- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: ruby-security/rails-avoid-constantize
Language: Ruby
Severity: Info
Category: Best Practices
The rule “Avoid constantize” advises against the use of constantize
and safe_constantize
methods in Ruby. These methods are used to convert a string into a constant, but they pose a significant security risk.
The constantize
method can be exploited to run arbitrary code in your application, which makes it a potential target for code injection attacks. For example, a malicious user could manipulate the string to reference a class that performs destructive actions when loaded.
Instead of using constantize
or safe_constantize
, explicitly reference the constant you need. If you have a limited set of constants you want to access based on a string, consider using a hash or case statement to map strings to constants. This gives you control over which constants are accessible, and prevents arbitrary constants from being referenced.
In general, it’s best to avoid methods that can execute code based on user input or other untrusted sources. Always prioritize secure coding practices to maintain the integrity and safety of your application.
"Module".constantize
"Class".safe_constantize
|
|
For more information, please read the Code Analysis documentation
Identify code vulnerabilities directly in yourVS Code editor
Identify code vulnerabilities directly inJetBrains products