Dynamic link_to path with params[:controller]: Brakeman Dangerous Send


I have the following partial _filters.html.haml which has been used many times in my code:

- resource ||= params[:controller]
= link_to send("delete_#{resource}_path"), method: :delete, data: { confirm: delete_confirmation } do
  = fa_icon delete_icon, class: 'm-r-quarter', text: delete_text

It has a dynamic delete path constructed from params[:controller]. Brakeman gives the following error message for the above code:

Confidence: High
Category: Dangerous Send
Check: Send
Message: User controlled method execution
Code: send("delete_#{params[:controller]}_path")

Is this a valid error shown by Brakeman? I know that whitelisting the params is one solution to avoid dangerous send. Is there any better way of resolving this?

Answer by max (accepted answer):

This doesn't actually allow user controlled method execution since params[:controller] and params[:action] are set by the Rails router and will override any user provided values.

It is very stinky though. A slight improvement would be to use the controller_name helper method:

= link_to send("delete_#{controller_name}_path"), ...

But it really begs the question why on earth you inflicted this monstrosity on yourself to begin with. What is this even supposed to do since it's missing an id - destroy everything?

If you want to destroy a resource in Rails you send a DELETE request to the member path:

DELETE /things/1

Since there is no silly prefix in the URL you can just generate it with:

= link_to(model_instance, method: :delete) do
  = fa_icon delete_icon, class: 'm-r-quarter', text: delete_text

If you really do need to generate a path dynamically use the polymorphic route helpers instead of send:

= link_to [:delete, controller_name], method: :delete, data: { confirm: delete_confirmation } do
  = fa_icon delete_icon, class: 'm-r-quarter', text: delete_text
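As an added example (not part of the question or the answer above), here is a plain-Ruby stand-in for the Rails route helpers that shows why Brakeman objects to the interpolated send and how the allowlist the asker mentions resolves it. FakeRouteHelpers, FilterPartial and the three helper names are constructed for the illustration and are not Rails API.

```ruby
# Constructed stand-ins for the delete_<resource>_path helpers that Rails
# would generate from routes.rb; not real Rails code.
module FakeRouteHelpers
  def delete_posts_path
    "/posts/delete"
  end

  def delete_comments_path
    "/comments/delete"
  end

  # A helper that exists in the app but must never be reachable through a
  # dynamically built method name.
  def delete_everything_path
    "/admin/delete_everything"
  end
end

class FilterPartial
  include FakeRouteHelpers

  # Resources for which the partial is legitimately rendered.
  DELETABLE_RESOURCES = %w[posts comments].freeze

  # The pattern Brakeman flags as "Dangerous Send": whatever string lands in
  # `resource` picks the method, so any delete_*_path helper becomes callable.
  def unsafe_delete_path(resource)
    send("delete_#{resource}_path")
  end

  # Allowlisted version: the resource name is checked against a fixed list
  # before it is turned into a method name, so only the intended helpers
  # can ever be invoked, and an unexpected name fails loudly.
  def safe_delete_path(resource)
    unless DELETABLE_RESOURCES.include?(resource)
      raise ArgumentError, "no delete route for resource #{resource.inspect}"
    end
    public_send("delete_#{resource}_path")
  end
end
```

In a real view the allowlist is a constant the app owns, not something derived from the request, which is what makes Brakeman stop treating the send as user controlled.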