The issue is not specifically the use of constantize; it’s to do with trusting user input not to be malicious. In order to make an application secure, you must consider all user input to be potentially malicious. There are plenty of convenient use cases for constantizing code, and security is unlikely to be an issue if there’s no user input involved.
However, I did find this hacking technique interesting/surprising, as I’ve never seen it before:
You can really run arbitrary shell scripts by simply creating an instance of Logger??!! I looked into this, and it’s true. Here’s a full breakdown, for the curious:
Creating a new instance of
instantiates a new instance of
LogDevice, with the given “filename”:
set_dev with the supplied “filename”:
… Which calls
… Which calls
And, looking at the documentation for
Creates an IO object connected to the given stream, file, or subprocess. If path does not start with a pipe character (|), treat it as the name of a file to open using the specified mode (defaulting to “r”).
If path starts with a pipe character (“|”), a subprocess is created, connected to the caller by a pair of pipes. The returned IO object may be used to write to the standard input and read from the standard output of this subprocess.
If the command following the pipe is a single minus sign (“|-”), Ruby forks, and this subprocess is connected to the parent. If the command is not “-”, the subprocess runs the command. […]
Wow, that’s definitely a possible attack vector to be aware of!
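The practical lesson from the trace above is that a log file name taken from user input must never reach Kernel#open, because of the pipe form in the documentation just quoted. The following is an added example, not code from the original post or from Ruby's logger library: it validates a caller-supplied file name against a fixed, trusted log directory, then opens the file itself with File.open (which has no “|command” mode) and hands the resulting IO to Logger. The names safe_log_path, build_logger and UnsafeLogPath are assumptions of this example.

```ruby
require "logger"

# Added example (not from the original post or the logger library).
# Raised when a user-supplied log name fails validation.
class UnsafeLogPath < StandardError; end

# Returns an absolute path for +user_name+ inside +base_dir+, or raises
# UnsafeLogPath. Only a bare file name is accepted: no pipe prefix, no
# directory separators, no "." / "..", no characters outside [\w.-].
def safe_log_path(user_name, base_dir)
  raise UnsafeLogPath, "empty name" if user_name.nil? || user_name.empty?
  # The pipe prefix is what Kernel#open would turn into a subprocess.
  raise UnsafeLogPath, "pipe prefix" if user_name.start_with?("|")
  # Allow-list the characters rather than trying to block bad ones
  # (also rules out "/", "\\" and NUL bytes).
  raise UnsafeLogPath, "invalid characters" unless user_name.match?(/\A[\w.-]+\z/)
  raise UnsafeLogPath, "traversal" if user_name == "." || user_name == ".."

  base = File.expand_path(base_dir)
  full = File.expand_path(user_name, base)
  # Defence in depth: the resolved path must still sit under base_dir.
  raise UnsafeLogPath, "escapes base dir" unless full.start_with?(base + File::SEPARATOR)
  full
end

# Builds a Logger on an IO opened with File.open. Unlike Kernel#open,
# File.open never interprets a leading "|" as a command, so even if the
# validation above were bypassed, no subprocess could be started here.
def build_logger(user_name, base_dir)
  path = safe_log_path(user_name, base_dir)
  io = File.open(path, File::WRONLY | File::APPEND | File::CREAT, 0o640)
  io.sync = true
  Logger.new(io)
end
```

Passing an IO rather than a string to Logger.new is the key design choice: it keeps the decision about how the file is opened in your own code, where the pipe semantics of Kernel#open are simply not available, and the allow-list check on the name makes the intent explicit for reviewers.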