Unsafe programmatic construct referencing
Dynamic referencing of functions and classes through user input is dangerous and should never be done, some examples are listed below.
Unsafe PHP examples
- Anonymous function implementation example:
$func = $_GET['func'];
- Anonymous object implementation example:
$class = $_GET['object_type'];
$object = new $class();
- Anonymous object method implementation example:
$class = $_GET['object_type'];
$method = $_GET['method'];
$object = new $class();
Unsafe Perl examples
- Anonymous function implementation example:
$func = <>;
- Anonymous object implementation example:
$class = <>;
$object = $class->new();
- Anonymous object method implementation example:
$class = <>;
$method = <>;
$object = $class->new()->method();
Unsafe Python examples
- Anonymous function implementation example:
var = "function_name"
locals()[var]() # or globals()
- Anonymous object implementation example:
class_name = input()
instance = globals()[class_name]()
# OR
instance = locals()[class_name]()
# OR
any_scoped_class = lambda x: dict(target for classlist in [inspect.getmembers(sys.modules[module],inspect.isclass) for module in sys.modules] for target in classlist)[x]()
instance = any_scoped_class(class_name)
- Anonymous object method implementation example:
ClassName = "ObjectName"
func_name = "object_method"
instance = globals()[ClassName]()
func = getattr(instance, func_name)
Unsafe Ruby examples
- Anonymous function implementation example:
- Anonymous object implementation example:
- Anonymous object method implementation example:
These functions are best left unused unless the data is whitelisted and not directly based on user input. There is no safe way to allow users to call arbitrary (non-whitelisted) classes and functions. Do not do this! Whitelists should always be in place when referencing objects from user input.
Whitelisting examples:
$class_whitelist['class_name'] = 'real_class_name';
if (isset($_GET['module']) && # Check that input is defined
isset($class_whitelist[$_GET['module']] && # Be sure the class is in the whitelist
class_exists($class_whitelist[$_GET['module']])) { # even if its whitelisted, lets make sure its a class... typos exist.
$class = new $class_whitelist[$_GET['module']](); # new real_class_name() - this way user input isn't trusted directly for instantiation.
} else {
# Handle Error...
To audit:
find -name \*.py -exec grep -EHnC2 "[a-zA-Z0-9\)]\[[^\'\"\]]\\+\]\(" '{}' \; \
-o -name \*.rb -exec grep -EHnC2 "const_get\(\|send\(\|eval\(" '{}' \;