Question

I recently added the Brakeman gem to my Gemfile and had to see that I should use

```ruby
:only_path => true
```

to make it more secure. But I'm using a nested resource and don't know exactly how; here is the part from my Controller.

```ruby
if @comment.update_attributes(params[:comment])
  redirect_to [@message, @comment], notice: 'Comment was successfully updated.'
end
```

How can I do this? I only saw the only_path attribute with the url_for helper. Thanks for your help!


Solution

The short answer is that Brakeman will complain in this case no matter what. A fix is in the mix (https://github.com/presidentbeef/brakeman/issues/143).

As is, your code is safe. The first argument is passed to url_for, which in this case builds a polymorphic route based on your models.

Note that by default :only_path is true, so you'll get the relative "/controller/action" instead of the fully qualified URL like "example.com/controller/action".

But to answer your question, it will warn on any form where the first argument resolves to a string, albeit a weak confidence warning. This will be fixed.

TANGENT alert. Let's say you want to redirect_to @message.some_url. This will generate a high confidence warning, which you can fix with something like:

```ruby
redirect_to URI.parse(url_for(@message.some_url)).path, notice: 'Comment was successfully updated'
```
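The `URI.parse(...).path` idea from the tangent above, carried a bit further as an added example that is not part of the original answer: a hypothetical `local_redirect_path` helper that takes the redirect target as a plain string (skipping `url_for`, which just returns a string argument unchanged) and keeps only the site-local path and query, discarding the host, protocol-relative `//host` forms and non-http schemes that a Brakeman redirect warning is about.

```ruby
require "uri"

# Added example (not from the original answer). Reduces an arbitrary redirect
# target to a site-local path so that whatever host or scheme it carried is
# dropped. Returns +fallback+ when the value cannot be made into a local path.
def local_redirect_path(target, fallback: "/")
  return fallback if target.nil? || target.strip.empty?

  uri = URI.parse(target.strip)
  # Only http(s) or scheme-less values are acceptable; "javascript:" and the
  # like never become a redirect target.
  return fallback unless uri.scheme.nil? || %w[http https].include?(uri.scheme)

  # URI.parse("//evil.example/x") yields host "evil.example" and path "/x";
  # keeping only the path discards the host either way. Collapsing leading
  # slashes also prevents a "//x" path that browsers would read as
  # protocol-relative.
  path = "/" + uri.path.to_s.sub(%r{\A/+}, "")
  path += "?#{uri.query}" if uri.query && !uri.query.empty?
  path
rescue URI::InvalidURIError
  fallback
end
```

In a controller this would be used as `redirect_to local_redirect_path(params[:return_to])`, with the fragment intentionally dropped.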
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow