Class Brakeman::CheckRedirect
In: lib/brakeman/checks/check_redirect.rb
Parent: Brakeman::BaseCheck

Reports any call to redirect_to whose arguments include request parameters (or other user input), since a user-controlled redirect target lets an attacker send the browser to a host of their choosing (an open redirect).

For example:

 redirect_to params.merge(:action => :elsewhere)

Methods

association?, check_url_for, decorated_model?, friendly_model?, include_user_input?, model_instance?, only_path?

Constants

DANGEROUS_KEYS = [:host, :subdomain, :domain, :port]

The url_for option keys that decide which host the generated URL points to. A redirect argument that sets one of these explicitly is treated differently from one that only names a controller, action or path.

Public Instance methods

association?(model_name, meth)

Check whether meth is actually an association defined on the model model_name, rather than a finder returning user-controlled data.

check_url_for(call)

url_for is only_path => true by default. This checks whether a url_for call passed to redirect_to sets only_path => false for some reason, which would re-enable off-host redirects.

decorated_model?(exp)

Returns true if exp is (probably) a decorated model instance using the Draper gem.

friendly_model?(exp)

Returns true if exp is (probably) a friendly model instance using the FriendlyId gem.

include_user_input?(call, ignore_calls = false)

Custom check for user input. First looks to see whether the user input is being used directly as the redirect target. This is necessary because of tracker.options[:check_arguments], which can be used to enable or disable reporting of method calls that use user input as arguments; a redirect whose target is user input still has to be caught when that option is off.

model_instance?(exp)

Returns true if exp is (probably) a model instance.

only_path?(call)

Checks redirect_to arguments for only_path => true. With that option the generated URL is a bare path on the current host, which removes the danger of redirecting with user input in the other arguments.
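The rules documented above for include_user_input?, only_path?, check_url_for and DANGEROUS_KEYS, as an added runtime model. This is example code, not Brakeman's own: Brakeman applies these rules to parsed Ruby (Sexp nodes) without executing anything, whereas this sketch applies them to plain Ruby values. The names UserInput, UrlForCall and dangerous_redirect? are invented for the example, and reading a literal DANGEROUS_KEYS value as pinning the destination host is an assumption made here.

```ruby
# Added example: a runtime model of the exemption rules documented for
# Brakeman::CheckRedirect. Not Brakeman's code; Brakeman works on Sexp nodes
# statically, this sketch works on ordinary Ruby values. UserInput, UrlForCall
# and dangerous_redirect? are names made up for the example.

DANGEROUS_KEYS = [:host, :subdomain, :domain, :port]

# Marks a value that came from the request (params, cookies, request.*).
# :source is only a label to make the samples readable.
UserInput = Struct.new(:source, keyword_init: false)

# Stands in for a url_for(arg) call used as the redirect_to argument.
UrlForCall = Struct.new(:arg, keyword_init: false)

# True if +value+ is, or contains, request-derived data.
def user_input?(value)
  case value
  when UserInput  then true
  when Hash       then value.values.any? { |v| user_input?(v) }
  when Array      then value.any? { |v| user_input?(v) }
  when UrlForCall then user_input?(value.arg)
  else false
  end
end

# only_path => true makes url_for emit a bare path, so user-controlled
# host/port options cannot send the browser off-site.
def only_path?(arg)
  case arg
  when Hash
    arg[:only_path] == true
  when UrlForCall
    # url_for defaults to only_path => true; the redirect is exposed only
    # when the caller explicitly passes only_path => false.
    !(arg.arg.is_a?(Hash) && arg.arg[:only_path] == false)
  else
    false
  end
end

# A literal value for one of DANGEROUS_KEYS pins the destination host
# (assumption of this example). A host key whose value is itself user
# input pins nothing.
def explicit_host?(arg)
  case arg
  when Hash
    DANGEROUS_KEYS.any? { |key| arg.key?(key) && !user_input?(arg[key]) }
  when UrlForCall
    explicit_host?(arg.arg)
  else
    false
  end
end

# The decision for one redirect_to argument: report it only when neither
# exemption applies and user input reaches the argument.
def dangerous_redirect?(arg)
  return false if only_path?(arg)
  return false if explicit_host?(arg)
  user_input?(arg)
end

if __FILE__ == $0
  # Constructed redirect_to arguments, keyed by the Rails code they model.
  samples = {
    "redirect_to params.merge(action: :elsewhere)" =>
      UserInput.new("params"),
    "redirect_to action: :show, id: params[:id], only_path: true" =>
      { action: :show, id: UserInput.new("params[:id]"), only_path: true },
    "redirect_to host: params[:host], action: :index" =>
      { host: UserInput.new("params[:host]"), action: :index },
    "redirect_to host: 'example.com', path: params[:p]" =>
      { host: "example.com", path: UserInput.new("params[:p]") },
    "redirect_to url_for(action: :index, id: params[:id])" =>
      UrlForCall.new({ action: :index, id: UserInput.new("params[:id]") }),
    "redirect_to url_for(host: params[:h], only_path: false)" =>
      UrlForCall.new({ host: UserInput.new("params[:h]"), only_path: false }),
  }
  samples.each do |code, arg|
    puts "#{dangerous_redirect?(arg) ? 'REPORT' : 'ignore'}  #{code}"
  end
end
```

Note that the page's own example, redirect_to params.merge(:action => :elsewhere), is a method call on params rather than a hash literal, so an only_path => true added through merge is not visible as a hash key to a static check and the call is still reported; the fix is to pass only_path => true in a literal hash or to build the destination from a fixed route helper.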
