Method#call raises "SecurityError Exception: calling insecure method" in Mustache.rb... why?

Given this method from Mustache.rb Context#find:

    def find(obj, key, default = nil)
      hash = obj.respond_to?(:has_key?)
      if hash && obj.has_key?(key)
        obj[key]
      elsif hash && obj.has_key?(key.to_s)
        obj[key.to_s]
      elsif !hash && obj.respond_to?(key)
        meth = obj.method(key) rescue proc { obj.send(key) }
        if meth.arity == 1
          meth.to_proc
        else
          meth[]
        end
      else
        default
      end
    rescue Exception => e # I added this to give the debugging output below
      debugger
      # ... see debug output below
      raise
    end

Can anyone explain why I'm getting SecurityError Exception: calling insecure method: foo_id given the following:

    obj #=> #<MyModel id: 1, foo_id: 3 ...> (an ActiveRecord object)
    # Note foo_id is a column in the DB (a method defined by AR)
    key #=> :foo_id
    obj.tainted? #=> false
    obj.method(key) #=> #<Method: MyModel#foo_id>
    obj.send(key) #=> 3
    obj.method(key)[] #=> raises "SecurityError Exception: calling insecure method: foo_id"
    obj.method(key).tainted? #=> true... WTF?

Is there something I should know about obj.method(key) and obj.method(key).call?
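To make the lookup rules in Context#find easier to follow, here is a stand-alone re-implementation run against constructed inputs. It is an added example, not code from the post or from Mustache.rb; FakeModel, its greet method and the demo helper are hypothetical. It exercises only the dispatch path (hash lookup by symbol, by string, method on a plain object, Method#arity, Method#[] as the call site); the taint/$SAFE check behind the SecurityError is not reproduced because that mechanism was removed in Ruby 3.2.

```ruby
# Added example: the branches of Mustache.rb Context#find, isolated so each one
# can be observed on constructed input. Not the project's own code.

# Constructed stand-in for an ActiveRecord-style model (hypothetical): foo_id is
# a zero-arity reader like a column accessor, greet takes one argument.
class FakeModel
  def foo_id
    3
  end

  def greet(name)
    "hello #{name}"
  end
end

# Mirrors the lookup order of Context#find; the debugger/rescue lines the asker
# added for tracing are left out.
def find(obj, key, default = nil)
  hash = obj.respond_to?(:has_key?)
  if hash && obj.has_key?(key)
    obj[key]                       # hash keyed by symbol
  elsif hash && obj.has_key?(key.to_s)
    obj[key.to_s]                  # hash keyed by string
  elsif !hash && obj.respond_to?(key)
    # Method#[] is an alias for Method#call; in the asker's trace this is the
    # call that raises once the Method object is tainted.
    meth = obj.method(key) rescue proc { obj.send(key) }
    if meth.arity == 1
      meth.to_proc                 # one-argument methods become section lambdas
    else
      meth[]                       # zero-arity methods are called immediately
    end
  else
    default
  end
end

# Runs every branch once and returns the results keyed by branch (hypothetical helper).
def demo
  model = FakeModel.new
  {
    symbol_key: find({ foo_id: 1 }, :foo_id),
    string_key: find({ "foo_id" => 2 }, :foo_id),
    method_call: find(model, :foo_id),
    arity_one: find(model, :greet).call("mustache"),
    missing: find(model, :nope, "default")
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The symbol-versus-string hash branches explain why both `:foo_id` and `"foo_id"` resolve in a template context, and the arity test shows why a column reader like `foo_id` ends up at `meth[]` rather than being returned as a proc.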
Comments (1)
I don't know if this helps but I've been experiencing this in a Rails application and managed to trace it to a bit of code that did

    Marshal.load(Marshal.dump(object))

It happened that object was a hash that contained instances of classes that derived from ActiveRecord::Base. Making the code not serialise those objects solved the error. Tracking this down was not easy because the errors were reported outside of the callstack of this code, in a completely different request context.