kanet77/togglv8

Evaluating body of response

v2ci opened this issue · 1 comment

v2ci commented

I'm looking at the eval of the post response.
https://github.com/kanet77/togglv8/blob/master/togglV8.rb#L373

It appears that if the response does not have a 200 code, we are running whatever comes back.

In the specific case where we create a task with a name that already exists, the script fails with "undefined local variable or method `taken'", because 'taken' is the last word in the body of the response. In general, it looks to me like we're blindly running whatever script might come back from the server.

What is the intent of this eval?

In the specific case I mentioned, I would consider this a bug. In general, this seems like a serious security issue.

Thank you for opening this issue. Apologies for not responding sooner. I finally found some time to devote back to this project.

If you are inclined, please take a look at the latest version and tell me if you think this issue is resolved. The relevant code no longer relies on eval(). I agree that was not a good practice.
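An added illustration of the two patterns discussed in this thread, written for this page and not taken from the togglv8 code base: a constructed stand-in for an HTTP response, the eval-based handling the issue describes, and the status-check-plus-JSON.parse alternative. The sample bodies are constructed; the error body merely ends in the word "taken" to mirror the reported symptom, and `FakeResponse`, `parse_with_eval`, `parse_safely` and `demo` are names chosen here.

```ruby
require 'json'

# Constructed stand-in for a Net::HTTP response: only the two fields we need.
FakeResponse = Struct.new(:code, :body)

# The pattern the issue describes: the body is handed to eval regardless of
# status, so whatever text the server returns is executed as Ruby.
def parse_with_eval(response)
  eval(response.body)
end

# Hardened pattern: check the status first, then treat the body strictly as
# data (JSON), never as code. Non-2xx responses raise with the body as text.
def parse_safely(response)
  unless response.code.to_i.between?(200, 299)
    raise "Toggl API error #{response.code}: #{response.body}"
  end
  JSON.parse(response.body)
end

# Constructed sample bodies (not captured Toggl responses). The 400 body ends
# in the word "taken", like the error text described in the issue.
OK_BODY  = '{"data":{"id":123,"name":"Write report"}}'
ERR_BODY = 'Name has already been taken'

def demo
  ok  = FakeResponse.new('200', OK_BODY)
  err = FakeResponse.new('400', ERR_BODY)
  results = {}

  # Why eval "worked": a JSON object happens to parse as a Ruby hash literal
  # (with symbol keys in current Ruby), so success responses looked fine.
  results[:eval_ok] = parse_with_eval(ok)[:data][:name]

  # On the error body, Ruby parses the text as nested method calls and fails
  # on the innermost name, `taken`, with a NameError: the reported symptom.
  results[:eval_err] = begin
    parse_with_eval(err)
  rescue NameError => e
    e.class.name
  end

  results[:safe_ok]  = parse_safely(ok)['data']['name']
  results[:safe_err] = begin
    parse_safely(err)
  rescue RuntimeError => e
    e.message
  end
  results
end
```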