False Positive: Dynamic render path is not taking into account allow-listed values

[agrobbin]

Hi Brakeman folks! Love the library, but ran into a situation where Brakeman is reporting a warning that I think might be a false positive.

Background

Brakeman version: 5.0.0
Rails version: 6.0.3.5
Ruby version: 2.7.2

Link to Rails application code: Closed source, but reproduced below

False Positive

Full warning from Brakeman:

Confidence: Medium
Category: Dynamic Render Path
Check: Render
Message: Render path contains parameter value
Code: render(action => "admin/fields/#{(params[:field].presence_in(["foo"]) or raise(ActionController::BadRequest))}", {})
File: app/views/admin/fields/show.html.haml
Line: 1

Relevant code:

# controller
@field = params[:field].presence_in(%w[foo]) || raise(ActionController::BadRequest)

# template
= render "admin2/fields/#{@field}"

Why might this be a false positive?

Since we're allow-listing the fields coming in from query parameters via Object#presence_in, I don't believe this should trigger a warning.

[agrobbin]

Whoops, I screwed up when simplifying the test case, I've updated the relevant code!

[presidentbeef]

Agree, and I think this is totally fixable. Thank you for reporting!

[agrobbin]

That's great @presidentbeef! I'm afraid I might be in over my head with trying to write a PR for this, but if you have any tips, I can give it a whirl.

[fschwahn]

We are also regularly seeing false positives here.