes.
If you really need to go this way, you can sanitize the params like this:
You should handle `allowed_classes[class_name].nil?` with some kind of error 400.
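To make the whitelist idea concrete, here is an added example (it is not the asker's controller or the answerer's snippet, and it runs without Rails): the raw `entity_type` parameter is only ever used as a key into a fixed table that maps it to a model class and a type number, so `constantize` is never called on user input, and an unknown type is answered with a 400. The `Person` and `Company` classes, their `find_cached` stubs, the type numbers and the `reassign_entity` helper are all constructed for this example.

```ruby
# Stand-in models, constructed for this example; find_cached mimics the
# asker's lookup and returns nil when the id is unknown.
class Person
  def self.find_cached(id); id.to_i == 1 ? new : nil; end
  def to_label; "Person #1"; end
end

class Company
  def self.find_cached(id); id.to_i == 7 ? new : nil; end
  def to_label; "Company #7"; end
end

# The only entity types this action will ever resolve. Keys are the exact
# strings accepted from params; anything else falls through to nil.
# (Type numbers are made up for the example.)
ALLOWED_ENTITY_TYPES = {
  "person"  => { model: Person,  type_num: 1 },
  "company" => { model: Company, type_num: 2 },
}.freeze

# Hash lookup instead of camelize/upcase + constantize: the parameter can
# name only the classes listed above, never an arbitrary constant.
def resolve_entity_type(raw)
  return nil if raw.nil?
  ALLOWED_ENTITY_TYPES[raw.to_s.strip.downcase]
end

# Plain-Ruby version of the reassignment flow; returns a result hash so the
# outcome can be checked without a Rails controller around it.
def reassign_entity(params)
  house = params.fetch(:house, {})
  entity_id = house[:entity_id].to_s.strip
  entity_type = house[:entity_type].to_s.strip
  if entity_id.empty? || entity_type.empty?
    return { status: 422, error: "Please select an entity" }
  end

  entry = resolve_entity_type(entity_type)
  # Unknown type: reject with 400 rather than trying to constantize it
  return { status: 400, error: "Unknown entity type" } if entry.nil?

  entity = entry[:model].find_cached(entity_id)
  return { status: 404, error: "Unable to find" } if entity.nil?

  { status: 200, entity_id: entity_id, entity_type: entry[:type_num], label: entity.to_label }
end
```

In a controller the three error branches would become `head :unprocessable_entity`, `head :bad_request` and the existing "Unable to find" flash; the point is that the table, not the request, decides which class is instantiated. Because the table key is the full lowercased string, a value like `"kernel"` or `"Object"` simply returns nil instead of resolving to a constant.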