Justin Collins

Results 157 comments of Justin Collins

@eliotsykes https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/checks/check_permit_attributes.rb is pretty minimal. The trouble is that searching for call targets via regex was kind of removed and would need to be added back to [CallIndex](https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/call_index.rb#L115-L141). If that...

Unfortunately, due to the way templating languages work, this is kind of hard.

Thank you for your investigation here. I believe the inconsistency you are seeing is based on whether or not Brakeman can identify the value as a database record or not....

Hi @p8, thank you for putting this together! I am pretty sure Brakeman doesn't even look at `config/development.rb`, though. Only `config/production.rb`. :thinking:

This looks like an issue with a particular version of Ruby? 2.5 is EOL next month.

Thank you for providing this example. It is similar to those other issues but since `quids` could be several values it has to be handled separately.

This really depends on what `@project` is and if Brakeman thinks it's a database model. To reproduce or fix this issue, I'd need to know how the template is being...

Right, so the next question is "why not?" Where is the `@project` value set?

> ah ... it works when it's directly in the controller but not when it's in the parent

I'm not sure what this means? If the variable is set in...

> The most common example we found was unescaped user input being flagged in the view or controller when the point at which the problem is created (and therefore fixable)...