Possible unprotected redirect Open
redirect_to request.query_parameters.merge(action: :index)- Read upRead up
- Exclude checks
Unvalidated redirects and forwards are #10 on the OWASP Top Ten.
Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.
Brakeman will raise warnings whenever redirect_to appears to be used with a user-supplied value that may allow them to change the :host option.
For example,
redirect_to params.merge(:action => :home)will create a warning like
Possible unprotected redirect near line 46: redirect_to(params)This is because params could contain :host => 'evilsite.com' which would redirect away from your site and to a malicious site.
If the first argument to redirect_to is a hash, then adding :only_path => true will limit the redirect to the current host. Another option is to specify the host explicitly.
redirect_to params.merge(:only_path => true)
redirect_to params.merge(:host => 'myhost.com')If the first argument is a string, then it is possible to parse the string and extract the path:
redirect_to URI.parse(some_url).pathIf the URL does not contain a protocol (e.g., http://), then you will probably get unexpected results, as redirect_to will prepend the current host name and a protocol.
Possible unprotected redirect Open
redirect_to request.query_parameters.merge(action: :index)- Read upRead up
- Exclude checks
Unvalidated redirects and forwards are #10 on the OWASP Top Ten.
Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.
Brakeman will raise warnings whenever redirect_to appears to be used with a user-supplied value that may allow them to change the :host option.
For example,
redirect_to params.merge(:action => :home)will create a warning like
Possible unprotected redirect near line 46: redirect_to(params)This is because params could contain :host => 'evilsite.com' which would redirect away from your site and to a malicious site.
If the first argument to redirect_to is a hash, then adding :only_path => true will limit the redirect to the current host. Another option is to specify the host explicitly.
redirect_to params.merge(:only_path => true)
redirect_to params.merge(:host => 'myhost.com')If the first argument is a string, then it is possible to parse the string and extract the path:
redirect_to URI.parse(some_url).pathIf the URL does not contain a protocol (e.g., http://), then you will probably get unexpected results, as redirect_to will prepend the current host name and a protocol.
%w-literals should be delimited by [ and ]. (https://github.com/bbatsov/ruby-style-guide#percent-literal-braces) Open
has_filters %w{without_confirmed_hide all with_confirmed_hide}- Read upRead up
- Exclude checks
This cop enforces the consistent usage of %-literal delimiters.
Specify the 'default' key to set all preferred delimiters at once. You can continue to specify individual preferred delimiters to override the default.
Example:
# Style/PercentLiteralDelimiters:
# PreferredDelimiters:
# default: '[]'
# '%i': '()'
# good
%w[alpha beta] + %i(gamma delta)
# bad
%W(alpha #{beta})
# bad
%I(alpha beta)