我正在使用 CircleCI 来检查安全问题,这是一个错误,但我不确定是不是。
这是导致脚本错误之一的代码行:
= link_to t(:delete), main_app.board_comment_path(@board, comment), method: :delete
这是一个有效的安全问题吗?有什么方法可以让 Brakeman 安全地接受这些参数吗?我继续阅读,--url-safe-methods
但我无法找到使其工作的方法。
将此链接用作指南https://github.com/presidentbeef/brakeman/pull/45
运行bundle exec brakeman -A -q --exit-on-warn
,这是错误报告:
+BRAKEMAN REPORT+
Application path: ****
Rails version: 4.2.2
Brakeman version: 3.0.4
Started at 2015-06-26 14:10:14 -0700
Duration: 1.8311 seconds
Checks run: BasicAuth, ContentTag, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NumberToCurrency, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, StripTags, SymbolDoS, SymbolDoSCVE, TranslateBug, UnsafeReflection, UnscopedFind, ValidationRegex, WithoutProtection, XMLDoS, YAMLParsing
+SUMMARY+
+-------------------+-------+
| Scanned/Reported | Total |
+-------------------+-------+
| Controllers | 23 |
| Models | 9 |
| Templates | 53 |
| Errors | 0 |
| Security Warnings | 2 (0) |
+-------------------+-------+
+----------------------+-------+
| Warning Type | Total |
+----------------------+-------+
| Cross Site Scripting | 2 |
+----------------------+-------+
View Warnings:
+------------+------------------------------------------------------------------+----------------------+-------------------->>
| Confidence | Template | Warning Type | Message >>
+------------+------------------------------------------------------------------+----------------------+-------------------->>
| Medium | boards/show (BoardsController#show) | Cross Site Scripting | Unsafe parameter va>>
| Medium | boards/show (BoardsController#show) | Cross Site Scripting | Unsafe parameter va>>
+------------+------------------------------------------------------------------+----------------------+-------------------->>