Tags: ruby-on-rails, brakeman

Ruby On Rails - What do these Brakeman warnings mean?


I am using brakeman gem for scanning my app.

After scanning the app, I get the following warnings:

# Security warnings

Method | Warning Type  | Message
-------|---------------|--------
show   | Unscoped Find | Unscoped call to PatientMessage#find near line 27: Message.find(+params[:id]+)

# Controller warnings

Controller            | Warning Type               | Message
----------------------|----------------------------|--------
ApplicationController | Cross-Site Request Forgery | 'protect_from_forgery' should be called in ApplicationController

Can someone help figure out what these warnings mean?


Solution

  • The protect_from_forgery error is pretty much self-explanatory (it's telling you to include the method that helps to protect your site from cross-site scripting in your application controller), but the docs for the Unscoped Find are here: http://brakemanscanner.org/docs/warning_types/unscoped_find/

    Basically, it's telling you that you should do something like:

    current_user.messages.find(params[:id])


    instead of Message.find so users can't just find any message by passing an id into params. The example above assumes that you have a current_user helper, and that a message belongs to a user, which may not be the case in your app, but that's what the warning means.
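Added example, not part of the question or the answer above: a minimal in-memory stand-in for the ActiveRecord pieces involved, so the difference between the unscoped and the scoped lookup can be run without a Rails app. The Message model, the user ids, the sample rows and the show helper are all constructed assumptions modelled on the warning text.

```ruby
# Stand-in for ActiveRecord::RecordNotFound.
RecordNotFound = Class.new(StandardError)

# Constructed stand-in for the Message model: each row belongs to one user.
Message = Struct.new(:id, :user_id, :body)

# Constructed sample data: two users (ids 10 and 20), one message each.
MESSAGES = [
  Message.new(1, 10, "alice's private note"),
  Message.new(2, 20, "bob's private note"),
].freeze

# Unscoped lookup, the pattern Brakeman flags: any id reaches any row,
# regardless of who is asking.
def find_message_unscoped(id)
  MESSAGES.find { |m| m.id == id } or raise RecordNotFound, "Message #{id}"
end

# Scoped lookup (current_user.messages.find): the association narrows the
# candidate rows to the current user's before the id is applied, so another
# user's id is simply not found.
def find_message_scoped(current_user_id, id)
  MESSAGES.select { |m| m.user_id == current_user_id }
          .find { |m| m.id == id } or raise RecordNotFound, "Message #{id}"
end

# Mimics MessagesController#show with params[:id] arriving from the URL.
# Returns the message body, or :not_found where Rails would render a 404.
def show(current_user_id, params, scoped: true)
  id = Integer(params[:id])          # params are strings; non-numeric ids fail here
  msg = scoped ? find_message_scoped(current_user_id, id) : find_message_unscoped(id)
  msg.body
rescue RecordNotFound, ArgumentError
  :not_found
end
```

Switching `scoped: false` shows the insecure direct object reference the warning describes: user 10 can read message 2, which belongs to user 20.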