
A static analysis security vulnerability scanner for Ruby on Rails applications

Results 133 brakeman issues

**Is your feature request related to a problem? Please describe.** `CheckReverseTabnabbing` checks only method calls now. ([here](https://github.com/presidentbeef/brakeman/blob/09b66b580d423ed146f3ef67e3cfbbaa6537cb2e/lib/brakeman/checks/check_reverse_tabnabbing.rb#L30-L36)) Reverse tabnabbing is also common when the user's input is displayed as is....

### Background Brakeman version: 5.0.0 Rails version: 5.2.4.4 Ruby version: 2.7.1 Link to Rails application code: N/A (closed source) #### Hanging or Slowness Below code example was added as `./app/whatever/test.rb`...

### Background Brakeman version: 4.10.1 Rails version: 6 Ruby version: 3 ### Issue Hi, Brakeman appears to be nonterminating and consuming lots of cpu and space on a project. I...

Previously, it was only on method bodies. This probably won't be a huge change, since most code is inside methods. As a result of this change, now all classes will...

Hello! A coworker and I have recently been working on trying to resolve an issue reported into Brakeman a little over a year ago, related to the namespacing of classes...

On Rails 5.2+ installations that are missing the defaults, or that were upgraded to Rails 5.2+ without applying all the defaults, the `default_protect_from_forgery?` method returns the wrong result. If the...

### Background Brakeman version: 4.9.0 Rails version: x.x.x Ruby version: x.x.x Link to Rails application code: ? In an `erb` template: ```ruby ``` There is also a case where a...

### Background Brakeman version: 4.6.1 Rails version: 5.2.3 Ruby version: 2.6.4 #### False Positive *Full* warning from Brakeman: ``` Confidence: Weak Category: SQL Injection Check: SQL Message: Possible SQL injection...

**Is your feature request related to a problem? Please describe.** The `sanitize_sql` method signature is designed to receive an array with `["sql template", *values]` that it uses for quoting and...

### Background Brakeman version: 4.5.0 Rails version: 4.2.11.3 Ruby version: 2.5.1p57 ### Issue Running Rails 4.2 with protected attributes gem. We have recently started to transition away from attr_accessible in...