Dangerous Send

ID

ruby.checksend

Severity

low

Resource

Dangerous Send

Language

Ruby

Description

Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous.

It is much safer to whitelist the desired target or method.

Unsafe use of method:

method = params[:method]
@result = User.send(method.to_sym)

Safe:

method = params[:method] == 1 ? :method_a : :method_b
@result = User.send(method, *args)

Unsafe use of target:

table = params[:table]
model = table.classify.constantize
@result = model.send(:method)

Safe:

target = params[:target] == 1 ? Account : User
@result = target.send(:method, *args)

Including user data in the arguments passed to an Object#send is safe, as long as the method can properly handle potentially bad data.

Safe:

args = params["args"] || []
@result = User.send(:method, *args)

Rationale

Check for unsafe use of Object#send

Remediation

Follow secure coding practices for Ruby on Rails applications. Review the references below for detailed remediation guidance.

Configuration

This detector does not need any configuration.

References