In my Rails application I am getting the following security warning from Brakeman: "Unsafe reflection method constantize called with model attribute". Here is what my code is doing.
    # `type` is read from the database row, so Brakeman treats it as a model attribute
    chart_type = Chart.where(
      id: chart_id,
    ).pluck(:type).first
    begin
      # constantize resolves whatever constant the stored string names
      ChartPresenter.new(chart_type.camelize.constantize.find(chart_id))
    rescue
      raise "Unable to find the chart presenter"
    end
From my research I haven't found any concrete solution. I have heard that you can make a whitelist, but I am not sure what Brakeman is looking for. I tried to create an array and to check against that before calling constantize, and Brakeman still complains. Any help with this would be great. If you feel it's not a needed fix, can you give details as to why it shouldn't be a concern?
You can go the other way around, finding the class whose name matches chart_type:

    # only classes listed here can ever be returned
    chart_class = [User, Category, Note, Post].find { |x| x.name == chart_type.classify }
    if chart_class.nil?
      raise "Unable to find the chart presenter"
    end
    ChartPresenter.new(chart_class.find(chart_id))
This way Brakeman should be happy, and you are more secure...
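A runnable version of the allowlist idea from the answer above, added here as an example and not code from the question or the answer. The chart classes, the `camelize` helper and the type strings are constructed stand-ins for the Rails models and ActiveSupport, so it runs outside Rails; it also shows, for contrast, why resolving the stored string with `Object.const_get` (the same behaviour as `constantize`) is what Brakeman objects to, and adds a hash keyed by the stored string as a second allowlist shape that needs no name comparison at all.

```ruby
# Constructed stand-ins for the chart models; no Rails needed.
class BarChart; end
class LineChart; end
class PieChart; end

# Allowlist shape 1 (from the answer): an explicit list of classes, matched by name.
CHART_CLASSES = [BarChart, LineChart, PieChart].freeze

# Allowlist shape 2: the stored `type` string maps directly to the class.
# Only values present as keys can ever be resolved.
CHART_CLASSES_BY_TYPE = {
  "bar_chart"  => BarChart,
  "line_chart" => LineChart,
  "pie_chart"  => PieChart,
}.freeze

# Minimal stand-in for ActiveSupport's String#camelize (assumption: the
# stored type is snake_case, as the question's chart_type.camelize implies).
def camelize(str)
  str.split("_").map(&:capitalize).join
end

# Unsafe lookup, shown only for contrast: Object.const_get behaves like
# constantize and resolves *any* constant the string happens to name,
# which is why Brakeman flags it when the string comes from a model attribute.
def chart_class_unsafe(chart_type)
  Object.const_get(camelize(chart_type))
end

# Safe lookup by name: the class must already be in the fixed list.
def chart_class_by_name(chart_type)
  CHART_CLASSES.find { |klass| klass.name == camelize(chart_type) } or
    raise ArgumentError, "Unable to find the chart presenter for #{chart_type.inspect}"
end

# Safe lookup by key: no string-to-constant resolution happens anywhere.
def chart_class_for(chart_type)
  CHART_CLASSES_BY_TYPE.fetch(chart_type) do
    raise ArgumentError, "Unable to find the chart presenter for #{chart_type.inspect}"
  end
end

if __FILE__ == $0
  p chart_class_for("bar_chart")        # BarChart
  p chart_class_by_name("pie_chart")    # PieChart
  p chart_class_unsafe("file")          # File: an unrelated constant resolved from stored data
  begin
    chart_class_for("file")
  rescue ArgumentError => e
    puts e.message                      # rejected: not in the allowlist
  end
end
```

Either safe variant keeps the set of reachable classes fixed at code-review time; the hash form is the easier one to audit because the allowed strings are visible next to the classes they map to. In the real application, replace `camelize` with `chart_type.classify` and the stand-in classes with the actual models.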