
Unprotected redirect warning on duplicated ActiveRecord object #1374

Closed
brian-kephart opened this issue Jul 3, 2019 · 1 comment

Comments

@brian-kephart

commented Jul 3, 2019

Background

Brakeman version: 4.5.1
Rails version: 5.2.3
Ruby version: 2.6.3

Full warning from Brakeman:

Confidence: High
Category: Redirect
Check: Redirect
Message: Possible unprotected redirect
Code: redirect_to(Group.find(params[:id]).dup, :notice => ("Group promoted beginning #{(params[:promotion_date].to_date.beginning_of_week + Date::DAYS_INTO_WEEK[Group.find(params[:id]).day.downcase.to_sym]).display}."))
File: app/controllers/groups_controller.rb
Line: 67

Relevant code:

@group = Group.find params[:id]
new_group = @group.dup
new_group.save!
redirect_to new_group

Why might this be a false positive?
redirect_to @group raises no warnings, so I don't see why the duplicate is a problem.

@presidentbeef

Owner

commented Jul 3, 2019

Yup...calls to #dup should essentially be treated as if the call is not there.

Thanks for reporting!
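As an added illustration, not Brakeman's own code and not its Sexp format: a constructed, much-simplified stand-in for a static redirect check, working over hand-built s-expression nodes. It shows why a `redirect_to` whose target is a model record is treated as safe (Rails derives the path from the record's class and id, so a request parameter can at most select a different record, never an external host), why the trailing `.dup` hid that from the check and left only the `params[:id]` inside the expression visible, and what "treating `dup` as if it is not there" changes. The node shapes, the finder/transparent method lists and the classification names are assumptions made for this example.

```ruby
# Constructed, simplified stand-in for a static redirect check.
# This is NOT Brakeman's code and does not use Brakeman's Sexp format;
# the node shapes below are invented for this example:
#   [:call, receiver, method, args]   e.g. Group.find(params[:id])
#   [:const, :Group]                  a constant (model class)
#   [:params]                         the request params hash
#   [:str, "id"] / [:int, 1]          literals

# Finder-style methods whose result on a model class is a model instance (assumed list).
FINDER_METHODS = %i[find find_by first last new create].freeze

# Methods that return a value of the same kind as their receiver; the fix
# discussed in this issue is to look through these as if they were not there.
TRANSPARENT_METHODS = %i[dup clone].freeze

# Replace `recv.dup` / `recv.clone` (called without arguments) with `recv`, recursively.
def strip_transparent(node)
  return node unless node.is_a?(Array)
  if node[0] == :call && TRANSPARENT_METHODS.include?(node[2]) && Array(node[3]).empty?
    strip_transparent(node[1])
  else
    node.map { |child| strip_transparent(child) }
  end
end

# True when the node is `SomeConst.finder(...)`, i.e. a model record.
def model_instance?(node)
  node.is_a?(Array) && node[0] == :call &&
    node[1].is_a?(Array) && node[1][0] == :const &&
    FINDER_METHODS.include?(node[2])
end

# True when request params appear anywhere inside the expression.
def includes_user_input?(node)
  return false unless node.is_a?(Array)
  return true if node[0] == :params
  node.any? { |child| includes_user_input?(child) }
end

# Classify the argument passed to redirect_to.
# skip_dup: false reproduces the behaviour reported in this issue,
#           true reproduces the fix ("treat dup as if it is not there").
def classify_redirect(arg, skip_dup: true)
  arg = strip_transparent(arg) if skip_dup
  if model_instance?(arg)
    # Rails turns a record into a path built from its class name and id
    # (e.g. /groups/42); user input can only choose which record, never the host.
    :safe_model_redirect
  elsif includes_user_input?(arg)
    # A param flowing into the target (e.g. params[:return_to]) can name an
    # arbitrary host: the open redirect the check exists to catch.
    :possible_unprotected_redirect
  else
    :no_warning
  end
end

# Constructed sample expressions mirroring the code in this issue.
PARAMS_ID      = [:call, [:params], :[], [[:str, "id"]]]          # params[:id]
GROUP_FIND     = [:call, [:const, :Group], :find, [PARAMS_ID]]    # Group.find(params[:id])
GROUP_FIND_DUP = [:call, GROUP_FIND, :dup, []]                     # Group.find(params[:id]).dup
PARAMS_RETURN  = [:call, [:params], :[], [[:str, "return_to"]]]   # params[:return_to]

if __FILE__ == $PROGRAM_NAME
  puts "Group.find(params[:id])      -> #{classify_redirect(GROUP_FIND)}"
  puts "...dup, before the fix       -> #{classify_redirect(GROUP_FIND_DUP, skip_dup: false)}"
  puts "...dup, after the fix        -> #{classify_redirect(GROUP_FIND_DUP)}"
  puts "params[:return_to]           -> #{classify_redirect(PARAMS_RETURN)}"
end
```

Run with `ruby redirect_check_demo.rb` (assumed file name). Without the transparent-method pass, `Group.find(params[:id]).dup` is no longer recognised as a record, the `params[:id]` deep inside it is all the check sees, and the warning fires; with the pass, the `dup` collapses onto its receiver and the record is recognised again, while a genuinely user-controlled target such as `params[:return_to]` is still flagged.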

presidentbeef added a commit that referenced this issue Jul 19, 2019

Skip calls to `dup`
as if they aren't even there.

Fixes #1374

presidentbeef added a commit that referenced this issue Jul 22, 2019

Skip calls to `dup`
as if they aren't even there.

Fixes #1374