Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

class_eval with known safe strings showing as dangerous #1919

Open
kwerle opened this issue Feb 10, 2025 · 1 comment
Open

class_eval with known safe strings showing as dangerous #1919

kwerle opened this issue Feb 10, 2025 · 1 comment

Comments

@kwerle
Copy link

kwerle commented Feb 10, 2025

Background

Brakeman version: 7.0.0
Rails version: 7.1
Ruby version: 3.3?

Issue

  ["good", "fine"].each do |suffix|
    class_eval <<-METHODS
      def method_that_is_#{suffix}
        puts suffix
      end
    METHODS
  end

yields

Confidence: Weak
Category: Dangerous Eval
Check: Evaluation
Message: Dynamic string evaluated as code
Code: class_eval("      def method_that_is_#{:BRAKEMAN_SAFE_LITERAL}\n        puts suffix\n      end\n")
File: app/models/myfile.rb
Line: 95

It looks like that's meant to be known safe. Used to list as safe.
@davekaro
Copy link

There was some discussion on the PR that made this change #1899

presidentbeef added a commit that referenced this issue Feb 12, 2025
@presidentbeef
Avoid warning of eval of plain strings
c31f87e 
Fixes #1919
presidentbeef added a commit that referenced this issue Feb 12, 2025
@presidentbeef
Avoid warning of eval of plain strings
a7bbe80 
Fixes #1919
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@davekaro @kwerle