Last active
August 29, 2015 14:01
-
-
Save dissolved/09e9cc5e774985b33366 to your computer and use it in GitHub Desktop.
What is the most destructive thing you could assign to params?
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def string_to_camelcase(string) | |
| string.gsub(/\s+/, "").camelize # camelize defined in Rails API | |
| end | |
| the_class = eval string_to_camelcase(params[:user_input]) | |
| the_object = the_class.new(params[:more_user_input],params[:even_more_user_input]) |
Agreed, no need for eval at all here... constantize gets the job done with less risk. Great comments. Thanks again!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Also, I may try to impose a whitelist approach of what I want to allow: