Negating a parameter still triggers 'Unescaped parameter value' #1343

Closed
mikecmpbll opened this issue Apr 8, 2019 · 2 comments

@mikecmpbll

commented Apr 8, 2019

Background

Brakeman version: 4.5.0
Rails version: 5.1.6.2
Ruby version: 2.6.2p47

Link to Rails application code:

False Positive

Full warning from Brakeman:

Confidence: Weak
Category: Cross-Site Scripting
Check: CrossSiteScripting
Message: Unescaped parameter value
Code: [ManualCSVImport.new(:header_row => ((not (not params[:header_row]))), :archive => ((not (not params[:archive])))).results[:invalid_info], ManualCSVImport.new(:header_row => ((not (not params[:header_row]))), :archive => ((not (not params[:archive])))).results[:ignored_info]].flatten.join("<br/>")
File: app/views/student_imports/new.html.erb
Line: 5

Relevant code:

si = ManualCSVImport.new(header_row: !!params[:header_row], archive: !!params[:archive])
@errors = [si.results[:invalid_info], si.results[:ignored_info]].flatten
<%= @errors.join("<br/>").html_safe %>

By negating it we're ensuring it must be either true or false, so it shouldn't trigger the unescaped parameter value check. If I change the code to params[:header_row] ? true : false it passes.
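As an added illustration (not Brakeman's own code), here is a toy taint walk in Ruby over a Sexp-like nested array shaped like the expression printed in the warning above: a naive "mentions params anywhere" rule flags both the !! form and the ternary, while a rule that treats a negation as boolean-valued, and a ternary as tainted only through its branches, clears both and still flags a raw params[:x]. The node shapes and function names are assumptions for this example.

```ruby
# Toy taint walk, modelled on the shape of the expression in the warning:
#   (not (not params[:header_row]))
# Constructed illustration only; this is not how Brakeman is implemented.
#
# Node shapes used here (assumed):
#   [:params, key]             -> params[key], user-controlled input
#   [:not, expr]               -> !expr, always true or false
#   [:if, cond, then, else]    -> cond ? then : else
#   [:call, recv, name, *args] -> method call
#   [:const, name], [:lit, v]  -> constant reference, literal value

# Naive rule: any expression that mentions params anywhere is user input.
def naive_user_input?(node)
  return false unless node.is_a?(Array)
  return true if node.first == :params
  node.drop(1).any? { |child| naive_user_input?(child) }
end

# Refined rule: a value that can only be true/false cannot carry attacker
# text, so a negation cuts the taint chain. In a ternary the condition only
# selects a branch, so taint flows from the branches, not from the condition.
def user_input?(node)
  return false unless node.is_a?(Array)
  case node.first
  when :params then true
  when :not    then false
  when :if     then user_input?(node[2]) || user_input?(node[3])
  else node.drop(1).any? { |child| user_input?(child) }
  end
end

# The three argument forms discussed in the issue (constructed nodes).
DOUBLE_NEG = [:call, [:const, :ManualCSVImport], :new,
              [:not, [:not, [:params, :header_row]]],
              [:not, [:not, [:params, :archive]]]]
TERNARY    = [:call, [:const, :ManualCSVImport], :new,
              [:if, [:params, :header_row], [:lit, true], [:lit, false]]]
RAW        = [:call, [:const, :ManualCSVImport], :new, [:params, :header_row]]

if __FILE__ == $0
  { "!!params" => DOUBLE_NEG, "ternary" => TERNARY, "raw" => RAW }.each do |label, node|
    puts "#{label}: naive=#{naive_user_input?(node)} refined=#{user_input?(node)}"
  end
end
```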

@mikecmpbll

Author

commented Apr 8, 2019

(I wasn't sure if I should create this issue as I'm not sure whether this is in scope; perhaps this is just an 'ignore' situation?)

@presidentbeef

Owner

commented Apr 9, 2019

Hi @mikecmpbll -

This can definitely be handled in Brakeman. Thanks for reporting!

presidentbeef added a commit that referenced this issue Apr 10, 2019
