Avoid manual template creation

This page is not yet available in Korean and is being translated. If you have any questions or comments about the translation, please contact us.

Metadata

ID: ruby-security/rails-manual-template

Language: Ruby

Severity: Warning

Category: Security

CWE: 79

Description

The rule ‘Avoid manual template creation’ is aimed at preventing the direct use of ‘ERB.new’ for creating new templates in Ruby. Manually creating templates increases the risk of code injection: an ERB template is Ruby code, so if any part of the template source is built from user-controlled data, an attacker could inject code that runs when the template is evaluated, leading to significant security issues.

It’s important to adhere to this rule because it promotes better security practices. By avoiding manual template creation, you reduce the potential attack surface for malicious actors. Additionally, manually creating templates can lead to messy and hard-to-maintain code, which can negatively impact the overall quality of your application.

Instead of manually creating templates, consider using Rails’ built-in mechanisms for managing views and templates. For instance, you can use the ‘render’ method in your controller to render a view. Here’s an example: render 'template_name'. This method automatically handles the loading and processing of ERB templates, making your code safer and cleaner.

Non-Compliant Code Examples

require 'erb'

def scaffold_post_content
    # Non-compliant: the template source is read from a path resolved at runtime
    # and evaluated directly with ERB.new, bypassing Rails' view handling.
    ERB.new(File.read(File.expand_path(scaffold_path, site_template))).result
end
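The contrast the rule is about, as an added Ruby example (not the rule's own code; the function and template names are hypothetical): the same untrusted value handled once as part of the template source and once as data bound into a fixed, trusted template and HTML-escaped. Rails' render does the latter for you; plain ERB is used here only so the example runs stand-alone.

```ruby
# Added example, not from the Datadog rule page. Names are hypothetical.
require 'erb'

# Non-compliant pattern: the untrusted value is interpolated into the template
# SOURCE, so any ERB tag it contains is evaluated as Ruby when rendered.
def greet_from_source(untrusted_name)
  ERB.new("<p>Hello, #{untrusted_name}</p>").result
end

# Safer pattern: the template source is a fixed literal written by the
# developer; the untrusted value only ever enters as data, via a binding,
# and is HTML-escaped before it reaches the output.
GREETING_TEMPLATE = ERB.new('<p>Hello, <%= ERB::Util.html_escape(name) %></p>')

def greet_with_binding(untrusted_name)
  name = untrusted_name # local picked up by the binding below
  GREETING_TEMPLATE.result(binding)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input containing an ERB tag.
  sample = '<%= 6 * 7 %>'
  puts greet_from_source(sample)  # the tag is executed
  puts greet_with_binding(sample) # the tag is inert, escaped text
end
```

In a Rails app the equivalent of the second function is render 'template_name' with the value passed as a local or instance variable; the template file never changes based on input.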