I’ve just started using the brakeman gem to explore my rails app for security vulnerabilities.
I’ve managed to get everything tidy except for several cross site scripting warnings.
These all share the following in common:
- They’re all link_to tags
- They all have instance variables in the class, alt or title
attributes - The instance variables all represent an active record query that
includes associated models - The instance variables are all “commentable”. This describes a polymorphic association for user generated comments, similar in approach to the revised version of this Railscast.
e.g
<%= link_to "Click" , :class=> @model.association.attribute, :alt=> @model.association.attribute, :title=> @model.association.attribute, @model.association %>
where
@model = @commentable = Model.includes(:association1, association2: {:nested-association1, :nested-association2}).find(params[:id])
Is this something I need to be concerned about/ take action for? I thought Rails 3.2 escapes these by default.
I’d welcome advice to help me understand this issue better, and identify what steps I should take, if any.
I was unable to reproduce any warnings from the code you provided. What version of Brakeman are you using? What was the actual warning (redacted as necessary)?
I suspect you are getting warnings because user input is being detected in the href value of the link. See this pull request for more information about why this can be dangerous.
Unfortunately, without more information, I cannot tell if this is a false positive that needs to be fixed or a legitimate warning.
Edit:
Okay, now I am seeing the warning when testing with
@model = @commentable = ...This is a problem with how Brakeman is handling the assignment.If you are linking to an instance of a model, there should be no warning. If you are linking to a model attribute then this is counted as user input.
Yes, Rails will escape HTML, but it does not deal with links beginning with
javascript:ordata:which can be used for XSS.