 

Unsafe parameter value in link_to href

I have added the following line to a template file

link_to("CSV", params.merge(:action => "list", :format => :csv, :filename => filename))

A security assessment tool showed a warning that there is a cross-site scripting vulnerability associated with this. I need to know:

1) Why does such a vulnerability occur?
2) What is the solution to this problem?

Arun Mathew Kurian asked Feb 13 '26 21:02


1 Answer

I don't think there's a need to merge :format and :filename into params. This will lead to two major complications.

  1. Someone can modify the query string, leaving the door open to a security vulnerability.
  2. Having user-defined symbols at runtime and merging them with params also leaves a door open for a DoS (Denial of Service) attack.

(you may Google these issues for a detailed explanation)

Focusing on what you can do to solve this issue:

link_to("CSV", :action => "list", :format => :csv, :filename => filename)

or if it is in other controller

link_to("CSV", :controller => "controller_name", :action => "list", :format => :csv, :filename => filename)

This might help you resolve the issue.

Good luck.

Karan Purohit answered Feb 15 '26 19:02
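The first complication the answer mentions can be shown without a full Rails app. The example below is an added illustration, not code from the question, the answer or Rails itself: `build_url` is a deliberately simplified stand-in for Rails `url_for` that keeps the one behaviour that matters here, namely that a `:host` key in the options hash turns the generated link into an absolute URL to that host (and `:protocol` picks its scheme). Because `params.merge(...)` hands every query-string key the visitor supplied to the URL builder, a request such as `/reports/show?host=attacker.example&protocol=https` makes the "CSV" link point off-site, whereas the fixed form from the answer only ever passes the keys the template intends. The `attack` hash, controller and filename values are constructed for the demonstration; `safe_href?` is an extra check a practitioner might add before emitting any href built from user data, rejecting `javascript:` and `data:` schemes. Rails 5 and later refuse to build a URL from unpermitted request parameters for exactly this reason, so on a modern app the original line fails loudly rather than silently.

```ruby
require 'cgi'
require 'uri'

# Simplified stand-in for Rails url_for (assumption: only the handling of
# :controller, :action, :format, :host and :protocol is modelled; the real
# url_for honours :host and :protocol the same way for hash arguments).
def build_url(opts)
  opts = opts.transform_keys(&:to_sym) # symbol keys win over string keys, like Rails params
  path = "/#{opts.fetch(:controller)}/#{opts.fetch(:action)}"
  path += ".#{opts[:format]}" if opts[:format]

  reserved = %i[controller action format host protocol only_path]
  query = opts.reject { |k, _| reserved.include?(k) }
              .map { |k, v| "#{CGI.escape(k.to_s)}=#{CGI.escape(v.to_s)}" }
              .join('&')
  path += "?#{query}" unless query.empty?

  # A caller-supplied host makes the link absolute, pointing wherever it says.
  return path if opts[:host].nil?
  "#{opts.fetch(:protocol, 'http')}://#{opts[:host]}#{path}"
end

# Pattern from the question: the whole request params hash is merged into
# the link, so visitor-controlled keys such as host/protocol flow into it.
def csv_link_unsafe(request_params, filename)
  build_url(request_params.merge(action: 'list', format: 'csv', filename: filename))
end

# Pattern from the answer: only the keys the template means to set.
def csv_link_safe(request_params, filename)
  build_url(controller: request_params.fetch('controller'),
            action: 'list', format: 'csv', filename: filename)
end

# Defensive check before rendering an href derived from user input:
# relative paths and http(s) are allowed, javascript:/data: and the like are not.
def safe_href?(href)
  scheme = URI.parse(href).scheme
  scheme.nil? || %w[http https].include?(scheme.downcase)
rescue URI::InvalidURIError
  false
end

if $PROGRAM_NAME == __FILE__
  # Constructed request params for GET /reports/show?host=attacker.example&protocol=https
  attack = { 'controller' => 'reports', 'action' => 'show',
             'host' => 'attacker.example', 'protocol' => 'https' }
  puts "unsafe: #{csv_link_unsafe(attack, 'report')}"
  puts "safe:   #{csv_link_safe(attack, 'report')}"
  puts "javascript: href allowed? #{safe_href?('javascript:alert(1)')}"
end
```

Run as a script to see the merged version emit `https://attacker.example/reports/list.csv?filename=report` while the explicit version stays at `/reports/list.csv?filename=report`. The lesson generalises beyond `:host`: any option `url_for` understands becomes attacker-controllable once the raw params hash is merged, so pass named keys rather than the request's params.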