Class: RuboCop::Cop::GitlabSecurity::RedirectToParamsUpdate

Inherits: Cop < Object
Defined in: lib/rubocop/cop/gitlab-security/redirect_to_params_update.rb

Overview

Checks for use of redirect_to(params.update()).

Passing user-controlled params straight to redirect_to creates an open redirect: the request can carry URL-building options (such as `host`) that decide where the user is sent.

Examples:

# bad
redirect_to(params.update(action: 'main'))

# good
redirect_to(whitelist(params))
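An added example (not the cop's or GitLab's own code) showing what the bad and good forms above amount to: plain Hashes with symbol keys stand in for Rails params, `unsafe_redirect_options` reproduces the flagged form, `whitelist` the accepted one, and `open_redirect?` checks whether an options hash still carries a URL-building key. The key lists and the sample params are assumptions made for the example.

```ruby
# Added example (not the cop's source): why the flagged pattern is an open
# redirect, and what a whitelist does about it. Plain Hashes with symbol keys
# stand in for ActionController::Parameters so this runs without Rails.

# URL-building options that Rails' url_for honours when they appear in the
# options hash given to redirect_to. If a request can inject any of these
# (`host` above all), the request decides where the user is sent.
URL_OPTION_KEYS = %i[host protocol port subdomain domain script_name
                     only_path anchor trailing_slash].freeze

# Keys a hypothetical controller is willing to carry over into the redirect.
ALLOWED_REDIRECT_KEYS = %i[controller action id page].freeze

# The "bad" form from the cop's docs: every request param, whatever the
# client sent, is merged into the redirect options.
def unsafe_redirect_options(params)
  params.update(action: 'main')
end

# The "good" form: keep only explicitly allowed keys before building options.
def whitelist(params)
  params.select { |key, _| ALLOWED_REDIRECT_KEYS.include?(key.to_sym) }
end

def safe_redirect_options(params)
  whitelist(params).merge(action: 'main')
end

# True when the options hash carries any key that would let url_for target a
# host, scheme or port other than the application's own.
def open_redirect?(options)
  options.keys.any? { |key| URL_OPTION_KEYS.include?(key.to_sym) }
end

# Constructed request params in which the client supplied `host` and
# `protocol` alongside the legitimate routing keys.
TAINTED_PARAMS = { controller: 'projects', id: '42',
                   host: 'external.example', protocol: 'https' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{unsafe_redirect_options(TAINTED_PARAMS.dup).inspect}"
  puts "safe:   #{safe_redirect_options(TAINTED_PARAMS.dup).inspect}"
end
```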

Constant Summary

MSG =
'Avoid using redirect_to(params.update()). Only pass whitelisted arguments into redirect_to() (e.g. not including `host`)'.freeze

Instance Method Summary

Instance Method Details

#on_send(node) ⇒ Object

# File 'lib/rubocop/cop/gitlab-security/redirect_to_params_update.rb', line 23

def on_send(node)
  # `redirect_to_params_update_node` is the cop's node matcher for
  # redirect_to(params.update(...)); it is defined in the same file but is not
  # shown on this page.
  return unless redirect_to_params_update_node(node)

  # Report the offense on the method selector (`redirect_to`) with MSG.
  add_offense(node, location: :selector)
end