Merge pull request #1670 from pedropb/update_copy_on_unsafe_reflectio…

…n_check Update copy on unsafe reflection error message
presidentbeef · Feb 26, 2022 · 243012a · 243012a
2 parents a167c31 + 177cb44
commit 243012a
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 7 deletions.
diff --git a/lib/brakeman/checks/check_unsafe_reflection.rb b/lib/brakeman/checks/check_unsafe_reflection.rb
@@ -20,7 +20,7 @@ def run_check
   def check_unsafe_reflection result
     return unless original? result
 
-    call = result[:call] 
+    call = result[:call]
     method = call.method
 
     case method
@@ -37,7 +37,12 @@ def check_unsafe_reflection result
     end
 
     if confidence
-      message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
+      case method
+      when :constantize, :safe_constantize
+        message = msg("Unsafe reflection method ", msg_code(method), " called on ", msg_input(input))
+      else
+        message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
+      end
 
       warn :result => result,
         :warning_type => "Remote Code Execution",

diff --git a/test/tests/rails2.rb b/test/tests/rails2.rb
@@ -1318,7 +1318,7 @@ def test_unsafe_reflection_constantize
     assert_warning :type => :warning,
       :warning_type => "Remote Code Execution",
       :line => 89,
-      :message => /^Unsafe\ reflection\ method\ `constantize`\ cal/,
+      :message => /^Unsafe\ reflection\ method\ `constantize`\ called\ on/,
       :confidence => 0,
       :file => /home_controller\.rb/,
       :relative_path => "app/controllers/home_controller.rb"
@@ -1328,7 +1328,7 @@ def test_unsafe_reflection_constantize
       :warning_code => 24,
       :warning_type => "Remote Code Execution",
       :line => 1,
-      :message => /^Unsafe\ reflection\ method\ `constantize`\ cal/,
+      :message => /^Unsafe\ reflection\ method\ `constantize`\ called\ on/,
       :confidence => 0,
       :relative_path => "app/views/home/test_send_target.html.erb"
   end

diff --git a/test/tests/rails31.rb b/test/tests/rails31.rb
@@ -1179,7 +1179,7 @@ def test_unsafe_reflection_constantize
     assert_warning :type => :warning,
       :warning_type => "Remote Code Execution",
       :line => 9,
-      :message => /^Unsafe\ reflection\ method\ `constantize`\ cal/,
+      :message => /^Unsafe\ reflection\ method\ `constantize`\ called\ on/,
       :confidence => 0,
       :file => /admin_controller\.rb/
   end
@@ -1189,7 +1189,7 @@ def test_unsafe_reflection_safe_constantize
     assert_warning :type => :warning,
       :warning_type => "Remote Code Execution",
       :line => 12,
-      :message => /^Unsafe\ reflection\ method\ `safe_constantiz/,
+      :message => /^Unsafe\ reflection\ method\ `safe_constantize`\ called\ on/,
       :confidence => 0,
       :file => /admin_controller\.rb/
   end
@@ -1198,7 +1198,7 @@ def test_unsafe_reflection_qualified_const_get
     assert_warning :type => :warning,
       :warning_type => "Remote Code Execution",
       :line => 14,
-      :message => /^Unsafe\ reflection\ method\ `qualified_const/,
+      :message => /^Unsafe\ reflection\ method\ `qualified_const_get`\ called\ with/,
       :confidence => 0,
       :file => /admin_controller\.rb/
   end