Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Passing query parameters to render() and template_exists? #1124

Closed
paranoicsan opened this issue Nov 28, 2017 · 4 comments · Fixed by #1170
Closed

Passing query parameters to render() and template_exists? #1124

paranoicsan opened this issue Nov 28, 2017 · 4 comments · Fixed by #1170
Labels
false positive

Comments

@paranoicsan
Copy link

Background

Brakeman version: 4.0.1
Rails version: 4.2.4
Ruby version: 2.3.3

Issue

Passing query parameters to render() is vulnerable in Rails 4.2.4 (CVE-2016-0752)

Relevant code:

def show_slug
  slug = params[:slug].to_s
  render slug if template_exists?(slug, 'pages')
end

Is there any possibility to handle Passing query parameters... with template_exists? method? Or should I mark show_slug method as safe?
@presidentbeef
Copy link
Owner

Hi Alexander,

I suppose this could be fixed, but... Rails 4.2.4 has a bunch of known vulnerabilities. Maybe it would be a good idea to upgrade?

@paranoicsan
Copy link
Author

Hi Justin,

Thanks for respond to my issue. I've got Rails upgrade on my plan 😄
So I think I'll solve the problem using upgrade if it's difficult to fix it on the project side.

@paranoicsan
Copy link
Author

After upgrading Rails to 4.2.7.1 warning message changed to Render path contains parameter value but it's still there 😞 So the only way I think is to add it to ignore list.

presidentbeef added a commit that referenced this issue Mar 22, 2018
@presidentbeef
Respect template_exists? in controllers
62ba5e2 
fixes #1124
@presidentbeef presidentbeef mentioned this issue Mar 22, 2018
Merged
This was referenced Mar 24, 2018
Open
Merged
@paranoicsan paranoicsan mentioned this issue Apr 2, 2018
Closed
@paranoicsan
Copy link
Author

@presidentbeef Justin, thanks for dealing with that! 👍

Repository owner locked and limited conversation to collaborators May 9, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
false positive
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Respect template_exists? in controllers presidentbeef/brakeman
2 participants
@presidentbeef @paranoicsan