How to fix security Unsafe reflection method constantize called with parameter value

tivanvodich · June 8, 2023, 3:22pm

My code: job = param[:worker_name].constantize.get_meta(params[:key]) I when I use brakeman I see error Unsafe reflection method constantize called with parameter value How to fix it

Lorin_Thwaits · June 8, 2023, 9:46pm

What Brakeman is trying to warn you about is that anyone could pass in a goofy class name and there would be the attempt to #constantize that class. So if you had, say, three possible workers that could be provided, you could allow only these by hard coding things something like this:

job = case param[:worker_name]
      when 'Ascending'
        Ascending
      when 'Descending'
        Descending
      when 'Unordered'
        Unordered
      end.get_meta(params[:key])

Then if someone passed in GoofyClass it would not be attempted. Although the above is not as DRY as your existing code, thankfully no one can try hacking things or load up tons of classes in an attempt to slow your server down.

tivanvodich · June 9, 2023, 1:33am

how can I get all worker class, I use resque gem for job GitHub - resque/resque: Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later.

Lorin_Thwaits · June 9, 2023, 2:47am

Oh! You might be using the resque-meta gem which extends Resque. If so then try doing this:

job = Resque::Plugins::Meta.get_meta(params[:key])

And if that doesn’t work then a little more goofy, and perhaps more of a long shot, but you could try:

job = Resque::Plugins::Meta::Metadata.new(Resque.decode(Resque.redis.get("meta:#{params[:key]}")))

tivanvodich · June 9, 2023, 4:07am

Why do You can use Meta.get_meta. Please show document for this syntax. I cannot find anything for this

tivanvodich · June 9, 2023, 4:14am

When I try run Meta.get_meta in console I get error uninitialized constant Meta

tivanvodich · June 9, 2023, 5:33am

Do you use Skype, Please help me, thank you very much! My task is urgent

Lorin_Thwaits · June 9, 2023, 6:48am

Heya! Have just had my morning coffee and saw your note. Started up a Google Hangouts session and have sent you the link.

Lorin_Thwaits · June 9, 2023, 8:03am

So after going through things, in your job class make sure the @queue instance variable is set, something like:

class MyJob
  extend Resque::Plugins::Meta
  @queue = :my_worker_queue
end

Then we can enqueue a job:

x = MyJob.enqueue('hello')

and then you should be able to reference the metadata for a queued job:

Resque::Plugins::Meta.get_meta(x.meta_id)

When I run the above inside of a rails c then here’s what it looks like on my machine:

tivanvodich · June 9, 2023, 2:07pm

Yes, I see. Thank you very much!

tivanvodich · July 11, 2023, 2:50pm

Can you help me, I have one issue and Cannot fix them