
150 resolved dynamic-render-path-vulnerability #181

Merged
merged 3 commits into from
Sep 19, 2023

Conversation

Janell-Huyck
Contributor

Fixes #150

Fix Dynamic Render Path Vulnerability in PagesController

This PR addresses a security concern raised by Brakeman concerning dynamic render paths in the PagesController. Specifically, Brakeman flagged the use of params[:page] directly in a render call as a potential risk.

Changes:
Refactored PagesController to use a whitelist approach for page rendering.
Added a type check to ensure that params[:page] is a string.
Added test for the whitelist to ensure that future developers do not add a page without adding it to the whitelist.
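The allowlist-plus-type-check pattern the description above lays out, as an added example that is not the project's own code: a plain-Ruby model of it (no Rails), with a hypothetical ALLOWED_PAGES list, a resolve helper that returns the template name or nil, and the drift check the added test is meant to perform (a template on disk with no allowlist entry is reported). The controller shape at the bottom is a comment only, since the real PagesController is not reproduced on this page.

```ruby
# Added example, not the project's code: models the fix the PR describes
# without Rails so it runs stand-alone.
require "tmpdir"
require "fileutils"

module PageAllowlist
  # Hypothetical allowlist: the only template names a request may select.
  ALLOWED_PAGES = %w[about contact faq].freeze

  # Returns the template name to render, or nil when the request must be
  # rejected (the controller would answer 404). The type check matters
  # because Rack params can arrive as arrays or hashes (?page[]=about), and
  # the allowlist check means the user-controlled value never reaches
  # render as a path fragment; only a known constant does.
  def self.resolve(page_param)
    return nil unless page_param.is_a?(String)
    return nil unless ALLOWED_PAGES.include?(page_param)
    page_param
  end

  # The PR's second safeguard, as a test helper: list templates present in
  # the views directory that have no allowlist entry, so the allowlist
  # cannot silently drift out of date when a page is added later.
  def self.unlisted_templates(views_dir)
    Dir.children(views_dir)
       .select { |f| f.end_with?(".html.erb") }
       .map { |f| f.sub(/\.html\.erb\z/, "") }
       .reject { |name| ALLOWED_PAGES.include?(name) }
       .sort
  end
end

# Hypothetical shape of the controller action using the helper:
#   def show
#     page = PageAllowlist.resolve(params[:page])
#     page ? render(page) : head(:not_found)
#   end

if __FILE__ == $PROGRAM_NAME
  puts PageAllowlist.resolve("about").inspect          # "about"
  puts PageAllowlist.resolve(["about"]).inspect        # nil: not a String
  puts PageAllowlist.resolve("../../secret").inspect   # nil: not allowlisted
  # Constructed views directory with one template missing from the allowlist.
  Dir.mktmpdir do |views|
    %w[about contact faq secret].each do |n|
      FileUtils.touch(File.join(views, "#{n}.html.erb"))
    end
    puts PageAllowlist.unlisted_templates(views).inspect  # ["secret"]
  end
end
```

In a Rails test suite the drift check would point `unlisted_templates` at `app/views/pages` and assert the result is empty, which is what makes the allowlist enforceable over time rather than a one-off fix.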

@Janell-Huyck Janell-Huyck changed the title 1500resolved dynamic-render-path-vulnerability 150 resolved dynamic-render-path-vulnerability Sep 8, 2023
@hortongn hortongn closed this Sep 8, 2023
@hortongn hortongn reopened this Sep 8, 2023
@Janell-Huyck Janell-Huyck force-pushed the 150-dynamic-render-path-vulnerability branch from 887cd32 to ed56f98 September 12, 2023 14:30
@crowesn crowesn self-assigned this Sep 12, 2023
Contributor

@crowesn crowesn left a comment


See inline comment and let me know what you think. It's fine to merge as is but maybe could be a little cleaner in the render call.

app/controllers/pages_controller.rb (inline comment, resolved)
@Janell-Huyck Janell-Huyck force-pushed the 150-dynamic-render-path-vulnerability branch from ea237d0 to 4e16c6f September 14, 2023 17:49
@hortongn
Member

Is this PR ready for @crowesn's re-review?

@crowesn
Contributor

crowesn commented Sep 15, 2023 via email

@Janell-Huyck
Contributor Author

After Thomas's webpacker PR is merged, I will rebase if necessary and then this should be ready for re-review and merging.

Contributor

@crowesn crowesn left a comment


Looks good, merging.

@crowesn crowesn merged commit 1931b38 into qa Sep 19, 2023
@crowesn crowesn deleted the 150-dynamic-render-path-vulnerability branch September 19, 2023 18:19
Successfully merging this pull request may close these issues.

Brakeman: Dynamic Render Path vulnerability
3 participants