
False positive - Render path contains parameter value with checked params through case #944

Closed
sciamp opened this Issue Oct 12, 2016 · 1 comment


sciamp commented Oct 12, 2016

Hi,
I'm running brakeman 3.4.0, here is the code raising the security warning:

```ruby
case params[:switch_case_on_this]
when "one"
  ...
  render partial: params[:switch_case_on_this], locals: { <some hash depending on params> }
when "two"
  ...
  render partial: params[:switch_case_on_this], locals: { <some hash depending on params> }
when ...
else
  # doing nothing
end
```

I think this is similar to the issue discussed in [0]. So is it a bug, or am I missing something?

Thanks,
sciamp

[0] http://stackoverflow.com/questions/11263976/rails-brakeman-warning-dynamic-render-path-false-alarm?answertab=votes#tab-top
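To make the pattern in the report concrete, here is an added example in plain Ruby; it is not code from this issue, from Brakeman or from Rails. It models how the partial name reaches `render`: `params` is an ordinary Hash with symbol keys standing in for `ActionController::Parameters`, each function returns the value that would be passed as `render partial:`, and `nil` means "no partial rendered". The parameter name is the one from the issue; the sample inputs, the literal/lookup variants and the function names are this example's own.

```ruby
# Added example, not code from the issue or from Brakeman. `params` is a plain
# Hash (symbol keys) standing in for ActionController::Parameters; each function
# returns what would be handed to `render partial:`.

# Style 1: the raw parameter is the template path. Any string the client sends,
# including a traversal sequence, is handed straight to the view lookup.
def partial_unconstrained(params)
  params[:switch_case_on_this]
end

# Style 2: the pattern from the issue. The case restricts which values reach
# render, so at runtime only "one" or "two" is ever used. The argument to render
# is still the params expression itself, which is what a data-flow tool that
# does not model case/when continues to see as user-controlled.
def partial_via_case(params)
  case params[:switch_case_on_this]
  when "one"
    params[:switch_case_on_this]
  when "two"
    params[:switch_case_on_this]
  else
    nil
  end
end

# Style 3: same control flow, but each branch passes the literal it just matched.
# Inside `when "one"` the value is known to equal "one" (String#=== is equality),
# so the user-controlled expression never appears in the render call at all.
def partial_via_literal(params)
  case params[:switch_case_on_this]
  when "one" then "one"
  when "two" then "two"
  end
end

# Style 4: a fixed allowlist table. User input is only a lookup key; the value
# handed to render always comes from the frozen Hash (or is nil).
PARTIAL_FOR = { "one" => "one", "two" => "two" }.freeze

def partial_via_lookup(params)
  PARTIAL_FOR[params[:switch_case_on_this]]
end

# Constructed sample inputs: a legitimate value and a traversal attempt.
if __FILE__ == $PROGRAM_NAME
  [{ switch_case_on_this: "one" },
   { switch_case_on_this: "../../../config/database" }].each do |p|
    puts "#{p[:switch_case_on_this].inspect}:"
    puts "  unconstrained -> #{partial_unconstrained(p).inspect}"
    puts "  via case      -> #{partial_via_case(p).inspect}"
    puts "  via literal   -> #{partial_via_literal(p).inspect}"
    puts "  via lookup    -> #{partial_via_lookup(p).inspect}"
  end
end
```

Styles 2, 3 and 4 all reject the traversal string at runtime; they differ only in whether the expression passed to `render` is derived from `params` (style 2) or is a literal drawn from a fixed set (styles 3 and 4). When a dynamic render warning is a genuine false positive, rewriting the branch bodies in the style 3 or style 4 form keeps the behaviour and leaves nothing user-controlled in the render call.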

Owner

presidentbeef commented Oct 15, 2016

Hi Alessandro,

Currently Brakeman does not really do much with case expressions, but it's on my roadmap to handle code like this.

Repository owner locked and limited conversation to collaborators May 18, 2017
