
ruby-security - issue #4

Recommend using String#dump when embedding user-input into output/exceptions/log messages


Posted on Sep 21, 2012 by Helpful Rhino

Simply embedding a variable into a String, which is then printed or written to a log file may result in forged messages. Instead, String#dump should be called.

puts "Received message: #{mesg.dump}"

log.info "User logged in: #{username.dump}"

raise("invalid command: #{command.dump}")

Comment #1

Posted on Sep 21, 2012 by Happy Bird

Are you referring to attackers embedding new line characters in, say, 'username' to create additional log entries?

Comment #2

Posted on Sep 21, 2012 by Helpful Rhino

Correct, or embedding terminal control characters.

Comment #3

Posted on Sep 21, 2012 by Helpful Rhino

Also, using String#dump will prevent code injection, if the program is generating other source code using String interpolation or Erb templates.

Comment #4

Posted on Sep 25, 2012 by Happy Bird

While interesting, I think the issue of log forging is a generic enough concept that it does not necessarily need to be mentioned in the guide.

Re: code generation: do you have a good example for that? Maybe with a meta-programming example we could work .dump into the guide.

In any case, the suggestion to use .dump is a good one and seems like a good fit for the future "secure coding" section that I'll be adding (added label for that).

Comment #5

Posted on Sep 25, 2012 by Helpful Rhino

A good example of Ruby code insecurely generating other Ruby code was the code injection in RubyGems:

Patch: https://github.com/rubygems/rubygems/commit/f6db093abe0840118808acfe843c7931fdcbb27f
Explanation: https://github.com/sophsec/rubygems-pwn#readme

This is basically the same problem as SQL/XPath/Command injection, except with generated source-code.
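As an added illustration of both the log-forging point in the original post and the code-generation point in comments #3 and #5 (example code written for this thread, not from the issue, RubyGems, or the ruby-security guide; the tainted input is constructed):

```ruby
# Constructed attacker-style input: an embedded newline followed by text that
# looks like a second log record, plus an ANSI escape sequence (ESC [ 2 K).
TAINTED_USERNAME = "alice\nUser logged in: admin\e[2K".freeze

# Naive interpolation: the value is embedded verbatim, so the newline splits
# the message into two records and the escape reaches the terminal.
def naive_log_line(username)
  "User logged in: #{username}"
end

# Hardened form from the original post: String#dump returns a double-quoted
# Ruby literal with newlines, control characters, quotes and non-ASCII
# escaped, so the whole value stays on one physical line.
def safe_log_line(username)
  "User logged in: #{username.dump}"
end

# A typical log consumer splits on newline; this counts the records it sees.
def log_records(line)
  line.split("\n")
end

# True when a line contains only printable ASCII (no control characters).
def printable_ascii?(line)
  line.each_char.all? { |c| c.ord.between?(0x20, 0x7e) }
end

# Code generation (comments #3 and #5): embedding the dumped literal means
# the attacker's text cannot close the string literal and add statements.
def generate_assignment(value)
  "greeting = #{value.dump}"
end

# The literal produced by dump parses back to exactly the original value
# (String#undump, Ruby >= 2.5, is the inverse), so nothing is lost.
def roundtrip(value)
  value.dump.undump
end

if __FILE__ == $PROGRAM_NAME
  puts naive_log_line(TAINTED_USERNAME)   # two lines, second one forged
  puts safe_log_line(TAINTED_USERNAME)    # one line, escapes visible
  puts generate_assignment(TAINTED_USERNAME)
end
```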

Status: New

Labels:
Type-Defect Priority-Medium Future-SecureCoding