I am currently looking at a Rails controller. This controller accepts user input and, based on that input, creates a new object as follows:
# user-controlled string is turned into a class name and looked up as a constant
clazz = params[:type].classify.constantize
# the resolved class is then instantiated with filtered parameters
clazz.new(some_method_which_returns_filtered_params)
I am interested in the security of this approach. Are there classes in Ruby whose “new” method could be used with malicious intent?
For example, it may be possible to flood the program with new symbols and cause a denial of service (see http://brakemanscanner.org/docs/warning_types/denial_of_service/ ).
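An added example, not part of the question: an allowlist-based replacement for `params[:type].classify.constantize` in plain Ruby (no Rails), where user input only selects an entry from a fixed table and never names a constant. `Post`, `Comment`, `ALLOWED_TYPES` and `build_record` are hypothetical names chosen for the example.

```ruby
# Stand-in models; in a real app these would be ActiveRecord classes.
Post    = Struct.new(:title, keyword_init: true)
Comment = Struct.new(:body, keyword_init: true)

# Explicit allowlist: the only classes user input may select. Keys are the
# exact strings the client may send; nothing is derived from the input, so
# there is no constantize, no const_get and no symbol creation from input.
ALLOWED_TYPES = {
  "post"    => { klass: Post,    attrs: %w[title] },
  "comment" => { klass: Comment, attrs: %w[body] },
}.freeze

class UnknownTypeError < ArgumentError; end

# Resolves a user-supplied type string to an allowlist entry, or raises.
def resolve_type(type_param)
  ALLOWED_TYPES.fetch(type_param.to_s) do
    raise UnknownTypeError, "type not permitted"
  end
end

# Keeps only the attributes permitted for the chosen class (the role of
# some_method_which_returns_filtered_params in the question) and drops the rest.
def filtered_attributes(raw, permitted)
  raw.to_h.select { |k, _| permitted.include?(k.to_s) }
          .transform_keys(&:to_sym)
end

# Builds the record from a params hash like { type: "post", attributes: {...} }.
def build_record(params)
  entry = resolve_type(params[:type])
  attrs = filtered_attributes(params[:attributes] || {}, entry[:attrs])
  entry[:klass].new(**attrs)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input standing in for a request's params.
  p build_record({ type: "post", attributes: { "title" => "hello", "evil" => 1 } })
  begin
    build_record({ type: "Kernel" })
  rescue UnknownTypeError => e
    puts "rejected: #{e.message}"
  end
end
```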