Add a warning about dynamic template path

We manually validate this path https://github.com/alphagov/static/blob/67887c238ca848b61936836c1e2958b802542b9d/app/controllers/root_controller.rb#L26 to check that it doesn't contain slashes or underscores.
alphagov · Aug 3, 2018 · abdebd0 · abdebd0
1 parent 67887c2
commit abdebd0
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
@@ -0,0 +1,26 @@
+{
+  "ignored_warnings": [
+    {
+      "warning_type": "Dynamic Render Path",
+      "warning_code": 15,
+      "fingerprint": "0a4ebe31686d3a336e8746a0562a643ef742503fdf160807cf8ee2109f539609",
+      "check_name": "Render",
+      "message": "Render path contains parameter value",
+      "file": "app/controllers/root_controller.rb",
+      "line": 20,
+      "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
+      "code": "render(action => params[:template], { :layout => \"govuk_template\" })",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "RootController",
+        "method": "template"
+      },
+      "user_input": "params[:template]",
+      "confidence": "High",
+      "note": "We validate the parameter in validate_template_param to check it contains no slashes or underscores."
+    }
+  ],
+  "updated": "2018-08-02 15:21:08 +0100",
+  "brakeman_version": "4.3.1"
+}