Harry Maclean

7 comments of Harry Maclean

Had to rebase it due to some conflicts related to the renaming of ReDoSUtil, sorry!

The new [DCA results](https://github.com/github/codeql-dca-main/blob/data/hmac/pr-10599-adb836__nightly__nightly/reports/alert-comparison.md) imply that we need to add some sanitizers to the path injection query: Sanitize via `.match?` guard

```ruby
digest = params[:digest]
raise if !digest.match?(/^\h{40}$/)
path =...
```

Having investigated this a bit, I believe it may be a duplicate of #218

This might be a bit over-sensitive. We could reduce the FP rate by looking for specific routes which map to actions in controllers with no `protect_from_forgery` setting.

`protect_from_forgery` is automatically enabled in Rails >= 3.0, unless `config.default_protect_from_forgery = false` is set. We should a) check the Rails version, assuming >= 3.0 if we can't determine the version,...

DCA finally ran successfully, and the results look good to me.

@lawrencejones I believe this is fixed now?