Configure brakeman to ignore url safe preview card urls (#25883)
parent
13688539bc
commit
ab0fb81479
5 changed files with 27 additions and 40 deletions
@ -9,6 +9,10 @@ module FormattingHelper
|
||||||
TextFormatter.new(text, options).to_s
|
TextFormatter.new(text, options).to_s
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def url_for_preview_card(preview_card)
|
||||||
|
preview_card.url
|
||||||
|
end
|
||||||
|
|
||||||
def extract_status_plain_text(status)
|
def extract_status_plain_text(status)
|
||||||
PlainTextFormatter.new(status.text, status.local?).to_s
|
PlainTextFormatter.new(status.text, status.local?).to_s
|
||||||
end
|
end
|
||||||
|
|
|
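Review bot: `url_for_preview_card` in this hunk returns `preview_card.url` untouched, while the Brakeman config hunk (`@ -1,3 +1,5 @@`) lists it under `:url_safe_methods:`, so the scanner will from now on trust that value in any `link_to` href even though the helper checks nothing itself. The href is therefore only as safe as whatever validation the PreviewCard model applies to `url` before persistence, which is not visible in this diff, and a reader of the helper should not have to learn that from the scanner config; if the model does not restrict the scheme, this entry hides a real finding rather than a false positive. I'd add above the method: `# Listed as url-safe in the Brakeman config: the scheme/shape of preview_card.url is expected to be validated on the PreviewCard model, not here.` The enclosing `module FormattingHelper` starts outside the hunk.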
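--- a/app/views/admin/trends/links/_preview_card.html.haml
+++ b/app/views/admin/trends/links/_preview_card.html.haml
@@ -4,7 +4,7 @@
 
 .batch-table__row__content.pending-account
 .pending-account__header
-= link_to preview_card.title, preview_card.url
+= link_to preview_card.title, url_for_preview_card(preview_card)
 
 %br/
 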
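--- a/[brakeman ignore file - path not shown on page]
+++ /dev/null
@@ -1,39 +0,0 @@
-{
-"ignored_warnings": [
-{
-"warning_type": "Cross-Site Scripting",
-"warning_code": 4,
-"fingerprint": "cd5cfd7f40037fbfa753e494d7129df16e358bfc43ef0da3febafbf4ee1ed3ac",
-"check_name": "LinkToHref",
-"message": "Potentially unsafe model attribute in `link_to` href",
-"file": "app/views/admin/trends/links/_preview_card.html.haml",
-"line": 7,
-"link": "https://brakemanscanner.org/docs/warning_types/link_to_href",
-"code": "link_to((Unresolved Model).new.title, (Unresolved Model).new.url)",
-"render_path": [
-{
-"type": "template",
-"name": "admin/trends/links/index",
-"line": 49,
-"file": "app/views/admin/trends/links/index.html.haml",
-"rendered": {
-"name": "admin/trends/links/_preview_card",
-"file": "app/views/admin/trends/links/_preview_card.html.haml"
-}
-}
-],
-"location": {
-"type": "template",
-"template": "admin/trends/links/_preview_card"
-},
-"user_input": "(Unresolved Model).new.url",
-"confidence": "Weak",
-"cwe_id": [
-79
-],
-"note": ""
-}
-],
-"updated": "2023-07-12 11:20:51 -0400",
-"brakeman_version": "6.0.0"
-}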
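--- a/[brakeman config file - path not shown on page]
+++ b/[brakeman config file - path not shown on page]
@@ -1,3 +1,5 @@
 ---
 :skip_checks:
 - CheckPermitAttributes
+:url_safe_methods:
+- url_for_preview_card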
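--- /dev/null
+++ b/[view spec file - path not shown on page]
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe 'admin/trends/links/_preview_card.html.haml' do
+it 'correctly escapes user supplied url values' do
+form = instance_double(ActionView::Helpers::FormHelper, check_box: nil)
+trend = PreviewCardTrend.new(allowed: false)
+preview_card = Fabricate.build(
+:preview_card,
+url: 'https://host.example/path?query=<script>',
+trend: trend,
+title: 'Fun'
+)
+
+render partial: 'admin/trends/links/preview_card', locals: { preview_card: preview_card, f: form }
+
+expect(rendered).to include('<a href="https://host.example/path?query=<script>">Fun</a>')
+end
+end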
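Review bot: The expectation on the last `expect` line of this new spec looks for a raw `<script>` inside the href, but `link_to` HTML-escapes attribute values, so I'd expect the rendered attribute to read `query=&lt;script&gt;` and this assertion to fail; if it does pass, the view is emitting an unescaped attribute, which is the opposite of what the example's name claims. The assertion that matches the name is probably `expect(rendered).to include('<a href="https://host.example/path?query=&lt;script&gt;">Fun</a>')`. Separately, the Brakeman LinkToHref finding this commit suppresses is about the href's scheme rather than HTML escaping, and nothing in this spec exercises a non-http(s) `url` on the preview card, so the suppression is not backed by a test of the property it relies on.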