The example dynamically constructs a string which is then executed using module_eval.
This code will break if the specified name is not a valid Ruby identifier, and
-if the value is controlled by an attacker, then this could lead to code injection.
+if the value is controlled by an attacker, then this could lead to code-injection.
-A more robust implementation, that is also immune to code injection,
+A more robust implementation, that is also immune to code-injection,
can be made by using module_eval with a block and using define_method
to define the getter method.
class_variable_set and
class_variable_get along with define_method. String
interpolation is still used to construct the class variable name, but this is
-safe because class_variable_set is not susceptible to code injection.
-To construct a dynamic method call we use send, which is ulnerable
-to code injection: if an attacker can control the first argument, they can call
-any method on the receiver. However this is less powerful than being able to run
-arbitrary Ruby code, so it is an improvement in security. We also document to
-callers that they should not pass arbitrary user data to the name
-parameter.
+safe because class_variable_set is not susceptible to code-injection.
+
+
+
+send is used to dynamically call the method specified by name.
+This is a more robust alternative than the previous example, because it does not allow
+arbitrary code to be executed, but it does still allow for any method to be called
+on the target object.