Only accept `only_path` in redirect_to's first arg

Fixes #120

Only accept `only_path` in redirect_to's first arg
Fixes #120
a4216449 · Justin Collins · a957243c · a4216449
隐藏空白更改
内联并排

Showing with 12 addition and 12 deletion

lib/brakeman/checks/check_redirect.rb lib/brakeman/checks/check_redirect.rb +12 -12

未找到文件。
--- a/lib/brakeman/checks/check_redirect.rb
+++ b/lib/brakeman/checks/check_redirect.rb
@@ -95,14 +95,14 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
  #Checks +redirect_to+ arguments for +only_path => true+ which essentially
  #nullifies the danger posed by redirecting with user input
  def only_path? call
-    call.args.each do |arg|
-      if hash? arg
-        if value = hash_access(arg, :only_path)
-          return true if true?(value)
-        end
-      elsif call? arg and arg.method == :url_for
-        return check_url_for(arg)
+    arg = call.first_arg
+
+    if hash? arg
+      if value = hash_access(arg, :only_path)
+        return true if true?(value)
      end
+    elsif call? arg and arg.method == :url_for
+      return check_url_for(arg)
    end

    false
@@ -111,11 +111,11 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
  #+url_for+ is only_path => true by default. This checks to see if it is
  #set to false for some reason.
  def check_url_for call
-    call.args.each do |arg|
-      if hash? arg
-        if value = hash_access(arg, :only_path)
-          return false if false?(value)
-        end
+    arg = call.first_arg
+
+    if hash? arg
+      if value = hash_access(arg, :only_path)
+        return false if false?(value)
      end
    end