Forum: Ruby on Rails ModelBecomesTaintedOnTransaction

Marcelino Debajo (mdebajo)
on 2006-12-27 02:09
Hi All,

I noticed that my model class becomes tainted after referencing a
different table in find_by_sql + using a transaction. Both the User
model and the Profile model will become tainted; however, all other
tables will stay untainted.

If either condition 1 or condition 2 is commented out, the model will
not be tainted. After the model is tainted, all derived objects
will be tainted too, thus the last call will fail with a SecurityError
(because the safe level will be turned to 4 on call if the method is
tainted).

Please, anybody, tell me why this happens???!!!

       def self.test
               class << ActiveRecord::Base
                       alias find_by_sql__WRAPPED find_by_sql

                       # Wrap find_by_sql and touch the associated profile
                       def find_by_sql(*args, &block)
                               result = find_by_sql__WRAPPED(*args, &block)
                               result[0].profile if result[0].class.to_s == "User" # condition 1
                               return result
                       end
               end

               User.module_eval "def pedit; self.class.transaction(self){}; end" # condition 2

               # first call can be done in any way (direct, with send or with call), condition 3
               User.find(:first).method(:pedit).call
               # second call must be with "call", condition 4
               User.find(:first).method(:pedit).call
       end

Thanks in advance
