labml icon indicating copy to clipboard operation
labml copied to clipboard
verified publisher icon labmlai

False Positive: Dynamic render path is not taking into account allow-listed values

Open agrobbin opened this issue 5 years ago • 3 comments

Hi Brakeman folks! Love the library, but ran into a situation where Brakeman is reporting a warning that I think might be a false positive.

Background

Brakeman version: 5.0.0 Rails version: 6.0.3.5 Ruby version: 2.7.2

Link to Rails application code: Closed source, but reproduced below

False Positive

Full warning from Brakeman:

Confidence: Medium
Category: Dynamic Render Path
Check: Render
Message: Render path contains parameter value
Code: render(action => "admin/fields/#{(params[:field].presence_in(["foo"]) or raise(ActionController::BadRequest))}", {})
File: app/views/admin/fields/show.html.haml
Line: 1

Relevant code:

# controller
@field = params[:field].presence_in(%w[foo]) || raise(ActionController::BadRequest)

# template
= render "admin2/fields/#{@field}"

Why might this be a false positive?

Since we're allow-listing the fields coming in from query parameters via Object#presence_in, I don't believe this should trigger a warning.

agrobbin avatar Feb 16 '21 15:02 agrobbin

Whoops, I screwed up when simplifying the test case, I've updated the relevant code!

agrobbin avatar Feb 16 '21 15:02 agrobbin

Agree, and I think this is totally fixable. Thank you for reporting!

presidentbeef avatar Feb 17 '21 22:02 presidentbeef

That's great @presidentbeef! I'm afraid I might be in over my head with trying to write a PR for this, but if you have any tips, I can give it a whirl.

agrobbin avatar Feb 18 '21 00:02 agrobbin

We are also regularly seeing false positives here.

fschwahn avatar Nov 29 '22 17:11 fschwahn