brakeman vulnaribility UnsafeReflection. (#1587)

* brakeman vulnaribility UnsafeReflection. * Using ObjectSpace. * Fixed tests. * Fixed plural.
lynndylanhurley · Apr 14, 2023 · a30603f · a30603f
1 parent 7cd39f5
commit a30603f
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 8 deletions.
diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb
@@ -132,13 +132,13 @@ def whitelisted_params
     end
 
     def resource_class(mapping = nil)
-      if omniauth_params['resource_class']
-        omniauth_params['resource_class'].constantize
-      elsif params['resource_class']
-        params['resource_class'].constantize
-      else
-        raise 'No resource_class found'
-      end
+      return @resource_class if defined?(@resource_class)
+
+      constant_name = omniauth_params['resource_class'].presence || params['resource_class'].presence
+      @resource_class = ObjectSpace.each_object(Class).detect { |cls| cls.to_s == constant_name && cls.pretty_print_inspect.starts_with?(constant_name) }
+      raise 'No resource_class found' if @resource_class.nil?
+
+      @resource_class
     end
 
     def resource_name

diff --git a/docs/usage/model_concerns.md b/docs/usage/model_concerns.md
@@ -31,7 +31,7 @@ Models that include the `DeviseTokenAuth::Concerns::User` concern will have acce
   response.headers.merge!(new_auth_header)
   ~~~
 
-* **`build_auth_header`**: generates the auth header that should be sent to the client with the next request. Accepts `token` and `client` as arguments. Returns a string.
+* **`build_auth_headers`**: generates the auth header that should be sent to the client with the next request. Accepts `token` and `client` as arguments. Returns a string.
 
   **Example**:
   ~~~ruby