Ruby On Rails - What do these Brakeman warnings mean?

Posted by 老子叫甜甜 on 2019-12-11 12:52:57

Question


I am using brakeman gem for scanning my app.

After scanning the app, I get the following warnings:

#Security warnings

Method                  | Warning Type    | Message                    
------------------------------------------------------
show                    | Unscoped Find   | Unscoped call to PatientMessage#find near line 27: Message.find(+params[:id]+)
------------------------------------------------------

#Controller warnings:

Controller            | Warning Type               | Message
----------------------------------------------------------------------------
ApplicationController | Cross-Site Request Forgery | 'protect_from_forgery' should be called in ApplicationController

Can someone help figure out what these warnings mean?


Answer 1:


The protect_from_forgery error is pretty much self-explanatory (it's telling you to include the method that helps to protect your site from cross-site scripting in your application controller), but the docs for the Unscoped Find are here: http://brakemanscanner.org/docs/warning_types/unscoped_find/

Basically, it's telling you that you should do something like:

current_user.messages.find(params[:id])

instead of Message.find so users can't just find any message by passing an id into params. The example above assumes that you have a current_user helper, and that a message belongs to a user, which may not be the case in your app, but that's what the warning means.
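The difference the answer describes, as an added example that is not part of the original post: a plain-Ruby stand-in for the ActiveRecord calls (no Rails needed), with a constructed in-memory message table, an unscoped `find` matching the flagged `Message.find(params[:id])`, and an owner-scoped `find` matching `current_user.messages.find(params[:id])`. The `RecordNotFound` class, the `MESSAGES` hash and the `show_*` helpers are assumptions for the demonstration.

```ruby
# Added example: how an unscoped find leaks another user's record while an
# owner-scoped find returns "not found" instead. Plain Ruby, not Rails code.
class RecordNotFound < StandardError; end

# Constructed in-memory "messages" table: id => owner user_id and body.
MESSAGES = {
  1 => { user_id: 10, body: "alice's note" },
  2 => { user_id: 20, body: "bob's note" },
}.freeze

# Unscoped lookup, equivalent to Message.find(params[:id]) in the warning:
# any authenticated user can read any message just by changing the id.
def unscoped_find(id)
  MESSAGES.fetch(id) { raise RecordNotFound, "Couldn't find Message with id=#{id}" }
end

# Owner-scoped lookup, equivalent to current_user.messages.find(params[:id]):
# a message belonging to someone else is treated exactly like a missing one.
def scoped_find(current_user_id, id)
  row = MESSAGES[id]
  if row.nil? || row[:user_id] != current_user_id
    raise RecordNotFound, "Couldn't find Message with id=#{id} for user #{current_user_id}"
  end
  row
end

# Simulated controller "show" actions. params is untrusted request input, so
# the id is cast to an Integer before it reaches the lookup.
def show_unscoped(_current_user_id, params)
  unscoped_find(Integer(params["id"]))[:body]
end

def show_scoped(current_user_id, params)
  scoped_find(current_user_id, Integer(params["id"]))[:body]
end

# Alice (user 10) requests Bob's message (id 2).
puts show_unscoped(10, "id" => "2")      # prints "bob's note": the leak Brakeman warns about
begin
  show_scoped(10, "id" => "2")
rescue RecordNotFound => e
  puts "scoped: #{e.message}"            # not found, which Rails renders as a 404
end
```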



Source: https://stackoverflow.com/questions/32102172/ruby-on-rails-what-do-these-brakeman-warnings-mean
