False positive for "Possible unprotected redirect" #1117
Our rails app initializes sessions via backend and stores the session token in the database. This session token is then used by the client to initiate the frontend by calling
We are using something like this to look up whether we have a session with this token:
brakeman reports this:
This seems to be a false positive. The parameter is checked by querying the database to find an object with that session token. The tokens are randomly generated strings with high entropy. I would not expect brakeman to report this, as the indirect lookup via DB is performed.
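Brakeman's "Possible unprotected redirect" check fires whenever the target of a redirect traces back to request parameters, which is why the pattern reads differently depending on whether the parameter is the redirect target itself or only a lookup key. The plain-Ruby sketch below is an added illustration, not the reporter's application code and not Brakeman's: the weak shape is shown beside two hardened shapes, with a constructed in-memory hash standing in for the session table (the token strings and `landing_path` field are made up for the example). It runs without Rails.

```ruby
require "uri"

# Constructed in-memory stand-in for the session records the issue describes
# (token => record). Tokens and paths here are sample values, not real ones.
SESSION_RECORDS = {
  "tok_a1b2c3" => { id: 1, landing_path: "/dashboard" },
  "tok_d4e5f6" => { id: 2, landing_path: "/settings" },
}.freeze

# The shape Brakeman warns about: the redirect target is the request parameter
# itself, so whatever value arrives becomes the Location header.
def redirect_target_unprotected(params)
  params["return_to"]
end

# Hardened shape 1 (the pattern described in the report): the parameter is used
# only as a lookup key. The redirect target comes from the record that was
# found, never from the parameter. An unknown token falls back to the root.
def redirect_target_via_lookup(params)
  record = SESSION_RECORDS[params["session_token"]]
  record ? record[:landing_path] : "/"
end

# Hardened shape 2: when the target genuinely has to come from the request,
# accept only an absolute path on this application. Anything with a scheme,
# host or userinfo (including the protocol-relative "//host/x" form) and
# anything that does not parse as a URI is replaced by the fallback.
def safe_local_path(candidate, fallback: "/")
  return fallback if candidate.nil? || candidate.strip.empty?

  begin
    uri = URI.parse(candidate)
  rescue URI::InvalidURIError
    return fallback
  end

  return fallback if uri.scheme || uri.host || uri.userinfo

  path = uri.path.to_s
  return fallback unless path.start_with?("/") && !path.start_with?("//")

  query = uri.query ? "?#{uri.query}" : ""
  path + query
end

if __FILE__ == $PROGRAM_NAME
  puts redirect_target_unprotected("return_to" => "https://evil.example/")   # passed straight through
  puts redirect_target_via_lookup("session_token" => "tok_a1b2c3")          # /dashboard
  puts redirect_target_via_lookup("session_token" => "https://evil.example") # /
  puts safe_local_path("//evil.example/x")                                   # /
  puts safe_local_path("/dashboard?tab=2")                                   # /dashboard?tab=2
end
```

In a Rails controller the second shape corresponds to redirecting to a route built from the looked-up record (for example a path helper taking the record) rather than to `params[...]`, which is the distinction the static analysis is trying to draw; when the lookup is hidden behind a custom helper the scanner cannot see that, and the warning has to be reviewed and marked as a false positive by hand.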
I believe I am getting a false positive too. Here is the warning I'm getting:
If this isn't a false positive and there is something I am doing wrong, please let me know.