Metadata

ID: ruby-security/rails-manual-template

Language: Ruby

Severity: Warning

Category: Security

CWE: 79

Description

The rule ‘Avoid manual template creation’ is aimed at preventing the direct use of ‘ERB.new’ to build templates in Ruby code. ERB evaluates the Ruby inside a template’s ‘<% %>’ and ‘<%= %>’ tags, so if the template source, or a string concatenated into it, is derived from untrusted input, an attacker can inject Ruby code that the application then executes. The same pattern also makes cross-site scripting (CWE-79) more likely, because values interpolated into a hand-built template are not escaped unless the code escapes them itself.

It’s important to adhere to this rule because it promotes better security practices. By avoiding manual template creation, you reduce the attack surface available to malicious actors. Additionally, hand-assembled templates tend to produce messy and hard-to-maintain code, which lowers the overall quality of your application.

Instead of manually creating templates, use Rails’ built-in mechanisms for managing views and templates. For instance, you can call the ‘render’ method in your controller to render a view. Here’s an example: render 'template_name'. This method handles locating, loading and compiling the ERB template for you, and output written with ‘<%= %>’ is HTML-escaped by default, making your code safer and cleaner.
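The following plain-Ruby example, added here and not part of the rule’s own source, shows the distinction the rule relies on: request data passed into a fixed template is escaped and rendered as text, whereas a string that becomes the template itself has its ERB tags executed. The template, the function names and the probe input are constructed for illustration.

```ruby
require "erb"

# Constructed template that stays under the application's control: only the
# data (name) comes from the request, never the template source itself.
GREETING_TEMPLATE = "<p>Hello, <%= ERB::Util.html_escape(name) %></p>".freeze

# Safe shape: a fixed template with request data bound as a local variable.
# Whatever the user sends is escaped and rendered as text, never evaluated.
def render_greeting(name)
  ERB.new(GREETING_TEMPLATE).result_with_hash(name: name)
end

# The shape the rule flags: a string the caller does not fully control is
# used as the template, so any ERB tag inside it runs as Ruby.
def render_untrusted_template(source)
  ERB.new(source).result
end

if __FILE__ == $PROGRAM_NAME
  probe = "<%= 6 * 7 %>" # constructed input carrying an ERB tag
  puts render_greeting(probe)           # tag comes back escaped, as text
  puts render_untrusted_template(probe) # tag is evaluated and prints 42
end
```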

Non-Compliant Code Examples

# Flagged by the rule: the template is read from a path assembled at runtime
# and handed straight to ERB.new, so its contents run as Ruby without any of
# the loading, compiling or escaping that Rails' render provides.
def scaffold_post_content
  ERB.new(File.read(File.expand_path(scaffold_path, site_template))).result
end