0

我正在使用 CircleCI 来检查安全问题,这是一个错误,但我不确定是不是。

这是导致脚本错误之一的代码行:

= link_to t(:delete), main_app.board_comment_path(@board, comment), method: :delete

这是一个有效的安全问题吗?有什么方法可以让 Brakeman 安全地接受这些参数吗?我继续阅读,--url-safe-methods但我无法找到使其工作的方法。

将此链接用作指南https://github.com/presidentbeef/brakeman/pull/45

运行bundle exec brakeman -A -q --exit-on-warn,这是错误报告:

+BRAKEMAN REPORT+

Application path: ****
Rails version: 4.2.2
Brakeman version: 3.0.4
Started at 2015-06-26 14:10:14 -0700
Duration: 1.8311 seconds
Checks run: BasicAuth, ContentTag, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NumberToCurrency, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, StripTags, SymbolDoS, SymbolDoSCVE, TranslateBug, UnsafeReflection, UnscopedFind, ValidationRegex, WithoutProtection, XMLDoS, YAMLParsing


+SUMMARY+

+-------------------+-------+
| Scanned/Reported  | Total |
+-------------------+-------+
| Controllers       | 23    |
| Models            | 9     |
| Templates         | 53    |
| Errors            | 0     |
| Security Warnings | 2 (0) |
+-------------------+-------+

+----------------------+-------+
| Warning Type         | Total |
+----------------------+-------+
| Cross Site Scripting | 2     |
+----------------------+-------+


View Warnings:

+------------+------------------------------------------------------------------+----------------------+-------------------->>
| Confidence | Template                                                         | Warning Type         | Message            >>
+------------+------------------------------------------------------------------+----------------------+-------------------->>
| Medium     | boards/show (BoardsController#show) | Cross Site Scripting | Unsafe parameter va>>
| Medium     | boards/show (BoardsController#show) | Cross Site Scripting | Unsafe parameter va>>
+------------+------------------------------------------------------------------+----------------------+-------------------->>
4

1 回答 1

1

board_comment_path假设返回路径,这(几乎可以肯定)是误报。

Brakeman 警告有关 URL 的原因link_to是因为可以将 URL 设置为javascript:dangerous_stuff_here(). 一个常见的例子是链接到用户网站的用户配置文件。

--url-safe-methods仅适用于将输入包装到link_to. 例如,link_to 'stuff', safe_url(some_input)

但是,在https://github.com/presidentbeef/brakeman/pull/674之后, Brakeman 将停止警告 URL 中的路径帮助程序,并扩展--safe-methods/--url-safe-methods以匹配所有类型的方法。

于 2015-06-28T22:28:30.603 回答