Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
V
V
Viktor Vsk2015-12-29 00:07:01
ruby
Viktor Vsk, 2015-12-29 00:07:01

How safe is it to use send() on user input?

There is a class:

class Klass
 def method1(opts={})
 end

 def method2(*args)
 end
end

If I want to accept both method names and arguments from the user ({ "user_input": "method2('some, [evil], {parameters}')" }), would it be enough to restrict:
Klass.send(user_input_method_name, user_input_args) if user_input_method_name.in?(Klass.public_methods(false))

And inside the methods to consider arguments only as strings?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
N
Nikolai, 2015-12-29
@j_wayne

Never trust user input. Use whitelist to specify allowed methods.

Similar questions
T
TeiSinTai2017-10-19 11:32:57
Can the following code work? 1Reply
A
Anton Ivanov2020-03-09 07:00:48
How in Rails, in the parent class, to define a constant so that the value is different for "children"? 3Reply
B
Bogdan2017-11-20 16:01:28
String to number - incorrectly processed? 1Reply
O
Ord EO2020-03-27 22:54:21
How to replace text with regular expressions in Ruby? 1Reply
K
Karina2018-01-05 15:20:08
Why do we need puma, rack? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question