Merge pull request #3269 from semgrep/merge-develop-to-release

Merge Develop into Release
semgrep · Jan 11, 2024 · a7d1278 · a7d1278
2 parents a40e5fa + 138966d
commit a7d1278
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 4 deletions.
diff --git a/ruby/rails/security/brakeman/check-unsafe-reflection-methods.rb b/ruby/rails/security/brakeman/check-unsafe-reflection-methods.rb
@@ -8,6 +8,11 @@ def dynamic_method_invocations
     # ruleid: check-unsafe-reflection-methods
     Kernel.tap(&params[:method].to_sym)
     User.method("#{User.first.some_method_thing}_stuff")
+    user_input_value = params[:my_user_input]
+    # ruleid: check-unsafe-reflection-methods
+    anything.tap(&user_input_value.to_sym)
+    # ruleid: check-unsafe-reflection-methods
+    anything_else.tap { |thing| thing + user_input_value() }
   end
 
   def dynamic_method_invocations_ok
@@ -17,6 +22,9 @@ def dynamic_method_invocations_ok
     SomeClass.method("some_method").("some_argument")
     # ok: check-unsafe-reflection-methods
     Kernel.tap("SomeClass".to_sym)
+    user_input_value = params[:my_user_input]
+    # ok: check-unsafe-reflection-methods
+    user_input_value.tap("some_method")
   end
 
 end
diff --git a/ruby/rails/security/brakeman/check-unsafe-reflection-methods.yaml b/ruby/rails/security/brakeman/check-unsafe-reflection-methods.yaml
@@ -21,10 +21,18 @@ rules:
     - pattern-either:
       - pattern-inside: |
           $X. ... .to_proc
-      - pattern-inside: |
-          $Y.method(...)
-      - pattern-inside: |
-          $Y.tap(...)
+      - patterns:
+          - pattern-inside: |
+              $Y.method($Z)
+          - focus-metavariable: $Z
+      - patterns:
+          - pattern-inside: |
+              $Y.tap($Z)
+          - focus-metavariable: $Z
+      - patterns:
+          - pattern-inside: |
+              $Y.tap{ |$ANY| $Z }
+          - focus-metavariable: $Z
   message: Found user-controllable input to a reflection method. This may allow a user to alter program
     behavior and potentially execute arbitrary instructions in the context of the process. Do not provide
     arbitrary user input to `tap`, `method`, or `to_proc`