Fix false negative when a safe accessor is used
What does this MR do and why?
On gitlab-org/gitlab!109279 (comment 1265327585), I noticed that the GitlabSecurity/PublicSend wasn't catching a public_send usage. As it turns out, using a safe accessor produces a different AST:
irb(main):002:0> Parser::CurrentRuby.parse("thing&.public_send(:thing)")
=>
s(:csend,
  s(:send, nil, :thing), :public_send,
  s(:sym, :thing))
irb(main):003:0> Parser::CurrentRuby.parse("thing.public_send(:thing)")
=>
s(:send,
  s(:send, nil, :thing), :public_send,
  s(:sym, :thing))
This MR updates GitlabSecurity/PublicSend to flag when a safe accessor is used.
Fixes #54 (closed)
Edited by Peter Leitzen
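The false negative described above, as an added example (not code from this MR or from the cop itself): it models the two parser outputs as plain Ruby arrays so it runs without the parser gem. The helper names and sample trees are constructed for illustration.

```ruby
# Added illustration. The ASTs are hand-built arrays that mirror the
# s-expressions in the irb session above; nothing here is the cop's real code.
# Call node shape: [type, receiver, method_name, *args] for :send and :csend.

CALL_TYPES_BEFORE = %i[send].freeze        # matcher that only knows plain calls
CALL_TYPES_AFTER  = %i[send csend].freeze  # also covers safe navigation (&.)

# Depth-first walk that yields every array node in the tree.
def each_node(node, &block)
  return unless node.is_a?(Array)

  yield node
  node.drop(1).each { |child| each_node(child, &block) }
end

# Return every public_send call node whose type is listed in call_types.
def public_send_calls(ast, call_types)
  found = []
  each_node(ast) do |node|
    type, _receiver, method_name = node
    found << node if call_types.include?(type) && method_name == :public_send
  end
  found
end

# Constructed samples.
# thing.public_send(:thing)
PLAIN = [:send, [:send, nil, :thing], :public_send, [:sym, :thing]].freeze
# thing&.public_send(:thing)
SAFE = [:csend, [:send, nil, :thing], :public_send, [:sym, :thing]].freeze
# log(thing&.public_send(name)): the safe call nested as an argument
NESTED = [:send, nil, :log,
          [:csend, [:send, nil, :thing], :public_send, [:send, nil, :name]]].freeze

if $PROGRAM_NAME == __FILE__
  { 'plain' => PLAIN, 'safe' => SAFE, 'nested' => NESTED }.each do |name, ast|
    before = public_send_calls(ast, CALL_TYPES_BEFORE).size
    after  = public_send_calls(ast, CALL_TYPES_AFTER).size
    puts format('%-6s send-only: %d  send+csend: %d', name, before, after)
  end
end
```

Any AST-based check that matches on `send` alone has the same blind spot for every method it flags, so a test case using `&.` belongs next to each plain-call case.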