Possible unprotected redirect Open
format.html { redirect_to @pinboard_item, notice: 'Pinboard items was successfully updated.' }
- Read upRead up
- Exclude checks
Unvalidated redirects and forwards are #10 on the OWASP Top Ten.
Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.
Brakeman will raise warnings whenever redirect_to
appears to be used with a user-supplied value that may allow them to change the :host
option.
For example,
redirect_to params.merge(:action => :home)
will create a warning like
Possible unprotected redirect near line 46: redirect_to(params)
This is because params
could contain :host => 'evilsite.com'
which would redirect away from your site and to a malicious site.
If the first argument to redirect_to
is a hash, then adding :only_path => true
will limit the redirect to the current host. Another option is to specify the host explicitly.
redirect_to params.merge(:only_path => true)
redirect_to params.merge(:host => 'myhost.com')
If the first argument is a string, then it is possible to parse the string and extract the path:
redirect_to URI.parse(some_url).path
If the URL does not contain a protocol (e.g., http://
), then you will probably get unexpected results, as redirect_to
will prepend the current host name and a protocol.
Use destroy!
instead of destroy
if the return value is not checked. Open
@pinboard_item.destroy
- Read upRead up
- Exclude checks
This cop identifies possible cases where Active Record save! or related should be used instead of save because the model might have failed to save and an exception is better than unhandled failure.
This will allow:
- update or save calls, assigned to a variable,
or used as a condition in an if/unless/case statement.
- create calls, assigned to a variable that then has a
call to persisted?
.
- calls if the result is explicitly returned from methods and blocks,
or provided as arguments.
- calls whose signature doesn't look like an ActiveRecord
persistence method.
By default it will also allow implicit returns from methods and blocks.
that behavior can be turned off with AllowImplicitReturn: false
.
You can permit receivers that are giving false positives with
AllowedReceivers: []
Example:
# bad
user.save
user.update(name: 'Joe')
user.find_or_create_by(name: 'Joe')
user.destroy
# good
unless user.save
# ...
end
user.save!
user.update!(name: 'Joe')
user.find_or_create_by!(name: 'Joe')
user.destroy!
user = User.find_or_create_by(name: 'Joe')
unless user.persisted?
# ...
end
def save_user
return user.save
end
Example: AllowImplicitReturn: true (default)
# good
users.each { |u| u.save }
def save_user
user.save
end
Example: AllowImplicitReturn: false
# bad
users.each { |u| u.save }
def save_user
user.save
end
# good
users.each { |u| u.save! }
def save_user
user.save!
end
def save_user
return user.save
end
Example: AllowedReceivers: ['merchant.customers', 'Service::Mailer']
# bad
merchant.create
customers.builder.save
Mailer.create
module Service::Mailer
self.create
end
# good
merchant.customers.create
MerchantService.merchant.customers.destroy
Service::Mailer.update(message: 'Message')
::Service::Mailer.update
Services::Service::Mailer.update(message: 'Message')
Service::Mailer::update