Safer "fuzzy" find -- how would you do this?

I was just looking over some code I wrote last year, and found this in
one of my mailers:

@item = eval(params[:item].classify).send(:find, params[:item_id])

The idea here is that I can have the mailer respond to a polymorphic
link helper, and respond with an object reference of the referenced
object, regardless which it was – a Project, Campaign, Asset, Lightbox
– whatever. Inside the mailer erb, any links to that object would be as
simple as

link_to @item.label, polymorphic_url(@item)

…so my mailer messages don’t have to care what sort of object they are
sending a link to. This year, seeing send in the same line as params is
giving me the willies. Hence my question here.

Besides adding some guards around which classes I want to allow this for
(which just occurred to me as I was typing this out) can you recommend
any other techniques to make this less risky? Is there anything built
into the framework that I am overlooking?

Thanks in advance,

Walter

On Sunday, July 10, 2016 at 4:28:39 PM UTC+1, Walter Lee D. wrote:

simple as
framework that I am overlooking?

I would prefer constantize over eval(foo.classify) and public_send over
send. I’d still be happier with a whitelist though, or translating
between
the class name and some string that represents it - security aside,
having
an implementation detail leak out like that doesn’t smell too good.

Fred

link_to @item.label, polymorphic_url(@item)

…so my mailer messages don’t have to care what sort of object they are sending
a link to. This year, seeing send in the same line as params is giving me the
willies. Hence my question here.

Besides adding some guards around which classes I want to allow this for (which
just occurred to me as I was typing this out) can you recommend any other
techniques to make this less risky? Is there anything built into the framework
that I am overlooking?

I would prefer constantize over eval(foo.classify) and public_send over send.
I’d still be happier with a whitelist though, or translating between the class
name and some string that represents it - security aside, having an implementation
detail leak out like that doesn’t smell too good.

Fred

Those are good ideas, thanks, Fred!

Walter

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs