users_controller.rb
code Critical
Dangerous Send
Discovered almost 5 years ago
Source: static code analysis
Category: Dangerous Send
Confidence level: High

Problem

User controlled method execution

Location

app/controllers/admin/users_controller.rb:157

Promotion.send("tl#{(params[:level].to_i + 1)}_met?", User.find_by(:id => params[:user_id]))

Category description: Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous.

Solution: fix the issue in app/controllers/admin/users_controller.rb or mark it as false positive.