Since you are limiting the input to a whitelist of known values, I would consider this secure. Brakeman currently cannot tell that you are using a guard statement, so it warns about turning user input (params[:r]) into a class name, but in this case I would consider it a false positive.
How to use polymorphic associations in a secured way
02-06-2022
Question
I have the following code in which an object (rmodal) is created. That class has a polymorphic association with a few other classes (cmodal, umodal, ccmodal, pmodal, emodal).
The creation of rmodal has a form with a hidden field that includes its type (cmodal, umodal, etc.) and its ID (r_id).
Is the following code sufficiently secured? Brakeman currently notes that this line could result in remote code execution:
# pull the type out of the submitted params
@r_type = params[:r].delete :r_type
# guard: only proceed when the type is one of the known model names
if (%w(cmodal umodal ccmodal pmodal emodal).include? @r_type)
  @rmodal = @r_type.classify.constantize.find(@r_id) rescue nil
end
I am guessing that, since I am checking that r_type is one of the acceptable choices, it is fine.
Is this the right way to do this and is it secure enough?
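As an added example (not the asker's code nor the answerer's), here is the same allow-list idea written so the user-supplied type string is only ever used as a hash key and never turned into a constant name; the model classes and their find method are stand-ins so the snippet runs without Rails.

```ruby
# Stand-in for an ActiveRecord model so this runs outside Rails (assumption).
class FakeModel
  attr_reader :id

  def initialize(id)
    @id = id
  end

  # Mimics Model.find: raises for a bad id, like RecordNotFound would.
  def self.find(id)
    raise ArgumentError, "#{name} #{id} not found" if id.to_i <= 0
    new(id.to_i)
  end
end

class Cmodal  < FakeModel; end
class Umodal  < FakeModel; end
class Ccmodal < FakeModel; end
class Pmodal  < FakeModel; end
class Emodal  < FakeModel; end

# Explicit mapping from the hidden-field value to the class it may select.
# This replaces `@r_type.classify.constantize`: the submitted string is only a
# hash key, so Brakeman has nothing to flag and no string ever names a class.
RMODAL_TYPES = {
  "cmodal"  => Cmodal,
  "umodal"  => Umodal,
  "ccmodal" => Ccmodal,
  "pmodal"  => Pmodal,
  "emodal"  => Emodal,
}.freeze

# Returns the owning record, or nil when the type is not allowed or the id is
# bad. Unlike a bare `... rescue nil`, only the expected lookup failure is
# swallowed; any other error still surfaces.
def find_rmodal(r_type, r_id)
  klass = RMODAL_TYPES[r_type.to_s]
  return nil unless klass

  klass.find(r_id)
rescue ArgumentError
  nil
end
```

Values outside the mapping, including differently cased or fully qualified names, fall through to nil instead of reaching a constant lookup.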