`Passing query parameters to render()` and `template_exists?` #1124

Closed
paranoicsan opened this Issue Nov 28, 2017 · 4 comments


paranoicsan commented Nov 28, 2017

Background

Brakeman version: 4.0.1
Rails version: 4.2.4
Ruby version: 2.3.3

Issue

Passing query parameters to render() is vulnerable in Rails 4.2.4 (CVE-2016-0752)

Relevant code:

```ruby
def show_slug
  slug = params[:slug].to_s
  # The user-supplied slug is passed straight to render; Brakeman flags this
  # as "Passing query parameters to render()".
  render slug if template_exists?(slug, 'pages')
end
```

Is there any possibility to handle the "Passing query parameters..." warning with the template_exists? method? Or should I mark the show_slug method as safe?
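A hardened version of this lookup, as an added example written for this page rather than code taken from the issue or from Brakeman: plain Ruby standing in for the controller (no Rails), with a constructed pages/ fixture. The module, method and fixture names are assumptions; the point is that the slug is validated before it becomes a path, and the resolved file must still exist inside the pages directory.

```ruby
require "tmpdir"
require "fileutils"

module SafePageRenderer
  # Slugs are short, lowercase and contain no path characters at all,
  # so "../", absolute paths and NUL bytes are rejected up front.
  SLUG_FORMAT = /\A[a-z0-9][a-z0-9_-]{0,63}\z/

  # Maps a user-supplied slug to a template name ("pages/about") or nil (404).
  # Unlike `render slug if template_exists?(slug, 'pages')`, the slug never
  # reaches the template resolver unvalidated, and the resolved file must sit
  # inside pages_dir (defence in depth) and actually exist there.
  def self.template_for(slug, pages_dir)
    slug = slug.to_s
    return nil unless slug.match?(SLUG_FORMAT)
    base = File.expand_path(pages_dir)
    candidate = File.expand_path("#{slug}.html.erb", base)
    return nil unless candidate.start_with?(base + File::SEPARATOR)
    return nil unless File.file?(candidate)
    "pages/#{slug}"
  end

  # Constructed fixture: a pages/ directory holding one "about" template,
  # exercised with benign and hostile slugs. Returns {slug => result}.
  def self.demo
    Dir.mktmpdir do |root|
      pages = File.join(root, "pages")
      FileUtils.mkdir_p(pages)
      File.write(File.join(pages, "about.html.erb"), "<h1>About</h1>")
      ["about", "missing", "../../config/database", "about.html.erb", "/etc/passwd"].to_h do |s|
        [s, template_for(s, pages)]
      end
    end
  end
end

puts SafePageRenderer.demo.inspect if $PROGRAM_NAME == __FILE__
```

Only "about" resolves; every other input, including a slug that exists on disk but carries an extension, is refused before render is reached.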

presidentbeef (Owner) commented Dec 6, 2017

Hi Alexander,

I suppose this could be fixed, but... Rails 4.2.4 has a bunch of known vulnerabilities. Maybe it would be a good idea to upgrade?

paranoicsan commented Dec 6, 2017

Hi Justin,

Thanks for responding to my issue. I've got a Rails upgrade in my plan 😄
So I think I'll solve the problem by upgrading if it's difficult to fix on the project side.

paranoicsan commented Dec 14, 2017

After upgrading Rails to 4.2.7.1 the warning message changed to "Render path contains parameter value", but it's still there 😞 So the only way, I think, is to add it to the ignore list.

paranoicsan commented Apr 3, 2018

@presidentbeef Justin, thanks for dealing with that! 👍

Repository owner locked and limited conversation to collaborators May 9, 2018
