eliminate eval from Builder#initialize

which was raised by Rubocop's security filter related to #1915
sparklemotion · Aug 10, 2019 · 6777008 · 6777008
1 parent 47a7bc7
commit 6777008
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/lib/nokogiri/xml/builder.rb b/lib/nokogiri/xml/builder.rb
@@ -268,10 +268,13 @@ def initialize(options = {}, root = nil, &block)
           @doc = root.document
           @parent = root
         else
-          namespace = self.class.name.split("::")
-          namespace[-1] = "Document"
-          @doc = eval(namespace.join("::")).new
-          @parent = @doc
+          klassname = "::" + (self.class.name.split("::")[0..-2] + ["Document"]).join("::")
+          klass = begin
+                    Object.const_get(klassname)
+                  rescue NameError
+                    Nokogiri::XML::Document
+                  end
+          @parent = @doc = klass.new
         end
 
         @context = nil

diff --git a/test/xml/test_builder.rb b/test/xml/test_builder.rb
@@ -342,6 +342,17 @@ def test_builder_reuses_namespaces
         assert_equal envelope.namespace.object_id, package.namespace.object_id
       end
 
+      def test_builder_uses_proper_document_class
+        xml_builder = Nokogiri::XML::Builder.new
+        assert_instance_of Nokogiri::XML::Document, xml_builder.doc
+
+        html_builder = Nokogiri::HTML::Builder.new
+        assert_instance_of Nokogiri::HTML::Document, html_builder.doc
+
+        foo_builder = ThisIsATestBuilder.new
+        assert_instance_of Nokogiri::XML::Document, foo_builder.doc
+      end
+
       private
 
       def namespaces_defined_on(node)
@@ -350,3 +361,7 @@ def namespaces_defined_on(node)
     end
   end
 end
+
+class ThisIsATestBuilder < Nokogiri::XML::Builder
+  # this exists for the test_builder_uses_proper_document_class and should be empty
+end