mirror of
https://github.com/github/codeql.git
synced 2026-03-05 23:26:51 +01:00
Module#const_get takes a single string argument and interprets it as the
name of a constant. It then looks up the constant and returns its value.
Object.const_get("Math::PI")
# => 3.141592653589793
By itself, this method is not as dangerous as e.g. eval, but if the
value returned is a class that is then instantiated, this can allow an
attacker to instantiate arbitrary Ruby classes.
As a result, I think it's safe to say that any remote input flowing into
this call is a potential vulnerability. A real-world example of this is
https://github.com/advisories/GHSA-52p9-v744-mwjj.
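The unsafe pattern the description warns about, beside a hardened version that never resolves user input, as an added Ruby example that is not part of the CodeQL test file or this pull request; the exporter classes and the request parameter values are constructed for illustration.

```ruby
# Added example, not part of the CodeQL test file: the pattern the description
# warns about (request data flowing into Module#const_get and the result being
# instantiated) next to a hardened version that never resolves user input.

# Hypothetical application classes; names are constructed for this example.
class CsvExporter
  def initialize(opts = {})
    @opts = opts
  end
end

class JsonExporter
  def initialize(opts = {})
    @opts = opts
  end
end

# UNSAFE: the constant name is taken from the request as-is, so any class the
# process can see is resolvable and gets instantiated, not just exporters.
def build_exporter_unsafe(class_name_param)
  Object.const_get(class_name_param).new
end

# SAFE: user-facing values map to a fixed set of classes. No const_get on
# attacker-controlled data; anything outside the allowlist is rejected.
EXPORTERS = {
  "csv"  => CsvExporter,
  "json" => JsonExporter,
}.freeze

def build_exporter_safe(format_param)
  klass = EXPORTERS.fetch(format_param.to_s) do
    raise ArgumentError, "unsupported export format: #{format_param.inspect}"
  end
  klass.new
end

if __FILE__ == $PROGRAM_NAME
  # Constructed "request parameters" standing in for remote input.
  puts build_exporter_unsafe("CsvExporter").class # => CsvExporter
  puts build_exporter_unsafe("Array").class       # => Array (not an exporter)
  puts build_exporter_safe("json").class          # => JsonExporter
  begin
    build_exporter_safe("Array")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The second unsafe call shows the point of the description: the same line of code happily instantiates a class that has nothing to do with exporting, while the hash lookup rejects it.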
27 lines
471 B
Ruby
Object.const_get("Math")
self.class.const_get("Math")
Math.const_get("PI")
Math.const_get(:PI)

module Foo
  class Bar
    VAL = 10

    def const_get(x)
      "my custom const_get method"
    end
  end

  class Baz < Bar
    def self.const_get(x)
      "another custom const_get method"
    end
  end
end

Object.const_get("Foo::Baz::VAL")
Foo.const_get("Bar::VAL")

# Should not be identified as a use of Module#const_get
Foo::Bar.new.const_get 5
Foo::Baz.const_get 5