Skip to content

Potential fix for code scanning alert no. 29: Code injection #3340

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 3 commits into
base: rp/codeql-fix
Choose a base branch
from
Draft

Potential fix for code scanning alert no. 29: Code injection #3340

wants to merge 3 commits into from

Conversation

RajeshPaul38
Copy link
Contributor

Potential fix for https://github.com/chef/supermarket/security/code-scanning/29

The root problem is allowing user-controlled input to be dynamically constantized into a class name using constantize, which can lead to code injection. Instead, the solution is to create a static mapping of the permitted resource types ("Cookbook" and "Tool") to their respective classes. We replace

resource = collaborator_params[:resourceable_type].constantize.find(
  collaborator_params[:resourceable_id]
)

with a safe mapping, e.g.:

RESOURCEABLE_MODELS = {
  "Cookbook" => Cookbook,
  "Tool" => Tool
}

resourceable_klass = RESOURCEABLE_MODELS[collaborator_params[:resourceable_type]]
resource = resourceable_klass.find(collaborator_params[:resourceable_id])

This eliminates dynamic constantization. Also, ensure this mapping is defined in the same class or as a private constant.

The only file to modify is src/supermarket/app/controllers/collaborators_controller.rb, in the create action (lines 34-52).

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@RajeshPaul38 @github-advanced-security
Potential fix for code scanning alert no. 29: Code injection
e140768 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@RajeshPaul38 RajeshPaul38 changed the base branch from main to rp/codeql-fix September 26, 2025 07:33
Copilot
Copilot AI reviewed Sep 26, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR addresses a code injection security vulnerability (Alert #29) by replacing dynamic constantization with a safe static mapping. The change prevents potential code injection attacks that could occur when user-controlled input is passed to Ruby's constantize method.

  • Replaces constantize call with a static mapping of permitted resource types
  • Changes validation logic from array inclusion to hash key lookup
  • Eliminates the security risk of arbitrary class instantiation

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

src/supermarket/app/controllers/collaborators_controller.rb Outdated
Comment on lines 36 to 39
RESOURCEABLE_MODELS = {
"Cookbook" => Cookbook,
"Tool" => Tool
}
Copy link

Copilot AI Sep 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The constant RESOURCEABLE_MODELS should be defined at the class level rather than inside the method. Constants defined within method scope are recreated on every method call, which is inefficient and goes against Ruby conventions. Move this constant outside the method definition.

Copilot uses AI. Check for mistakes.

@RajeshPaul38
moved constant outside the method
61e2a0d 
Signed-off-by: Rajesh Paul <[email protected]>
@RajeshPaul38
lint fix
7048bb0 
Signed-off-by: Rajesh Paul <[email protected]>
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@RajeshPaul38