presidentbeef / brakeman

A static analysis security vulnerability scanner for Ruby on Rails applications
https://brakemanscanner.org/

Associations not considered as AR objects #1250

Open grosser opened 6 years ago

grosser commented 6 years ago

Background

Brakeman version: 4.3.1
Rails version: 5.2.0
Ruby version: 2.5.1

<%= @project.repositories.first.name.html_safe %>

Issue

should have alerted about XSS

/cc @smo921

presidentbeef commented 6 years ago

This really depends on what @project is and if Brakeman thinks it's a database model.

To reproduce or fix this issue, I'd need to know how the template is being rendered and what Brakeman thinks the output is. Can you run with --debug and check the template output? See if it's being rendered and what the value is?

grosser commented 6 years ago

under projects/show I can see:

[Escaped Output] @project.repositories.first.name.html_safe

so I doubt it did anything smart 🤷‍♂️

presidentbeef commented 6 years ago

Right, so the next question is "why not?" Where is the @project value set?

grosser commented 6 years ago

ah ... it works when it's directly in the controller but not when it's in the parent

grosser commented 6 years ago

it would be interesting to say "you have to whitelist unknown instance vars or they are considered models" so I would have been notified that the class of @project is unknown

presidentbeef commented 6 years ago

ah ... it works when it's directly in the controller but not when it's in the parent

I'm not sure what this means? If the variable is set in a before_action it should be picked up. Otherwise if it's in a helper method, it won't. Or are you calling super in a controller action?

grosser commented 6 years ago

action is in the parent controller and not in the child controller

On Fri, Aug 24, 2018 at 2:31 PM Justin notifications@github.com wrote:
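The situation the thread converges on, an action defined in a parent controller and inherited by the child, so that looking only at the child finds no assignment of @project, as an added toy illustration in plain Ruby. This is not Brakeman's code and does not reproduce its algorithm; the controller names, the `:model` tag meaning "assigned from a database model", the `unknown_is_model:` option (mirroring the suggestion above) and the template lines are all constructed for the example.

```ruby
# Toy model of the inherited-action case from this thread (added example, not
# Brakeman's code). Controllers are plain data: a parent name plus, per action,
# the instance variables it assigns and where each value comes from.
CONTROLLERS = {
  "ApplicationController"  => { parent: nil, actions: {} },
  # Parent defines the action: think "@project = Project.find(params[:id])"
  "BaseProjectsController" => { parent: "ApplicationController",
                                actions: { "show" => { "@project" => :model } } },
  # Child inherits `show` without redefining it (the case reported above).
  "ProjectsController"     => { parent: "BaseProjectsController", actions: {} },
}.freeze

# Constructed template: the first line is escaped by default, the second is the
# line from the original report.
TEMPLATE = [
  "<h1><%= @project.name %></h1>",
  "<%= @project.repositories.first.name.html_safe %>",
].freeze

# Instance variables assigned by `action` on `controller`.
# With inherit: false only the controller's own definitions are consulted, so an
# inherited action yields nothing. With inherit: true the ancestor chain is
# walked until a definition of the action is found.
def assigned_vars(controllers, controller, action, inherit:)
  current = controller
  while current
    entry = controllers.fetch(current)
    return entry[:actions][action] if entry[:actions].key?(action)
    return {} unless inherit
    current = entry[:parent]
  end
  {}
end

# Matches a call chain rooted at an instance variable and ending in .html_safe,
# e.g. "@project.repositories.first.name.html_safe".
HTML_SAFE_RE = /(@\w+)(?:\.\w+)*\.html_safe/

# One warning string per template line where .html_safe is applied to a value
# rooted at a model-backed variable. `unknown_is_model:` treats variables whose
# origin could not be resolved as models, the conservative policy suggested in
# the thread.
def xss_warnings(controllers, controller, action, template_lines,
                 inherit:, unknown_is_model: false)
  vars = assigned_vars(controllers, controller, action, inherit: inherit)
  template_lines.each_with_index.filter_map do |line, idx|
    m = line.match(HTML_SAFE_RE) or next
    origin = vars.fetch(m[1], :unknown)
    origin = :model if origin == :unknown && unknown_is_model
    next unless origin == :model
    "line #{idx + 1}: html_safe applied to model-backed value #{m[0]}"
  end
end

if $PROGRAM_NAME == __FILE__
  [false, true].each do |inherit|
    warnings = xss_warnings(CONTROLLERS, "ProjectsController", "show", TEMPLATE,
                            inherit: inherit)
    puts "inherit=#{inherit}: " +
         (warnings.empty? ? "no warnings (the miss from the report)" : warnings.join("; "))
  end
end
```

With `inherit: false` the checker sees no assignment of @project on ProjectsController and stays silent, which is the miss reported above; with `inherit: true` it finds the assignment on BaseProjectsController and warns, and `unknown_is_model: true` warns even without resolving the origin, at the cost of more noise on variables that really are not models.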