Insomania - 10 days ago
Ruby Question

What is this "Unscoped call to" warning in Brakeman?

I am getting a warning message when I scan my code with the Brakeman tool. It states that there is an unscoped call in the following query:

@applicant = Applicant.find(params[:id])


Here is the actual warning message:

+------------+----------------------+--------+---------------+-----------------------------------------------------------------------------+
| Confidence | Class                | Method | Warning Type  | Message                                                                     |
+------------+----------------------+--------+---------------+-----------------------------------------------------------------------------+
| Weak       | ApplicantsController | show   | Unscoped Find | Unscoped call to Applicant#find near line 25: Applicant.find(+params[:id]+) |
+------------+----------------------+--------+---------------+-----------------------------------------------------------------------------+


But when I replace the above query with the following one, it's fine:

@applicant = Applicant.where("id = ?", params[:id]).first


I don't understand what's wrong with the first query.

Please let me know if anybody has any idea.

Answer

Brakeman is just warning you that you're querying the entire Applicant table, and not scoping it under another model, like current_tenant.applicants.find.... From Brakeman's docs:

Unscoped find (and related methods) are a form of Direct Object Reference. Models which belong to another model should typically be accessed via a scoped query.

For example, if an Account belongs to a User, then this may be an unsafe unscoped find:

Account.find(params[:id])

Depending on the action, this could allow an attacker to access any account they wish.

Instead, it should be scoped to the currently logged-in user:

current_user = User.find(session[:user_id])
current_user.accounts.find(params[:id])

If this is your desired behavior, you can safely ignore this warning.
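
The following runnable example is added here and is not part of the question or the answer above. It uses a small in-memory stand-in for ActiveRecord (assumed names: Relation, Applicant, Tenant, and the three show_* helpers) so the three lookups on this page can be compared without a Rails app: the flagged Applicant.find, the where(...).first rewrite from the question, and the association-scoped find from the answer. The sample rows are constructed. One practical point the example makes visible: the where("id = ?", params[:id]).first rewrite silences the warning only because Brakeman's check pattern-matches find and its relatives; it still reads from the whole table, so a request from one tenant can fetch another tenant's applicant exactly as the original find did. Only the lookup that goes through the tenant's association refuses the foreign id.

```ruby
# Added example (not from the question or answer): an in-memory stand-in for
# ActiveRecord, just enough to run the three lookups side by side.
class RecordNotFound < StandardError; end

# Chainable filtered view over an array of row hashes, in the spirit of
# ActiveRecord::Relation. `where` takes column => value pairs; the page's
# where("id = ?", ...) string form is simplified to where(id: ...).
class Relation
  include Enumerable

  def initialize(rows, scope = {})
    @rows = rows
    @scope = scope
  end

  def where(conditions)
    Relation.new(@rows, @scope.merge(conditions))
  end

  def each(&block)
    @rows.select { |row| @scope.all? { |col, val| row[col] == val } }.each(&block)
  end

  # Like ActiveRecord's find: the id filter is ANDed onto whatever scope the
  # relation already carries, and a miss raises instead of returning nil.
  def find(id)
    where(id: Integer(id)).first or
      raise RecordNotFound, "no row with id=#{id} within scope #{@scope}"
  end
end

# Constructed sample data: two tenants, one applicant each.
APPLICANTS = [
  { id: 1, tenant_id: 100, name: "Alice" },
  { id: 2, tenant_id: 200, name: "Bob" },
].freeze

module Applicant
  def self.all
    Relation.new(APPLICANTS)
  end

  def self.find(id)
    all.find(id)
  end

  def self.where(conditions)
    all.where(conditions)
  end
end

# Tenant has_many :applicants. The association is a relation pre-filtered by
# tenant_id, which is exactly what makes a find through it "scoped".
Tenant = Struct.new(:id) do
  def applicants
    Applicant.where(tenant_id: id)
  end
end

# Lookup 1 from the question: flagged by Brakeman, and genuinely unscoped.
def show_unscoped_find(_current_tenant, params)
  Applicant.find(params[:id])[:name]
end

# Lookup 2 from the question: not flagged, but just as unscoped. Any id in the
# table is reachable regardless of which tenant is asking.
def show_unscoped_where(_current_tenant, params)
  Applicant.where(id: Integer(params[:id])).first&.fetch(:name)
end

# Lookup 3 from the answer: scoped through the association. A foreign tenant's
# id raises RecordNotFound (which Rails renders as a 404); nil here stands for
# that "not found" outcome.
def show_scoped(current_tenant, params)
  current_tenant.applicants.find(params[:id])[:name]
rescue RecordNotFound
  nil
end

# Demo: tenant 100 (Alice's) requests applicant 2, which belongs to tenant 200.
if __FILE__ == $PROGRAM_NAME
  tenant = Tenant.new(100)
  params = { id: "2" }
  puts "unscoped find:  #{show_unscoped_find(tenant, params).inspect}"
  puts "unscoped where: #{show_unscoped_where(tenant, params).inspect}"
  puts "scoped find:    #{show_scoped(tenant, params).inspect}"
end
```

Running it prints "Bob" for both unscoped lookups and nil for the scoped one. In a real controller the same shape applies: resolve the current tenant or user from the session first, then call find on its association, and let the resulting ActiveRecord::RecordNotFound become the 404 rather than catching it and falling back to an unscoped lookup.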

Comments