Configure brakeman to ignore url safe preview card urls (#25883)

2023-10-20 09:32:16 -04:00
parent 13688539bc
commit ab0fb81479
5 changed files with 27 additions and 40 deletions
--- a/app/helpers/formatting_helper.rb
+++ b/app/helpers/formatting_helper.rb
@@ -9,6 +9,10 @@ module FormattingHelper
    TextFormatter.new(text, options).to_s
  end
  def url_for_preview_card(preview_card)
    preview_card.url
  end
  def extract_status_plain_text(status)
    PlainTextFormatter.new(status.text, status.local?).to_s
  end
--- a/app/views/admin/trends/links/_preview_card.html.haml
+++ b/app/views/admin/trends/links/_preview_card.html.haml
@@ -4,7 +4,7 @@
  .batch-table__row__content.pending-account
    .pending-account__header
-      = link_to preview_card.title, preview_card.url
+      = link_to preview_card.title, url_for_preview_card(preview_card)
      %br/
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@@ -1,39 +0,0 @@
 {
  "ignored_warnings": [
    {
      "warning_type": "Cross-Site Scripting",
      "warning_code": 4,
      "fingerprint": "cd5cfd7f40037fbfa753e494d7129df16e358bfc43ef0da3febafbf4ee1ed3ac",
      "check_name": "LinkToHref",
      "message": "Potentially unsafe model attribute in `link_to` href",
      "file": "app/views/admin/trends/links/_preview_card.html.haml",
      "line": 7,
      "link": "https://brakemanscanner.org/docs/warning_types/link_to_href",
      "code": "link_to((Unresolved Model).new.title, (Unresolved Model).new.url)",
      "render_path": [
        {
          "type": "template",
          "name": "admin/trends/links/index",
          "line": 49,
          "file": "app/views/admin/trends/links/index.html.haml",
          "rendered": {
            "name": "admin/trends/links/_preview_card",
            "file": "app/views/admin/trends/links/_preview_card.html.haml"
          }
        }
      ],
      "location": {
        "type": "template",
        "template": "admin/trends/links/_preview_card"
      },
      "user_input": "(Unresolved Model).new.url",
      "confidence": "Weak",
      "cwe_id": [
        79
      ],
      "note": ""
    }
  ],
  "updated": "2023-07-12 11:20:51 -0400",
  "brakeman_version": "6.0.0"
 }
--- a/config/brakeman.yml
+++ b/config/brakeman.yml
@@ -1,3 +1,5 @@
 ---
 :skip_checks:
  - CheckPermitAttributes
 :url_safe_methods:
  - url_for_preview_card
--- a/spec/views/admin/trends/links/_preview_card.html.haml_spec.rb
+++ b/spec/views/admin/trends/links/_preview_card.html.haml_spec.rb
@@ -0,0 +1,20 @@
 # frozen_string_literal: true
 require 'rails_helper'
 describe 'admin/trends/links/_preview_card.html.haml' do
  it 'correctly escapes user supplied url values' do
    form = instance_double(ActionView::Helpers::FormHelper, check_box: nil)
    trend = PreviewCardTrend.new(allowed: false)
    preview_card = Fabricate.build(
      :preview_card,
      url: 'https://host.example/path?query=<script>',
      trend: trend,
      title: 'Fun'
    )
    render partial: 'admin/trends/links/preview_card', locals: { preview_card: preview_card, f: form }
    expect(rendered).to include('<a href="https://host.example/path?query=&lt;script&gt;">Fun</a>')
  end
 end