Class: RuboCop::Cop::GitlabSecurity::PublicSend

Inherits:
Base
  • Object
Defined in:
lib/rubocop/cop/gitlab_security/public_send.rb

Overview

Checks for the use of the `public_send`, `send`, and `__send__` methods.

If passed untrusted input, these methods can be used to execute arbitrary methods on behalf of an attacker.

Examples:


# bad
# The method name is built from a request parameter, so the caller decides
# which public method of myobj is invoked.
myobj.public_send("#{params[:foo]}")

# good
# Dispatch through a fixed allow-list: only the three listed methods are
# reachable whatever value params[:foo] holds; any other value matches no
# branch and nothing is called.
case params[:foo].to_s
when 'choice1'
  items.choice1
when 'choice2'
  items.choice2
when 'choice3'
  items.choice3
end

Constant Summary

# Offense message; `%s` is replaced with the flagged method name.
MSG = 'Avoid using `%s`.'
# RuboCop only dispatches `on_send` for calls whose method name is in this
# list, so every other call is skipped before the matcher runs.
RESTRICT_ON_SEND = [:send, :public_send, :__send__].freeze

Instance Method Summary

Instance Method Details

#on_send(node) ⇒ Object Also known as: on_csend



# File 'lib/rubocop/cop/gitlab_security/public_send.rb', line 35

# Flags `send`/`public_send`/`__send__` calls that pass arguments, i.e. the
# forms where the method to invoke is chosen at runtime. The cop also
# registers this handler as `on_csend`, so `obj&.send(...)` is covered.
#
# @param node [RuboCop::AST::SendNode] the call node being inspected
# @return [void]
def on_send(node)
  # A call with no arguments carries no method name to dispatch on, so
  # there is nothing to flag.
  return unless node.arguments?

  send?(node) do |method_name|
    # Anchor the offense on the selector so the message points at the
    # `send`/`public_send`/`__send__` token rather than the whole call.
    add_offense(node.loc.selector, message: format(MSG, method_name))
  end
end

#send?(node) ⇒ Object



# File 'lib/rubocop/cop/gitlab_security/public_send.rb', line 31

# Node pattern behind `send?`: matches a plain (`send`) or safe-navigation
# (`csend`) call on any receiver (`_`) whose method name is one of the three
# dynamic-dispatch methods, capturing that name (`$`) for the offense
# message. `...` accepts any argument list, so the argument check is left to
# `on_send`.
def_node_matcher :send?, <<-PATTERN
  ({csend | send} _ ${:send :public_send :__send__} ...)
PATTERN