Will It Vibe logoWill It Vibe?
RAILS-007Medium severity-8 points

send/public_send invoked with a request-controlled method name

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

send and public_send invoke any method whose name they are given, including private ones. Passing params directly as the method-name argument lets a client choose which method runs on the receiver.

Why it matters

send and public_send call whatever method name they are given, including ones never meant to be reachable from a request: destroy, update_attribute with an arbitrary attribute, or a private method that changes internal state. Passing params straight in as the method name lets a client pick which method runs simply by naming it in the request.

How to fix it

Replace the dynamic dispatch with an explicit case/when or an allowlist array checked with include? before calling send, so only a small, reviewed set of method names can ever be invoked. If the set of valid actions is genuinely dynamic, map request values to method names through a lookup table you control rather than passing client input straight into send.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks