Viktor Vsk, 2015-12-29 00:07:01

How safe is it to use send() on user input?

There is a class:

class Klass
  def method1(opts = {})
  end

  def method2(*args)
  end
end

If I want to accept both method names and arguments from the user ({ "user_input": "method2('some, [evil], {parameters}')" }), would it be enough to restrict it like this:

Klass.send(user_input_method_name, user_input_args) if user_input_method_name.in?(Klass.public_methods(false))

and, inside the methods, to treat the arguments only as strings?


1 answer(s)
Nikolai, 2015-12-29
@j_wayne

Never trust user input. Use whitelist to specify allowed methods.
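A worked illustration of the allowlist approach recommended above (added example, not code from the thread); the Klass methods and the SafeDispatcher class are hypothetical. The point it shows: the user-supplied name is compared as a string against a fixed list before anything is dispatched, public_send is used so private methods stay unreachable, and every argument is coerced to a plain string so the called method only ever sees data.

```ruby
# Hypothetical target class, modelled on the one in the question.
class Klass
  def method1(opts = {})
    "method1 called with #{opts.inspect}"
  end

  def method2(*args)
    "method2 called with #{args.inspect}"
  end

  # Public, but must never be reachable from user input: a check based on
  # Klass.public_methods / instance_methods would let it through.
  def reset!
    "reset!"
  end
end

# Hypothetical dispatcher: the only path from user input to a method call.
class SafeDispatcher
  # Explicit allowlist of method names reachable from user input.
  ALLOWED = %w[method1 method2].freeze

  class DisallowedMethod < StandardError; end

  def initialize(target)
    @target = target
  end

  # method_name and args are raw user input of any type.
  def call(method_name, *args)
    name = method_name.to_s
    # Compare as strings against the fixed list before the name is ever
    # handed to public_send; anything not listed is rejected outright.
    unless ALLOWED.include?(name)
      raise DisallowedMethod, "method #{name.inspect} is not allowed"
    end
    # public_send respects visibility (send would also reach private
    # methods); arguments are coerced to strings so they stay data.
    @target.public_send(name, *args.map(&:to_s))
  end
end
```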
