class Railroader::CheckSend

Checks whether user-supplied data is passed to `send`

Public Instance Methods

get_send(exp)

Recursively checks the call chain for a call to one of the send-style methods

# File lib/railroader/checks/check_send.rb, line 38
#Walk a call chain (exp, exp.target, exp.target.target, ...) and return
#the first call whose method is one of @send_methods.
#
#Returns nil when exp is not a call, or when the receiver chain runs
#out without finding a send-style call.
def get_send exp
  return unless call? exp

  # This call is itself a send-style call; hand it back unchanged
  return exp if @send_methods.include? exp.method

  # Otherwise keep descending into the receiver
  get_send exp.target
end
process_result(result)
# File lib/railroader/checks/check_send.rb, line 19
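#Process one find_call result for a send-style method.
#
#result is the result hash from tracker.find_call; result[:call] is the
#call Sexp. The chain is walked down to the actual send-style call, its
#arguments and receiver are processed, and a high-confidence warning is
#raised when the first argument (the method name passed to
#send/try/__send__/public_send) comes directly from user input, since
#that lets the request pick which method gets invoked.
def process_result result
  return unless original? result

  send_call = get_send result[:call]

  # get_send returns nil when no send-style call is in the chain; there
  # is nothing to report then, rather than failing on nil.target below.
  return unless send_call

  process_call_args send_call
  process send_call.target

  input = has_immediate_user_input?(send_call.first_arg)
  return unless input

  warn :result => result,
    :warning_type => "Dangerous Send",
    :warning_code => :dangerous_send,
    :message => "User controlled method execution",
    :code => result[:call],
    :user_input => input,
    :confidence => :high
end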
run_check()
# File lib/railroader/checks/check_send.rb, line 9
#Entry point for the check.
#
#Records the send-style method names in @send_methods (read later by
#get_send), asks the tracker for every call to one of them, and runs
#process_result on each result.
def run_check
  @send_methods = [:send, :try, :__send__, :public_send]
  Railroader.debug("Finding instances of #send")

  # NOTE(review): :nested => true presumably includes send calls that sit
  # inside other expressions rather than only top-level ones — confirm
  # against Tracker#find_call
  found = tracker.find_call :methods => @send_methods, :nested => true

  found.each { |call| process_result call }
end