Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

redirect_to warning on polymorphic routes #143

Closed
oreoshake opened this Issue Sep 7, 2012 · 3 comments

Comments

Projects
None yet
2 participants
@oreoshake
Copy link
Contributor

oreoshake commented Sep 7, 2012

redirect_to [@parent, @child]

in turn uses a polymorphic route, which only contains a path. This should be considered to be safe.

@oreoshake

This comment has been minimized.

@presidentbeef

This comment has been minimized.

Copy link
Owner

presidentbeef commented Sep 7, 2012

So the change is to treat arrays as safe values?

@oreoshake

This comment has been minimized.

Copy link
Contributor Author

oreoshake commented Sep 7, 2012

Arrays of Models, definitely. It looks like trying to build an array with "invalid values" will throw an exception because it would be an unrecognized route, even with default routes:

polymorphic_url calls (proxy || self).send(named_route, *args)

$ url_for([:saywhat, 'donkey'])
# undefined method `saywhat_donkey_path' for #<#<Class:0x10a8d8fc8>:0x10a7b8d28>

So I think it's safe to say that it is safe if the first arg is an Array, even with user-supplied input.

http://apidock.com/rails/ActionDispatch/Routing/PolymorphicRoutes/polymorphic_url

oreoshake added a commit to oreoshake/brakeman that referenced this issue Sep 21, 2012

presidentbeef#143 Treat models and arrays of models as safe input to …
…redirect_to

This is an enhancement and and a bug fix.  Models use polymorphic routes and should be considered safe as do arrays.  Treat arrays containing things other than models as unsafe as well.

Repository owner locked and limited conversation to collaborators Feb 16, 2016

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.