diff --git a/ruby/rails/security/brakeman/check-unsafe-reflection-methods.rb b/ruby/rails/security/brakeman/check-unsafe-reflection-methods.rb
index fa805f9829..bf286fd538 100644
--- a/ruby/rails/security/brakeman/check-unsafe-reflection-methods.rb
+++ b/ruby/rails/security/brakeman/check-unsafe-reflection-methods.rb
@@ -8,6 +8,11 @@ def dynamic_method_invocations
   # ruleid: check-unsafe-reflection-methods
   Kernel.tap(¶ms[:method].to_sym)
   User.method("#{User.first.some_method_thing}_stuff")
+  user_input_value = params[:my_user_input]
+  # ruleid: check-unsafe-reflection-methods
+  anything.tap(&user_input_value.to_sym)
+  # ruleid: check-unsafe-reflection-methods
+  anything_else.tap { |thing| thing + user_input_value() }
 end
 
 def dynamic_method_invocations_ok
@@ -17,6 +22,9 @@ def dynamic_method_invocations_ok
   SomeClass.method("some_method").("some_argument")
   # ok: check-unsafe-reflection-methods
   Kernel.tap("SomeClass".to_sym)
+  user_input_value = params[:my_user_input]
+  # ok: check-unsafe-reflection-methods
+  user_input_value.tap("some_method")
 end
 
 end
diff --git a/ruby/rails/security/brakeman/check-unsafe-reflection-methods.yaml b/ruby/rails/security/brakeman/check-unsafe-reflection-methods.yaml
index 68ac23d53e..edbe2cf3c7 100644
--- a/ruby/rails/security/brakeman/check-unsafe-reflection-methods.yaml
+++ b/ruby/rails/security/brakeman/check-unsafe-reflection-methods.yaml
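Review bot: The third `ruleid` case, `anything_else.tap { |thing| thing + user_input_value() }`, calls a method named `user_input_value` rather than reading the local assigned four lines above (the parentheses make it a method call in Ruby), so the fixture does not exercise taint flow from `params[:my_user_input]` into the block as it appears to intend; drop the parens: `anything_else.tap { |thing| thing + user_input_value }`. More importantly, `tap` with a block only yields its receiver and performs no reflection, so asserting a finding here locks in the behaviour of the new `$Y.tap{ |$ANY| $Z }` pattern in the yaml hunk (focus on the whole block body `$Z`), which will report any ordinary tap block that merely touches user input, e.g. `record.tap { |r| r.name = params[:name] }`. The reflection risk with `tap` is the Symbol#to_proc form on the line above (`tap(&user_input_value.to_sym)`), which the `$Y.tap($Z)` pattern already covers, so consider dropping this case or adding a comment explaining why a block body is treated as a sink. `dynamic_method_invocations` begins before this hunk.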
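Review bot: `user_input_value.tap("some_method")` is not runnable Ruby — `Object#tap` takes no positional arguments and raises ArgumentError — so this negative case only shows that a literal argument is not reported and never resembles code a developer would write. A realistic negative such as `anything.tap(&:to_s)` or `user_input_value.tap { |v| v.strip }` would better pin that a literal symbol-to-proc and a plain block are left alone; the latter would also show whether the new block-body pattern in the yaml hunk reports the receiver's taint inside the block, which I cannot tell from here. `dynamic_method_invocations_ok` begins before this hunk, and the final `end` closes an enclosing definition whose header is outside it.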
@@ -21,10 +21,18 @@ rules:
       - pattern-either:
           - pattern-inside: |
               $X. ... .to_proc
-          - pattern-inside: |
-              $Y.method(...)
-          - pattern-inside: |
-              $Y.tap(...)
+          - patterns:
+              - pattern-inside: |
+                  $Y.method($Z)
+              - focus-metavariable: $Z
+          - patterns:
+              - pattern-inside: |
+                  $Y.tap($Z)
+              - focus-metavariable: $Z
+          - patterns:
+              - pattern-inside: |
+                  $Y.tap{ |$ANY| $Z }
+              - focus-metavariable: $Z
     message: Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`