Can someone explain to me why this is a security problem?
= link_to new_locale.to_s, params.slice(:id, :reader_id, :screen_type).merge(locale: new_locale)
I am trying to add a simple partial to my project to be able to switch between languages. I don't really want this partial to have to interact with each controller or switch the user to a different page or have to know all possible valid parameters.
I did a quick pass over the source and I suspect one of the following is triggering it:
You're calling .to_s for the first argument to link_to, resulting in an html_safe string being passed in.
User input being handed directly to link_to, which I believe would be a false positive.
You can dig in further by checking out the source for the link_to XSS tests in Brakeman yourself.
Related
I have a controller and I current have it using redirect going to another controller, I know I can pass data around using the :query...
Is there any way I can do this without the use of http as I'm finding it impossible to send a hash using http.
I cant find this information any where, what is the most common way of sharing data (slash sending) data from one controller to another?
please help been working on this for hours, btw am new to RoR
If you are redirecting the browser, you will have to use the query option as redirect actually tells the browser to make another request to a different path.
If you just want to render the other controllers action you could call:
render :template=>"path to view you want to render"
As for actually calling the other action? You could distill (refactor) the logic into a lib and call the same logic from both controllers, then use the same view for both..
I found my answer, I may have not been specific enough with the question. But you can pass a hash using the query string; which obviously (now that I think of it) converts it to a string duh. so I just use eval in the receiving hash,
eval(#params['inputData'] which gives me the hash.
I got an exception in a web app I'm developing recently from a url something like:
http://domain.com/script.js?bcsi-ac-16E7C1CCF9EF6357=1C76413C00000002kmNHGZK2deV0Qz25TXynq3fMaPTrBAAAAgAAAD5tGgCEAwAACAAAAPUiAgA=
First of all - what in the world is that? From searching it sounds like maybe it's a cookie / session variable of some kind...
Second of all, the exception was about dynamic assignment of a constant. I tried a simpler url:
http://domain.com/script.js?bcsi-ac
And that gave an exception about the variable or method 'bcsi' not being defined, as if it were trying to evaluate it... WHAT!? I sure as hell hope people can't cause my Rails app to evaluate random code just by passing it to the querystring...
To provide more detail: I'm not doing anything unusual with the querystring data in the route or the controller. I just take the params and pass them into a partial as locals (admittedly not the cleanest way to do it, but simple - and that certainly shouldn't cause it to evaluate a parameter name as code?)
OKAY! Answering my own question again. It turns out passing params in as locals to a partial DOES cause it to evaluate the parameter name as code - obviously it can't use the variable name "bcsi-ac" so it tries to evaluate it.
But the question as to whether that poses a security risk still remains... I don't seem to be able to call methods on things, or actually assign things... but maybe I just haven't tried hard enough. It would seem to me that rails should just throw an exception when passing in a locals hash that includes an invalid variable name.
as a general rule of thumb, any time you allow strings from your url to be evaluated as code you are setting up a huge security risk in your application. you might not be able to call methods on locals as your methods exist server side and the code you are evaluating is client side, but this certainly opens your site up to XSS vulnerabilities among others...
In one of my templates I want to take a closer look at the controller object using the debug() helper.
It is said to produce YAML suitable for HTML output.
Running <%= debug(controller) %> does, however, not produce anything I call readable.
It begins with:
#<ClubsController:0x104467378 #_request=#<ActionController::Request:0x104467648 #accepts=[#<Mime::Type:0x101f50f30 #synonyms=["application/xhtml+xml"],
and goes on like that...
Any ideas on how to get some info about the object?
The debug helper is primarily intended to be used with objects that provide an implementation of to_yaml (such as ActiveRecord models). If the object passed doesn't respond to to_yaml (as is the case with passing a controller object in your example) then debug gives you the result from calling inspect on that object.
I saw your comment #thenduks answer.
Actually there is a method:
controller.controller_name
that returns the name of the controller.
What's not readable about that? It's the standard ruby inspection syntax... If you really need something 'more readable' then you'll have to write a method on your controller (temporarily, most likely) that simply exposes it's instance variables in another format.
Perhaps it would help if you noted what you want to see in the controller instance.
I have a pretty simple ASP.NET MVC page and am using TinyMCE to allow users to enter comments. However, when I pass the data to a controller I receive the following error message:
A potentially dangerous Request.Form
value was detected from the client
The consensus is that ValidateInput("false") should be set on the Action method but somehow that does not sit well with me. I have tried to intercept this by ordering my action methods and sanitizing the data through my ActionExecitomgContext ActionParameters however this error keeps occurring time and again. Does anyone know of a way to allow this content through (or properly intercept it) without disabling ValidateInput
Do you have specifics on why it doesn't sit well? ValidateInput("false") on the one action that accepts HTML is the proper way to go. The input validation is an old ASP.NET feature that is on by default for security in depth, but is like a sledge hammer. It doesn't understand the nuances of allowed HTML.
For that one action method, you could write your own ValidateSafeHtmlAttribute action filter and put that on the method instead. Maybe that one internally encapsulates a ValidateInput set to false and then does its own validation specific to your scenario. That'd be my recommendation.
I'm calling a controller action to do a search with an AJAX request from 2 different pages and want to render a different rjs file based on which page requested the action. I could just make 2 actions to do this but it doesn't seem very DRY when it's the same code in the action just need different rjs as it's displaying the search results differently in the view.
Using Rails 2.3.4 and Ruby 1.8.7
If I understand your question correctly, three ways come to mind to solve this:
In your action, check the current request's http_referrer and try to figure out what page initiated the request. Depending on how you've got your routing set up, this may or may not work, but it does have the advantage of being pretty simple to do.
Have your AJAX request include an extra GET parameter to identify which page the request is from. Then, have the Rails action test for that parameter, and render RJS accordingly.
Do something clever with Routes and have page A hit the action from one distinct URL, and page B hit the action from another, and include the page identification parameter in the route configuration.
My preference would be for approach #2, as it seems way less likely to break randomly when your routing changes, and #3 strikes me as being overly complicated. There's probably a million other ways to do this, but those are the three that came to mind right off the bat. Hope that helps...
How much code is in the action? You could just factor that out into a common subroutine and call that from each action. It would keep the code simple and easy to understand, without resorting to clever tricks.
I usually do like #2 from Steven's answer, but with a twist. A filter in my ApplicationController attributes a custom mime type corresponding to the extra parameter.
That way, the names of my view files are clearer (i.e.: "show.employees-autocomplete.rjs", "show.quotation-autofill.rjs").