Question

Having an ActiveRecord object, is it safe to call send on it with a user-provided argument?

Example:

string_provided_by_user.gsub(/@invoice\.([^ ]*)/) { |a| @invoice.send($1) }

This is to allow the user to reference the @invoice object in a string.


Solution

What do you expect to achieve with this? If you have no problem with users destroying your invoices in the db, or in general invoking any methods which cannot be called without arguments, then they shouldn't be able to do anything harmful.

However, it would be much better to define a list of acceptable methods first.

allowed_methods = [:amount, :date]
string_provided_by_user.gsub(/@invoice\.([^ ]*)/) do |a|
  # The block argument `a` is the whole match ("@invoice.amount"); the
  # method name is the first capture group, and the allowlist holds symbols.
  method_name = $1.to_sym
  raise 'Nice try!' unless allowed_methods.include?(method_name)
  @invoice.send(method_name)
end
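A runnable version of the allowlist approach from the answer, written as an added example (not the answer's own code): it uses a Struct as a stand-in for the ActiveRecord model, tightens the capture to `\w+` so punctuation cannot ride along in the method name, dispatches with public_send so private methods stay out of reach, and raises a named error that can be logged when user text references anything outside the allowlist.

```ruby
require 'set'

# Stand-in for the ActiveRecord invoice model (constructed for this example).
# It has a dangerous method alongside the harmless readers so the allowlist
# check is actually exercised.
Invoice = Struct.new(:amount, :date) do
  def destroy
    raise 'destroy was called!'
  end
end

# Raised when user-supplied text references a method that is not allowlisted.
class DisallowedMethodError < StandardError; end

# Only these public readers may be referenced from user-supplied text.
ALLOWED_INVOICE_METHODS = Set[:amount, :date].freeze

# Expands "@invoice.<method>" references in text using the explicit allowlist.
# `\w+` (rather than `[^ ]*`) keeps characters such as "!" or "," out of the
# captured name; public_send refuses private methods even if a name slipped in.
def render_invoice_template(text, invoice)
  text.gsub(/@invoice\.(\w+)/) do
    name = Regexp.last_match(1).to_sym
    unless ALLOWED_INVOICE_METHODS.include?(name)
      raise DisallowedMethodError, "method #{name} is not allowed in templates"
    end
    invoice.public_send(name).to_s
  end
end

# Returns true when the template is rejected, false when it renders; useful
# for a pre-save validation or for counting rejected attempts in logs.
def template_rejected?(text, invoice)
  render_invoice_template(text, invoice)
  false
rescue DisallowedMethodError
  true
end

if __FILE__ == $PROGRAM_NAME
  invoice = Invoice.new(100, '2024-01-01') # constructed sample values
  puts render_invoice_template('Total: @invoice.amount due @invoice.date', invoice)
  puts template_rejected?('Bye: @invoice.destroy', invoice)
end
```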
License: CC-BY-SA with attribution
Not affiliated with StackOverflow