What is this "Unscoped call to" warning in Brakeman?
When I scan my code with the Brakeman tool, I get a warning message. It says there is an unscoped call in the following query:
@applicant = Applicant.find(params[:id])
This is the actual error message:
+------------+----------------------+--------+---------------+-----------------------------------------------------------------------------+
| Confidence | Class                | Method | Warning Type  | Message                                                                     |
+------------+----------------------+--------+---------------+-----------------------------------------------------------------------------+
| Weak       | ApplicantsController | show   | Unscoped Find | Unscoped call to Applicant#find near line 25: Applicant.find(+params[:id]+) |
+------------+----------------------+--------+---------------+-----------------------------------------------------------------------------+
But when I replace the query above with the following one, the warning goes away:
@applicant = Applicant.where("id = ?", params[:id]).first
I don't understand what is wrong with the first query.
Brakeman is just warning you that you are querying the entire Applicant table rather than scoping the lookup under another model, e.g. current_tenant.applicants.find... From Brakeman's docs:
Unscoped find (and related methods) are a form of Direct Object Reference. Models which belong to another model should typically be accessed via a scoped query.
For example, if an Account belongs to a User, then this may be an unsafe unscoped find:
Account.find(params[:id])
Depending on the action, this could allow an attacker to access any account they wish.
Instead, it should be scoped to the currently logged-in user:
current_user = User.find(session[:user_id])
current_user.accounts.find(params[:id])
If this is the behaviour you want, you can configure Brakeman to ignore this warning as a false positive. To do so, run brakeman with the -I flag (or --interactive-ignore). Follow the instructions under Ignoring False Positives to step through all the warnings and add this particular one to your ignore file.
In short:
$ brakeman -I
Input file: |config/brakeman.ignore|
# press Enter to accept the default ignore file
No such file. Continue with empty config?
# press Enter to create the file
>
1. Inspect all warnings
2. Hide previously ignored warnings
3. Skip - use current ignore configuration
# press 2 to step through all warnings, skipping previously ignored
# Brakeman will now step through each warning, prompting you for each one.
# Press i to add this warning to the ignore list.
# When finished, Brakeman will ask you what to do.
# Press 1 to save changes to the ignore file.
The next time you run Brakeman, this warning should no longer appear.
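As an added illustration (not code from the question, the answer or Brakeman itself), here is a plain-Ruby stand-in for the two lookups the answer contrasts, so it runs without Rails; the Applicant/User names, the user ids and the rows are constructed, and the where(...).first variant from the question is included because it still searches the whole table exactly as find does, even though Brakeman happens not to flag that pattern.

```ruby
# Minimal in-memory stand-in for the ActiveRecord calls discussed above.
# Nothing here is Rails; the class and column names mirror the question.
class RecordNotFound < StandardError; end

Applicant = Struct.new(:id, :user_id, :name)

# Constructed sample table: two users (10 and 20), each owning one applicant.
APPLICANTS = [
  Applicant.new(1, 10, "alice-app"),
  Applicant.new(2, 20, "bob-app"),
].freeze

# Unscoped lookup, the shape of Applicant.find(params[:id]):
# any id in the table resolves, regardless of who is asking.
def unscoped_find(id)
  APPLICANTS.find { |a| a.id == id } || raise(RecordNotFound, "Applicant #{id}")
end

# The question's replacement, Applicant.where("id = ?", id).first:
# Brakeman does not report it, but it is the same whole-table lookup.
def unscoped_where_first(id)
  APPLICANTS.select { |a| a.id == id }.first
end

# Scoped lookup, the shape of current_user.applicants.find(params[:id]):
# the association narrows the rows to the current user's before the id
# is applied, so another user's id is simply not found.
def scoped_find(current_user_id, id)
  owned = APPLICANTS.select { |a| a.user_id == current_user_id }
  owned.find { |a| a.id == id } || raise(RecordNotFound, "Applicant #{id}")
end

# Simulates ApplicantsController#show with the scoped lookup: a request
# for a record the current user does not own becomes a 404, not a leak.
def show(current_user_id, params)
  scoped_find(current_user_id, Integer(params[:id]))
rescue RecordNotFound
  :not_found
end
```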