Re: [brakeman] Parameter value used in file name Question

2014-11-20 Thread Justin Collins
Hi Vasanth,

There is no preferred way to resolve this such that Brakeman won't warn 
about it. If you are satisfied that your code does not allow access to 
files it shouldn't, then adding to brakeman.ignore is an acceptable 
approach.

Thanks,
Justin

On 11/19/2014 10:35 AM, Vasanth Pappu wrote:
> I have come across this warning:
>
> "Parameter value used in file name"
>
> I read the documentation here:
> http://brakemanscanner.org/docs/warning_types/file_access/
>
> But I'm not sure how to go about making this more secure.
>
> Code looks like this:
>
>   before_filter :load_thing, only: [:show, :edit, :update, :destroy]
>
>   def show
>     send_file @thing.file.path,
>       disposition: :inline,
>       filename: @thing.file_name
>   end
> ...
>   private
>
>   def load_thing
>     @thing = @widget.stuffs.find params[:id]
>   end
>
> My thoughts are that since a private method is where @thing is
> determined from the params, it would not be possible to access a
> file maliciously.
>
> I am thinking to add an object in brakeman.ignore for this, but if there
> is a preferred way to resolve this warning, any feedback would be
> appreciated.
>
> Thanks,
> Vasanth
>



[brakeman] Parameter value used in file name Question

2014-11-19 Thread Vasanth Pappu
I have come across this warning:

"Parameter value used in file name"

I read the documentation here:
http://brakemanscanner.org/docs/warning_types/file_access/

But I'm not sure how to go about making this more secure.

Code looks like this:

  before_filter :load_thing, only: [:show, :edit, :update, :destroy]

  def show
    send_file @thing.file.path,
      disposition: :inline,
      filename: @thing.file_name
  end
...
  private

  def load_thing
    @thing = @widget.stuffs.find params[:id]
  end

My thoughts are that since a private method is where @thing is determined
from the params, it would not be possible to access a file maliciously.

I am thinking to add an object in brakeman.ignore for this, but if there is
a preferred way to resolve this warning, any feedback would be appreciated.

Thanks,
Vasanth
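As an added illustration (example code, not from the thread or from Brakeman), the two things that keep this controller pattern safe: the lookup is scoped through the parent widget's association, as in load_thing, and the path stored on the record is checked to resolve underneath the upload root before it is handed to send_file. The Widget/Stuff structs, the /srv/uploads root and the record data are constructed stand-ins for the ActiveRecord objects in the question.

```ruby
# Constructed stand-ins for the models in the thread: a Widget owns many
# Stuffs, each carrying a stored (relative) file path and a display name.
Stuff  = Struct.new(:id, :file_path, :file_name)
Widget = Struct.new(:id, :stuffs)

class NotFound < StandardError; end
class UnsafePath < StandardError; end

# Mirrors load_thing: resolve the id only through the parent widget's
# collection, so an id belonging to another widget is never found.
def find_scoped(widget, id)
  widget.stuffs.find { |s| s.id.to_s == id.to_s } or
    raise NotFound, "stuff #{id} not in widget #{widget.id}"
end

# Extra guard before send_file: the stored path must resolve inside the
# upload root. Checking with a trailing separator also rejects siblings
# such as /srv/uploads_other. For a deployed check prefer File.realpath,
# which additionally resolves symlinks but requires the file to exist.
def safe_file_path(stored_path, root)
  root_full = File.expand_path(root)
  full = File.expand_path(stored_path, root_full)
  raise UnsafePath, stored_path unless full.start_with?(root_full + File::SEPARATOR)
  full
end

# What `show` would pass to send_file for the given widget and params[:id].
def file_for_show(widget, id, root)
  thing = find_scoped(widget, id)
  { path: safe_file_path(thing.file_path, root), filename: thing.file_name }
end

# Constructed sample data: one well-formed record and one whose stored path
# escapes the upload root.
SAMPLE_WIDGET = Widget.new(1, [
  Stuff.new(7, "7/report.pdf", "report.pdf"),
  Stuff.new(8, "../../etc/passwd", "passwd"),
])

if $PROGRAM_NAME == __FILE__
  p file_for_show(SAMPLE_WIDGET, "7", "/srv/uploads")
  [["9", NotFound], ["8", UnsafePath]].each do |id, err|
    begin
      file_for_show(SAMPLE_WIDGET, id, "/srv/uploads")
    rescue err => e
      puts "id #{id}: rejected (#{e.class})"
    end
  end
end
```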