ID: ruby-security/rails-manual-template
Language: Ruby
Severity: Warning
Category: Security
CWE: 79
The rule 'Avoid manual template creation' flags direct calls to ERB.new to build templates in Rails code. ERB compiles template text into Ruby and evaluates it, so if any part of the template source is attacker-controlled (a file whose path or contents the attacker can influence, a request parameter spliced into the template string), the attacker can run arbitrary Ruby on the server. Even when the template source is trusted, ERB.new does not HTML-escape the values interpolated with <%= %>, so untrusted data rendered this way reaches the browser verbatim: that is the cross-site scripting weakness (CWE-79) this rule is categorized under.
Following this rule matters because it removes a whole class of injection risk: rendering goes through one well-reviewed code path instead of ad-hoc ERB.new calls scattered through the application. Hand-built template plumbing also tends to be harder to read and maintain, which lowers the overall quality of the application.
Instead of creating templates manually, use Rails' built-in view rendering. For instance, call render in your controller: render 'template_name'. Action View locates the template under app/views, compiles it once, and HTML-escapes interpolated values by default, which makes the code both safer and cleaner. If you genuinely need ERB outside Action View (for a generator or a mailer preview, say), keep the template text fixed in the repository and escape every interpolated value with ERB::Util.html_escape.
# Non-compliant: the template is built by hand with ERB.new from a file path
# assembled at runtime, and the result is returned without any escaping.
def scaffold_post_content
  ERB.new(File.read(File.expand_path(scaffold_path, site_template))).result
end
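The following is an added example, not code from the original rule page or from Datadog, that makes the two failure modes above concrete with only Ruby's standard ERB library (no Rails needed to run it). The template strings, the USER_NAME payload and the TEMPLATES allowlist are constructed for the demonstration; the helper names render_unescaped, render_escaped, render_attacker_template and render_named_template are hypothetical.

```ruby
require "erb"

# Constructed sample input: a classic XSS probe supplied by a user.
USER_NAME = "<script>alert(1)</script>"

# 1) Value injection (CWE-79): ERB.new performs no HTML escaping, so a
#    user-controlled value interpolated with <%= %> lands in the page verbatim.
def render_unescaped(name)
  template = "<p>Hello, <%= name %></p>"
  ERB.new(template).result(binding)
end

# 2) The mitigation when raw ERB is unavoidable: escape every untrusted value
#    with ERB::Util.html_escape, which is what Rails' view layer does for you.
def render_escaped(name)
  template = "<p>Hello, <%= ERB::Util.html_escape(name) %></p>"
  ERB.new(template).result(binding)
end

# 3) Template-source injection: when the template text itself comes from the
#    attacker (a file they can write, a request parameter), <%= %> executes
#    arbitrary Ruby on the server. The payload used in the test is harmless.
def render_attacker_template(template_source)
  ERB.new(template_source).result
end

# 4) Hardened version of the scaffold case: the template name is looked up in
#    a fixed allowlist, so neither the file to read nor its contents can be
#    chosen by the caller, and interpolated values are escaped.
TEMPLATES = {
  "post" => "<h1><%= ERB::Util.html_escape(title) %></h1>"
}.freeze

def render_named_template(name, title:)
  source = TEMPLATES.fetch(name) do
    raise ArgumentError, "unknown template #{name.inspect}"
  end
  ERB.new(source).result_with_hash(title: title)
end

if $PROGRAM_NAME == __FILE__
  puts render_unescaped(USER_NAME)
  puts render_escaped(USER_NAME)
  puts render_attacker_template("<%= 6 * 7 %>")
  puts render_named_template("post", title: "A & B")
end
```

Run it with plain ruby: the first line shows the script tag surviving intact, the second shows it neutralised, the third shows that whoever controls the template text controls what Ruby runs, and the fourth is the shape to aim for when Action View's render is not an option. In a Rails application, prefer render 'template_name' and let Action View do the escaping.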