Description
Context
After adding brakeman for static security vulnerability analysis, I noticed the latest avo-dashboards version (3.15.7) raises a weak warning in 3 places:
== Warnings ==
Confidence: Weak
Category: Dynamic Render Path
Check: Render
Message: Render path contains parameter value
Code: render(action => Avo::TurboFrameWrapperComponent.new(params[:turbo_frame]), {})
File: ../usr/local/bundle/gems/avo-dashboards-3.15.7/app/views/avo/dashboards/cards/chartkick_missing.html.erb
Line: 1
Confidence: Weak
Category: Dynamic Render Path
Check: Render
Message: Render path contains parameter value
Code: render(action => Avo::TurboFrameWrapperComponent.new(params[:turbo_frame]), {})
File: ../usr/local/bundle/gems/avo-dashboards-3.15.7/app/views/avo/dashboards/cards/show.html.erb
Line: 1
Confidence: Weak
Category: Dynamic Render Path
Check: Render
Message: Render path contains parameter value
Code: render(action => Avo::PanelComponent.new(:name => Avo::Dashboards.dashboard_manager.get_dashboard_by_id(params[:id]).name, :description => Avo::Dashboards.dashboard_manager.get_dashboard_by_id(params[:id]).description), {})
File: ../usr/local/bundle/gems/avo-dashboards-3.15.7/app/views/avo/dashboards/dashboards/show.html.erb
Line: 1
I think this can be remedied by using strong parameters:
def dashboard_id
  params.permit(:id)[:id]
end
# ...
render(action => Avo::PanelComponent.new(:name => Avo::Dashboards.dashboard_manager.get_dashboard_by_id(dashboard_id).name, :description => Avo::Dashboards.dashboard_manager.get_dashboard_by_id(dashboard_id).description))
System configuration
Avo version: 3.15.7
Rails version: 8.0.1
Ruby version: 3.3.4
License type
- Community
- Pro
- Advanced
Are you using Avo monkey patches, overriding views or view components?
- Yes. If so, please post code samples.
- No
Screenshots or screen recordings
N/A
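Value-level handling of the two parameters named in the warnings above, as an added example in plain Ruby (not Avo's own code, and not the reporter's snippet). `params.permit` selects which keys are accepted; the example additionally checks the `turbo_frame` value against a DOM-id pattern and resolves `id` only through a registry of known dashboards. `TURBO_FRAME_ID`, `DASHBOARDS`, `DashboardNotFound` and the three functions are hypothetical names, and `DASHBOARDS` is a constructed stand-in for `Avo::Dashboards.dashboard_manager`.

```ruby
# Added example, not Avo's code: value-level checks for the two request
# parameters from the Brakeman warnings, written so it runs outside Rails.
# Names below (TURBO_FRAME_ID, DASHBOARDS, DashboardNotFound) are hypothetical.

# Turbo frame ids end up as DOM ids, so accept only a conservative charset.
TURBO_FRAME_ID = /\A[A-Za-z0-9_-]{1,64}\z/

# Constructed stand-in for Avo::Dashboards.dashboard_manager: the registry of
# known dashboards doubles as the allowlist for params[:id].
DASHBOARDS = {
  "sales"   => { name: "Sales",   description: "Revenue by month" },
  "traffic" => { name: "Traffic", description: "Page views" }
}.freeze

class DashboardNotFound < StandardError; end

# Returns the frame id when present and well-formed, nil when absent, and
# nil (never the raw string) when malformed, so nothing untrusted reaches
# the wrapper component.
def safe_turbo_frame(raw)
  value = raw.to_s
  return nil if value.empty?
  value.match?(TURBO_FRAME_ID) ? value : nil
end

# Resolve the id through the registry only; an unknown or tampered id never
# yields an object, it raises instead of reaching the view.
def find_dashboard(raw_id)
  DASHBOARDS.fetch(raw_id.to_s) { raise DashboardNotFound, "unknown dashboard" }
end

# Builds the arguments a view would hand to PanelComponent and
# TurboFrameWrapperComponent, from a params-like Hash with string keys.
def render_args(params)
  dashboard = find_dashboard(params["id"])
  {
    turbo_frame: safe_turbo_frame(params["turbo_frame"]),
    name:        dashboard[:name],
    description: dashboard[:description]
  }
end

if __FILE__ == $PROGRAM_NAME
  p render_args("id" => "sales", "turbo_frame" => "dashboard_sales")
  p render_args("id" => "sales", "turbo_frame" => "<img src=x>")
end
```

In a controller the same shape is a `before_action` that calls `find_dashboard` and stores the result, so the view receives an already-validated object rather than re-reading `params[:id]` twice.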