ruby-security - issue #3

Mention that all *_methods() method accept an additional argument to ignore inherited methods


Posted on Sep 21, 2012 by Helpful Rhino

White-listing method invocation by checking whether the method is listed by a *_methods() method is a common mistake. For example, public_instance_methods() includes all inherited methods; this includes eval, exit, instance_eval, send, etc. However, these *_methods() accept an additional argument which omits inherited methods.

    class RPC
      def hello
        puts "hello world"
      end
    end

    RPC.public_instance_methods(false)
    => [:hello]
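The following is an added example, not code from the issue or from the ruby-security project: a small dispatcher that whitelists caller-supplied method names via public_instance_methods, showing the inherited-methods mistake next to the corrected `false` form. The class RPC, the helper names and the "1 + 1" input are assumptions made for this illustration.

```ruby
# Added example (not from the issue): whitelisting with public_instance_methods.
class RPC
  def hello
    "hello world"
  end
end

# Builds the whitelist. With inherited: true (the common mistake) every public
# method RPC inherits from Object/Kernel/BasicObject is admitted as well, among
# them :send, :public_send and :instance_eval. With false only RPC's own
# methods are listed, which is what a whitelist is meant to express.
def rpc_whitelist(klass, inherited: false)
  klass.public_instance_methods(inherited)
end

# Dispatches a caller-supplied method name only if it is on the whitelist.
def dispatch(obj, name, *args, inherited: false)
  sym = name.to_sym
  unless rpc_whitelist(obj.class, inherited: inherited).include?(sym)
    raise ArgumentError, "method not exposed: #{name}"
  end
  obj.public_send(sym, *args)
end

# Audit helper: the inherited public methods a naive whitelist would admit
# on top of the class's own. Useful for reviewing an existing dispatcher.
def inherited_exposure(klass)
  klass.public_instance_methods - klass.public_instance_methods(false)
end

if __FILE__ == $0
  p rpc_whitelist(RPC)                                # [:hello]
  p inherited_exposure(RPC).include?(:instance_eval)  # true
  p dispatch(RPC.new, "hello")                        # "hello world"
  begin
    dispatch(RPC.new, "instance_eval", "1 + 1")
  rescue ArgumentError => e
    puts e.message                                    # method not exposed: instance_eval
  end
end
```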

Status: New

Labels:
Type-Defect Priority-Medium