site_settings_controller.rb
code Critical
Dangerous Send
Discovered 3 months ago
Source: static code analysis
Category: Dangerous Send
Confidence level: High

Problem

User controlled method execution

Location

app/controllers/admin/site_settings_controller.rb:37

SiteSetting.send((params[:id] or SiteSettings::DeprecatedSettings::SETTINGS.find do
 break new_name if (old_name == params[:id])
 end))

Category description: Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous.

Solution: fix the issue in app/controllers/admin/site_settings_controller.rb or mark it as false positive.

site_settings_controller.rb
code Critical
Dangerous Send
Discovered 3 months ago
Source: static code analysis
Category: Dangerous Send
Confidence level: High

Problem

User controlled method execution

Location

app/controllers/admin/site_settings_controller.rb:132

SiteSetting.send(params[:site_setting_id])

Category description: Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous.

Solution: fix the issue in app/controllers/admin/site_settings_controller.rb or mark it as false positive.

users_controller.rb
code Critical
Dangerous Send
Discovered 3 months ago
Source: static code analysis
Category: Dangerous Send
Confidence level: High

Problem

User controlled method execution

Location

app/controllers/admin/users_controller.rb:260

Promotion.public_send("tl#{(params[:level].to_i + 1)}_met?", User.find_by(:id => params[:user_id]))

Category description: Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous.

Solution: fix the issue in app/controllers/admin/users_controller.rb or mark it as false positive.