Ruby On Rails - What do these Brakeman warnings mean?


Question

I am using the brakeman gem for scanning my app.

After scanning the app, I get the following warnings:

After scanning the app, I get the following warnings:

#Security warnings

Method                  | Warning Type    | Message                    
------------------------------------------------------
show                    | Unscoped Find   | Unscoped call to PatientMessage#find near line 27: Message.find(+params[:id]+)
------------------------------------------------------

#Controller warnings:

Controller            | Warning Type               | Message
----------------------------------------------------------------------------
ApplicationController | Cross-Site Request Forgery | 'protect_from_forgery' should be called in ApplicationController

Can someone help figure out what these warnings mean?

Answer

The protect_from_forgery error is pretty much self-explanatory (it's telling you to include the method that helps to protect your site from cross-site scripting in your application controller), but the docs for the Unscoped Find are here: http://brakemanscanner.org/docs/warning_types/unscoped_find/

Basically, it's telling you that you should do something like:

current_user.messages.find(params[:id]) 

instead of Message.find so users can't just find any message by passing an id into params. The example above assumes that you have a current_user helper, and that a message belongs to a user, which may not be the case in your app, but that's what the warning means.
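The following is an added example, not code from the question or the answer above: a plain-Ruby stand-in for the ActiveRecord pattern the answer describes, so the difference between an unscoped `Message.find` and a lookup scoped through `current_user.messages` can be run without Rails. The `Message` struct, the `RecordNotFound` error, the seed rows and the two `show_*` functions are all constructed for this demo; in a real app the scoped version is the association call `current_user.messages.find(params[:id])` shown in the answer.

```ruby
# Added example (not from the original post): demonstrates why Brakeman flags
# an unscoped find. Everything here is a constructed stand-in for ActiveRecord.

class RecordNotFound < StandardError; end

Message = Struct.new(:id, :user_id, :body)

# Constructed sample data: messages 1 and 2 belong to user 10, message 3 to user 20.
MESSAGES = [
  Message.new(1, 10, "hello from user 10"),
  Message.new(2, 10, "second note from user 10"),
  Message.new(3, 20, "private note of user 20"),
].freeze

# Mimics Message.find(id): searches every row regardless of who owns it,
# so any user who can guess an id can read any message.
def unscoped_find(id)
  MESSAGES.find { |m| m.id == Integer(id) } or raise RecordNotFound, "Message #{id}"
end

# Mimics current_user.messages.find(id): the association narrows the rows to
# the current user's own messages first, so another user's id simply does not
# exist from this user's point of view and the lookup fails like a 404.
def scoped_find(current_user_id, id)
  MESSAGES.select { |m| m.user_id == current_user_id }
          .find { |m| m.id == Integer(id) } or raise RecordNotFound, "Message #{id}"
end

# The two versions of the controller's show action; params carries a string
# id the way a Rails route parameter would.
def show_unscoped(params)
  unscoped_find(params[:id]).body
end

def show_scoped(current_user_id, params)
  scoped_find(current_user_id, params[:id]).body
end

if __FILE__ == $PROGRAM_NAME
  # User 10 asking for message 3 (owned by user 20): the unscoped version hands it over.
  puts show_unscoped(id: "3")
  # The scoped version refuses, which is the behaviour the warning is asking for.
  begin
    show_scoped(10, id: "3")
  rescue RecordNotFound => e
    puts "scoped lookup refused: #{e.message}"
  end
  puts show_scoped(10, id: "1")
end
```

The fix for the second warning is a one-liner in the real app rather than something to simulate here: Rails' `protect_from_forgery with: :exception` in `ApplicationController` makes every non-GET request carry and verify the CSRF token, which is what Brakeman is checking for.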
