On 08/15/2014 01:54 PM, Dante Avery wrote:
> Does Brakeman create a warning for dangerous send if it's used to
> dynamically assign attributes based off user input?
>
> For example, will the scanner report send("#{name}=", params[:value])
It does not warn about arguments that are user input, since that's no
different from passing in the values normally.
In other words,
x.send(:blah=, params[:value])
is the same as
x.blah = params[:value]
so Brakeman wouldn't warn about that.
However, if the method name is controlled by user input, it will warn.
In your example I don't know what "name" is, but this would warn:
x.send("#{params[:name]}=", params[:value])
Hope that helps.
Please keep in mind Brakeman currently only looks at code in
models/controllers/views.
-Justin
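The distinction Justin draws (a user-controlled argument is harmless, a user-controlled method name is not) is easiest to see in running code. The following is an added example, not code from the thread or from Brakeman itself; the User class, its private admin= setter, the update_* helpers and the request hashes are all constructed for illustration. It shows the shape Brakeman warns about next to the shape it does not, and one way to harden the dynamic-setter pattern with an attribute allowlist plus public_send.

```ruby
# Added example (not from the original thread or from Brakeman): why a
# user-controlled method name passed to send is dangerous while a
# user-controlled argument is not, and one way to harden the pattern.
# The User class and the request hashes are constructed for this example.

class User
  attr_accessor :name, :email
  attr_reader :admin

  def initialize
    @name = nil
    @email = nil
    @admin = false
  end

  private

  # A privileged setter the application never means to expose to request
  # parameters. Kernel#send ignores visibility, so it is still reachable.
  def admin=(value)
    @admin = value
  end
end

# Vulnerable pattern: the method name itself comes from the request.
# This is the shape Brakeman flags: x.send("#{params[:name]}=", ...).
def update_unsafe(user, params)
  user.send("#{params[:name]}=", params[:value])
  user
end

# Equivalent of x.send(:blah=, params[:value]): only the argument is
# user-controlled, which is the same as x.name = params[:value].
def update_fixed_attribute(user, params)
  user.send(:name=, params[:value])
  user
end

# Hardened pattern: allowlist the attributes a request may set, and use
# public_send so private setters stay unreachable even if the list is wrong.
ALLOWED_ATTRIBUTES = %w[name email].freeze

def update_safe(user, params)
  attr = params[:name].to_s
  unless ALLOWED_ATTRIBUTES.include?(attr)
    raise ArgumentError, "attribute not permitted: #{attr}"
  end
  user.public_send("#{attr}=", params[:value])
  user
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker input: the request names the privileged attribute.
  evil = { name: "admin", value: true }

  victim = update_unsafe(User.new, evil)
  puts "unsafe:  admin=#{victim.admin}"          # attacker became admin

  same = update_fixed_attribute(User.new, evil)
  puts "fixed:   name=#{same.name.inspect} admin=#{same.admin}"

  begin
    update_safe(User.new, evil)
  rescue ArgumentError => e
    puts "safe:    rejected (#{e.message})"
  end
end
```

Run it as a plain script; no Rails is needed. The allowlist is the real control here: public_send alone only blocks private setters, so any public attribute writer would still be reachable by name without the ALLOWED_ATTRIBUTES check.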