Hi Benedict,

Brakeman checks `send` because it can allow an attacker to call arbitrary methods on an object. It checks `send_file` because that method can be used to access arbitrary files on the web server.

I don't immediately see how `send_data` could be dangerous.

-Justin

On 2014-04-25 21:59, Kwok, Benedict wrote:
> Hi Brakeman Expert,
>
> Question about the send_data, is it safe?
>
> We have checks for send and send_file, should we include send_data as well?
>
> https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/checks/check_send.rb [1]
>
> https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/checks/check_send_file.rb [2]
>
> Regards,
>
> Benedict Kwok
>
> P&I ACES, Code Analysis
>
>
> Links:
> ------
> [1] https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/checks/check_send.rb
> [2] https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/checks/check_send_file.rb
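As an added illustration of the two patterns Justin describes (not code from the thread or from the Brakeman project): a request-controlled argument to `send` reaches any method on the object, and a request-controlled argument to `send_file` resolves to any readable file, whereas `send_data` takes bytes already in memory rather than a path or method name. The `Report` class, the allowlist and the directory names are constructed for the example; the hardened forms are one common mitigation, not Brakeman's own.

```ruby
require 'pathname'

# Constructed stand-in for a model a controller might dispatch on.
class Report
  def summary;  "summary"; end
  def totals;   "totals";  end
  def destroy!; "deleted"; end   # a method no request should be able to reach
end

# VULNERABLE: `send` with a request-controlled name reaches any method,
# including private and destructive ones (this is what check_send flags).
def dispatch_unsafe(obj, name)
  obj.send(name)
end

# HARDENED: only an explicit allowlist of method names is reachable;
# anything else raises instead of being forwarded to the object.
ALLOWED_REPORTS = %w[summary totals].freeze
def dispatch_safe(obj, name)
  raise ArgumentError, "unknown report #{name.inspect}" unless ALLOWED_REPORTS.include?(name)
  obj.public_send(name)
end

# VULNERABLE: `send_file` with a request-controlled path serves whatever the
# joined path points at, "../" segments included (what check_send_file flags).
def file_path_unsafe(base_dir, requested)
  File.join(base_dir, requested)
end

# HARDENED: resolve the path lexically and require it to stay inside base_dir.
# Returns the resolved path, or nil when the request escapes the directory
# (via "..", an absolute path, or both).
def file_path_safe(base_dir, requested)
  base = Pathname.new(base_dir).expand_path
  candidate = (base + requested).expand_path
  candidate.to_s.start_with?(base.to_s + File::SEPARATOR) ? candidate.to_s : nil
end
```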
