ruby-on-rails - Brakeman:文件名警告中使用的模型属性

Question

我将文件名设置为“abc_1.pdf”，其中“1”是模型属性的值。但是 brakeman 扫描仪将此视为安全问题。我需要通过引用具有模型属性的文件名来跟踪文件。能否请您告诉我，解决此安全问题的正确方法是什么？

谢谢。

Answer 1

查看答案 here由 gem 所有者

Brakeman assumes any information in the database is potentially dangerous. This may not be true - perhaps in your application the value used in the file name cannot be set by the user. Also, it may be that your application makes sure to sanitize or restrict the value, which Brakeman cannot know about. Brakeman can only produce warnings about potentially dangerous code, which means there will always be some false positives.

As far as I know, there is no standard way to safely access files from Rails when using untrusted input. Dangerous values include "." and "/" which can be used for directory traversal attacks.

I am afraid I cannot tell you how to fix this issue because it depends on your application and you will have to determine if it is actually an exploitable vulnerability or not. Sorry!

我想这意味着如果您对自己的代码有把握，请将此警告添加到忽略文件