
Dynamic Render Path false positive

Open · grantbdev opened this issue 5 years ago · 1 comment

Background

Brakeman version: 4.7.0
Rails version: 5.2.3
Ruby version: 2.5.3

False Positive

Full warning from Brakeman:

Confidence: Weak
Category: Dynamic Render Path
Check: Render
Message: Render path contains parameter value
Code: render(action => user_path(User.find(params[:id])), { :method => "patch" })

Relevant code:

<%= render "form",
  action: user_path(User.find(params[:id])),
  method: "patch"
%>

Using action as a keyword for one of the locals in the partial to be rendered appears to be making Brakeman think that the value of action is the thing being rendered. So when the value of the action local contains a parameter value I think that triggers a false positive, without realizing that the first argument is a static string for the partial name. If I rename the local from action to something else like form_action, Brakeman doesn't give a warning.

grantbdev · Oct 18 '19 21:10
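An added illustration of the point the issue makes (this is not Brakeman's code, nor code from the reporter): in Rails' view `render`, a leading String or Symbol names the partial and any hash after it is the locals hash, so `action:` there is just a local; only when the first argument is a Hash do keys like `:action` or `:partial` select what gets rendered. The toy `render_target` below models that rule, `dynamic_render_path?` flags a call only when the selected target embeds request input, and `naive_dynamic_render_path?` models the behaviour described in the issue, where any options hash overrides what the positional argument already said. `Tainted` and `TARGET_KEYS` are assumptions of this model, not Brakeman identifiers.

```ruby
# Added toy model of which render argument selects the rendered template.
# Not Brakeman's implementation; names below are assumptions for illustration.

# Tainted stands in for an expression that embeds request input, e.g. the
# user_path(User.find(params[:id])) from the issue.
Tainted = Struct.new(:expr)

# Options-hash keys whose value names the thing to render (assumed set).
TARGET_KEYS = %i[partial template action file].freeze

# Rails semantics: render "name", locals_hash  -> "name" is the partial,
# the hash is locals; render(options_hash)     -> a TARGET_KEYS entry picks
# the template. A local that happens to be called :action is still a local.
def render_target(*args)
  first, second = args
  case first
  when String, Symbol
    { target: first.to_s, locals: second || {} }
  when Hash
    key = TARGET_KEYS.find { |k| first.key?(k) }
    { target: first[key], locals: first[:locals] || {} }
  else
    raise ArgumentError, "unsupported render call shape"
  end
end

# Correct check: only the selected target matters.
def dynamic_render_path?(*args)
  render_target(*args)[:target].is_a?(Tainted)
end

# The behaviour the issue describes: if any hash is present it overrides the
# inference from the positional partial name, so a local named :action that
# carries request input is reported as a dynamic render path.
def naive_dynamic_render_path?(*args)
  opts = args.find { |a| a.is_a?(Hash) }
  return args.first.is_a?(Tainted) unless opts

  key = TARGET_KEYS.find { |k| opts.key?(k) }
  key ? opts[key].is_a?(Tainted) : false
end

# The call from the issue, as this model sees it: static partial "form",
# :action is a local whose value embeds params[:id].
ISSUE_CALL = [
  "form",
  { action: Tainted.new("user_path(User.find(params[:id]))"), method: "patch" }
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "correct check flags issue call: #{dynamic_render_path?(*ISSUE_CALL)}"
  puts "naive check flags issue call:   #{naive_dynamic_render_path?(*ISSUE_CALL)}"
  puts "hash-first render with tainted :action: " \
       "#{dynamic_render_path?(action: Tainted.new('params[:page]'))}"
end
```

Renaming the local to `form_action`, as the reporter did, makes both checks agree because the key is no longer one that can name a render target; the genuinely risky shape is a hash-first call whose `:action`/`:partial`/`:template` value comes from request input, which the correct check still reports.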

Hm, yes it looks like right now if there is a hash passed in it will override any inferred information about the render call.

presidentbeef · Oct 22 '19 17:10