I have the following code, in which an object (rmodal) is created.

That class has a polymorphic association with a few other classes (cmodal, umodal, ccmodal, pmodal, emodal).

The creation of rmodal has a form with a hidden field that includes its type (cmodal, umodal, etc.) and its ID (r_id).

Is the following code sufficiently secure? Brakeman currently notes that this line could result in remote code execution.

 # r_type arrives in the hidden form field under params[:r]; r_id is assumed
 # to come from the same field (its assignment was not shown in the question)
 @r_type = params[:r].delete :r_type
 @r_id   = params[:r].delete :r_id

 # Allow-list guard: only these five model names may be turned into a class
 if (%w(cmodal umodal ccmodal pmodal emodal).include? @r_type)
      # "cmodal".classify => "Cmodal"; constantize resolves that constant.
      # Note the modifier `rescue nil` swallows every StandardError, not
      # just ActiveRecord::RecordNotFound, so it can also hide real bugs.
      @rmodal = @r_type.classify.constantize.find(@r_id) rescue nil
 end

I am guessing that, since I am checking that r_type is one of the acceptable choices, it is fine.

Is this the right way to do this and is it secure enough?


Solution

Since you are limiting the input to a whitelist of known values, I would consider this secure. Brakeman currently cannot tell that you are using a guard statement, so it warns about turning user input (params[:r]) into a class name, but in this case I would consider it a false positive.
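The following is an added example that is not part of the original question or answer. It shows, in plain Ruby without Rails, why Brakeman warns (an unguarded constantize lets the request pick any constant, e.g. Kernel), that the questioner's allow-list guard closes that off, and a slightly more robust variant in which the user-controlled string only selects a key in a Hash and is never passed to constantize at all. The stand-in model classes, the use of Object.const_get in place of ActiveSupport's constantize, and the method names resolve_unguarded, resolve_with_constantize and find_rmodal_target are all assumptions made for this illustration.

```ruby
# Added example: allow-listed constantize vs. a lookup table.
# Stand-in "models" so the example runs offline without Rails or ActiveRecord.
class FakeModel
  attr_reader :id

  def initialize(id)
    @id = id
  end

  # Mimics ActiveRecord's find: raises for an unknown id instead of returning nil.
  def self.find(id)
    raise ArgumentError, "record not found: #{id.inspect}" if id.to_i <= 0
    new(id.to_i)
  end
end

class Cmodal  < FakeModel; end
class Umodal  < FakeModel; end
class Ccmodal < FakeModel; end
class Pmodal  < FakeModel; end
class Emodal  < FakeModel; end

# Stand-in for "cmodal".classify.constantize (assumption: plain Ruby, not ActiveSupport).
def constantize_stub(name)
  Object.const_get(name.capitalize)
end

# What Brakeman is warning about: with no guard, the request body chooses the
# constant. "kernel" resolves to Kernel, "object" to Object, and so on.
def resolve_unguarded(r_type)
  constantize_stub(r_type)
rescue NameError
  nil
end

# The questioner's approach: allow-list check, then constantize the input string.
ALLOWED_R_TYPES = %w(cmodal umodal ccmodal pmodal emodal).freeze

def resolve_with_constantize(r_type)
  return nil unless ALLOWED_R_TYPES.include?(r_type)
  constantize_stub(r_type)
end

# Hardened variant: the input is only a Hash key; the class comes from the table,
# so there is no string-to-constant conversion for a scanner (or a reviewer) to
# worry about, and non-string params (arrays, hashes) simply miss the lookup.
R_TYPE_TO_CLASS = {
  "cmodal"  => Cmodal,
  "umodal"  => Umodal,
  "ccmodal" => Ccmodal,
  "pmodal"  => Pmodal,
  "emodal"  => Emodal,
}.freeze

# params_r stands in for params[:r] from the question (string keys assumed).
def find_rmodal_target(params_r)
  klass = R_TYPE_TO_CLASS[params_r["r_type"]]
  return nil unless klass
  klass.find(params_r["r_id"])
rescue ArgumentError
  # Rescue only the not-found case (ActiveRecord::RecordNotFound in Rails),
  # rather than a blanket `rescue nil` that would also hide NameError etc.
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests, not real traffic.
  p resolve_unguarded("kernel")                                   # => Kernel
  p resolve_with_constantize("kernel")                            # => nil
  p find_rmodal_target("r_type" => "pmodal", "r_id" => "7")       # => #<Pmodal ... @id=7>
  p find_rmodal_target("r_type" => ["cmodal"], "r_id" => "7")     # => nil
end
```

The lookup-table form is also easier to review: the set of reachable classes is visible in one constant, and adding a sixth model means adding one Hash entry rather than remembering to update a separate list.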

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow