Safer "fuzzy" find -- how would you do this?

[Walter Lee Davis]

I was just looking over some code I wrote last year, and found this in one of my mailers:

@item = eval(params[:item].classify).send(:find, params[:item_id])

The idea here is that I can have the mailer respond to a polymorphic link helper, and respond with an object reference of the referenced object, regardless which it was -- a Project, Campaign, Asset, Lightbox -- whatever. Inside the mailer erb, any links to that object would be as simple as

link_to @item.label, polymorphic_url(@item)

...so my mailer messages don't have to care what sort of object they are sending a link to. This year, seeing send in the same line as params is giving me the willies. Hence my question here.

Besides adding some guards around which classes I want to allow this for (which just occurred to me as I was typing this out) can you recommend any other techniques to make this less risky? Is there anything built into the framework that I am overlooking?

Thanks in advance,

Walter

[Frederick Cheung]

I would prefer constantize over eval(foo.classify) and public_send over send. I'd still be happier with a whitelist though, or translating between the class name and some string that represents it - security aside, having an implementation detail leak out like that doesn't smell too good.

Fred

[Walter Lee Davis]

Those are good ideas, thanks, Fred!

Walter

>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-ta...@googlegroups.com.
> To post to this group, send email to rubyonra...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/afb0c898-4781-4097-a3cc-b74b12e1405d%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.