警告跨脚本错误不安全参数值的Brakeman出口

Question

我正在使用CircleCI检查安全性问题，这是一个错误，尽管我不确定它是否错误。

这是导致脚本错误之一的代码行：

= link_to t(:delete), main_app.board_comment_path(@board, comment), method: :delete

这是有效的安全问题吗？我有没有办法让制动器人接受这些参数是安全的？我在--url-safe-methods上读过书，但我想不出有什么办法能让它运转起来。

使用此链接作为指南https://github.com/presidentbeef/brakeman/pull/45

运行bundle exec brakeman -A -q --exit-on-warn，这是错误报告：

+BRAKEMAN REPORT+

Application path: ****
Rails version: 4.2.2
Brakeman version: 3.0.4
Started at 2015-06-26 14:10:14 -0700
Duration: 1.8311 seconds
Checks run: BasicAuth, ContentTag, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NumberToCurrency, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, StripTags, SymbolDoS, SymbolDoSCVE, TranslateBug, UnsafeReflection, UnscopedFind, ValidationRegex, WithoutProtection, XMLDoS, YAMLParsing


+SUMMARY+

+-------------------+-------+
| Scanned/Reported  | Total |
+-------------------+-------+
| Controllers       | 23    |
| Models            | 9     |
| Templates         | 53    |
| Errors            | 0     |
| Security Warnings | 2 (0) |
+-------------------+-------+

+----------------------+-------+
| Warning Type         | Total |
+----------------------+-------+
| Cross Site Scripting | 2     |
+----------------------+-------+


View Warnings:

+------------+------------------------------------------------------------------+----------------------+-------------------->>
| Confidence | Template                                                         | Warning Type         | Message            >>
+------------+------------------------------------------------------------------+----------------------+-------------------->>
| Medium     | boards/show (BoardsController#show) | Cross Site Scripting | Unsafe parameter va>>
| Medium     | boards/show (BoardsController#show) | Cross Site Scripting | Unsafe parameter va>>
+------------+------------------------------------------------------------------+----------------------+-------------------->>

Answer 1

假设board_comment_path返回路径，这(几乎可以肯定)是假阳性。

Brakeman警告link_to中URL的原因是因为可以设置像javascript:dangerous_stuff_here()这样的URL。一个常见的例子是链接到用户网站的用户配置文件。

--url-safe-methods只适用于将输入包装到link_to的方法。例如，link_to 'stuff', safe_url(some_input)。

但是，在https://github.com/presidentbeef/brakeman/pull/674之后，Brakeman将停止警告URL中的路径帮助程序，并展开--safe-methods/--url-safe-methods以匹配所有类型的方法。