Only accept literals as before_filter method names

whitelist, not blacklist! This fixes an issue where things like local variables were being interpreted as method names. Example: before_filter :blah, filter_options "filter_options" was being treated as if it were a method name, which was wrong.

Only accept literals as before_filter method names
whitelist, not blacklist! This fixes an issue where things like local variables were being interpreted as method names. Example: before_filter :blah, filter_options "filter_options" was being treated as if it were a method name, which was wrong.
f829a8f6 · Justin Collins · cd8890ba · f829a8f6
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

lib/brakeman/processors/controller_alias_processor.rb lib/brakeman/processors/controller_alias_processor.rb +1 -1

未找到文件。
--- a/lib/brakeman/processors/controller_alias_processor.rb
+++ b/lib/brakeman/processors/controller_alias_processor.rb
@@ -254,7 +254,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
    filter[:methods] = [args[0][1]]

    args[1..-1].each do |a|
-      filter[:methods] << a[1] unless a.node_type == :hash
+      filter[:methods] << a[1] if a.node_type == :lit
    end

    if args[-1].node_type == :hash