
Given this method from Mustache.rb Context#find:

def find(obj, key, default = nil)
  hash = obj.respond_to?(:has_key?)

  if hash && obj.has_key?(key)
    obj[key]
  elsif hash && obj.has_key?(key.to_s)
    obj[key.to_s]
  elsif !hash && obj.respond_to?(key)
    meth = obj.method(key) rescue proc { obj.send(key) }
    if meth.arity == 1
      meth.to_proc
    else
      meth[]
    end
  else
    default
  end
rescue Exception => e # I added this to give the debugging output below
  debugger
  # ... see debug output below
  raise
end

Can anyone explain why I'm getting SecurityError Exception: calling insecure method: foo_id given the following:

obj               #=> #<MyModel id: 1, foo_id: 3 ...> (an ActiveRecord object)
                  #   Note foo_id is a column in the DB (a method defined by AR)
key               #=> :foo_id
obj.tainted?      #=> false
obj.method(key)   #=> #<Method: MyModel#foo_id>
obj.send(key)     #=> 3
obj.method(key)[] #=> raises "SecurityError Exception: calling insecure method: foo_id"

obj.method(key).tainted? #=> true... WTF?

Is there something I should know about obj.method(key) and obj.method(key).call?
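As an added example (not code from the question, the answer, or Mustache.rb itself), here is the lookup above re-run stand-alone against three constructed kinds of view object so each branch can be seen taking effect: a Hash with Symbol or String keys, objects whose attribute readers exist only through method_missing (the Record and LegacyRecord classes are invented stand-ins for an ActiveRecord model, and View is an ordinary object with zero- and one-argument methods). The taint and $SAFE-level checks behind the asker's SecurityError were later removed from Ruby (level 4 in 2.1, taint tracking made a no-op in 2.7) and are not modelled here; only the lookup and dispatch logic is.

```ruby
# Added example, not code from the question or from Mustache.rb: a stand-alone
# copy of the Context#find lookup above, run against three constructed kinds of
# view object. Record, LegacyRecord and View are invented for this demo.

def find(obj, key, default = nil)
  hash = obj.respond_to?(:has_key?)

  if hash && obj.has_key?(key)
    obj[key]                       # exact key (usually a Symbol)
  elsif hash && obj.has_key?(key.to_s)
    obj[key.to_s]                  # same key as a String
  elsif !hash && obj.respond_to?(key)
    # Object#method consults respond_to_missing?, not respond_to?. An object
    # that only overrides respond_to? answers true here but raises NameError
    # on #method, so the rescue modifier swaps in a plain send-based proc.
    meth = obj.method(key) rescue proc { obj.send(key) }
    if meth.arity == 1
      meth.to_proc                 # one-argument method: hand back a callable
    else
      meth[]                       # anything else: call it now, return the value
    end
  else
    default
  end
end

# Imitates how an ORM answers attribute reads through method_missing and
# advertises them through respond_to_missing?. ATTRS is a constructed row.
class Record
  ATTRS = { "foo_id" => 3, "name" => "widget" }.freeze

  def method_missing(name, *args)
    return ATTRS[name.to_s] if args.empty? && ATTRS.key?(name.to_s)
    super
  end

  def respond_to_missing?(name, include_private = false)
    ATTRS.key?(name.to_s) || super
  end
end

# Same idea, but overriding respond_to? only. obj.method(:foo_id) fails here,
# which is exactly what the rescue branch in find is for.
class LegacyRecord
  def respond_to?(name, include_private = false)
    name.to_s == "foo_id" || super
  end

  def method_missing(name, *args)
    return 3 if name == :foo_id && args.empty?
    super
  end
end

# An ordinary view object with a zero-arity and a one-arity method.
class View
  def title
    "Hello"
  end

  def shout(text)
    text.upcase
  end
end

# Collects one result per branch of find so the behaviour can be checked.
def find_demo
  {
    symbol_key: find({ foo_id: 3 }, :foo_id),
    string_key: find({ "foo_id" => 3 }, :foo_id),
    via_method: find(Record.new, :foo_id),
    via_send:   find(LegacyRecord.new, :foo_id),
    zero_arity: find(View.new, :title),
    one_arity:  find(View.new, :shout).call("quiet"),
    missing:    find(View.new, :nothing_here, "default"),
  }
end

if __FILE__ == $PROGRAM_NAME
  find_demo.each { |branch, value| puts "#{branch}: #{value.inspect}" }
end
```

Two things worth noticing when running it: the one-arity branch returns a Proc rather than a value, so a template section gets a callable to invoke with its text, and the `respond_to?` plus `send` fallback reaches any public method the object claims to respond to, so the objects handed to a template context should expose only what the template needs.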


1 Answer


I don't know if this helps, but I kept running into this in a Rails application and managed to track it down to some code doing Marshal.load(Marshal.dump(object)). It happened that object was a hash containing objects derived from ActiveRecord::Base. Changing the code so that it did not serialize those objects fixed the error. Tracking this down was not easy, because the error was reported outside the call stack of this code, in a completely different request context.

answered 2011-11-16T12:31:36.787