Class: RuboCop::Cop::GitlabSecurity::PublicSend

Inherits: Cop < Object
Defined in:
lib/rubocop/cop/gitlab-security/public_send.rb

Overview

Checks for the use of the `public_send`, `send`, and `__send__` methods.

If passed untrusted input, these methods can be used to invoke arbitrary methods on behalf of an attacker, since the method name is chosen by whoever controls the input.

Examples:

# bad: the method name comes straight from request params, so the caller
# can invoke any public method on myobj
myobj.public_send("#{params[:foo]}")

# good: untrusted input only selects among fixed, explicitly listed calls
case params[:foo].to_s
when 'choice1'
  items.choice1
when 'choice2'
  items.choice2
when 'choice3'
  items.choice3
end
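The "good" pattern above generalised into a lookup table: an allowlist dispatcher that maps an untrusted string onto a fixed set of handlers and rejects everything else, so no `send`/`public_send` call is needed at all. This is an added example, not code from the cop or its documentation; the `Items` class, its method names and the `ALLOWED_CHOICES`/`dispatch` names are assumptions made for the demo.

```ruby
# Added example (not from the cop's docs): an allowlist dispatcher that maps an
# untrusted string onto a fixed set of handlers instead of feeding it to
# public_send. `Items` and the choice names are assumed for the demo.
class Items
  def choice1; 'first'; end
  def choice2; 'second'; end
  def choice3; 'third'; end
  # Public, but deliberately not reachable from user-supplied input.
  def reset!; 'reset'; end
end

# Frozen table: the only method names an external caller can select.
# Each value is a lambda, so the dispatcher never calls send/public_send.
ALLOWED_CHOICES = {
  'choice1' => ->(items) { items.choice1 },
  'choice2' => ->(items) { items.choice2 },
  'choice3' => ->(items) { items.choice3 },
}.freeze

# True only for names in the table; nil/empty input becomes '' and is refused.
def allowed_choice?(untrusted)
  ALLOWED_CHOICES.key?(untrusted.to_s)
end

# Rejects anything not in the table rather than calling a caller-chosen method.
def dispatch(items, untrusted)
  handler = ALLOWED_CHOICES[untrusted.to_s]
  raise ArgumentError, "unknown choice: #{untrusted.inspect}" unless handler

  handler.call(items)
end

if __FILE__ == $PROGRAM_NAME
  puts dispatch(Items.new, 'choice2')      # => second
  puts allowed_choice?('reset!')           # => false
end
```

Because the table is frozen and its values are lambdas, adding a new reachable action means editing the table in code; nothing a request supplies can widen it.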

Constant Summary

MSG = 'Avoid using `%s`.'.freeze

Instance Method Summary

Instance Method Details

#on_send(node) ⇒ Object

# File 'lib/rubocop/cop/gitlab-security/public_send.rb', line 30

def on_send(node)
  # `send?` is a node matcher defined elsewhere in this class (not shown on
  # this page); it yields the matched method name (:send, :public_send or
  # :__send__) when the call node invokes one of them.
  send?(node) do |match|
    # A bare `obj.send` with no arguments cannot dispatch to a caller-chosen
    # method, so only calls that pass arguments are reported.
    next unless node.arguments?

    add_offense(node, location: :selector, message: format(MSG, match))
  end
end
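The same check re-implemented as a stand-alone script on top of Ruby's built-in `RubyVM::AbstractSyntaxTree` (Ruby 2.6+), so the logic can be run and inspected without RuboCop. This is an added example, not the cop's own implementation: the sample source is constructed for the demo, and `find_dynamic_sends`, `DYNAMIC_SEND_METHODS` and the other names are assumptions. Like the cop, it flags `send`, `public_send` and `__send__` only when arguments are passed, and it also covers safe-navigation (`&.`) and implicit-receiver calls.

```ruby
# Added example: a minimal stand-alone version of the PublicSend check built on
# Ruby's built-in RubyVM::AbstractSyntaxTree (Ruby 2.6+). It is not the cop's
# own implementation; the names below are chosen for this demo.
MSG = 'Avoid using `%s`.'.freeze
DYNAMIC_SEND_METHODS = %i[send public_send __send__].freeze

# Constructed sample source. A non-interpolating heredoc is used so that the
# "#{...}" on the first line is parsed as code, not evaluated here.
SAMPLE_SOURCE = <<~'RUBY'
  myobj.public_send("#{params[:foo]}")   # offense: caller-chosen method name
  obj.send(:foo, 1)                      # offense
  obj&.__send__(name)                    # offense (safe-navigation call)
  send(:bar)                             # offense (implicit receiver)
  obj.public_send                        # no arguments: ignored, as in the cop
  items.choice1                          # ordinary call: ignored
RUBY

# Record an offense when a call node invokes send/public_send/__send__ with
# at least one argument, mirroring `next unless node.arguments?` in the cop.
def record_if_dynamic_send(node, method_name, args, offenses)
  return unless DYNAMIC_SEND_METHODS.include?(method_name)
  return if args.nil? # bare `obj.send` cannot dispatch caller-chosen input

  offenses << { line: node.first_lineno, column: node.first_column,
                method: method_name, message: format(MSG, method_name) }
end

# Depth-first walk over the AST in source order; non-node children (symbols,
# strings, nil) are skipped.
def walk(node, offenses)
  return unless node.is_a?(RubyVM::AbstractSyntaxTree::Node)

  case node.type
  when :CALL, :QCALL        # explicit receiver: obj.m(...) / obj&.m(...)
    _receiver, method_name, args = node.children
    record_if_dynamic_send(node, method_name, args, offenses)
  when :FCALL               # implicit receiver with arguments: m(...)
    method_name, args = node.children
    record_if_dynamic_send(node, method_name, args, offenses)
  end

  node.children.each { |child| walk(child, offenses) }
end

# Parse a Ruby source string and return the offenses found, in source order.
def find_dynamic_sends(source)
  offenses = []
  walk(RubyVM::AbstractSyntaxTree.parse(source), offenses)
  offenses
end

if __FILE__ == $PROGRAM_NAME
  find_dynamic_sends(SAMPLE_SOURCE).each do |o|
    puts "#{o[:line]}:#{o[:column]}: #{o[:message]}"
  end
end
```

Running the script prints one line per offense (lines 1 to 4 of the sample); the argument-less `obj.public_send` on line 5 is skipped for the same reason the cop skips it. RuboCop's own node matcher handles the same call shapes through its pattern syntax; this walker only spells the matching out by hand.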