Associations not considered as AR objects
Background
Brakeman version: 4.3.1
Rails version: 5.2.0
Ruby version: 2.5.1
<%= @project.repositories.first.name.html_safe %>
Issue
Should have alerted of XSS.
/cc @smo921
This really depends on what @project is and if Brakeman thinks it's a database model.

To reproduce or fix this issue, I'd need to know how the template is being rendered and what Brakeman thinks the output is. Can you run with --debug and check the template output? See if it's being rendered and what the value is?
under projects/show I can see:
[Escaped Output] @project.repositories.first.name.html_safe
so I doubt it did anything smart 🤷♂️
Right, so the next question is "why not?" Where is the @project value set?
ah ... it works when it's directly in the controller but not when it's in the parent
it would be interesting to say "you have to whitelist unknown instance vars or they are considered models" so I would have been notified that the class of @project is unknown
ah ... it works when it's directly in the controller but not when it's in the parent
I'm not sure what this means? If the variable is set in a before_action it should be picked up. Otherwise if it's in a helper method, it won't. Or are you calling super in a controller action?
action is in the parent controller and not in the child controller
On Fri, Aug 24, 2018 at 2:31 PM Justin wrote:

> ah ... it works when it's directly in the controller but not when it's in the parent

> I'm not sure what this means? If the variable is set in a before_action it should be picked up. Otherwise if it's in a helper method, it won't. Or are you calling super in a controller action?
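The arrangement the thread describes, as an added Ruby example that is not part of the issue or of Brakeman: a Rails-free stand-in (constructed `SafeString`/`html_safe`, `Struct` models, ERB) showing that `html_safe` on an association attribute emits attacker-controlled markup unescaped while the plain form is escaped, and that the `show` action the child controller runs is owned by the parent class, which is the case Brakeman did not follow.

```ruby
require "erb"

# Constructed stand-ins for the ActiveRecord models. A repository name is
# user-supplied data, so this sample carries a script tag.
Repository = Struct.new(:name)
Project    = Struct.new(:repositories)

# Minimal stand-in for Rails' SafeBuffer: a value marked html_safe is
# emitted by <%= %> without escaping. This is what String#html_safe does.
class SafeString < String
  def html_safe?; true; end
end
class String
  def html_safe; SafeString.new(self); end
  def html_safe?; false; end
end

# Rails-style <%= %>: escape unless the value has been marked html_safe.
def output(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# The parent controller owns the action that assigns @project; the child
# controller inherits it, exactly the layout the issue reports.
class ParentController
  def show
    @project = Project.new([Repository.new("<script>alert(1)</script>")])
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end
class ChildController < ParentController; end

# The template from the report, and the fixed form without html_safe.
VULNERABLE_TEMPLATE = "<%= output(@project.repositories.first.name.html_safe) %>"
FIXED_TEMPLATE      = "<%= output(@project.repositories.first.name) %>"

def render_show(template)
  controller = ChildController.new
  controller.show
  controller.render(template)
end

# Where ChildController#show is actually defined: the parent class.
def action_owner
  ChildController.instance_method(:show).owner
end
```

A checker that only reads the child controller's own body never sees the `@project` assignment, which is why resolving `action_owner` up the inheritance chain matters for this finding.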