logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Improper type assignation - Ruby

Need

Enforce proper type declaration and assignment in the source code

Context

  1. Usage of Ruby 2.0+ for developing Ruby applications
  2. Usage of Rails framework for building web applications

Description

Insecure Code Example

def show
  var = params[:id]
  @user = User.find(var)
  ...
end

In the above code snippet, we have a method `show` which is used to find a user based on the `id` passed in the parameters. The `id` is stored in a variable `var` which doesn't have a specific type declared. This is a potential vulnerability because Ruby is a dynamically typed language, which means it determines the type of variable at runtime. Here, `var` could potentially hold any type of data, making the code prone to type-related errors at runtime, if the data passed is not an `id` or integer. For example, if a string or an array is passed instead of an integer, the `User.find(var)` would throw an error because it expects an integer as an argument. This could lead to application crashes or unexpected behavior. Moreover, it can also lead to potential security risks. If an attacker passes a string that can be executed as a script, it could lead to script injection attacks. Therefore, it is crucial to ensure that the type of `var` is checked before it is used, to prevent any potential issues.

Steps

  1. Declare the data type for the 'var' variable.
  2. Ensure that the data type of 'var' matches the expected data type for the 'id' parameter.
  3. Perform proper input validation and sanitization on the 'id' parameter to prevent any potential security vulnerabilities.
  4. Consider using strong parameter techniques to whitelist and validate the 'id' parameter before using it in the query.
  5. Use the appropriate method to find the user based on the 'id' parameter, considering the declared data type.
  6. Handle any potential errors or exceptions that may occur during the process of finding the user.

Secure Code Example

def show
  var = params[:id].to_i
  @user = User.find_by(id: var)
  ...
end

The above code fixes the vulnerability by explicitly converting the `params[:id]` to an integer using the `to_i` method. This ensures that the variable `var` is always of integer type, which is the expected data type for the 'id' parameter in the `User.find_by` method. The `find_by` method is used instead of `find` to prevent `ActiveRecord::RecordNotFound` exception from being raised when a user with the specified id does not exist. Instead, `find_by` will return `nil`, which can be handled gracefully in the application. The code does not include input validation and sanitization for the 'id' parameter. It is recommended to add these as well, to prevent potential security vulnerabilities such as SQL Injection. This could be done using Rails' strong parameters feature. Also, error handling is not included in the code. It is recommended to add appropriate error handling to manage situations where the user is not found or other potential issues. This could be done using exception handling techniques provided by Ruby.

References

  • 113 - Improper type assignation

    • Last updated

    2023/09/18