brakeman

Brakeman Error - Unescaped model attribute near

无人久伴, submitted 2019-12-23 10:24:23
Question: I am getting a lot of errors as follows:

    Unescaped model attribute near line 20: show_errors(Objective.new(objective_params), :name)

This is my code:

    module ApplicationHelper
      # Error Helper for Form
      def show_errors(object, field_name)
        if object.errors.any? && object.errors.messages[field_name][0].present?
          "<label class='text-error'>" + object.errors.messages[field_name][0] + "</label>"
        else
          return ""
        end
      end
    end

Answer 1: From Brakeman Cross Site Scripting docs: By default, Brakeman will
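Added example, not code from the post or from Brakeman: the helper above builds the label by string concatenation, so whatever is in the error message is emitted as raw HTML. The hardened variant below escapes the message with `ERB::Util.html_escape` from Ruby's standard library (the same escaping Rails' `h` helper performs). The `errors` argument is a constructed stand-in for `ActiveModel::Errors`, a Hash of field name to an Array of messages.

```ruby
require "erb"

# Vulnerable form, as in the post: the message is concatenated into markup unescaped.
def show_errors_unsafe(errors, field_name)
  msg = errors.fetch(field_name, []).first
  return "" if msg.nil? || msg.empty?
  "<label class='text-error'>" + msg + "</label>"
end

# Hardened form: escape the message before wrapping it in markup.
def show_errors_safe(errors, field_name)
  msg = errors.fetch(field_name, []).first
  return "" if msg.nil? || msg.empty?
  "<label class='text-error'>" + ERB::Util.html_escape(msg) + "</label>"
end

# Constructed errors Hash. Validation messages usually come from the app, but a
# custom validator that echoes the submitted value can carry attacker markup.
ERRORS = {
  name: ["can't be blank"],
  title: ["<script>alert(1)</script> is not a valid title"],
}.freeze

if __FILE__ == $0
  puts show_errors_unsafe(ERRORS, :title) # script tag reaches the page
  puts show_errors_safe(ERRORS, :title)   # script tag rendered as text
end
```

Inside a Rails helper the idiomatic fix is `content_tag(:label, msg, class: "text-error")`, which escapes `msg` for you and returns an `html_safe` string; the point is the same, the message is data and must be escaped before it becomes part of markup.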

Ruby On Rails - What do these Brakeman warnings mean?

老子叫甜甜, submitted 2019-12-11 12:52:57
Question: I am using the brakeman gem for scanning my app. After scanning the app, I get the following warnings:

    #Security warnings
    Method | Warning Type | Message
    ------------------------------------------------------
    show | Unscoped Find | Unscoped call to PatientMessage#find near line 27: Message.find(+params[:id]+)
    ------------------------------------------------------
    #Controller warnings:
    Controller | Warning Type | Message
    ----------------------------------------------------------------------------
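Added example, not code from the post: Brakeman's "Unscoped Find" warning says that `Message.find(params[:id])` looks a record up by id alone, so any signed-in user who guesses an id can read another user's message. The fix in Rails is to go through the owner's association, `current_user.messages.find(params[:id])`. The code below simulates both lookups over constructed `Struct` records instead of ActiveRecord; `Message`, `MESSAGES` and `RecordNotFound` are names made up for this file.

```ruby
Message = Struct.new(:id, :user_id, :body)

# Constructed data: messages 1 and 2 belong to user 10, message 3 to user 20.
MESSAGES = [
  Message.new(1, 10, "patient A results"),
  Message.new(2, 10, "patient A follow-up"),
  Message.new(3, 20, "patient B results"),
].freeze

class RecordNotFound < StandardError; end

# Unscoped, mirrors Message.find(params[:id]): ownership is never checked, so the
# caller's identity plays no part in what comes back.
def find_message_unscoped(id)
  MESSAGES.find { |m| m.id == Integer(id) } or
    raise RecordNotFound, "Message #{id}"
end

# Scoped, mirrors current_user.messages.find(params[:id]): a message that exists
# but belongs to someone else is indistinguishable from one that does not exist.
def find_message_for(user_id, id)
  MESSAGES.find { |m| m.user_id == user_id && m.id == Integer(id) } or
    raise RecordNotFound, "Message #{id} for user #{user_id}"
end

if __FILE__ == $0
  puts find_message_unscoped("3").body      # user 10 reads user 20's message
  begin
    find_message_for(10, "3")
  rescue RecordNotFound => e
    puts "scoped lookup refused: #{e.message}"
  end
end
```

`Integer(id)` is deliberate: a request id arrives as a String, and converting it up front rejects junk before it reaches the lookup.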

Rails brakeman warning of sql injection

我们两清, submitted 2019-12-05 10:39:46
I've got a scope in my model:

    scope :assigned_to_user, ->(user) {
      task_table = UserTask.table_name
      joins("INNER JOIN #{task_table} ON #{task_table}.user_id = #{user.id} AND (#{task_table}.type_id = #{table_name}.type_id) AND (#{task_table}.manager_id = #{table_name}.manager_id) ")
    }

So after running the brakeman report I get this warning:

    assigned_to_user | SQL Injection | Possible

So I tried the following:

    scope :assigned_to_user, ->(user) {
      task_table = UserTask.table_name
      joins(ActiveRecord::Base::sanitize("INNER JOIN #{task_table} ON #{task_table}.user_id = #{user.id} AND (#{task_table}
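Added example, not code from the post or from Rails: the scope interpolates `user.id` straight into a JOIN string, which is the pattern Brakeman flags, and wrapping the whole fragment in `ActiveRecord::Base.sanitize` does not help because that quotes the entire fragment as one string literal instead of parameterising the value. The shape that does help is literal SQL with `?` placeholders and the values bound per placeholder, which is what ActiveRecord's `sanitize_sql_array([sql, *binds])` does. The `quote` and `sanitize_sql_array` below are small stand-ins written for this file so it runs without Rails; the table names are constants and never come from input.

```ruby
TASK_TABLE = "user_tasks"   # stands in for UserTask.table_name
TABLE_NAME = "assignments"  # stands in for the model's table_name

# Hypothetical quoting helper (not Rails'): integers pass through, strings are
# single-quoted with embedded quotes doubled, anything else is refused.
def quote(value)
  case value
  when Integer then value.to_s
  when String  then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "unsupported bind value #{value.class}"
  end
end

# Replaces each ? in the literal SQL with the matching quoted bind value.
def sanitize_sql_array(sql, *binds)
  raise ArgumentError, "bind count mismatch" unless sql.count("?") == binds.size
  pending = binds.dup
  sql.gsub("?") { quote(pending.shift) }
end

# As posted: the id is interpolated, so a non-integer value becomes SQL.
def assigned_to_user_join_unsafe(user_id)
  "INNER JOIN #{TASK_TABLE} ON #{TASK_TABLE}.user_id = #{user_id} " \
  "AND #{TASK_TABLE}.type_id = #{TABLE_NAME}.type_id " \
  "AND #{TASK_TABLE}.manager_id = #{TABLE_NAME}.manager_id"
end

# Parameterised: the id is bound, so it can only ever be a value in the comparison.
def assigned_to_user_join(user_id)
  sanitize_sql_array(
    "INNER JOIN #{TASK_TABLE} ON #{TASK_TABLE}.user_id = ? " \
    "AND #{TASK_TABLE}.type_id = #{TABLE_NAME}.type_id " \
    "AND #{TASK_TABLE}.manager_id = #{TABLE_NAME}.manager_id",
    user_id
  )
end

if __FILE__ == $0
  puts assigned_to_user_join(42)
  puts assigned_to_user_join_unsafe("1 OR 1=1")  # condition injected
  puts assigned_to_user_join("1 OR 1=1")         # same text, now a quoted literal
end
```

In the real scope `user.id` is an Integer loaded from the model, so there is no live injection there today; the value of binding it anyway is that the scope stays safe if someone later passes a raw param as `user`, and `Integer(user.id)` is a cheaper belt-and-braces check when the column really is an integer id.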

Rails Brakeman warning: Dynamic Render Path false alarm?

我的梦境, submitted 2019-12-05 04:02:01
I'm just getting started with Rails, so I'm using Brakeman to learn about potential vulnerabilities in my newbie code. It's throwing a high-confidence "Dynamic Render Path" warning about the following code in my show.js.erb file:

    $('#media-fragment').html('<%= escape_javascript(render(params[:partial])) %>');

I actually expected this was a problem, so no surprise there. So I changed it to the following:

    # controller:
    def show
      if legal_partial?
        @allowed_partial = params[:partial]
      else
        raise StandardError, "unexpected partial request: #{params[:partial]}"
      end
    end

    private

    def legal_partial?
      %w

rails brakeman order sql injection

会有一股神秘感。, submitted 2019-12-04 23:41:38
Question: How can I avoid a brakeman warning in Rails when constructing an order method from parameters?

    def index
      @methods = [:name, :manager, :deadline]
      assignments = Assignment.order(sort_column(@methods) + " " + sort_direction).received(current_user).root
    end

    def sort_column(column_names)
      column_names.each do |column|
        return column if column == params[:sort]
      end
      return 'updated_at'
    end

    def sort_direction
      params[:direction] == 'asc' ? 'asc' : 'desc'
    end

I'm working hard to avoid ever putting user
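Added example, not code from either post, that serves both the "Dynamic Render Path" question (`render(params[:partial])` checked against a list and then passed on) and the `order` question above. Both have the same shape: the value that came from `params` is validated and then used, so the thing reaching `render` or `order` is still the request value. Looking the input up in a constant Hash and using the Hash's own value instead means what is rendered or ordered by is always a literal the code owns. As a side note on the posted `sort_column`, `@methods` holds Symbols while `params[:sort]` is a String, so the comparison never matches and it always falls back to `'updated_at'`. `PARTIALS`, `SORT_COLUMNS`, `DEFAULT_SORT` and the plain-Hash `params` are constructed for this file.

```ruby
# Allowlist of partials, keyed by the request value, valued by the template path.
PARTIALS = {
  "gallery"  => "media/gallery",
  "timeline" => "media/timeline",
}.freeze

# Allowlist of sortable columns, valued by the Symbol handed to order.
SORT_COLUMNS = {
  "name"     => :name,
  "manager"  => :manager,
  "deadline" => :deadline,
}.freeze
DEFAULT_SORT = :updated_at

class UnexpectedPartial < StandardError; end

# Template path from the allowlist. An unknown name is an error, not a fallback:
# a bad partial name is a bug or an attack, never a legitimate user choice.
def allowed_partial(params)
  PARTIALS.fetch(params[:partial].to_s) do |name|
    raise UnexpectedPartial, "unexpected partial request: #{name}"
  end
end

# Sort column from the allowlist, defaulting quietly because any column order is
# acceptable; only the clause itself must never be built from the request.
def sort_column(params)
  SORT_COLUMNS.fetch(params[:sort].to_s, DEFAULT_SORT)
end

def sort_direction(params)
  params[:direction] == "asc" ? :asc : :desc
end

# The Hash form Assignment.order accepts (order(name: :asc)); no SQL string exists.
def order_clause(params)
  { sort_column(params) => sort_direction(params) }
end

if __FILE__ == $0
  p order_clause({ sort: "name", direction: "asc" })
  p order_clause({ sort: "name; DROP TABLE assignments", direction: "up" })
  p allowed_partial({ partial: "gallery" })
end
```

In the controller this becomes `Assignment.order(order_clause(params))` and `render partial: allowed_partial(params)`. If Brakeman still reports a warning on a call it cannot prove safe, that is the point at which `brakeman -I` exists: record it in config/brakeman.ignore with a note explaining the allowlist, rather than weakening the check.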