Rails Brakeman warning: Dynamic Render Path false alarm?


Question

I'm just getting started with Rails, so I'm using Brakeman to learn about potential vulnerabilities in my newbie code. It's throwing a high-confidence "Dynamic Render Path" warning about the following code in my show.js.erb file:

$('#media-fragment').html('<%= escape_javascript(render(params[:partial])) %>');

I actually expected this was a problem, so no surprise there. So I changed it to the following:

  # controller:
  def show
    if legal_partial?
      @allowed_partial = params[:partial]
    else
      raise StandardError, "unexpected partial request: #{params[:partial]}"
    end
  end

  private

  def legal_partial?
    %w(screenshots video updates).include? params[:partial]
  end

  # ...
  # show.js.erb
  $('#media-fragment').html('<%= escape_javascript(render(@allowed_partial)) %>');

Although I believe the code is now safe, Brakeman is still unhappy with this. Is there a more idiomatic way to control rendering of a partial based on user input?

Recommended answer

Update (2/5/2016):

This has been fixed as of Brakeman 3.0.3.

If the legal_partial? method is inlined like this:

def show
  if %w(screenshots video updates).include? params[:partial]
    @allowed_partial = params[:partial]
  else
    raise StandardError, "unexpected partial request: #{params[:partial]}"
  end
end

Brakeman will be able to detect the guard condition and will no longer warn about the later render call.

Original answer:

Unfortunately, Brakeman does not know that if legal_partial? is a proper guard. All it knows is that params[:partial] is assigned to @allowed_partial, and that is then passed to render.

You may be able to tell that @allowed_partial will always be a safe value. At that point, you have to consider whether or not it makes sense to add complexity in order to make a tool happy.

Just as an example, you could do this:

def show
  render_allowed_partial params[:partial]
end

def render_allowed_partial name
  if %w(screenshots video updates).include? name
    @allowed_partial = name
  else
    raise StandardError, "unexpected partial request: #{params[:partial]}"
  end
end

It's basically the same thing, except now you are hiding the assignment of @allowed_partial from Brakeman.

(Warning: Not necessarily "best" way of doing this.)
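The allowlist guard that both the question and the answer rely on, written out as a stand-alone Ruby example added here (it is not code from the question, the answer, or Brakeman, and it runs without Rails). The module name PartialSelector, the constant ALLOWED_PARTIALS and the helper method names are assumptions for this illustration. One design point it adds to the thread: the helper returns the allowlist's own string rather than echoing the request parameter back, so the value that eventually reaches render is never the raw user input, and the guard is a single reusable function instead of an if/else scattered through controller actions.

```ruby
# Added example (not from the question or answer above): an allowlist lookup
# for a user-chosen partial name, written as a plain Ruby module so it runs
# without Rails. PartialSelector, ALLOWED_PARTIALS and the helper names are
# assumptions for this illustration.
module PartialSelector
  ALLOWED_PARTIALS = %w[screenshots video updates].freeze

  class UnexpectedPartial < StandardError; end

  # Returns the allowlisted partial name matching +requested+, or raises.
  # The return value is the allowlist's own string object, not the request
  # parameter, so what reaches render is never the raw user input.
  def self.safe_partial(requested)
    name = requested.to_s
    index = ALLOWED_PARTIALS.index(name)
    raise UnexpectedPartial, "unexpected partial request: #{name.inspect}" if index.nil?

    ALLOWED_PARTIALS[index]
  end

  # Convenience form for callers that prefer nil over an exception
  # (for example to fall back to a default partial).
  def self.safe_partial_or_nil(requested)
    safe_partial(requested)
  rescue UnexpectedPartial
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one legitimate value plus inputs that a
  # dynamic render path must reject (traversal, another view directory, nil).
  ["video", "../../../etc/passwd", "users/admin_panel", nil].each do |input|
    puts "#{input.inspect} => #{PartialSelector.safe_partial_or_nil(input).inspect}"
  end
end
```

In a controller this would be used as `@allowed_partial = PartialSelector.safe_partial(params[:partial])`, with the view unchanged from the question; whether a given Brakeman version recognises this particular shape as a guard is not something this example claims.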
