check_cross_site_scripting flags Environment Variables as unsafe #939

Closed
JPrevost opened this Issue Sep 28, 2016 · 4 comments

@JPrevost

I've got code like:

<%= link_to("Thing", "#{ENV['SOME_URL']}") %>

Brakeman flags that as unsafe. That's not coming from a user, but a server admin.

Thoughts on whether this could be detected by brakeman as safe? Thanks!

@presidentbeef
Owner

Hi Jeremy,

I cannot reproduce this issue. I am fairly certain Brakeman does not warn about ENV. Can you share more about the warning?

@JPrevost

Also, I don't mind doing the legwork on this but wanted to ask for guidance before digging in :)

Thanks!

@presidentbeef
Owner

Ah, yes, it's warning about params[:q]. This will be fixed in #940
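The distinction the thread lands on, as an added example that is not code from Brakeman, Rails, or the issue author: an ENV value is set by the operator, so it is configuration rather than request input, while params[:q] is attacker-controlled. The reason a request value in an href is an XSS sink even after HTML escaping is that escaping protects the attribute boundary but does nothing about the URL scheme, so a javascript: URL survives. naive_link_to below is a stand-in for how a view helper emits an `<a>` tag from a string href (an assumption about shape, not Rails' actual implementation), SOME_URL and :q are taken from the thread, and the attacker value is constructed for the demo. safe_href? shows the check a practitioner would add for request-supplied URLs.

```ruby
require "erb"
require "uri"

# Added example, not code from Brakeman, Rails, or the issue. naive_link_to is
# a stand-in for a helper that builds an <a> tag from a string href: the
# attribute is HTML-escaped, but the URL scheme is never inspected, so a
# "javascript:" URL is emitted intact. SOME_URL and the :q parameter come from
# the thread; the attacker value is constructed for the demo.

SAFE_SCHEMES = %w[http https].freeze

def naive_link_to(text, href)
  # Attribute escaping only: <, >, &, " and ' become entities. That stops an
  # attacker from breaking out of the attribute, not from supplying a
  # javascript: URL that runs when the link is clicked.
  %(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(text)}</a>)
end

def safe_href?(href)
  uri = URI.parse(href.to_s)
  return true if SAFE_SCHEMES.include?(uri.scheme.to_s.downcase)
  # Allow a same-origin path ("/docs") but not a scheme-relative URL ("//evil.example").
  uri.scheme.nil? && uri.host.nil? &&
    href.to_s.start_with?("/") && !href.to_s.start_with?("//")
rescue URI::InvalidURIError
  false
end

def safe_link_to(text, href)
  raise ArgumentError, "refusing href #{href.inspect}" unless safe_href?(href)
  naive_link_to(text, href)
end

# The two cases from the thread side by side. ENV is set by the operator
# (Brakeman does not treat it as user input); params comes from the request.
def render_links(params)
  {
    env_link: naive_link_to("Thing", ENV.fetch("SOME_URL", "https://example.org/docs")),
    param_link: naive_link_to("Thing", params[:q]),
    param_link_checked: (safe_href?(params[:q]) ? safe_link_to("Thing", params[:q]) : nil)
  }
end

if $PROGRAM_NAME == __FILE__
  attacker_params = { q: "javascript:alert(document.cookie)" } # constructed input
  render_links(attacker_params).each { |name, html| puts "#{name}: #{html.inspect}" }
end
```

Running the file prints the ENV-derived link unchanged, the params-derived link with the javascript: URL still in the href, and nil for the checked version, which is the behaviour Brakeman's warning on params[:q] is pointing at. The scheme allow-list deliberately rejects scheme-relative and data: URLs as well; if a view legitimately needs other schemes (mailto:, tel:), add them to SAFE_SCHEMES explicitly rather than falling back to a deny-list.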

@presidentbeef presidentbeef locked and limited conversation to collaborators Feb 10, 2017