Improper type assignation - Ruby

Improper type assignation - Ruby

Need

Enforce proper type declaration and assignment in the source code

Context

  • Usage of Ruby 2.0+ for developing Ruby applications
  • Usage of Rails framework for building web applications

Description

Non compliant code

        def show
  var = params[:id]
  @user = User.find(var)
  ...
end
        
        

In the above code snippet, we have a method show which is used to find a user based on the id passed in the parameters. The id is stored in a variable var which doesn't have a specific type declared.

This is a potential vulnerability because Ruby is a dynamically typed language, which means it determines the type of variable at runtime. Here, var could potentially hold any type of data, making the code prone to type-related errors at runtime, if the data passed is not an id or integer.

For example, if a string or an array is passed instead of an integer, the User.find(var) would throw an error because it expects an integer as an argument. This could lead to application crashes or unexpected behavior.

Moreover, it can also lead to potential security risks. If an attacker passes a string that can be executed as a script, it could lead to script injection attacks.

Therefore, it is crucial to ensure that the type of var is checked before it is used, to prevent any potential issues.

Steps

  • Declare the data type for the 'var' variable.
  • Ensure that the data type of 'var' matches the expected data type for the 'id' parameter.
  • Perform proper input validation and sanitization on the 'id' parameter to prevent any potential security vulnerabilities.
  • Consider using strong parameter techniques to whitelist and validate the 'id' parameter before using it in the query.
  • Use the appropriate method to find the user based on the 'id' parameter, considering the declared data type.
  • Handle any potential errors or exceptions that may occur during the process of finding the user.

Compliant code

        def show
  var = params[:id].to_i
  @user = User.find_by(id: var)
  ...
end
        
        

The above code fixes the vulnerability by explicitly converting the params[:id] to an integer using the to_i method. This ensures that the variable var is always of integer type, which is the expected data type for the 'id' parameter in the User.find_by method.

The find_by method is used instead of find to prevent ActiveRecord::RecordNotFound exception from being raised when a user with the specified id does not exist. Instead, find_by will return nil, which can be handled gracefully in the application.

The code does not include input validation and sanitization for the 'id' parameter. It is recommended to add these as well, to prevent potential security vulnerabilities such as SQL Injection. This could be done using Rails' strong parameters feature.

Also, error handling is not included in the code. It is recommended to add appropriate error handling to manage situations where the user is not found or other potential issues. This could be done using exception handling techniques provided by Ruby.

References