app/controllers/communities_controller.rb
User controlled method execution Open
Open
@topics = @community.topics.send("sort_by_#{@order}").page(params[:page])
- Read upRead up
- Exclude checks
Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous.
It is much safer to whitelist the desired target or method.
Unsafe use of method:
method = params[:method]
@result = User.send(method.to_sym)
Safe:
method = params[:method] == 1 ? :method_a : :method_b
@result = User.send(method, *args)
Unsafe use of target:
table = params[:table]
model = table.classify.constantize
@result = model.send(:method)
Safe:
target = params[:target] == 1 ? Account : User
@result = target.send(:method, *args)
Including user data in the arguments passed to an Object#send is safe, as long as the method can properly handle potentially bad data.
Safe:
args = params["args"] || []
@result = User.send(:method, *args)
%w
-literals should be delimited by [
and ]
. (https://github.com/bbatsov/ruby-style-guide#percent-literal-braces) Open
Open
TOPIC_ORDERS = %w{newest most_commented oldest}.freeze
- Read upRead up
- Exclude checks
This cop enforces the consistent usage of %
-literal delimiters.
Specify the 'default' key to set all preferred delimiters at once. You can continue to specify individual preferred delimiters to override the default.
Example:
# Style/PercentLiteralDelimiters:
# PreferredDelimiters:
# default: '[]'
# '%i': '()'
# good
%w[alpha beta] + %i(gamma delta)
# bad
%W(alpha #{beta})
# bad
%I(alpha beta)