I'm using Brakeman to identify security issues. It's flagging up any links which use params.merge as a cross-site scripting vulnerability. How can I sanitize something like the following?
- @archives.each do |archive|
= link_to "FTP", params.merge(:action => :ftp, :archive => archive, :recipient => "company")
The main reason XSS vulnerabilities exist is a lack of data validation, so the primary defense against XSS attacks is distrusting user input.
Cross-site scripting, or XSS for short, is an injection vulnerability that occurs when an attacker inserts unauthorized JavaScript, VBScript, HTML, or other active content into a web page. When subsequent users view the page, the malicious code executes or attacks the user.
XSS attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. They occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
You should create a new hash based on only the elements of params which you expect and wish to allow to be a part of the FTP link, and use that to merge your additional parameters. What you have allows me to add whatever I want to that FTP link by modifying the querystring, opening up the door to security vulnerabilities. By building a hash for use in place of the params in the params.merge(...), you're effectively whitelisting expected querystring components for use in the template you're rendering.
As a GET example, if you expect a URL like
/some/path?opt1=val1&opt2=val2
in your controller action you might do
@cleaned_params = { opt1: params[:opt1], opt2: params[:opt2] }
@cleaned_params.merge! action: :ftp, archive: archive, recipient: :company
And then pass @cleaned_params to the link_to:
= link_to "FTP", @cleaned_params
This way, if I manually enter a URL like
/some/path?opt1=val1&opt2=val2&maliciousopt=somexss
the params[:maliciousopt] will never make it into your FTP link_to in your view.
The same behaviour applies to POST requests, only to be malicious I might add a couple of fields to the form before submitting it:
<input type="hidden" name="maliciousopt" value="somexss" />
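The allowlisting the answer describes, as an added example that is not code from the question, the answer, or Rails itself. It uses a plain Ruby hash as a stand-in for the Rails params object, and the allowed key names opt1 and opt2 are assumptions taken from the answer's sample URL.

```ruby
# Added example, not code from the question or the answer above. A plain-Ruby
# stand-in for the Rails params hash, showing the raw params.merge pattern
# beside the allowlisted version the answer recommends.

# Query keys this view is expected to carry forward into the FTP link.
# (Assumed names; adjust to the keys your action actually accepts.)
ALLOWED_LINK_KEYS = %i[opt1 opt2].freeze

# The pattern Brakeman flags: every request parameter, expected or not,
# is copied into the generated link.
def naive_link_params(params, archive)
  params.merge(action: :ftp, archive: archive, recipient: :company)
end

# Allowlisted version: copy only the expected keys out of +params+ (string or
# symbol keys are both accepted), then layer the fixed link parameters on top
# so a query-string value can never override them.
def ftp_link_params(params, archive, allowed: ALLOWED_LINK_KEYS)
  symbolized = params.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
  cleaned = symbolized.slice(*allowed)
  cleaned.merge(action: :ftp, archive: archive, recipient: :company)
end

# Constructed sample of what the request
# /some/path?opt1=val1&opt2=val2&maliciousopt=somexss would produce.
REQUEST_PARAMS = {
  "controller" => "archives",
  "action" => "index",
  "opt1" => "val1",
  "opt2" => "val2",
  "maliciousopt" => "somexss",
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "naive:   #{naive_link_params(REQUEST_PARAMS, '2024-01').inspect}"
  puts "cleaned: #{ftp_link_params(REQUEST_PARAMS, '2024-01').inspect}"
end
```

Passing the cleaned hash to link_to means an unexpected key such as maliciousopt never reaches the rendered URL, which is what Brakeman is checking for.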