nyx/tests/fixtures/real_world/ruby/taint/constantize.expect.json


{
"description": "Unsafe constantize on user-controlled class name enabling arbitrary class instantiation",
"tags": [
"taint",
"reflect",
"constantize",
"sinatra",
"ruby"
],
"modes": [
"full",
"ast"
],
"expected": [
{
"rule_id": "rb.reflection.constantize",
"severity": null,
"must_match": true,
"line_range": [
3,
7
],
"evidence_contains": [],
"notes": "constantize on user input allows instantiation of arbitrary classes"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": false,
"line_range": [
2,
8
],
"evidence_contains": [],
"notes": "params[:type] flows into constantize; aspirational taint finding, not yet required to match"
}
]
}