Hi,

If I want to ensure that someone has filled out the email section of a form I can write this in my model:

    validates_presence_of :email

I can also achieve (more or less) the same thing by writing:

    validate do |applicant|
      applicant.validate_presence("email")
    end

    def validate_presence(arg)
      string = "errors.add(:#{arg}, \"can't be blank\") if #{arg} == \"\""
      eval(string)
    end

My question: does the method using eval pose any kind of security threat?

I know the above example is silly (redefining an existing validation method), but it serves well as a simplified version of what I am trying to do, without going into unnecessary detail.

Thanks in advance
-- 
Posted via http://www.ruby-forum.com/.
-- 
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
You are ok if you are eval'ing on something which is not user provided. The risk is if you are eval'ing something which is user input, which then would subject you to risk. Below I am assuming your arg is a field name which is something passed by your own code.

David

On Sat, Sep 25, 2010 at 8:38 AM, Jim Burgess <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> Hi,
>
> If I want to ensure that someone has filled out the email section of a
> form I can write this in my model:
>
>     validates_presence_of :email
>
> I can also achieve (more or less) the same thing by writing:
>
>     validate do |applicant|
>       applicant.validate_presence("email")
>     end
>
>     def validate_presence(arg)
>       string = "errors.add(:#{arg}, \"can't be blank\") if #{arg} == \"\""
>       eval(string)
>     end
>
> My question: does the method using eval pose any kind of security
> threat?
>
> I know the above example is silly (redefining an existing validation
> method), but it serves well as a simplified version of what I am trying
> to do, without going into unnecessary detail.
>
> Thanks in advance
Thanks for the reply.

> Below I am assuming your arg is a field name which is
> something passed by your own code.

Exactly. arg is simply the name of a field whose value I want to check. This field is hard-coded into my program. I don't want to execute any user generated input, rather just check to see if the user has entered anything. I am assuming that in this case I am on the safe side using eval. Is that correct?
Marnen Laibow-Koser
2010-Sep-25 16:04 UTC
Re: Is it a security risk using eval in the model?
David Kahn wrote:
> You are ok if you are eval'ing on something which is not user provided. The
> risk is if you are eval'ing something which is user input, which then would
> subject you to risk. Below I am assuming your arg is a field name which is
> something passed by your own code.

However, eval is virtually never necessary in Ruby. 99% of the time (as in the OP's case), you actually wanted send. I'll post an example later if it would be helpful.

> David

Best,
-- 
Marnen Laibow-Koser
http://www.marnen.org
marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org
On 25 September 2010 14:38, Jim Burgess <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
>     def validate_presence(arg)
>       string = "errors.add(:#{arg}, \"can't be blank\") if #{arg} == \"\""
>       eval(string)
>     end
>
> My question: does the method using eval pose any kind of security
> threat?

I'd say it's not a particular security threat (especially if you make the 'validate_presence' method private). But it does pose a code-legibility and slight smell threat. If you feel you need to use eval, you're probably missing some other way of achieving the result you're after.

Obviously, you've deliberately contrived your example to illustrate, but by the same token that there's no need to do the eval in the example (because you could just execute the line in the string), in your real use-case I'd be suspicious of what other ways you could arrange the code to avoid the eval.

NOI HTH
Michael Pavling
2010-Sep-25 16:10 UTC
Re: Re: Is it a security risk using eval in the model?
On 25 September 2010 17:04, Marnen Laibow-Koser <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> However, eval is virtually never necessary in Ruby. 99% of the time (as
> in the OP's case), you actually wanted send. I'll post an example later
> if it would be helpful.

There's a good case for the other 1% using "yield" ... :-)
Marnen Laibow-Koser
2010-Sep-25 16:44 UTC
Re: Is it a security risk using eval in the model?
Jim Burgess wrote:
> Hi,
>
> If I want to ensure that someone has filled out the email section of a
> form I can write this in my model:
>
>     validates_presence_of :email
>
> I can also achieve (more or less) the same thing by writing:
>
>     validate do |applicant|
>       applicant.validate_presence("email")
>     end
>
>     def validate_presence(arg)
>       string = "errors.add(:#{arg}, \"can't be blank\") if #{arg} == \"\""
>       eval(string)
>     end

Here's the eval-less version:

    def validate_presence(arg)
      errors.add arg.to_sym, "can't be blank" if self.send(arg).blank?
    end

Of course, since this is ActiveRecord, you could use self[arg] instead of self.send(arg) in most cases, but it's not quite equivalent. (I also took the liberty of using blank? .)

Best,
-- 
Marnen Laibow-Koser
http://www.marnen.org
marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org
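As an added, stand-alone illustration of the send-based approach discussed in this thread (not code from any of the posters, and not ActiveRecord): the field name still arrives as a string, but it is checked against a declared attribute list before public_send is called, so a name that does not belong to the model cannot reach any other method. The Applicant class, its Errors helper and the ATTRIBUTES list are assumptions made for this example; blank? is approximated with a nil/whitespace check.

```ruby
# Minimal stand-in for ActiveRecord's errors collection (example only).
class Errors
  attr_reader :messages

  def initialize
    @messages = {}
  end

  def add(attr, msg)
    (@messages[attr] ||= []) << msg
  end

  def empty?
    @messages.empty?
  end
end

class Applicant
  # The only attribute names validate_presence is allowed to look up.
  ATTRIBUTES = %i[email name].freeze
  attr_accessor(*ATTRIBUTES)
  attr_reader :errors

  def initialize(email: nil, name: nil)
    @email, @name, @errors = email, name, Errors.new
  end

  # eval-free equivalent of the thread's validate_presence: arg is a string,
  # as in the original, but it must name a declared attribute before it is
  # passed to public_send, so "destroy" or a private method name is rejected.
  def validate_presence(arg)
    attr = arg.to_sym
    raise ArgumentError, "unknown attribute #{arg.inspect}" unless ATTRIBUTES.include?(attr)
    value = public_send(attr)
    # same intent as ActiveSupport's blank?: nil, "" and whitespace-only all fail
    errors.add(attr, "can't be blank") if value.nil? || value.to_s.strip.empty?
  end

  def valid?
    @errors = Errors.new
    ATTRIBUTES.each { |a| validate_presence(a.to_s) }
    errors.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  a = Applicant.new(email: "   ", name: "Jim")
  p a.valid?           # false
  p a.errors.messages  # {:email=>["can't be blank"]}
end
```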
Thanks for all of the answers, you have really helped me a lot.

I was also unaware of the existence of the method '.to_sym' which will in itself solve several of my problems. (Thanks Marnen!)

I will try out your suggested code to replace 'eval' and post back here if I have any further questions.

Thanks again!
Jim