
Brakeman - Ruby on Rails - Remote Code Execution (Security Warning) on 'RatyRate' gem controller

In my RoR application I have installed the "RatyRate" gem so that users can rate each other using a 5-star system.

However, when I installed and ran the "Brakeman" security scanner gem in the root directory of the application, I received the following warning message:

+SECURITY WARNINGS+
+------------+-----------------+--------+-----------------------+------------->>
| Confidence | Class           | Method | Warning Type          | Message     >>
+------------+-----------------+--------+-----------------------+------------->>
| High       | RaterController | create | Remote Code Execution | Unsafe reflection method constantize called with parameter value near line 5: +params[:klass].classify+.constantize.find(params:[id])>>
+------------+-----------------+--------+-----------------------+------------->>

Along with these "Medium" errors reported under View Warnings:

+------------+-----------------------------------------+-->>
| Confidence | Template    | Warning Type     | Message   >>
+------------+-----------------------------------------+-->>
| Medium     | listings/edit (ListingsController#edit) | Cross Site Scripting | Unsafe parameter value in link_to href near line 31: link_to("Delete", current_user.listings.fin>>
| Medium     | listings/show (ListingsController#show) | Cross Site Scripting | Unsafe parameter value in link_to href near line 11: link_to(current_user.listings.find_by(:id =>>
+------------+-----------------------------------------+-->>

Are these errors something I should be concerned about and fix somehow, or are they most likely false positives that can be ignored?

- My listings/edit view looks like this:

<% provide(:title, 'Edit listing') %>
<h1>Editing Listing</h1>

<div class="row">
  <div class="col-md-6 col-md-offset-3">
    <div class="center">
    <div class="panel panel-white">
      <div class="panel-heading">
        <div class="panel-title">
        </div>
      </div>
      <div class="panel-body">
        <h4>
          <%= form_for(@listing) do |f| %>
            <%= render 'shared/listing_error_messages' %>

            <%= f.label :name %>
            <%= f.text_field :name, class: "form-control" %>

            <%= f.label :description %>
            <%= f.text_area :description, class: "form-control" %>

            <%= f.label :price %>
            <%= f.text_field :price, class: "form-control" %>

            <%= f.submit "Edit listing", class: "btn btn-warning" %>
          <% end %>
          <%= link_to "Back", listings_path, class: "btn btn-link" %>
        </h4>
        <h4>
          <%= link_to "Delete", @listing, method: :delete, class: "btn btn-danger",
                                     data: { confirm: "You sure?" } %>
        </h4>
      </div>
    </div>
    </div>
  </div>
</div>

- Here is the listings/show view:

<div class="col-md-8">
  <div class="panel panel-default">
    <div class="panel-heading">
      <h3 class="panel-title"><%= @listing.name %></h3>
    </div>
    <div class="panel-body">

      <p>
        <strong>Category:</strong>
        <% if @listing.category %>
          <%= link_to @listing.category.name, @listing.category %>
        <% else %>
          none
        <% end %>
      </p>

      <p>
        <strong>Description:</strong>
        <%= @listing.description %>
      </p>

      <p>
        <strong>Price:</strong>
        <%= number_to_currency(@listing.price) %>
      </p>

      <p>
        <strong>Image:</strong>
        <%= image_tag @listing.image_url if @listing.image? %>
      </p>

    </div>
    <div class="panel-footer"><%= link_to 'Edit', edit_listing_path(@listing) %> |
      <%= link_to 'Back', listings_path %></div>
  </div>
</div>

- RaterController:

class RaterController < ApplicationController

  def create
    if user_signed_in?
      obj = params[:klass].classify.constantize.find(params[:id])
      obj.rate params[:score].to_f, current_user, params[:dimension]

      render :json => true
    else
      render :json => false
    end
  end
end

- ListingsController:

class ListingsController < ApplicationController
  before_action :logged_in_user, only: [:create, :destroy]
  before_action :correct_user,   except: [:create, :index, :new]

  def index
    @listings = Listing.all
  end

  def show
  end

  def new
    @listing = Listing.new
  end

  def edit
  end

  def create
    @listing = Listing.new(listing_params)
    @listing.user = current_user
    @listing.username = current_user.username
    if @listing.save
      redirect_to @listing
      flash[:success] = "Listing was successfully created."
    else
      render 'new'
    end
  end

  def update
    if @listing.update(listing_params)
      flash[:success] = "Listing was successfully updated."
      redirect_to @listing
    else
      render 'edit'
    end
  end

  def destroy
    @listing.destroy
    flash[:success] = "Listing deleted."
    redirect_to request.referrer || root_url
  end

  private

    def listing_params
      params.require(:listing).permit(:name, :description, :price, :image, :category_id)
    end

    def correct_user
      @listing = current_user.listings.find_by(id: params[:id])
      redirect_to root_url if @listing.nil?
    end
end

Yes! Do not do this:

obj = params[:klass].classify.constantize.find(params[:id])

This way any user can send a URL parameter and run .find(id) on a class with that name. That means they can fetch data from any model!

The other two errors are probably false positives. For more information, see this GitHub issue: https://github.com/presidentbeef/brakeman/issues/311
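A hardened version of the lookup in the create action, added here as an example (it is not code from the question, the answer, or the RatyRate gem): the params[:klass] value is resolved through a fixed allowlist instead of being passed to constantize, so only models the app intends to be rateable can ever be reached. Listing and User stand in for the app's models; ApiCredential, RateableLookup and the in-memory find stubs are constructed for this example so it runs outside Rails.

```ruby
# Constructed stand-ins for the app's ActiveRecord models so this runs outside Rails.
# Each keeps a small in-memory table and exposes find/1 like ActiveRecord does.
class Listing
  RECORDS = { 1 => "Vintage bike", 2 => "Old laptop" }.freeze
  def self.find(id)
    RECORDS.fetch(Integer(id)) { raise KeyError, "Listing #{id} not found" }
  end
end

class User
  RECORDS = { 7 => "alice" }.freeze
  def self.find(id)
    RECORDS.fetch(Integer(id)) { raise KeyError, "User #{id} not found" }
  end
end

# A constructed model that must NOT be rateable; with constantize on user input
# a request for klass=api_credential would reach it.
class ApiCredential
  def self.find(_id)
    raise "ApiCredential must never be reachable through the rating endpoint"
  end
end

module RateableLookup
  # Fixed allowlist: only these param values map to a class. Any other value,
  # including the name of a real but unintended class, is rejected.
  RATEABLE = {
    "listing" => Listing,
    "user"    => User,
  }.freeze

  # Returns the allowlisted class for a params[:klass] value, or nil.
  # Lookup is by exact string key, so no reflection happens on user input.
  def self.rateable_class(klass_param)
    RATEABLE[klass_param.to_s.downcase]
  end

  # Mirrors the controller flow: resolve the class, then load the record.
  # Returns [:ok, record] or [:rejected, reason] so the caller can render
  # json false (or 404) instead of leaking an exception.
  def self.find_rateable(klass_param, id_param)
    klass = rateable_class(klass_param)
    return [:rejected, "klass not rateable: #{klass_param.inspect}"] unless klass
    [:ok, klass.find(id_param)]
  rescue KeyError, ArgumentError => e
    [:rejected, e.message]
  end
end
```

In the real controller, `obj = params[:klass].classify.constantize.find(params[:id])` would become a call to `RateableLookup.find_rateable(params[:klass], params[:id])`, rendering `json: false` on `:rejected`.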
