
# frozen_string_literal: true

module RuboCop
  module Cop
    module GitlabSecurity
      # Flags calls to `send`, `public_send` and `__send__`.
      #
      # These methods dispatch on a method name computed at runtime, so when that
      # name is derived from untrusted input an attacker can choose which method
      # is invoked on the receiver. The cop reports every such call that carries
      # at least one argument; it does not examine the argument itself, so a call
      # with a literal symbol (e.g. `items.send(:choice1)`) is reported too.
      #
      # @example
      #
      #   # bad
      #   myobj.public_send("#{params[:foo]}")
      #
      #   # good
      #   case params[:foo].to_s
      #   when 'choice1'
      #     items.choice1
      #   when 'choice2'
      #     items.choice2
      #   when 'choice3'
      #     items.choice3
      #   end
      class PublicSend < RuboCop::Cop::Base
        MSG = 'Avoid using `%s`.'

        # RuboCop only invokes `on_send` for calls to these method names.
        RESTRICT_ON_SEND = %i[send public_send __send__].freeze

        # @!method send?(node)
        #   Matches a `send`/`csend` node, with any receiver, whose method name
        #   is one of the dynamic-dispatch methods; captures that method name.
        def_node_matcher :send?, <<~PATTERN
          ({csend | send} _ ${:send :public_send :__send__} ...)
        PATTERN

        # Reports an offense on the method-name selector of `node` when it is a
        # dynamic-dispatch call that has at least one argument. Argument-less
        # calls are left alone.
        #
        # @param node [RuboCop::AST::SendNode] the call being inspected
        def on_send(node)
          dispatched_method = send?(node)
          return unless dispatched_method && node.arguments?

          add_offense(node.loc.selector, message: format(MSG, dispatched_method))
        end

        alias_method :on_csend, :on_send
      end
    end
  end
end

Version data entries

5 entries across 5 versions & 1 rubygems

Version Path
gitlab-styles-13.0.1 lib/rubocop/cop/gitlab_security/public_send.rb
gitlab-styles-13.0.0 lib/rubocop/cop/gitlab_security/public_send.rb
gitlab-styles-11.0.0 lib/rubocop/cop/gitlab_security/public_send.rb
gitlab-styles-10.1.0 lib/rubocop/cop/gitlab_security/public_send.rb
gitlab-styles-10.0.0 lib/rubocop/cop/gitlab_security/public_send.rb