Betterment / betterlint

Betterment/UnscopedFind False Positive #51

Open 6f6d6172 opened 2 months ago

6f6d6172 commented 2 months ago
```ruby
def test
  some_user.other_model.active.find_by_token(token)
end

def token
  params[:token]
end
```

This raises an offense, even though we're operating in a trusted context (off of `some_user`). Interestingly, using `find_by(token:)` and `find(token)` do not raise offenses, despite fundamentally being the same level of risk. The way we look for dynamic method names may be to blame.

```ruby
METHOD_PATTERN = /^find_by_(.+?)(!)?$/
...
# yoinked from Rails/DynamicFindBy
def static_method_name(method_name)
  match = METHOD_PATTERN.match(method_name)
  return nil unless match

  match[2] ? 'find_by!' : 'find_by'
end
```
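
A consistency check for the expectation in this report, added here as a sketch that is neither betterlint's code nor the reporter's: a dynamic finder, once normalised by the quoted `static_method_name`, should get the same scoping verdict as `find_by` or `find` on the same receiver chain. The receiver rule (a chain counts as scoped unless it starts at a constant) and the names `STATIC_FINDERS`, `CONSTANT_ROOTS`, `chain_root` and `classify` are assumptions of this example.

```ruby
require 'ripper'

# Pattern and mapping as quoted in the issue.
METHOD_PATTERN = /^find_by_(.+?)(!)?$/

def static_method_name(method_name)
  match = METHOD_PATTERN.match(method_name)
  return nil unless match

  match[2] ? 'find_by!' : 'find_by'
end

# Hypothetical helpers below; not betterlint code.
STATIC_FINDERS = %w[find find_by find_by!].freeze
CONSTANT_ROOTS = %i[var_ref const_path_ref top_const_ref].freeze

# Walk a Ripper call chain down to its leftmost receiver.
def chain_root(node)
  node = node[1] while %i[call method_add_arg].include?(node[0])
  node
end

# Assumed rule for this sketch: a finder is "scoped" unless its receiver
# chain starts at a constant (a model class).
def classify(source)
  call = Ripper.sexp(source)[1][0]
  call = call[1] if call[0] == :method_add_arg
  return nil unless call[0] == :call

  name = call[3][1]
  finder = STATIC_FINDERS.include?(name) ? name : static_method_name(name)
  return nil unless finder

  root = chain_root(call[1])
  unscoped = CONSTANT_ROOTS.include?(root[0]) && root.flatten.include?(:@const)
  { finder: finder, scoped: !unscoped }
end

# Constructed samples: the three spellings from the issue plus an unscoped one.
if __FILE__ == $PROGRAM_NAME
  ['some_user.other_model.active.find_by_token(token)',
   'some_user.other_model.active.find_by(token: token)',
   'some_user.other_model.active.find(token)',
   'OtherModel.active.find_by_token!(token)'].each do |src|
    puts "#{src} => #{classify(src)}"
  end
end
```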