
2.6. Object.send

Object.send is a method with serious security impact, since it invokes any method on an object, including private methods. Some methods in Ruby, like eval or exit!, are private methods of Object and can therefore be invoked through send:

>> Object.private_methods.include?(:eval)
=> true
>> Object.private_methods.include?(:exit)
=> true
>> Object.send('eval', "system 'uname'")
Linux
=> true

An alternative is Object.public_send, which by definition only invokes public methods on an object. However, this does not prevent an attacker from reaching private methods, since Object.send itself is (and has to be) public, so it can be called through public_send and then forward the call to a private method:

>> Object.public_send("send","eval","system 'uname'")
Linux
=> true
>> Object.public_send("send","exit!")     # exits

Developers should be careful when invoking send and public_send with user-controlled arguments.
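The usual mitigation is to never let a user-supplied string choose the method directly, but to compare it against a fixed allowlist of public action names first. The following is an added example, not code from the guide; ReportService, its methods, and the dispatch helpers are hypothetical, and the unsafe variant is kept alongside the safe one to show why public_send alone is not enough.

```ruby
# Added example (not from the guide): dispatching a user-supplied action name.
# ReportService and both dispatch helpers are hypothetical.

class ReportService
  # Public actions a request handler is meant to expose.
  def summary
    "summary"
  end

  def details
    "details"
  end

  private

  # A private helper that must never be reachable from user input.
  def reset_all
    "reset"
  end
end

# Unsafe: public_send does reject private methods, but "send" is itself a
# public method, so a caller who controls the name can route through it.
def unsafe_dispatch(service, action, *args)
  service.public_send(action, *args)
end

# The allowlist holds the only names that may ever reach public_send.
ALLOWED_ACTIONS = %w[summary details].freeze

class DisallowedAction < StandardError; end

# Safe: the supplied name is checked against the allowlist before any
# dynamic invocation happens, so "send", "eval" or "exit!" never get through.
def safe_dispatch(service, action)
  name = action.to_s
  raise DisallowedAction, "action not permitted: #{name}" unless ALLOWED_ACTIONS.include?(name)
  service.public_send(name)
end
```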