Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
V
V
Viktor Vsk2015-12-29 00:07:01
ruby
Viktor Vsk, 2015-12-29 00:07:01

How safe is it to use send() on user input?

There is a class:

class Klass
 def method1(opts={})
 end

 def method2(*args)
 end
end

If I want to accept both method names and arguments from the user ({ "user_input": "method2('some, [evil], {parameters}')" }), would it be enough to restrict:
Klass.send(user_input_method_name, user_input_args) if user_input_method_name.in?(Klass.public_methods(false))

And inside the methods to consider arguments only as strings?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
N
Nikolai, 2015-12-29
@j_wayne

Never trust user input. Use whitelist to specify allowed methods.

Similar questions
O
Ord EO2021-09-01 02:25:44
How to sum the values ​​of multiple hashes in ruby? 1Reply
B
Bogdan2018-06-11 14:32:15
Change Reply Keyboard Markup? 1Reply
N
NakedFace2016-02-01 23:18:11
How to write a neural network for a family tree? 3Reply
S
sergebezborodov2013-06-16 10:23:32
Custom routes to Sinatra (Padrino)? 2Reply
A
Arthur Levenson2020-06-26 11:53:10
How to fix error in jekyll? 0Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question