Most search requests return as expected, except the following, which all produce the error below.
Search terms that break:
find
search
xml
python
exec
Expected behavior
Search results should be displayed
Actual behavior
ArgumentError in Search#index
Showing /opt/dradis-ce/app/views/kaminari/_paginator.html.erb where line #7 raised:
Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.
Steps to reproduce
Trace of template inclusion: app/views/search/_results.html.erb, app/views/search/index.html.erb
Rails.root: /opt/dradis-ce
app/views/kaminari/_paginator.html.erb:7:in `block (2 levels) in _app_views_kaminari__paginator_html_erb__864226663__663325808'
app/views/kaminari/_paginator.html.erb:5:in `block in _app_views_kaminari__paginator_html_erb__864226663__663325808'
app/views/kaminari/_paginator.html.erb:1:in `_app_views_kaminari__paginator_html_erb__864226663__663325808'
app/views/search/_results.html.erb:15:in `_app_views_search__results_html_erb__812644066__668098148'
app/views/search/index.html.erb:23:in `_app_views_search_index_html_erb__623506895__669320428'
Request
Parameters:
{"utf8"=>"✓", "q"=>"find"}
System configuration
Dradis version: 3.6
Ruby version: ruby 2.2.2
OS version: Linux kali 4.6.0-kali1-686 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) i686 GNU/Linux
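To make the error message concrete, here is an added illustration (not dradis-ce or Kaminari code) of what Rails is guarding against when it refuses to build a pagination link from the raw request parameters: an unsanitized builder lets a client-supplied `host` key rewrite the link's origin, while a whitelisted builder keeps only the keys the search view needs. The `attacker.example` host and the permitted key set `q`/`page` are constructed assumptions for the demonstration.

```ruby
require "uri"

# Constructed request params. The reporter's request was {"q"=>"find"};
# the "host" key is added here only to show what the Rails check prevents.
SAMPLE_PARAMS = { "q" => "find", "host" => "attacker.example" }.freeze

# Assumption: the search view needs nothing beyond the query and page number.
PERMITTED = %w[q page].freeze

# Unsanitized: every request parameter is treated as a url_for option, so a
# client-supplied "host" changes where the generated "next page" link points.
def page_url_unsanitized(path, params, page)
  opts  = params.merge("page" => page.to_s)
  host  = opts.delete("host")
  query = URI.encode_www_form(opts)
  host ? "http://#{host}#{path}?#{query}" : "#{path}?#{query}"
end

# Whitelisted: only permitted keys survive and the page number is set by the
# view, so "host" (or any other routing option) from the client is dropped.
def page_url_permitted(path, params, page)
  clean = params.select { |k, _| PERMITTED.include?(k) }.merge("page" => page.to_s)
  "#{path}?#{URI.encode_www_form(clean)}"
end

if __FILE__ == $PROGRAM_NAME
  puts page_url_unsanitized("/search", SAMPLE_PARAMS, 2)
  puts page_url_permitted("/search", SAMPLE_PARAMS, 2)
end
```

In a Rails view the equivalent whitelist is `params.permit(:q, :page)`, which Kaminari's paginate helper can be handed through its `params:` option instead of the raw request params.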