params.merge and cross site scripting

Question

I'm using Brakeman to identify security issues. It's flagging up any links which use params.merge as a cross site scripting vulnerability. How can I sanitize something like the following?

- @archives.each do |archive|
  = link_to "FTP", params.merge(:action => :ftp, :archive => archive, :recipient => "company")
Answer

You should create a new hash based on only the elements of params which you expect and wish to allow to be a part of the FTP link, and use that to merge your additional parameters.

What you have allows me to add whatever I want to that FTP link by modifying the querystring, opening up the door to security vulnerabilities. By building a hash for use in place of the params in the params.merge(...), you're effectively whitelisting expected querystring components for use in the template you're rendering.
As a GET example, if you expect a URL like

/some/path?opt1=val1&opt2=val2

in your controller action you might do

@cleaned_params = { opt1: params[:opt1], opt2: params[:opt2] }
@cleaned_params.merge! action: :ftp, archive: archive, recipient: :company
And then pass @cleaned_params to the link_to

= link_to "FTP", @cleaned_params

This way, if I manually enter a URL like

/some/path?opt1=val1&opt2=val2&maliciousopt=somexss

the params[:maliciousopt] will never make it into your FTP link_to in your view.
The same behaviour applies to POST requests, only to be malicious I might add a couple of fields to the form before submitting it:

<input type="hidden" name="maliciousopt" value="somexss" />
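The allow-list approach from the answer, as an added plain-Ruby example (not code from the question, the answer or Rails). It assumes a constructed stand-in for the Rails params hash and shows the safe hash beside the pass-everything form the question started with.

```ruby
require "uri"

# Constructed stand-in for a Rails params hash (string keys, as they arrive
# from the query string). Rails always adds controller/action; the last key
# is the attacker-added one from the URL in the answer.
INCOMING_PARAMS = {
  "controller" => "archives",
  "action" => "index",
  "opt1" => "val1",
  "opt2" => "val2",
  "maliciousopt" => "<script>alert(1)</script>",
}.freeze

# Allow-list version: copy only the keys the view expects out of params
# (skipping missing/blank ones), then merge the fixed link parameters last
# so a client cannot supply or override them.
def ftp_link_params(params, archive, allowed: %w[opt1 opt2])
  cleaned = allowed.each_with_object({}) do |key, h|
    value = params[key]
    h[key.to_sym] = value unless value.nil? || value.to_s.empty?
  end
  cleaned.merge(action: :ftp, archive: archive, recipient: :company)
end

# Mirror of the flagged pattern for comparison: every incoming key, including
# maliciousopt, is carried into the link.
def unsafe_ftp_link_params(params, archive)
  params.transform_keys(&:to_sym)
        .merge(action: :ftp, archive: archive, recipient: :company)
end

# What link_to would put in the href, with keys sorted for a stable result.
def query_string(link_params)
  URI.encode_www_form(link_params.sort_by { |k, _| k.to_s })
end

if $PROGRAM_NAME == __FILE__
  puts "safe:   ?" + query_string(ftp_link_params(INCOMING_PARAMS, "2013-01"))
  puts "unsafe: ?" + query_string(unsafe_ftp_link_params(INCOMING_PARAMS, "2013-01"))
end
```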