Amr*_*ngh 1 ruby ruby-on-rails brakeman
When I scan my code with the Brakeman tool, I get a warning. It says there is an unscoped call for the following query:
@applicant = Applicant.find(params[:id])
Here is the actual error message:
+------------+----------------------+---------+---------------+-----------------------------------------------------------------------------------------------------------------------------------------+
| Confidence | Class | Method | Warning Type | Message |
+------------+----------------------+---------+---------------+-----------------------------------------------------------------------------------------------------------------------------------------+
| Weak | ApplicantsController | show | Unscoped Find | Unscoped call to Applicant#find near line 25: Applicant.find(+params[:id]+) | |
+------------+----------------------+---------+---------------+-----------------------------------------------------------------------------------------------------------------------------------------+
But when I replace the query above with the one below, it is fine:
@applicant = Applicant.where("id = ?", params[:id]).first
I don't understand what is wrong with the first query.
Brakeman is just warning you that you are querying the whole applicants table instead of querying under another model, such as current_tenant.applicants.find.... From Brakeman's documentation:
Unscoped calls to find (and related methods) are a form of direct object reference. Models that belong to another model should usually be accessed through a scoped query.
For example, if an account belongs to a user, this may be an unsafe unscoped find:
Account.find(params[:id])
Depending on the action, this could allow an attacker to access any account they wish.
Instead, it should be scoped to the currently logged-in user:
current_user = User.find(session[:user_id])
current_user.accounts.find(params[:id])
If this is the behavior you want, you can configure Brakeman to ignore this warning as a false positive. To do so, run brakeman with the -I flag (or --interactive-ignore). Follow the instructions for ignoring false positives to step through all warnings, and add this specific warning to your ignore file.
In short:
$ brakeman -I
Input file: |config/brakeman.ignore|
# press Enter to accept the default ignore file
No such file. Continue with empty config?
# press Enter to create the file
>
1. Inspect all warnings
2. Hide previously ignored warnings
3. Skip - use current ignore configuration
# press 2 to step through all warnings, skipping previously ignored
# Brakeman will now step through each warning, prompting you to for each one.
# Press i to add this warning to the ignore list.
# When finished, Brakeman will ask you what to do.
# Press 1 to save changes to the ignore file.
The next time you run Brakeman, this warning should not appear.
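The following is an added example, not code from the question, the answer, or Brakeman itself. It models the direct-object-reference problem behind the "Unscoped Find" warning with plain Ruby objects so it runs without Rails: an in-memory Account table, a User with a scoped accounts association, and two controller-style actions. The Account, User, AccountScope and RecordNotFound classes, the sample rows, and the params hashes are all constructed for the example. Note that the where("id = ?", params[:id]).first form from the question reads the whole table just like find does; it only escapes the warning because Brakeman's check pattern-matches on find, so the scoping fix applies to it equally.

```ruby
# Added example: unscoped vs. scoped lookup, modelled without Rails.
# All classes and data below are constructed for this demonstration.

class RecordNotFound < StandardError; end

# Stand-in for an ActiveRecord model backed by a single table.
class Account
  ALL = [] # constructed in-memory "accounts" table

  attr_reader :id, :user_id, :balance

  def initialize(id, user_id, balance)
    @id, @user_id, @balance = id, user_id, balance
    ALL << self
  end

  # Unscoped find: searches every row, regardless of who owns it.
  # This is the shape Brakeman reports as "Unscoped call to Account#find".
  def self.find(id)
    ALL.find { |a| a.id == Integer(id) } or
      raise RecordNotFound, "Couldn't find Account with id=#{id}"
  end
end

# Stand-in for a has_many :accounts association that only sees the
# owner's rows; its find cannot return another user's account.
class AccountScope
  def initialize(user)
    @user = user
  end

  def find(id)
    Account::ALL.find { |a| a.user_id == @user.id && a.id == Integer(id) } or
      raise RecordNotFound,
            "Couldn't find Account with id=#{id} for User #{@user.id}"
  end
end

class User
  attr_reader :id

  def initialize(id)
    @id = id
  end

  def accounts
    AccountScope.new(self)
  end
end

# Constructed sample rows: account 1 belongs to user 10, account 2 to user 20.
Account.new(1, 10, 500)
Account.new(2, 20, 9_000)

# Controller-style "show" action as the question wrote it: any authenticated
# user can read any account simply by changing params[:id].
def unscoped_show(params)
  Account.find(params[:id]).balance
end

# The scoped form from the Brakeman documentation: the lookup is confined to
# the current user's own accounts, so a foreign id raises instead of leaking.
def scoped_show(current_user, params)
  current_user.accounts.find(params[:id]).balance
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(10)
  puts "unscoped, foreign id: #{unscoped_show(id: '2')}"      # leaks user 20's balance
  puts "scoped, own id:       #{scoped_show(alice, id: '1')}"
  begin
    scoped_show(alice, id: '2')
  rescue RecordNotFound => e
    puts "scoped, foreign id:  #{e.message}"
  end
end
```

The behavioural difference is the whole point of the warning: both versions return the right row for the owner's own id, but only the scoped version refuses an id belonging to someone else. When reviewing a Brakeman report, the question to ask for each flagged find is whether the record has an owner; if it does, reach it through the owner's association rather than suppressing the warning.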