Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Rails Brakeman warning: Dynamic Render Path false alarm?

Tags:

ruby

ruby-on-rails

ruby-on-rails-3

brakeman

I'm just getting started with Rails, so I'm using Brakeman to learn about potential vulnerabilities in my newbie code. It's throwing a high-confidence "Dynamic Render Path" warning about the following code in my show.js.erb file:

$('#media-fragment').html('<%= escape_javascript(render(params[:partial])) %>');

I actually expected this was a problem, so no surprise there. So I changed it to the following:

  # controller:
  def show
    if legal_partial?
      @allowed_partial = params[:partial]
    else
      raise StandardError, "unexpected partial request: #{params[:partial]}"
    end
  end

  private

  def legal_partial?
    %w(screenshots video updates).include? params[:partial]
  end

  # ...
  # show.js.erb
  $('#media-fragment').html('<%= escape_javascript(render(@allowed_partial)) %>');

Although I believe the code is now safe, Brakeman is still unhappy with this. Is there a more idiomatic way to control rendering of a partial based on user input?

like image 919
George Armhold Avatar asked Jun 29 '12 14:06

George Armhold

1 Answers

Update (2/5/2016):

This has been fixed as of Brakeman 3.0.3.

If the legal_partial? method is inlined like this:

def show
  if %w(screenshots video updates).include? params[:partial]
    @allowed_partial = params[:partial]
  else
    raise StandardError, "unexpected partial request: #{params[:partial]}"
  end
end

Brakeman will be able to detect the guard condition and will no longer warn about the later render call.

Original answer:

Unfortunately, Brakeman does not know that if legal_partial? is a proper guard. All it knows is that params[:partial] is assigned to @allowed_partial, and that is then passed to render.

You may be able to tell that @allowed_partial will always be a safe value. At that point, you have to consider whether or not it makes sense to add complexity in order to make a tool happy.

Just as an example, you could do this:

def show
  render_allowed_partial params[:partial]
end

def render_allowed_partial name
  if %w(screenshots video updates).include? name
    @allowed_partial = name
  else
    raise StandardError, "unexpected partial request: #{params[:partial]}"
  end
end

It's basically the same thing, except now you are hiding the assignment of @allowed_partial from Brakeman.

(Warning: Not necessarily "best" way of doing this.)

like image 134
Justin Avatar answered Oct 16 '22 03:10

Justin
Sign in to Comment

Related questions

Factory Girl: Automatically assigning parent objects
SVG files in Raphael, can they be used?
How to allow customer subdomain sites to use their own domain
ActiveRecord: Doesnt call after_initialize when method name is passed as a symbol
Carrierwave upload with nested forms?
Connecting to Rails app Postgres DB using pgAdmin
Where to check and validate non model parameters in Rails
Using Devise for Two Different Models but the same Login Form
installing Radiant on DreamHost
Weird behaviour of ruby regex in rails with utf8 char
How to write a method trailing with a keyword
How to display controller specific javascript in rails 3.1?
What is the best database schema for an availability calendar that allows scheduling appointments(reoccurring and single))
How to use Rails date helper methods outside of Rails?
ActiveRecord validate :uniqueness on association
Cucumber claims its support files are broken?
Rails Heroku server paperclip Amazon S3 - AWS::S3::Errors::RequestTimeout
ActiveSupport::HashWithIndifferentAccess on Embedded Form Update
How do I disable add-ons in firefox when using selenium
Uninstall nginx installed by Passenger

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!