
A static analysis security vulnerability scanner for Ruby on Rails applications

Results 133 brakeman issues

This MR adds additional CSRF deactivation checks as detailed in presidentbeef/brakeman#1545: - [x] `config.action_controller.allow_forgery_protection = false` - [ ] `skip_before_action :verify_authenticity_token` - [ ] `protect_from_forgery except: :index` - [ ]...

While doing some work to implement some additional checks for #1545, I discovered that while Brakeman loads the Rails configuration as expected, if any defaults are set, these are actually...

When all is said and done, this was cookie cutter simple. You could get more creative in setting version numbers and stuff like that, but if all you want is...

Closes #1714. I added additional behavior to the existing `check_regex_dos.rb` file. I thought it seemed like the correct location because it is checking for ReDoS, though it's arguably a bit...

### Background Brakeman version: 5.2.1 Rails version: 6.0.4.1 Ruby version: 2.7.1 ### Issue We noticed that some models' unscoped finds are apparently not detected by Brakeman's [UnscopedFind check](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_unscoped_find.rb). Looking at...

### Background Brakeman version: 5.2.3 Rails version: 3.0.4 Ruby version: 7.0.3 Link to Rails application code: I am unable to supply due to it being in a private repo. ###...

### Background Brakeman version: 5.2.3 Rails version: 7.0.3 Ruby version: 3.1.2 Link to Rails application code: [link](https://github.com/powersurge360/trivia_app/blob/3c1f71a01123f87686a4ae2d8b5565e7239acd8e/app/controllers/games_controller.rb#L100) #### False Positive *Full* warning from Brakeman: ``` Loading scanner... Processing application in...

**Is your feature request related to a problem? Please describe.** `Pathname.join` has a weird behavioral quirk where, if a string beginning with a `/` is joined to the end of...

**Is your feature request related to a problem? Please describe.** Ruby's `#match` and `#match?` methods will coerce string inputs to regular expressions ([docs](https://ruby-doc.org/core-3.1.0/String.html#method-i-match)): > Computes regexp by converting pattern (if...

This is useful mainly to show ignore notes containing the reasons why they're ignored.