ruby-security - issue #3
Mention that all *_methods() methods accept an additional argument to ignore inherited methods
Posted on Sep 21, 2012 by Helpful Rhino
White-listing method invocation by checking whether the method is listed by a *_methods() method is a common mistake. For example, public_instance_methods() includes all inherited methods; this includes eval, exit, instance_eval, send, etc. However, these *_methods() methods accept an additional argument which omits inherited methods.
class RPC
  def hello
    puts "hello world"
  end
end

RPC.public_instance_methods(false)
=> [:hello]
Status: New
Labels:
Type-Defect
Priority-Medium
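The following is an added example, not code from the issue above or from the ruby-security project: a small RPC-style dispatcher that allow-lists callable method names the buggy way (public_instance_methods with no argument) next to the corrected way (public_instance_methods(false)). The RPC class, the allowed_unsafe?/allowed_safe?/dispatch helpers and the probe names are all constructed for this example.

```ruby
# Added example: method-name allow-listing via *_methods(), buggy vs. fixed.

class RPC
  # The only method the RPC surface is meant to expose.
  def hello
    "hello world"
  end
end

# Constructed sample of names a caller might submit over the wire.
# send / instance_eval / public_send are public methods every Object inherits.
PROBES = %w[hello instance_eval send public_send].freeze

# Buggy allow-list: with no argument, public_instance_methods returns every
# public method RPC inherits from Object, so dangerous names are "allowed".
def allowed_unsafe?(name)
  RPC.public_instance_methods.map(&:to_s).include?(name)
end

# Fixed allow-list: the `false` argument restricts the result to methods
# defined directly on RPC, so inherited methods such as send are excluded.
# The comparison is done on strings so attacker input is never interned
# with to_sym before it has been accepted.
def allowed_safe?(name)
  RPC.public_instance_methods(false).map(&:to_s).include?(name)
end

# Dispatcher using the fixed allow-list. Only names that pass the check are
# ever turned into a method call.
def dispatch(name)
  raise ArgumentError, "method not allowed: #{name}" unless allowed_safe?(name)
  RPC.new.public_send(name)
end

if __FILE__ == $PROGRAM_NAME
  PROBES.each do |n|
    puts format("%-14s unsafe=%-5s safe=%s", n, allowed_unsafe?(n), allowed_safe?(n))
  end
  puts dispatch("hello")
  begin
    dispatch("instance_eval")
  rescue ArgumentError => e
    puts "blocked: #{e.message}"
  end
end
```

One caveat to keep in mind: public_instance_methods(false) also omits methods that come from included modules and superclasses, so if the intended RPC surface is spread across several modules an explicit, hand-maintained list of names is a safer allow-list than any *_methods() query.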