Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous.
It is much safer to whitelist the desired target or method.
Unsafe use of method:
method = params[:method] @result = User.send(method.to_sym)
method = params[:method] == 1 ? :method_a : :method_b @result = User.send(method, *args)
Unsafe use of target:
table = params[:table] model = table.classify.constantize @result = model.send(:method)
target = params[:target] == 1 ? Account : User @result = target.send(:method, *args)
Including user data in the arguments passed to an Object#send is safe, as long as the method can properly handle potentially bad data.
args = params["args"] ||  @result = User.send(:method, *args)
Back to Warning Types