Justin Collins
Whoops, hey Mike. Do you mean in the code snippet? I'm not sure about truncating it, but maybe we just shouldn't provide the code for that warning?
Actually not sure how that could be done without removing line and file information as well :(
Agree, and I think this is totally fixable. Thank you for reporting!
This is kind of fixed on the client-side at this point, although I guess that presumes people update flash/browsers.
RFD requires the attacker to be able to set the downloaded file extension, right? I'm not sure how Brakeman would be able to detect that.
FWIW, I cannot reproduce the lack of a warning on the second example. There are two issues happening here - one is that Brakeman doesn't have any special handling for...
Hi Jason, Sounds like a good idea to me, but isn't it more common to use `link_to`?
Warn on `sanitize_sql("some #{interpolated} string")` or just don't treat `sanitize_sql` as safe when passed a string?
Usually `UnresolvedModel` means it looks like the code is doing something with a model, but Brakeman doesn't know which model. Are you saying Brakeman is reporting a false positive where...
Actually this makes me wonder if Brakeman _can_ benefit from Sorbet. Maybe by consuming .rbi files...?