Class: RuboCop::Cop::GitlabSecurity::RedirectToParamsUpdate
- Inherits: Base
  - Object
  - Base
  - RuboCop::Cop::GitlabSecurity::RedirectToParamsUpdate
- Defined in:
- lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb
Overview
Check for use of redirect_to(params.update()) (and the equivalent redirect_to(params.merge())).
Passing the raw request params to redirect_to provides an open redirect: redirect_to builds the target URL from the options hash it is given, and keys such as `host` are honoured, so a user who appends them to the query string can send the browser to an arbitrary site. Only an explicit allowlist of known keys should ever reach redirect_to.
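As an added illustration (not part of the cop's own documentation or of the gitlab-styles code base): a plain-Ruby model of why the flagged pattern is an open redirect, and the allowlisted form the offense message asks for. `toy_url_for` is a simplified stand-in for Rails' `url_for` that reproduces only the relevant behaviour (honouring `host` and `protocol` keys in the options hash); `ATTACKER_PARAMS`, `ALLOWED_REDIRECT_KEYS`, `DEFAULT_HOST` and the helper names are assumptions made for this example, and the request is constructed inline.

```ruby
require 'uri'

# Assumed application host for the example.
DEFAULT_HOST = 'gitlab.example'.freeze

# Toy stand-in for Rails' url_for (assumption for this example: the real helper
# also does routing, but like this one it honours :host and :protocol, which is
# exactly what makes user-controlled params dangerous).
def toy_url_for(options)
  opts = options.transform_keys(&:to_sym)
  host       = opts.delete(:host)     || DEFAULT_HOST
  protocol   = opts.delete(:protocol) || 'https'
  controller = opts.delete(:controller)
  action     = opts.delete(:action)
  query = URI.encode_www_form(opts.sort_by { |k, _| k.to_s })
  path = "/#{controller}/#{action}"
  path += "?#{query}" unless query.empty?
  "#{protocol}://#{host}#{path}"
end

# What the cop flags: the whole request params hash, including anything the
# attacker appended to the query string, is handed to the redirect.
# `params.merge(page: 2)` is matched by the cop too and is equally bad.
def vulnerable_redirect(params)
  toy_url_for(params.update(page: 2))
end

# Hardened form: only an explicit allowlist of keys survives, so an injected
# `host`/`protocol` key is dropped before the URL is built. In a Rails
# controller the same effect comes from slicing or permitting known keys.
ALLOWED_REDIRECT_KEYS = %i[controller action sort].freeze

def safe_redirect(params)
  allowed = params.transform_keys(&:to_sym).slice(*ALLOWED_REDIRECT_KEYS)
  toy_url_for(allowed.merge(page: 2))
end

# Constructed sample request: a legitimate sort param plus attacker-supplied
# host and protocol keys (e.g. ?sort=created_desc&host=evil.example&protocol=http).
ATTACKER_PARAMS = {
  'controller' => 'issues', 'action' => 'index', 'sort' => 'created_desc',
  'host' => 'evil.example', 'protocol' => 'http'
}.freeze

# True when the redirect target leaves the application host.
def offsite?(url)
  URI.parse(url).host != DEFAULT_HOST
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{vulnerable_redirect(ATTACKER_PARAMS.dup)}"
  puts "hardened:   #{safe_redirect(ATTACKER_PARAMS.dup)}"
end
```

Running the file prints the off-site URL produced by the flagged pattern next to the on-site URL produced by the allowlisted form; the only difference between the two is which keys of the request are allowed to reach the URL builder.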
Constant Summary
- MSG =
  'Avoid using `redirect_to(params.%<name>s(...))`. ' \
  'Only pass allowed arguments into redirect_to() (e.g. not including `host`)'
Instance Method Summary
Instance Method Details
#on_send(node) ⇒ Object

  # File 'lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb', line 27
  def on_send(node)
    # Match redirect_to(params.update(...)) / redirect_to(params.merge(...));
    # the matcher returns the offending argument node and the method name.
    selected, name = redirect_to_params_update_node(node)
    return unless name

    message = format(MSG, name: name)
    add_offense(selected, message: message)
  end
#redirect_to_params_update_node(node) ⇒ Object

  # File 'lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb', line 23
  def_node_matcher :redirect_to_params_update_node, <<-PATTERN
    (send nil? :redirect_to $(send (send nil? :params) ${:update :merge} ...))
  PATTERN