Comments (11)
@presidentbeef and @oreoshake, just as a note, I am not creating patches/pull requests for this (or my previous issue) because I am not positive my report is actually correct. If you think that I'm right and that I should submit a patch I will happily do so!
from brakeman.
Yeah, I'm pretty sure this was just me being overzealous.
from brakeman.
Cool. I can remove the checks for #update_attribute
(singular ;-)) and create a pull request if you'd like.
from brakeman.
Sure...with a test? :D
from brakeman.
Sure... I guess I was kinda sloppy on my annotations branch eh? Hard to test doesn't mean it shouldn't be.
from brakeman.
Haha, I wasn't implying anything - I was only thinking we should add a test so in the future it looks deliberate.
from brakeman.
If you have any questions about how to go about writing the tests for this, please let me know.
from brakeman.
I heard my name so I should say something. Yes, removing update_attribute sounds like the right thing and I'm not sure that the bypassing of validations is something brakeman should be concerned with only because I can't come up with a reasonable scenario to warn on without a crazy high FP rate or a lot of configuration. Or maybe I'm misunderstanding the concern. I just assumed you were thinking along the lines of
class Donkey < ActiveRecord::Base
validates_security_of :secure_stuffs #made up validator
end
def some_action
donkey = Donkey.find(params[:id])
donkey.update_attribute(:secure_stuffs, params[:secure_stuffs]) # DANGER, WILL ROBINSON!
end
from brakeman.
And the winner for run-on comment of the year goes to...
from brakeman.
I caused commotion without meaning to... by "biggest worry regarding #update_attribute" I meant in general, not in a security context. I recently had to make a decision between querying object.valid?
after an update_attribute
or changing the call to update_attributes
with a hash I entirely controlled (which I chose) because of the unclear semantics of the singular version not using validators... it's just weird.
from brakeman.
Closed by #83 - thanks Dave!
from brakeman.
Related Issues (20)
- case statement with ternary or if then causes crash
- SVG Icon for vscode-icons HOT 2
- False Positive on Faraday delete method with interpolation string
- Segmentation Fault in ruby 3.2.0 ( EDIT: fixed in 3.2.2 ) HOT 14
- False Positive 'Unescaped model attribute' when using safe '_html' i18n key
- Broken link to Unmaintained Dependency HOT 2
- Add "obsolete" entries to comparison results HOT 1
- CircleCI - running with format `junit` can't be parsed by CircleCI HOT 3
- Parse error on Ruby 3.2 anonymous keyword spread HOT 5
- False positive for send_file HOT 1
- Is there a flag to show all warnings including the ignored ones? HOT 5
- Brakeman Is Not Catching SQL Injections in Arel.sql(raw_sql) HOT 3
- Check for signed_id/Global ID usage without specified purpose HOT 1
- False Negative: warning on CSRF in Rails 5.2+ with defaults HOT 5
- Relax Rails app structure constraints HOT 2
- content_tag no longer considered dangerous HOT 1
- False positive Send where `send` is inside conditional that prevents arbitrary user input. HOT 2
- False positive for `protect_from_forgery` when defaults for rails 7 are used HOT 1
- Unscoped find not alerted for `find_by!`
- Unscoped find does not traverse concerns HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from brakeman.