I have come across this warning:

"Parameter value used in file name"

I read the documentation here:
http://brakemanscanner.org/docs/warning_types/file_access/

But I'm not sure how to go about making this more secure.

Code looks like this:

  # @thing is loaded from the route id before these actions run
  before_filter :load_thing, only: [:show, :edit, :update, :destroy]

  def show
    # streams the stored file back with the name recorded on the model
    send_file @thing.file.path,
      disposition: :inline,
      filename: @thing.file_name
  end
...
  private

  def load_thing
    # params[:id] is only used to look the record up within @widget's scope
    @thing = @widget.stuffs.find params[:id]
  end

My thoughts are that since a private method is where @thing is determined
from the params, it would not be possible to access a file maliciously.

I am thinking of adding an object in brakeman.ignore for this, but if there is
a preferred way to resolve this warning, any feedback would be appreciated.

Thanks,
Vasanth
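The check Brakeman is asking for, as an added example that is not from the post above or from Brakeman itself: before send_file, confirm the stored path still resolves under the upload directory, and reduce the download name to a bare file name. UPLOAD_ROOT, the Thing struct and the sample records are assumptions constructed for this example; in the real action the record would come from @widget.stuffs.find(params[:id]).

```ruby
UPLOAD_ROOT = '/srv/app/uploads'.freeze  # assumption: where stored files live

# Returns the absolute path if it lies strictly under root, otherwise nil.
# File.expand_path collapses "." and ".." segments, so any traversal in the
# stored value is resolved before the prefix comparison is made.
def contained_path(root, candidate)
  root_abs = File.expand_path(root)
  full = File.expand_path(candidate, root_abs)
  prefix = root_abs + File::SEPARATOR
  full.start_with?(prefix) ? full : nil
end

# Strip directory components from the user-visible download name so the
# Content-Disposition header only ever carries a bare file name.
def download_name(name)
  base = File.basename(name.to_s)
  base.empty? || base == '.' || base == '..' ? 'download' : base
end

# Constructed stand-in for the @thing record in the post.
Thing = Struct.new(:file_path, :file_name)

# What the show action would hand to send_file: [path, filename] when the
# stored path is inside UPLOAD_ROOT, or nil when it must be refused (404).
def serve_args(thing)
  path = contained_path(UPLOAD_ROOT, thing.file_path)
  return nil unless path
  [path, download_name(thing.file_name)]
end

if __FILE__ == $PROGRAM_NAME
  ok = Thing.new('/srv/app/uploads/42/report.pdf', 'report.pdf')
  bad = Thing.new('/srv/app/uploads/42/../../../etc/passwd', '../x')
  p serve_args(ok)   # => ["/srv/app/uploads/42/report.pdf", "report.pdf"]
  p serve_args(bad)  # => nil
end
```

In the controller, a nil result would map to a 404 rather than a send_file call, and the check also guards against a stored path that was corrupted by an import or mass-assignment bug rather than by params[:id] alone.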
