Justin Collins
I believe this is exactly the same as #1262 and is the issue that #1323 is trying to address. More specifically, the `code_block_doc_params` function assumes default values are literals (?)...
Hi! Can you add a test?
You can rebase to fix the currently failing tests.
This is really unusual code. There are two bits to this: 1. Brakeman looks for `connection` calls on several potential targets, including `ActiveRecord::Base`. 2. Brakeman can pick the first item...
Hi Moncef, Yes, this is pretty easy to detect. In fact, I'm pretty sure Brakeman used to warn about this but in the context of XSS, which this is not....
Hi @ds-dustenharrison - can you run with `-f json` and check the fingerprints match the ignore file? The fingerprint is actually the only value Brakeman uses to ignore warnings. Or...
Hi @ds-dustenharrison my suggestion is to run Brakeman locally and compare the fingerprints in the ignore file to the ones Brakeman outputs. If the fingerprints match or other reports filter...
Hm, yes it looks like right now if there is a hash passed in it will override any inferred information about the `render` call.
Since `expiring_url` is from Paperclip (I assume) and isn't likely to be confused with an attacker-controllable value, I think it's fine to have Brakeman ignore `expiring_url`.
Hi Devin, sorry for the delay. I think what you have may be the best you can do with ActiveRecord, but I'll take a look.