Brakeman exits on warning: cross-site scripting, unsafe parameter value
I'm using CircleCI to check for security issues, and this is being reported as an error, but I'm not sure whether it really is one.
Here is the line of code that causes one of the cross-site scripting errors:
= link_to t(:delete), main_app.board_comment_path(@board, comment), method: :delete
Is this a valid security issue? Is there any way to get Brakeman to accept that these parameters are safe? I read about --url-safe-methods
but couldn't figure out a way to make it work.
Using this link as a guide: https://github.com/presidentbeef/brakeman/pull/45
Running bundle exec brakeman -A -q --exit-on-warn
, this is the error:
+BRAKEMAN REPORT+
Application path: ****
Rails version: 4.2.2
Brakeman version: 3.0.4
Started at 2015-06-26 14:10:14 -0700
Duration: 1.8311 seconds
Checks run: BasicAuth, ContentTag, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NumberToCurrency, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, StripTags, SymbolDoS, SymbolDoSCVE, TranslateBug, UnsafeReflection, UnscopedFind, ValidationRegex, WithoutProtection, XMLDoS, YAMLParsing
+SUMMARY+
+-------------------+-------+
| Scanned/Reported | Total |
+-------------------+-------+
| Controllers | 23 |
| Models | 9 |
| Templates | 53 |
| Errors | 0 |
| Security Warnings | 2 (0) |
+-------------------+-------+
+----------------------+-------+
| Warning Type | Total |
+----------------------+-------+
| Cross Site Scripting | 2 |
+----------------------+-------+
View Warnings:
+------------+------------------------------------------------------------------+----------------------+-------------------->>
| Confidence | Template | Warning Type | Message >>
+------------+------------------------------------------------------------------+----------------------+-------------------->>
| Medium | boards/show (BoardsController#show) | Cross Site Scripting | Unsafe parameter va>>
| Medium | boards/show (BoardsController#show) | Cross Site Scripting | Unsafe parameter va>>
+------------+------------------------------------------------------------------+----------------------+-------------------->>
Assuming board_comment_path
returns a path, this is (almost certainly) a false positive.
The reason Brakeman warns about URLs in link_to
is that a URL like javascript:dangerous_stuff_here()
can be set. A common example is a user profile that links to the user's website.
--url-safe-methods
only applies to methods that wrap the input passed to link_to
. For example, link_to 'stuff', safe_url(some_input)
.
However, after https://github.com/presidentbeef/brakeman/pull/674, Brakeman will stop warning about path helpers in URLs, and --safe-methods
/--url-safe-methods
will be extended to match all kinds of methods.
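The answer's point about javascript: URLs, shown as an added example that is not part of the original answer and not code from Brakeman or Rails: a hypothetical safe_url helper of the kind --url-safe-methods is meant to name, next to a minimal stand-in for the attribute escaping link_to performs, which demonstrates why escaping alone does not neutralise a javascript: href. The names safe_url, anchor and ALLOWED_SCHEMES are assumptions, and the sample inputs are constructed to stand in for a user-supplied "website" field.

```ruby
require "uri"
require "cgi"

# Hypothetical helper (not from Rails or Brakeman): schemes a user-supplied
# link may use. javascript:, data:, vbscript: and everything else is rejected.
ALLOWED_SCHEMES = %w[http https].freeze

# Returns the URL if it is safe to place in an href, or nil otherwise.
# Relative paths (e.g. "/boards/1/comments/2") have no scheme and are allowed;
# absolute URLs must use http or https.
def safe_url(input)
  return nil if input.nil?
  # Browsers ignore control characters and whitespace when parsing the scheme,
  # so "java\tscript:" or "\x01javascript:" would otherwise slip past a naive
  # prefix check. Remove them before parsing.
  cleaned = input.to_s.strip.gsub(/[\u0000-\u0020\u007f]/, "")
  return nil if cleaned.empty?
  uri = URI.parse(cleaned)
  return cleaned if uri.scheme.nil?                      # relative URL
  return cleaned if ALLOWED_SCHEMES.include?(uri.scheme.downcase)
  nil
rescue URI::Error
  nil                                                    # unparseable: reject
end

# Minimal stand-in for what link_to emits. The href is attribute-escaped, which
# neutralises quotes and angle brackets but leaves a javascript: scheme intact.
# That gap is exactly what Brakeman's LinkTo checks warn about.
def anchor(text, href)
  %(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(text)}</a>)
end

if __FILE__ == $0
  # Constructed inputs standing in for a user profile's "website" field.
  samples = [
    "https://example.com/",
    "/boards/1/comments/2",
    "javascript:dangerous_stuff_here()",
    "JAVA\tSCRIPT:alert(1)",
    "data:text/html,hi"
  ]
  samples.each do |u|
    puts "escaped only : #{anchor('site', u)}"
    puts "via safe_url : #{anchor('site', safe_url(u) || '#')}"
  end
end
```

With a helper like this wrapping the user-controlled value, the view would read link_to 'site', safe_url(profile.website), and bundle exec brakeman --url-safe-methods safe_url tells Brakeman to treat that method's return value as a safe URL, which is the usage the answer describes. A path helper such as board_comment_path never needs this because its output is built from the route table, not from user input.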