ID: ruby-security/rails-avoid-constantize
Language: Ruby
Severity: Info
Category: Best Practices
The rule “Avoid constantize” flags calls to the ActiveSupport methods `constantize` and `safe_constantize`. Both resolve a string into the constant (class or module) it names: `constantize` raises `NameError` when no such constant exists, and `safe_constantize` returns `nil` instead. Neither is dangerous on a fixed literal; the risk appears when the string comes from an untrusted source such as request parameters, headers, cookies, or job arguments.
In that case the caller of the request, not the developer, decides which class is resolved. Application code almost always goes on to use the result (`.new`, `.find`, `.perform`, `send`), so the attacker effectively chooses whose code runs with that input. Under Rails autoloading, resolving a constant can also load the file that defines it, which runs any code in that file’s body at resolution time. Note that `safe_constantize` does not help here: it only turns a missing constant into `nil`, and does nothing to stop a constant that does exist from being reached.
Instead of using `constantize` or `safe_constantize`, reference the constant you need explicitly. If a limited set of constants must be selected by a string, map the permitted strings to constants with a hash or `case` statement and reject anything else. This gives you an explicit allow-list of reachable constants and prevents arbitrary constants from being referenced.
In general, avoid any method that resolves or executes code based on user input or other untrusted sources. Keeping the set of reachable classes fixed at development time is what preserves the integrity and safety of your application.
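The following is an added example, not code from the Datadog rule page, showing the vulnerable pattern next to the allow-list fix the rule recommends. It uses plain Ruby’s `Object.const_get` as a stand-in for ActiveSupport’s `String#constantize` so that it runs without Rails; the class names (`Report`, `Invoice`, `AdminPurge`) and the `build` method are constructed for the illustration.

```ruby
# Added example (not from the Datadog rule page). Object.const_get is used
# here as a stand-in for ActiveSupport's String#constantize so the file runs
# without Rails. All class names below are constructed for the illustration.

# Two classes a request is legitimately allowed to select.
class Report
  def self.build(id)
    "report #{id}"
  end
end

class Invoice
  def self.build(id)
    "invoice #{id}"
  end
end

# A class that exists in the application but must never be reachable from
# user input. In a real application this would do something destructive.
class AdminPurge
  def self.build(id)
    "PURGED everything for #{id}"
  end
end

# VULNERABLE: the request string picks the class, so any constant that exists
# in the process (including AdminPurge) can be resolved and called.
def build_unsafe(type_param, id)
  Object.const_get(type_param).build(id) # same shape as type_param.constantize.build(id)
end

# safe_constantize only converts NameError into nil. A constant that exists
# but should be off-limits is still resolved, so it is not a mitigation.
def safe_const(name)
  Object.const_get(name)
rescue NameError
  nil
end

# HARDENED: a frozen hash is the only path from input to a constant.
# Unknown keys raise instead of resolving anything.
ALLOWED_TYPES = {
  "report"  => Report,
  "invoice" => Invoice,
}.freeze

def build_safe(type_param, id)
  klass = ALLOWED_TYPES.fetch(type_param) do
    raise ArgumentError, "unknown type: #{type_param.inspect}"
  end
  klass.build(id)
end

if __FILE__ == $PROGRAM_NAME
  puts build_unsafe("AdminPurge", 7) # attacker reaches the off-limits class
  puts build_safe("report", 7)       # allow-listed value works as before
  begin
    build_safe("AdminPurge", 7)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"    # off-limits class is never resolved
  end
end
```

The hardened version keys the hash on the external vocabulary (`"report"`) rather than on class names, so the request never carries a Ruby constant name at all; `fetch` with a block makes the rejection explicit instead of silently falling through to `nil`.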
Non-compliant code examples (both calls resolve a string to a constant and are flagged by the rule):

```ruby
"Module".constantize       # raises NameError if the constant does not exist
"Class".safe_constantize   # returns nil instead of raising, but still resolves any existing constant
```
For more information, please read the Code Analysis documentation