From edc56b1e1fa2cf785c4f5e930a4d70be3006889e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Sat, 13 Nov 2021 18:23:57 +0100
Subject: [PATCH] Avoid using `eval` in postal code validation

We were getting a warning by Rubocop because we were using eval with a string defined by administrators, which in theory could be dangerous.
---
 app/models/verification/residence.rb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/app/models/verification/residence.rb b/app/models/verification/residence.rb
index 935f6bfb0..39ddf8dd7 100644
--- a/app/models/verification/residence.rb
+++ b/app/models/verification/residence.rb
@@ -105,8 +105,12 @@ class Verification::Residence
 end
 
 def valid_postal_code?
- postal_codes = Setting["postal_codes"].gsub("-", "..").split(",")
- postal_codes = postal_codes.map { |i| eval(i) }.map { |i| i.is_a?(Range) ? i.to_a : [i] }.flatten
- postal_code.to_i.in?(postal_codes)
+ Setting["postal_codes"].split(",").any? do |code_or_range|
+ if code_or_range.include?("-")
+ Range.new(*code_or_range.split("-").map(&:to_i)).include?(postal_code.to_i)
+ else
+ postal_code == code_or_range
+ end
+ end
 end
 end
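Review bot: The non-range branch `postal_code == code_or_range` is now a strict string comparison, whereas the removed code compared `postal_code.to_i` against integers, so an entry written with surrounding whitespace (e.g. "28001, 28002") or a differently-typed `postal_code` would silently stop matching — the type of `postal_code` is not visible in this hunk, so treat that as something to confirm. The range branch also splats whatever `split("-")` returns into `Range.new`, so a malformed admin entry such as "28001-" raises ArgumentError from inside the validation, and a third dash-separated part would be interpreted as Range's exclude_end argument rather than rejected; the commit replaces eval with data parsing but leaves the admin-supplied string unvalidated. I would strip each entry and build the range from exactly two parts: `Setting["postal_codes"].split(",").map(&:strip).any? do |code_or_range|`, then in the range branch `first, last = code_or_range.split("-", 2).map(&:to_i)` and `(first..last).cover?(postal_code.to_i)`, and in the other branch `postal_code.to_s == code_or_range`. A short comment on the method naming the accepted setting format (comma-separated codes, with "a-b" denoting an inclusive range) would also make the admin contract explicit.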