Half question, half suggestion. I see `eval` used throughout the enforcer, I'm guessing to interpolate JSON (and not pure Ruby) hashes.
Whether or not these values are input directly by users or could be manipulated, `eval` seems like the least desirable choice for both clarity/readability and the risk of executing code unintentionally.
If these values are JSON, can we instead use something like `JSON.parse` to evaluate them, or, if they're plain Ruby hashes, is it worth serializing them to JSON (or something) instead?
Examples: https://github.com/PerimeterX/perimeterx-ruby-sdk/blob/master/lib/perimeterx/internal/validators/perimeter_x_s2s_validator.rb#L87 https://github.com/PerimeterX/perimeterx-ruby-sdk/search?q=eval&unscoped_q=eval
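The contrast the issue is asking about, as an added example that is not code from the perimeterx-ruby-sdk: a hash-shaped string run through `eval` next to the same string run through `JSON.parse`. The inputs are constructed for the demo, and the function names (`parse_with_eval`, `parse_with_json`, `json_rejects?`, `round_trip`) are hypothetical, not the SDK's. The hostile input's side effect is deliberately harmless so the script is safe to run; it stands in for `system(...)`, `File.read`, and the like.

```ruby
require 'json'

# Constructed sample input: the kind of hash-shaped string such code receives.
BENIGN_INPUT = '{"uuid": "abc-123", "score": 75}'

# Constructed hostile input: still a syntactically valid Ruby hash literal,
# but the "score" value is an expression that runs when eval'd. The side
# effect here is harmless (it appends to an array) so the demo is safe;
# a real payload would call system, File, Net::HTTP, etc.
SIDE_EFFECTS = []
HOSTILE_INPUT = '{"uuid": "abc-123", "score": (SIDE_EFFECTS << :code_ran; 75)}'

# The pattern being questioned: "parsing" with eval. The string is compiled
# and executed as Ruby source, so any expression inside it runs. Note also
# that `"uuid": ...` is Ruby symbol-key syntax, so the keys come back as
# symbols, not the strings a JSON parser would produce.
def parse_with_eval(str)
  eval(str) # intentionally unsafe, kept only for contrast
end

# The safer replacement: JSON.parse only builds data (hashes, arrays,
# strings, numbers, booleans, nil). Anything that is not JSON raises
# JSON::ParserError instead of executing. Pass symbolize: true if the
# surrounding code expects symbol keys, as the eval version produced.
def parse_with_json(str, symbolize: false)
  JSON.parse(str, symbolize_names: symbolize)
end

# True when JSON.parse refuses the input, so callers can treat malformed
# or hostile input as a rejection rather than letting it through.
def json_rejects?(str)
  parse_with_json(str)
  false
rescue JSON::ParserError
  true
end

# If the values start life as plain Ruby hashes, serialize them with
# JSON.generate (or Hash#to_json) rather than Hash#inspect/to_s, so the
# consuming side can use JSON.parse. inspect output like {"a"=>1} is not
# JSON and json_rejects? will refuse it.
def round_trip(hash)
  JSON.parse(JSON.generate(hash))
end

if __FILE__ == $PROGRAM_NAME
  p parse_with_eval(BENIGN_INPUT)   # symbol keys
  p parse_with_json(BENIGN_INPUT)   # string keys
  parse_with_eval(HOSTILE_INPUT)
  p SIDE_EFFECTS                    # eval executed the embedded expression
  p json_rejects?(HOSTILE_INPUT)    # JSON.parse refused the same string
end
```

The key difference to remember when swapping one for the other is the key type: `eval` of `{"k": v}` yields `:k`, `JSON.parse` yields `"k"` unless `symbolize_names: true` is passed, so any downstream `hash[:key]` lookups need to be checked when making the change.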