app/controllers/sdg_management/relations_controller.rb
Unsafe reflection method constantize called with parameter value Open
Open
params[:relatable_type].classify.constantize- Read upRead up
- Exclude checks
Brakeman reports on several cases of remote code execution, in which a user is able to control and execute code in ways unintended by application authors.
The obvious form of this is the use of eval with user input.
However, Brakeman also reports on dangerous uses of send, constantize, and other methods which allow creation of arbitrary objects or calling of arbitrary methods.