glenux-contrib/metamaps--metamaps
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

brakeman csrf warning suppressed :|

Browse source
This commit is contained in:
Devin Howard 2017-02-11 20:00:42 -08:00
parent 4ee4aeaad2
commit 9dbbdf1150
1 changed files with 16 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
config/brakeman.ignore
View file

@ -1,24 +1,24 @@
{
"ignored_warnings": [
{
"warning_type": "Cross Site Scripting",
"warning_code": 2,
"fingerprint": "88694dca0bcc2226859746f9ed40cc682d6e5eaec1e73f2be557770a854ede0b",
"message": "Unescaped model attribute",
"file": "app/views/notifications/show.html.erb",
"line": 7,
"link": "http://brakemanscanner.org/docs/warning_types/cross_site_scripting",
"code": "current_user.mailbox.notifications.find_by(:id => params[:id]).body",
"render_path": [{"type":"controller","class":"NotificationsController","method":"show","line":24,"file":"app/controllers/notifications_controller.rb"}],
"warning_type": "Cross-Site Request Forgery",
"warning_code": 7,
"fingerprint": "59d73ce0b791aa7ed532510c780235a8b23f7cd1246dbf9da258e36f5d1e2b0a",
"message": "'protect_from_forgery' should be called in Api::V2::RestfulController",
"file": "app/controllers/api/v2/restful_controller.rb",
"line": 4,
"link": "http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery/",
"code": null,
"render_path": null,
"location": {
"type": "template",
"template": "notifications/show"
"type": "controller",
"controller": "Api::V2::RestfulController"
},
"user_input": "current_user.mailbox.notifications",
"confidence": "Weak",
"note": ""
"user_input": null,
"confidence": "High",
"note": "Cookie-based auth is disabled for the API except for the tokens endpoint. We're hoping this is sufficiently secure, because CSRF-forged links might get clicked on another site, but the generated tokens won't go back to the attacker. Also, an attacker would need a token to delete it, which means they've got access at that point anyways. - Devin, Feb 2017"
}
],
"updated": "2016-11-29 13:01:34 -0500",
"brakeman_version": "3.4.0"
"updated": "2017-02-11 20:00:09 -0800",
"brakeman_version": "3.4.1"
}