Justin Collins

Results 213 comments of Justin Collins

I should point out your code does still allow determining how many columns are available in the table (sometimes useful) and possibly discovering values of columns via sorting (see http://rails-sqli.org/#order)....

Just kidding, not the value discovery. Just arbitrary column sorting (probably fine) and determining how many columns there are (probably fine for a Post table).

@Sixeight thank you for the suggestion... do you have a code example that you'd like Brakeman to warn about?

Hi @ain, I like this suggestion. I do want to note as alternative that you can limit warning levels with `--confidence-level`. But I like your suggestion because you can get...

Hi @burritoburro, yes, so Brakeman assumes if you are using `protected_attributes` that you need to set `attr_accessible` on models (i.e., it reverts back to pre-strong parameters). However, the behavior of...

Actually I think it would be simple to just skip the `ModelAttributes` if the `protected_attributes` gem is used. Can you confirm that it's `ModelAttributes` that is generating the warnings you...

Have to be honest: this is not a priority for me. Feel free to add it.

Agree with this, but Brakeman uses a regex to match the regex... so that might take some fiddling to get right.

Hi @thijsnado - thank you for reporting. Looking at the Brakeman code, this shouldn't be happening... which scares me a little bit :laughing: I will take a deeper look.

Same as #967. Why would that be in the routes file? :thinking: