Reduce security risk on remote_census_api #3784
Conversation
The use of eval is a serious security risk, so we replace it with the JSON.parse method.
@@ -84,7 +84,7 @@ def client | |||
end | |||
|
|||
def request(document_type, document_number, date_of_birth, postal_code) | |||
structure = eval(Setting["remote_census.request.structure"]) | |||
structure = JSON.parse(Setting["remote_census.request.structure"]) |
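Review bot: swapping eval for JSON.parse on the `structure =` line silently changes the shape of the result as well as the expected format of the setting: JSON.parse returns a Hash with string keys, whereas a Ruby hash literal fed to eval would have produced whatever keys were written (typically symbols), so any code that indexes `structure` with symbols will now get nil. Either pass `symbolize_names: true` or update the consumers. A malformed setting value also now raises JSON::ParserError at request time instead of executing arbitrary Ruby, which is the point of the change, but it should be rescued or validated when the setting is saved so a typo in the admin panel does not take down every census lookup, and the new JSON-only format needs to be stated in the PR description and docs since existing installations carrying a Ruby-literal value will break on upgrade.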
Since now we aren't using eval anymore 🎉, would it be possible to move the Security/Eval rubocop rule from .rubocop.yml to .rubocop_basic.yml (where rules are in alphabetic order, by the way)? That way our dear Hound will report about it 😄.
34745d9 to 432e823
Awesome! 🎉
References
Related PR: #3498
Related Documentation PR: Update remote census doc #86
Objectives
The use of eval is a serious security risk, so we replace it with the JSON.parse method.
Describe expected format for Setting["remote_census.request.structure"]
Visual Changes
Notes
You can find this section on: Settings > Global Settings > Remote Census configuration
Example for old expected format value:
Example for new expected format value:
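The following is an added illustration, not code from the Consul project or from this PR, of what the switch from eval to JSON.parse means in practice for the value stored in Setting["remote_census.request.structure"]. The setting values, the FakeSetting stand-in for Setting and the parse_request_structure helper are all constructed here for the example; the real project's structure format is whatever the documentation PR specifies. It shows the migration caveat (a Ruby hash literal is not valid JSON), the string-versus-symbol key difference, and that non-JSON input is rejected with a parse error rather than executed.

```ruby
require "json"

# Constructed sample values (not the project's real setting content):
# the same request structure written as a Ruby hash literal, which only
# eval could read, and as JSON, which JSON.parse expects.
OLD_FORMAT_VALUE = '{ document_type: "document_type", document_number: "document_number" }'
NEW_FORMAT_VALUE = '{"document_type": "document_type", "document_number": "document_number"}'

# Hypothetical stand-in for Consul's Setting[] accessor, so the example runs offline.
class FakeSetting
  STORE = { "remote_census.request.structure" => NEW_FORMAT_VALUE }.freeze

  def self.[](key)
    STORE.fetch(key)
  end
end

# Parses the configured structure without eval.
# - JSON.parse returns string keys by default; symbolize_names: true keeps
#   callers that index with symbols working after the migration from eval.
# - Anything that is not a JSON object (scalars, arrays, Ruby code, shell
#   text) ends in an ArgumentError instead of being executed.
def parse_request_structure(raw)
  parsed = JSON.parse(raw, symbolize_names: true)
  raise ArgumentError, "remote census structure must be a JSON object" unless parsed.is_a?(Hash)
  parsed
rescue JSON::ParserError => e
  raise ArgumentError, "invalid remote census structure: #{e.message}"
end

# True when the given setting value is rejected by the parser. Used below to
# show that the old Ruby-literal format and arbitrary code are both refused.
def rejects_non_json?(raw)
  parse_request_structure(raw)
  false
rescue ArgumentError
  true
end

# Mirrors the shape of the request method in the hunk: read the structure
# from the (fake) setting and fill the placeholders with the request values.
# The placeholder convention (each value names the field it stands for) is an
# assumption of this example, not the project's documented format.
def build_request(document_type, document_number, setting = FakeSetting)
  structure = parse_request_structure(setting["remote_census.request.structure"])
  values = { document_type: document_type, document_number: document_number }
  structure.transform_values { |placeholder| values.fetch(placeholder.to_sym, placeholder) }
end

if $PROGRAM_NAME == __FILE__
  p parse_request_structure(NEW_FORMAT_VALUE)
  p rejects_non_json?(OLD_FORMAT_VALUE)      # the eval-era value is not JSON
  p rejects_non_json?('system("id")')        # code is a parse error, never run
  p build_request("1", "12345678Z")
end
```

The `rescue JSON::ParserError` turns a configuration typo into a descriptive ArgumentError at the point of use; in the real application the same validation belongs in the settings form so an invalid value cannot be saved in the first place.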