Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Summary

The stimulus_reflex is a system to extends the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions, more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex a websocket message of the following shape is sent: `\"target\":\"[class_name]#[method_name]\",\"args\":[]`. The server will proceed to instantiate `reflex` using the provided `class_name` as long as it extends `StimulusReflex::Reflex`. It then attempts to call `method_name` on the instance with the provided arguments. This is problematic as `reflex.method method_name` can be more methods than those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method. This issue affects stimulus_reflex versions prior to 3.4.2, and 3.5.x prior to 3.5.0.rc4.