Class: Brakeman::CheckRedirect
In: lib/brakeman/checks/check_redirect.rb
Parent: Brakeman::BaseCheck
Reports any call to redirect_to whose arguments include user input (request parameters). For example:
redirect_to params.merge(:action => :elsewhere)
DANGEROUS_KEYS = [:host, :subdomain, :domain, :port]
These are the url_for option keys that decide which host the generated URL points at, so user input flowing into any of them can send the redirect off-site.
Custom check for user input. It first looks at whether the user input is output directly (as the argument itself) rather than only as an argument to some other method call. This is necessary because tracker.options[:check_arguments] can enable or disable reporting of method calls that merely take user input as arguments, and the redirect check should still fire when the input reaches redirect_to directly.
Checks the redirect_to arguments for only_path => true, which essentially nullifies the danger posed by redirecting with user input: Rails then generates a path on the current host, so the target cannot be an external site. Note that only_path is honoured only when the first argument is a url_for-style hash; written after a String or a bare params value it is just a response option and does not prevent an off-site redirect.
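The rules described on this page (report redirect_to with user input, treat only_path => true in a url_for-style hash as safe, and call out user input in a DANGEROUS_KEYS option) as an added, stand-alone illustration. This is not Brakeman's implementation: it parses with the stdlib Ripper rather than ruby_parser, and it assumes that only params, request and cookies count as user-input sources. The sample controller at the bottom is constructed for the example.

```ruby
# Added illustration of the redirect check rules; not Brakeman's code.
# Uses stdlib Ripper (Brakeman uses ruby_parser) and assumes that only
# `params`, `request` and `cookies` are user-input sources.
require "ripper"

module RedirectScan
  USER_INPUT     = %w[params request cookies].freeze
  DANGEROUS_KEYS = %w[host subdomain domain port].freeze

  module_function

  # Depth-first walk over a Ripper S-expression, yielding every node
  # (a node is an Array whose first element is a Symbol).
  def each_node(sexp, &blk)
    return unless sexp.is_a?(Array)
    yield sexp if sexp.first.is_a?(Symbol)
    sexp.each { |child| each_node(child, &blk) }
  end

  def ident?(node, names)
    node.is_a?(Array) && node[0] == :@ident && names.include?(node[1])
  end

  # True when the subtree reads from a user-controlled source.
  def user_input?(sexp)
    each_node(sexp) do |n|
      return true if %i[vcall var_ref].include?(n[0]) && ident?(n[1], USER_INPUT)
    end
    false
  end

  # Every redirect_to call as [name_token, args], covering both
  # `redirect_to foo` (:command) and `redirect_to(foo)` (:method_add_arg).
  def redirect_calls(sexp)
    calls = []
    each_node(sexp) do |n|
      if n[0] == :command && ident?(n[1], %w[redirect_to])
        calls << [n[1], n[2]]
      elsif n[0] == :method_add_arg && n[1][0] == :fcall && ident?(n[1][1], %w[redirect_to])
        calls << [n[1][1], n[2]]
      end
    end
    calls
  end

  # First positional argument of the call, or nil when there is none.
  def first_arg(args)
    args = args[1] if args.is_a?(Array) && args[0] == :arg_paren
    return nil unless args.is_a?(Array) && args[0] == :args_add_block
    args[1].first
  end

  # Top-level key/value pairs when +arg+ is a hash literal (braces or bare).
  def pairs(arg)
    return [] unless arg.is_a?(Array)
    list = case arg[0]
           when :bare_assoc_hash then arg[1]
           when :hash            then arg[1] ? arg[1][1] : []
           else []
           end
    list.select { |a| a[0] == :assoc_new }
  end

  # Key name of a `key: value` or `:key => value` pair; nil for other key kinds.
  def assoc_key(assoc)
    k = assoc[1]
    case k[0]
    when :@label         then k[1].chomp(":")
    when :symbol_literal then k[1][1][1]
    end
  end

  def true_literal?(node)
    node.is_a?(Array) && node[0] == :var_ref && node[1][0] == :@kw && node[1][1] == "true"
  end

  # only_path is honoured only when redirect_to receives a url_for-style hash;
  # next to a String or params value it is an ignored response option, so
  # pairs() of a non-hash argument is empty and this returns false.
  def only_path?(arg)
    pairs(arg).any? { |a| assoc_key(a) == "only_path" && true_literal?(a[2]) }
  end

  # Scan Ruby source; returns one [line, message] per risky redirect_to.
  def scan(source)
    tree = Ripper.sexp(source) or raise ArgumentError, "syntax error in source"
    redirect_calls(tree).filter_map do |name, args|
      arg = first_arg(args)
      next if arg.nil? || !user_input?(arg) || only_path?(arg)
      key = pairs(arg).find { |a| DANGEROUS_KEYS.include?(assoc_key(a)) && user_input?(a[2]) }
      [name[2][0], key ? "user input in :#{assoc_key(key)} option" : "user input in redirect_to"]
    end
  end
end

# Constructed sample controller for the example (not from the page).
SAMPLE = <<~RUBY
  class RedirectsController < ApplicationController
    def a; redirect_to params.merge(:action => :elsewhere); end     # reported
    def b; redirect_to params[:url], only_path: true; end            # still reported: only_path ignored here
    def c; redirect_to controller: :home, host: params[:host]; end   # reported, names :host
    def d; redirect_to action: params[:a], only_path: true; end      # not reported: path on current host
    def e; redirect_to root_path; end                                # not reported
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  RedirectScan.scan(SAMPLE).each { |line, msg| puts "line #{line}: #{msg}" }
end
```

Running the file prints findings for lines 2, 3 and 4 of the sample only; line 5 is skipped because only_path => true sits in the hash that redirect_to hands to url_for, while line 3 is still reported because its only_path is a response option attached to a String argument and has no effect on the destination.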