Avoid using eval in postal code validation

We were getting a warning by Rubocop because we were using eval with a string defined by administrators, which in theory could be dangerous.
2021-11-13 18:23:57 +01:00
parent 006269a94b
commit edc56b1e1f
1 changed files with 7 additions and 3 deletions
--- a/app/models/verification/residence.rb
+++ b/app/models/verification/residence.rb
@@ -105,8 +105,12 @@ class Verification::Residence
    end

    def valid_postal_code?
-      postal_codes = Setting["postal_codes"].gsub("-", "..").split(",")
-      postal_codes = postal_codes.map { |i| eval(i) }.map { |i| i.is_a?(Range) ? i.to_a : [i] }.flatten
-      postal_code.to_i.in?(postal_codes)
+      Setting["postal_codes"].split(",").any? do |code_or_range|
+        if code_or_range.include?("-")
+          Range.new(*code_or_range.split("-").map(&:to_i)).include?(postal_code.to_i)
+        else
+          postal_code == code_or_range
+        end
+      end
    end
 end