Unsafe reflection method constantize called with parameter value Confirmed
(params[:nested] || params[:resource] || controller_name).classify.constantize
Brakeman reports on several cases of remote code execution, in which a user is able to control and execute code in ways unintended by application authors.
The obvious form of this is the use of eval with user input. However, Brakeman also reports on dangerous uses of send, constantize, and other methods which allow creation of arbitrary objects or calling of arbitrary methods.
Orderable#parse_attr doesn't depend on instance state (maybe move it to another class?) Open
def parse_attr(attr)
A Utility Function is any instance method that has no dependency on the state of the instance.
Orderable#parse_sign performs a nil-check Open
attr.match(/\A[+-]/).nil? ? '+': attr.slice!(0)
A NilCheck is a type check. Failures of NilCheck violate the "tell, don't ask" principle.
Additionally, type checks often mask bigger problems in your source code like not using OOP and / or polymorphism when you should.
Example
Given
class Klass
def nil_checker(argument)
if argument.nil?
puts "argument isn't nil!"
end
end
end
Reek would emit the following warning:
test.rb -- 1 warning:
[3]:Klass#nil_checker performs a nil-check. (NilCheck)
Orderable#parse_sign doesn't depend on instance state (maybe move it to another class?) Open
def parse_sign(attr)
Orderable#parse_attr performs a nil-check Open
return attr[1..-1] unless attr.match(/\A[+-]/).nil?
unexpected token error (Using Ruby 2.1 parser; configure using TargetRubyVersion parameter, under AllCops) Open
params[:sort]&.delete(' ').try(:split, ',').try(:each) do |attr|