Brakeman - Ruby on Rails - 关于' RatyRate的远程代码执行(安全警告)'宝石控制器

时间:2015-04-04 23:07:16

标签: ruby-on-rails ruby security controller

在我的RoR应用程序中,我已经安装了' RatyRate'宝石,以便用户使用5星系统相互评价。

然而,在安装和运行' Brakeman'安全扫描器gem在我的应用程序的根目录中,我收到了这个有点惊人的消息:

+SECURITY WARNINGS+
+------------+-----------------+--------+-----------------------+------------->>
| Confidence | Class           | Method | Warning Type          | Message     >>
+------------+-----------------+--------+-----------------------+------------->>
| High       | RaterController | create | Remote Code Execution | Unsafe reflection method constantize called with parameter value near line 5: +params[:klass].classify+.constantize.find(params:[id])>>
+------------+-----------------+--------+-----------------------+------------->>

与这些" Medium"报告的错误: 查看警告:

+------------+-----------------------------------------+-->>
| Confidence | Template    | Warning Type     | Message   >>
+------------+-----------------------------------------+-->>
| Medium     | listings/edit (ListingsController#edit) | Cross Site Scripting | Unsafe parameter value in link_to href near line 31: link_to("Delete", current_user.listings.fin>>
| Medium     | listings/show (ListingsController#show) | Cross Site Scripting | Unsafe parameter value in link_to href near line 11: link_to(current_user.listings.find_by(:id =>>
+------------+-----------------------------------------+-->>

这些错误是我应该关注并以某种方式修复的,或者它们很可能是可以忽略的误报...?

- 我的列表/编辑视图如下所示:

<% provide(:title, 'Edit listing') %>
<h1>Editing Listing</h1>

<div class="row">
  <div class="col-md-6 col-md-offset-3">
    <div class="center">
    <div class="panel panel-white">
      <div class="panel-heading">
        <div class="panel-title">
        </div>
      </div>
      <div class="panel-body">
        <h4>
          <%= form_for(@listing) do |f| %>
            <%= render 'shared/listing_error_messages' %>

            <%= f.label :name %>
            <%= f.text_field :name, class: "form-control" %>

            <%= f.label :description %>
            <%= f.text_area :description, class: "form-control" %>

            <%= f.label :price %>
            <%= f.text_field :price, class: "form-control" %>

            <%= f.submit "Edit listing", class: "btn btn-warning" %>
          <% end %>
          <%= link_to "Back", listings_path, class: "btn btn-link" %>
        </h4>
        <h4>
          <%= link_to "Delete", @listing, method: :delete, class: "btn btn-danger",
                                     data: { confirm: "You sure?" } %>
        </h4>
      </div>
    </div>
    </div>
  </div>
</div>

- 这里是列表/展示视图:

<div class="col-md-8">
  <div class="panel panel-default">
    <div class="panel-heading">
      <h3 class="panel-title"><%= @listing.name %></h3>
    </div>
    <div class="panel-body">

      <p>
        <strong>Category:</strong>
        <% if @listing.category %>
          <%= link_to @listing.category.name, @listing.category %>
        <% else %>
          none
        <% end %>
      </p>

      <p>
        <strong>Description:</strong>
        <%= @listing.description %>
      </p>

      <p>
        <strong>Price:</strong>
        <%= number_to_currency(@listing.price) %>
      </p>

      <p>
        <strong>Image:</strong>
        <%= image_tag @listing.image_url if @listing.image? %>
      </p>

    </div>
    <div class="panel-footer"><%= link_to 'Edit', edit_listing_path(@listing) %> |
      <%= link_to 'Back', listings_path %></div>
  </div>
</div>

- Rater Controller:

class RaterController < ApplicationController

  def create
    if user_signed_in?
      obj = params[:klass].classify.constantize.find(params[:id])
      obj.rate params[:score].to_f, current_user, params[:dimension]

      render :json => true
    else
      render :json => false
    end
  end
end

- 上市控制人:

class ListingsController < ApplicationController
  before_action :logged_in_user, only: [:create, :destroy]
  before_action :correct_user,   except: [:create, :index, :new]

  def index
    @listings = Listing.all
  end

  def show
  end

  def new
    @listing = Listing.new
  end

  def edit
  end

  def create
    @listing = Listing.new(listing_params)
    @listing.user = current_user
    @listing.username = current_user.username
    if @listing.save
      redirect_to @listing
      flash[:success] = "Listing was successfully created."
    else
      render 'new'
    end
  end

  def update
    if @listing.update(listing_params)
      flash[:success] = "Listing was successfully updated."
      redirect_to @listing
    else
      render 'edit'
    end
  end

  def destroy
    @listing.destroy
    flash[:success] = "Listing deleted."
    redirect_to request.referrer || root_url
  end

  private

    def listing_params
      params.require(:listing).permit(:name, :description, :price, :image, :category_id)
    end

    def correct_user
      @listing = current_user.listings.find_by(id: params[:id])
      redirect_to root_url if @listing.nil?
    end
end

1 个答案:

答案 0 :(得分:2)

是的!不要这样做:

obj = params[:klass].classify.constantize.find(params[:id])

这将允许任何用户发送url参数并在具有该名称的类上执行.find(id)!这意味着他们可以从任何模型中获取数据!

其他两个错误可能是误报。有关这些问题的详细信息,请参阅此github问题:https://github.com/presidentbeef/brakeman/issues/311

相关问题
最新问题