Unsanitized user input in session key

• Rule ID: ruby_rails_session_key_using_user_input
• Languages: ruby
• Source: session_key_using_user_input.yml

Description

Unsanitized user input in session key poses a security risk. When user-defined data is directly used in session keys, attackers could be able to manipulate session data or perform unauthorized actions by exploiting the predictability or vulnerability of the session mechanism.

Remediations

• Do not use user-defined data directly in session keys. This can lead to security vulnerabilities.

  session["test-#{params[:unsafe]}"] = 42

• Do sanitize user input before incorporating it into session keys. Ensure that any data derived from user input is properly validated and sanitized to prevent injection attacks.

References

• OWASP Session Management Cheat Sheet

Associated CWE

• CWE-1018:

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_session_key_using_user_input

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_session_key_using_user_input