params.merge and cross site scripting


Problem description


I'm using Brakeman to identify security issues. It's flagging up any links which use params.merge as a cross site scripting vulnerability. How can I sanitize something like the following?

  - @archives.each do |archive|
    =  link_to "FTP", params.merge(:action => :ftp, :archive => archive, :recipient => "company")

Answer

You should create a new hash based on only the elements of params which you expect and wish to allow to be a part of the FTP link and use that to merge your additional parameters.


What you have allows me to add whatever I want to that FTP link by modifying the querystring, opening up the door to security vulnerabilities. By building a hash for use in place of the params in the params.merge(... you're effectively whitelisting expected querystring components for use in the template you're rendering.


As a GET example, if you expect a URL like

/some/path?opt1=val1&opt2=val2


in your controller action you might do

@cleaned_params = { opt1: params[:opt1], opt2: params[:opt2] }
@cleaned_params.merge! action: :ftp, archive: archive, recipient: :company


And then pass @cleaned_params to the link_to

=  link_to "FTP", @cleaned_params


This way if I manually enter a URL like

/some/path?opt1=val1&opt2=val2&maliciousopt=somexss


The params[:maliciousopt] will never make it into your FTP link_to in your view.


The same behaviour applies to POST requests, only to be malicious I might add a couple of fields to the form before submitting it

<input type="hidden" name="maliciousopt" value="somexss" />
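The allowlisting approach from the answer, worked through end to end as an added example (this is not code from the question or the answer, and it does not use Rails). The request `params` object is a constructed plain Hash with string keys standing in for `ActionController::Parameters`, the allowed keys `opt1`/`opt2` and the archive value are assumptions, and `to_query` uses Ruby's standard `URI.encode_www_form` to do what `url_for` would do when `link_to` receives a hash. It shows both hashes side by side: the flagged `params.merge` pattern carries the unexpected `maliciousopt` key straight into the link, while the cleaned hash never contains it, regardless of what the query string or a tampered form submits.

```ruby
require "uri"

# Constructed stand-in for what the controller receives for
# /some/path?opt1=val1&opt2=val2&maliciousopt=somexss (Rack gives string keys).
# The same hash results from a POST whose form carried a hidden "maliciousopt" field.
REQUEST_PARAMS = {
  "opt1" => "val1",
  "opt2" => "val2",
  "maliciousopt" => "somexss\"><script>alert(1)</script>",
}.freeze

# Query-string components the FTP link is expected to carry over (assumed allowlist).
ALLOWED_KEYS = %w[opt1 opt2].freeze

# The pattern Brakeman flags: every key in the request is merged into the link.
def unsafe_link_params(params, archive)
  params.merge("action" => "ftp", "archive" => archive, "recipient" => "company")
end

# The pattern the answer recommends: start from a hash that holds only the
# expected keys, then merge the fixed action/archive/recipient values.
def cleaned_link_params(params, archive, allowed = ALLOWED_KEYS)
  cleaned = allowed.each_with_object({}) do |key, h|
    h[key] = params[key] if params.key?(key)
  end
  cleaned.merge("action" => "ftp", "archive" => archive, "recipient" => "company")
end

# Serialise a link hash to a query string with every value percent-encoded,
# the way url_for does for a hash passed to link_to. Keys are sorted so the
# output is deterministic. Encoding keeps a value from breaking out of the
# href attribute; the allowlist keeps unexpected keys out of the link at all.
def to_query(link_params)
  URI.encode_www_form(link_params.sort_by { |k, _| k })
end

# Convenience: the query string the cleaned FTP link would carry.
def ftp_link_query(params, archive)
  to_query(cleaned_link_params(params, archive))
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe:  #{to_query(unsafe_link_params(REQUEST_PARAMS, '2024-01'))}"
  puts "cleaned: #{ftp_link_query(REQUEST_PARAMS, '2024-01')}"
end
```

Running the file prints the two query strings; the unsafe one contains a `maliciousopt=` component (percent-encoded), the cleaned one contains only the five expected keys.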
