Safety of Raising Exception

Traci_Reynolds · May 6, 2007, 4:18am

Let's say I have a url like

/controller/method/id?some_param=whatever

if I put some_param into an exception, such as

raise MyException, "I don't like the value #{some_param}"

or

log("I don't like the value #{some_param}")

I'm trying to inject filesystem calls into the raised exception. I'm seeing some application failures, but haven't quite got it refined. However, it implies to me that it is having some effect on the application.

This seems to me the filesystem equivalent of SQL injection, but I don't see it listed anywhere.

eden_li · May 6, 2007, 5:12am

Does this mean you're passing some_param to a system call? I guess the proper term for that would be "code injection" (http:// en.wikipedia.org/wiki/Code_injection).

You should escape some_param somehow before passing it to a call on the command line. If you could paste some example code of what you're doing, we could probably provide pointers on how to make it safe...

Traci_Reynolds · May 6, 2007, 6:17am

Sure, here's an example using log, and one using exceptions:

Assuming there is a parameter klass, which is used as the class for lookup:

/controller/method/id?klass=Blog

def list begin raise SecurityError, "Class not found: #{params[:klass]}" if !params[:klass].legal_class? ... rescue => e log.error("Cannot find class #{params[:klass]} #{params[:id]}) raise end

eden_li · May 6, 2007, 3:00pm

Sorry I'm a little lost. Nothing in that snippet seems like code injection unless #legal_class? is implemented insecurely. Or unless it's hiding in the ...

Care to reveal a bit more?

Traci_Reynolds · May 6, 2007, 4:42pm

Really I'm concerned about the two lines:

raise SecurityError, "Class not found: #{params[:klass]}" log.error("Cannot find class #{params[:klass]} #{params[:id]})

where a user could pass code through the url parameters, and code injection occurs on the two message types.

I need to clean up my code, and then send an example. If you see any problems with the above, let me know.

eden_li · May 7, 2007, 3:11am

There is nothing wrong with those two lines. Code injection is only an issue if you actually treat what the user gave you as code. In this case you're just telling ruby to dump strings. Ruby doesn't execute the contents in any way. There's very little security concern.

If you're unconvinced, then you can dump out the inspected versions of the strings. Most non-ASCII characters will show up as escaped octets:

log.error("Cannot find class #{params[:klass].inspect} #{params[:id].inspect}")

Traci_Reynolds · May 7, 2007, 4:06am

Ah. So the reason SQL injection occurs in :conditions=>"something=#{params[:something]}" because the SQL command is dependent on a string. I wasn't clear on the distinction between the two evaluation contexts that are obviously safe, and the SQL injection example.

Thanks for the great help!

Topic		Replies	Views
handling my custom exceptions , is that right ? rubyonrails-talk	2	113	July 2, 2011
Params & Class Methods rubyonrails-talk	1	91	March 19, 2007
5-second code syntax question rubyonrails-talk	6	122	February 5, 2009
about the sql injection rubyonrails-talk	2	132	March 18, 2008
rails named scopes and sql injection rubyonrails-talk	4	138	April 15, 2013

Safety of Raising Exception

Related topics

More Resources