Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect identification of User input; Unable to dynamically render fully qualified path #1845

Closed
garettarrowood opened this issue May 23, 2024 · 1 comment
Closed

Incorrect identification of User input; Unable to dynamically render fully qualified path #1845

garettarrowood opened this issue May 23, 2024 · 1 comment

Comments

@garettarrowood
Copy link

garettarrowood commented May 23, 2024
edited
Loading

Background

Brakeman version: 6.1.2
Rails version: 6.1.7.7
Ruby version: 3.0.6

Link to Rails application code: private

False Positive

Full warning from Brakeman:

Dangerous Eval	General	User input in eval near line 16: eval("class ::#{ExportedReport::Base.where(:id => report_id).pluck(:report_type).first} < ::ExportedReport::Base; end")	High

Relevant code:

eval("class ::#{report_type} < ::ExportedReport::Base; end")

Why might this be a false positive?

There is no User input being processed in this snippet of code.
@presidentbeef
Copy link
Owner

Hi @garettarrowood - Brakeman warns about this code because it's pulling a value from the database and using it inside of an eval. Brakeman assumes any value coming from the database is potentially dangerous.

You might consider something like this instead of using eval:

Object.const_set(report_type, Class.new(::ExportedReport::Base))

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@presidentbeef @garettarrowood