`Passing query parameters to render()` and `template_exists?` #1124

paranoicsan opened this Issue Nov 28, 2017 · 4 comments

2 participants

paranoicsan commented Nov 28, 2017


Brakeman version: 4.0.1
Rails version: 4.2.4
Ruby version: 2.3.3


Passing query parameters to render() is vulnerable in Rails 4.2.4 (CVE-2016-0752)

Relevant code:

def show_slug
  slug = params[:slug].to_s
  # Brakeman flags this render: the template name comes straight from params
  render slug if template_exists?(slug, 'pages')
end

Is there any possibility to handle Passing query parameters... with template_exists? method? Or should I mark show_slug method as safe?
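One way to address the warning on the project side, as an added example that is not Brakeman's code and not the reporter's: instead of handing the request parameter to render (guarded only by template_exists?), check the slug against a strict character pattern and against an allowlist built from the files actually present under a fixed pages/ directory, and build the template name from the allowlist entry rather than from params. The module name, the `pages/*.html.erb` layout and the temporary view tree below are assumptions made for this example; it is plain Ruby so it runs without Rails.

```ruby
require 'tmpdir'
require 'fileutils'

# Hypothetical helper (not part of Rails or Brakeman) that maps a user-supplied
# slug to a template name only when the slug is well-formed and names a file
# that really exists under <views_root>/pages/. Anything else resolves to nil.
module SlugPages
  # Only lowercase letters, digits, "_" and "-": no "/", no "..", no extension,
  # so the lookup can never leave the pages/ directory.
  SLUG_PATTERN = /\A[a-z0-9_-]+\z/

  # Allowlist derived from the view directory listing, not from the request.
  def self.allowed_slugs(views_root)
    Dir.glob(File.join(views_root, 'pages', '*.html.erb')).map do |path|
      File.basename(path, '.html.erb')
    end.sort
  end

  # Returns "pages/<slug>" built from the allowlist entry, or nil if rejected.
  def self.resolve(slug, views_root)
    candidate = slug.to_s
    return nil unless candidate.match(SLUG_PATTERN)

    # Pick the matching entry out of the allowlist so the value used for the
    # template name originates from the filesystem listing, not from params.
    found = allowed_slugs(views_root).find { |s| s == candidate }
    found && "pages/#{found}"
  end
end

# Constructed view tree for the example: two real pages plus a file outside
# pages/ that a traversal attempt would otherwise reach.
def demo_views_root
  root = Dir.mktmpdir('views')
  FileUtils.mkdir_p(File.join(root, 'pages'))
  %w[about contact].each do |s|
    File.write(File.join(root, 'pages', "#{s}.html.erb"), "<h1>#{s}</h1>")
  end
  File.write(File.join(root, 'secret.html.erb'), 'not a page')
  root
end

if __FILE__ == $PROGRAM_NAME
  root = demo_views_root
  ['about', '../secret', '/etc/passwd', 'about.html.erb', 'missing', nil].each do |slug|
    puts "#{slug.inspect} => #{SlugPages.resolve(slug, root).inspect}"
  end
end
```

In a controller this would be `name = SlugPages.resolve(params[:slug], Rails.root.join('app', 'views'))` followed by `render template: name` when it is non-nil and a 404 otherwise; the allowlist can be computed once at boot rather than per request.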




presidentbeef commented Dec 6, 2017

Hi Alexander,

I suppose this could be fixed, but... Rails 4.2.4 has a bunch of known vulnerabilities. Maybe it would be a good idea to upgrade?



paranoicsan commented Dec 6, 2017

Hi Justin,

Thanks for responding to my issue. I've got a Rails upgrade in my plan 😄
So I think I'll solve the problem using upgrade if it's difficult to fix it on the project side.



paranoicsan commented Dec 14, 2017

After upgrading Rails, the warning message changed to "Render path contains parameter value", but it's still there 😞 So the only way, I think, is to add it to the ignore list.



paranoicsan commented Apr 3, 2018

@presidentbeef Justin, thanks for dealing with that! 👍

Repository owner locked and limited conversation to collaborators May 9, 2018
