Comments (11)
@presidentbeef and @oreoshake, just as a note, I am not creating patches/pull requests for this (or my previous issue) because I am not positive my report is actually correct. If you think that I'm right and that I should submit a patch I will happily do so!
from brakeman.
Yeah, I'm pretty sure this was just me being overzealous.
from brakeman.
Cool. I can remove the checks for #update_attribute
(singular ;-)) and create a pull request if you'd like.
from brakeman.
Sure...with a test? :D
from brakeman.
Sure... I guess I was kinda sloppy on my annotations branch eh? Hard to test doesn't mean it shouldn't be. 💣
from brakeman.
Haha, I wasn't implying anything - I was only thinking we should add a test so in the future it looks deliberate.
from brakeman.
If you have any questions about how to go about writing the tests for this, please let me know.
from brakeman.
I heard my name so I should say something. Yes, removing update_attribute sounds like the right thing and I'm not sure that the bypassing of validations is something brakeman should be concerned with only because I can't come up with a reasonable scenario to warn on without a crazy high FP rate or a lot of configuration. Or maybe I'm misunderstanding the concern. I just assumed you were thinking along the lines of
class Donkey < ActiveRecord::Base
validates_security_of :secure_stuffs #made up validator
end
def some_action
donkey = Donkey.find(params[:id])
donkey.update_attribute(:secure_stuffs, params[:secure_stuffs]) # DANGER, WILL ROBINSON!
end
from brakeman.
And the winner for run-on comment of the year goes to...
from brakeman.
I caused commotion without meaning to... by "biggest worry regarding #update_attribute" I meant in general, not in a security context. I recently had to make a decision between querying object.valid?
after an update_attribute
or changing the call to update_attributes
with a hash I entirely controlled (which I chose) because of the unclear semantics of the singular version not using validators... it's just weird.
from brakeman.
Closed by #83 - thanks Dave!
from brakeman.
Related Issues (20)
- Possibility to ignore/skip directories/paths HOT 4
- UnsafeReflection requires array to be defined with values strictly in the context of the execution HOT 4
- Brakeman does not follow directory symlinks HOT 7
- Brakeman hangs on some platforms HOT 5
- Brakeman unable to detect Renderables in a Gem? HOT 2
- Command Injection doesn't detect shellescape unless the code is in the same function HOT 2
- Undeliverable address [email protected] in LICENSE.md HOT 2
- Controller with "log" in pathname excluded from scan HOT 1
- Check Graphql end-point for vulnerabilities HOT 1
- with_content for ViewComponent flagged as dynamic render path HOT 4
- Parsing Error on splat operator
- Issue with adding autoload_paths for views dir HOT 1
- False negatives due to --skip-libs ignoring app/ files. HOT 2
- Support non-standard gemfile naming for dual booting Rails apps HOT 1
- brakeman still references haml 4 - which is a bit long in the tooth (Haml::Filter::Coffee class vs. module)
- Incorrect identification of User input; Unable to dynamically render fully qualified path HOT 1
- Command injection false positive HOT 2
- Does not identify Rails 8 applications
- `eval` call not being detected HOT 1
- Unvalidated `redirect_back` false negatives HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from brakeman.