Ruby Unsafe Input Resource Injection
Description
Detects unsafe dynamic class loading in Ruby code where user-controlled input is passed to constantize() or safe_constantize() methods. This vulnerability could allow attackers to load and execute arbitrary Ruby classes, potentially leading to remote code execution.
Detection Strategy
• Identifies calls to constantize() or safe_constantize() methods in Ruby code
• Checks if the input to these methods comes from external/user-controlled sources
• Reports a vulnerability when user input can influence which class gets loaded dynamically
• Examines both direct method calls and method chaining scenarios
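The four bullets above describe a small taint check: find the sinks, trace their receivers back to user-controlled sources, follow chains and intermediate variables. The checker below is an added example written for this page, not Fluid Attacks' analyzer, and implements that strategy over the S-expression that Ruby's standard-library Ripper parser produces. The source set (params, request, cookies), the sample controller and the test inputs are assumptions constructed for the example. Note that both sink names are treated alike: safe_constantize only turns an unknown name into nil instead of a NameError, it still resolves any constant that does exist. The check is deliberately not flow-sensitive, so an inline allowlist guard in front of a constantize call would still be reported; the allowlist-plus-const_get pattern in the secure example below never calls a sink and is not reported.

```ruby
require "ripper"

# Method names that resolve a constant from a string.
SINKS = %w[constantize safe_constantize].freeze
# Entry points treated as user-controlled (an assumed starting set, not the page's).
SOURCES = %w[params request cookies].freeze

# Depth-first, pre-order walk over the Ripper S-expression, yielding every Array node.
def each_node(node, &blk)
  return unless node.is_a?(Array)
  yield node
  node.each { |child| each_node(child, &blk) }
end

# True if the subtree contains an identifier token whose name is in +names+.
def references?(node, names)
  each_node(node) { |n| return true if n[0] == :@ident && names.include?(n[1]) }
  false
end

# Locals assigned (directly or transitively) from a tainted expression, e.g.
# `a = params[:x]; b = a.to_s` marks both a and b. Iterates to a fixpoint.
def tainted_locals(tree)
  tainted = SOURCES.dup
  loop do
    before = tainted.size
    each_node(tree) do |n|
      next unless n[0] == :assign && n[1].is_a?(Array) && n[1][0] == :var_field
      target = n[1][1]
      next unless target.is_a?(Array) && target[0] == :@ident
      tainted << target[1] if references?(n[2], tainted)
    end
    tainted.uniq!
    break if tainted.size == before
  end
  tainted
end

# Reports each constantize/safe_constantize call whose receiver chain touches
# a tainted name. Returns an array of { line:, method: } hashes.
def find_unsafe_constantize(source)
  tree = Ripper.sexp(source) or raise ArgumentError, "source does not parse"
  tainted = tainted_locals(tree)
  findings = []
  each_node(tree) do |n|
    next unless n[0] == :call
    name = n[3]
    next unless name.is_a?(Array) && name[0] == :@ident && SINKS.include?(name[1])
    next unless references?(n[1], tainted) # receiver chain is user-controlled
    findings << { line: name[2][0], method: name[1] }
  end
  findings
end

# Constructed sample (not code from the page): three sink calls, two of them
# reachable from params; the const_get line never reaches a sink.
SAMPLE_SOURCE = <<~'RUBY'
  class UsersController < ApplicationController
    def show
      klass = params[:class].constantize
      name = params[:type]
      other = name.to_s.safe_constantize
      fixed = "User".constantize
      safe = Module.const_get(params[:class]) if ALLOWED_CLASSES.include?(params[:class])
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  find_unsafe_constantize(SAMPLE_SOURCE).each do |f|
    puts "line #{f[:line]}: user-controlled input reaches #{f[:method]}"
  end
end
```

Run against the sample it reports lines 3 and 5 and stays quiet on the literal receiver on line 6. Matching identifier tokens anywhere in the receiver subtree is what makes chained calls such as `params[:type].to_s.safe_constantize` fall out for free; the price is occasional false positives, for example a symbol literal that happens to be named `:params`.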
Vulnerable code example

class UsersController < ApplicationController
  def show
    # VULNERABLE: Allows arbitrary constant lookup from user input
    klass = params[:class].constantize
    @result = klass.all
    render json: @result
  end
end

✅ Secure code example
class UsersController < ApplicationController
  # SECURE: Define whitelist of allowed classes to prevent arbitrary constant resolution.
  # The list lives at class level: assigning a constant inside a method is a
  # SyntaxError ("dynamic constant assignment") in Ruby.
  ALLOWED_CLASSES = ["User", "Product", "Category"].freeze

  def show
    if ALLOWED_CLASSES.include?(params[:class])
      klass = Module.const_get(params[:class]) # Safe: only whitelisted classes allowed
      @result = klass.all
      render json: @result
    end
    # A name outside the whitelist falls through here; real code should reject it explicitly.
  end
end