Justin Collins
This suggestion applies if you are using validators (e.g. `validates_format_of`) on the model attributes.
Hm. Passing strings marked as safe to any method which automatically escapes them will cause them to not be escaped. I suppose Brakeman could look for any use of `html_safe`...
@ytrezq please keep comments related to the issue or at least this project.
Hi Jason, I agree in this case it is a false positive. (Although, there are a number of seemingly benign commands which take options that allow for arbitrary code execution,...
Yeah...maybe after I centralize some of the code around models.
Hi @Mathiou04 You can review the reasoning here: #1139. There is no winning with this rule. It will either over-report or under-report no matter what. That's why it's not on...
Hi! Can you add a test?
Hi @amarshall - thank you for reporting this and for the great repro test case! This is definitely a known difficult case for Brakeman, but it should be limited in...
Hi @jdehaan,

> brakeman ideally should be able to identify database calls (automatically identify activerecord calls ideally

What do these calls look like? Are they calls on classes? Are the...
Same as #876 The tricky part here is that it requires parsing the string, finding `LIKE ?`s, and matching them up with the parameters. Then checking if the parameter is...