I don't understand why this is an XSS warning in Rails 4: Unsafe model attribute in link_to href
I have a show view with this code:
%ul.pager
  %li.pull-left{ class: ('disabled' if collection_of_all_topics.index(@topic).zero?) }
    = link_to t('.previous_topic_html'), previous_topic(collection_of_all_topics, @topic)
  -# disabled on the last topic, not the first (the original copy of the .zero? test was a copy-paste slip)
  %li.pull-right{ class: ('disabled' unless next_topic?(collection_of_all_topics, @topic)) }
    = link_to t('.next_topic_html'), next_topic(collection_of_all_topics, @topic)
When I try to execute a brakeman -q command I receive these two warnings:
| Medium | topics/show (TopicsController#show) | Cross Site Scripting | Unsafe model attribute in link_to href near line 29: link_to(t(".previous_topic_html"), previous_topi>>
| Medium | topics/show (TopicsController#show) | Cross Site Scripting | Unsafe model attribute in link_to href near line 31: link_to(t(".next_topic_html"), next_topic(+Topic>>
For the path parameter of the link_to method I have a set of logic, located in my topic_helper.rb file, that calculates the next and previous topic:
module TopicsHelper
  # True unless +topic+ is the last element of the ordered collection.
  def next_topic?(collection_of_all_topics, topic)
    !(topic == collection_of_all_topics.last)
  end

  # True unless +topic+ is the first element of the ordered collection.
  def previous_topic?(collection_of_all_topics, topic)
    !(topic == collection_of_all_topics.first)
  end

  # Path to the topic after +topic+, or '' when there is none.
  def next_topic(collection_of_all_topics, topic)
    return '' unless next_topic?(collection_of_all_topics, topic)

    topic_path(collection_of_all_topics[collection_of_all_topics.index(topic) + 1])
  end

  # Path to the topic before +topic+, or '' when there is none
  # (without the guard, index - 1 becomes -1 and wraps around to the last topic).
  def previous_topic(collection_of_all_topics, topic)
    return '' unless previous_topic?(collection_of_all_topics, topic)

    topic_path(collection_of_all_topics[collection_of_all_topics.index(topic) - 1])
  end
end
I've done some reading on the XSS part of the security section in the Rails guides, but I still don't understand what the problem is here, or, more importantly, how to fix it. I've tried these methods to fix the error:
= h(link_to t('.previous_topic_html'), previous_topic(collection_of_all_topics, @topic))
= sanitize(link_to t('.previous_topic_html'), previous_topic(collection_of_all_topics, @topic))
= link_to t('.previous_topic_html'), sanitize(previous_topic(collection_of_all_topics, @topic))
= link_to t('.previous_topic_html'), h(previous_topic(collection_of_all_topics, @topic))
These implementations still result in the warning. Why is this a warning, and how do I fix it?
Brakeman is complaining because you are accessing attributes of @topic in the view. The TopicsHelper might be triggering it? Check out their explanation here. IMO, Brakeman is a bit too sensitive on this issue. If you're really concerned, sanitize should do the trick. The danger here is that an end user could manipulate the @topic id in the link and access other Topics. Is that an issue for you?
See this issue on Brakeman's GitHub issues.
See also this issue.
TL;DR: this is PROBABLY a false positive and should be ignored.
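To make the warning concrete, here is an added example (not code from the question, the answer, Rails or Brakeman) of the bug class Brakeman's "Unsafe model attribute in link_to href" check is looking for, and why a route helper fed with a model is not exposed to it. It uses only the Ruby standard library: `Topic` is a constructed stand-in for the model, `naive_link_to` and `topic_path` are deliberately simplified imitations of the Rails helpers (escaping with ERB::Util rather than Rails' own code), and `safe_href` is an assumed hardening helper for the case where an href really does come from a model attribute.

```ruby
require 'erb'
require 'uri'

# Constructed stand-in for an ActiveRecord Topic. `url` plays the role of a
# user-editable attribute that might end up in an href.
Topic = Struct.new(:id, :title, :url) do
  # Rails route helpers call to_param on a model to build the path segment.
  def to_param
    id.to_s
  end
end

# Simplified imitation of Rails' link_to: the href is HTML-escaped, which
# neutralises quotes and angle brackets, but the URL scheme is never checked.
def naive_link_to(text, href)
  %(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(text)}</a>)
end

# Simplified imitation of the topic_path route helper: the only model-derived
# piece is the percent-encoded to_param, so no scheme can be smuggled in.
def topic_path(topic)
  "/topics/#{ERB::Util.url_encode(topic.to_param)}"
end

# Assumed hardening helper (not from the post or Brakeman): allow only
# same-site paths and absolute http(s) URLs; anything else becomes +fallback+.
def safe_href(candidate, fallback: '#')
  str = candidate.to_s
  uri = URI.parse(str)
  if uri.scheme.nil?
    # a relative path, but not a protocol-relative //host URL
    return str if str.start_with?('/') && !str.start_with?('//')
  elsif %w[http https].include?(uri.scheme)
    return str
  end
  fallback
rescue URI::InvalidURIError
  fallback
end

# The pattern from the question: the href comes from a route helper fed with
# a model, so a hostile attribute on the record never reaches the href.
def next_topic_link(topics, current)
  index = topics.index(current)
  return '' if index.nil? || index == topics.size - 1

  naive_link_to('Next', topic_path(topics[index + 1]))
end

# Constructed sample data: the second topic carries a javascript: URL.
TOPICS = [
  Topic.new(1, 'Intro', 'https://example.com/intro'),
  Topic.new(2, 'Evil', 'javascript:alert(document.cookie)')
].freeze

if $PROGRAM_NAME == __FILE__
  puts naive_link_to('Next', TOPICS[1].url)            # scheme survives HTML escaping
  puts naive_link_to('Next', safe_href(TOPICS[1].url)) # neutralised to "#"
  puts next_topic_link(TOPICS, TOPICS[0])              # href is /topics/2
end
```

The first line printed shows the actual XSS: HTML escaping cannot remove a `javascript:` scheme, so `link_to text, topic.url` is exploitable when `url` is attacker-controlled. The third line shows the shape used in the question: `topic_path(model)` only ever interpolates `to_param` into a fixed route, which is why the warning is a false positive there. Whitelisting schemes, as `safe_href` does, is the fix when a raw attribute must be used; `h` and `sanitize` do not help, since they escape markup rather than validate URLs.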
Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost them, credit this site's URL or the original address. For any questions contact yoyou2525@163.com.