One of the interesting properties of Ruby is the fact that everything is an object. The manipulation of objects at runtime is what makes Ruby so flexible and interesting as a language. At its heart, this is the idea behind reflection. Reflection is a tool to allow a program to examine and modify its own behavior at runtime, granting programmers the ability to simpilify certain constructs (e.g. framework development, dependency resolution).

One of the features Ruby on Rails adds to Ruby is the String#constantize function. It provides a solution to the common problem of converting a String into a Class, then allowing the programmer to call methods or instantiate objects based on the contents of the String. The Rails documentation provides the following description and code examples:

String#constantize tries to find a constant with the name specified in the argument string.

		'Module'.constantize     # => Module'Test::Unit'.constantize # => Test::Unit	

The name is assumed to be the one of a top-level constant, no matter whether it starts with “::” or not. No lexical context is taken into account:

		C = 'outside'module M  C = 'inside'  C               # => 'inside'  'C'.constantize # => 'outside', same as ::Cend	

NameError is raised when the name is not in CamelCase or the constant is unknown.

Rails also provides a “safe” version of the function with String#safe_constantize. Safe, in this context, means the function does not raise an exception.

Recently, I was manually reviewing the source code of a Ruby on Rails application, and I discovered the use of this constantize function sprinkled throughout the codebase. As described above, the function is used to convert user input to a constant within the Ruby object space. This constant may then be used to call functions or instantiate objects. A generic example is shown below:

		class FooBarController < ApplicationController  # e.g. GET /foobar/13?klass=Baz::Small  def show    klass = params[:klass].constantize    klass.find(params[:id])  end  # e.g. POST /foobar?klass=Baz::Medium&name=bingo  def create    klass = params[:klass].constantize    klass.new(params[:name])  end  # e.g. PUT /foobar/13?klass=Baz::Large&name=bingo  def update    klass = params[:klass].constantize    baz = klass.find(params[:id])    baz.name = params[:name]    baz.save  endend	

For those unfamiliar with Ruby, the general concept of the above code can be boiled down to three user actions: get, create, and update. There is some class Baz with subclasses Small, Medium, and Large that must be accessible to the user. The user can query any of these subclasses and update the name attribute of their Baz object.

Unfortunately, this presents a massive security vulnerability. Reflection is a very dangerous beast, especially if used in conjunction with user input. Reflection is used to modifying the nature of a program at runtime and should not be used with Strings from untrusted sources. To demonstrate the danger of using constantize, imagine the following scenario.

A malicious attacker sifts through the Ruby standard library for any objects that execute commands after calling #new or #find. The Logger object fits these characteristics, allowing command execution based on the input parameter to Logger#new. The attacker then makes the following request to the server to test for code execution:

		POST /foobar HTTP/1.1Host: reflection.local	

		klass=Logger&name=|cat /etc/passwd	

Alternatively, the attacker can cause a denial of service by passing improper parameters to an object on instantiation. While creating content for this post, I discovered a few objects within the Ruby standard library that fit this characteristic. For example, at the time of this writing, the class OpenSSL::ASN1::Constructive contains a bug that causes a segmentation fault when the object is improperly constructed. An example request is shown below:

		POST /foobar HTTP/1.1Host: reflection.local	

		ng-xml --klass=OpenSSL::ASN1::Constructive&name=goodbye	

This request will not throw an exception within Ruby. Instead, this request will completely crash the server process yielding operating system stack trace. You can play along at home with the following:

		#!/usr/bin/env rubyrequire 'openssl'OpenSSL::ASN1::Primitive.new("hello")OpenSSL::ASN1::Constructive.new("world")	

Please consider the above when evaluating the use of reflection within web applications. Reflection, while a powerful tool, can be incredible harmful when used in improper contexts. In Ruby, there are a number of helpful ways to achieve reflection that all can lead to remote code execution or denial of service when called with user input (e.g. instance_eval, send, public_send, constantize).