Remove eval from remote_census_api

The use of eval is a serious security risk, so we replace it with the JSON.parse method.
taitus
2019-10-21 16:52:20 +02:00
parent bb627a7117
commit 7e779bf68b
4 changed files with 52 additions and 53 deletions


@@ -84,7 +84,7 @@ class RemoteCensusApi
end
def request(document_type, document_number, date_of_birth, postal_code)
structure = eval(Setting["remote_census.request.structure"])
structure = JSON.parse(Setting["remote_census.request.structure"])
fill_in(structure, Setting["remote_census.request.document_type"], document_type)
fill_in(structure, Setting["remote_census.request.document_number"], document_number)
@@ -100,12 +100,11 @@ class RemoteCensusApi
def fill_in(structure, path_value, value)
path = parse_path(path_value)
update_value(structure, path, value) if path.present?
end
def parse_path(path_value)
path_value.split(".").map { |section| section.to_sym } if path_value.present?
path_value.split(".") if path_value.present?
end
def update_value(structure, path, value)