A static analysis security vulnerability scanner for Ruby on Rails applications
```ruby
config.middleware.use OliveBranch::Middleware,
  inflection: "dash", dasherize: ->(string) { string.underscore },
  content_type_check: ->(_content_type) { true },
  exclude_params: lambda { |env|
    env["PATH_INFO"].match(%r{^/api-internal}).nil?
  },
  exclude_response: lambda { |env|
    env["PATH_INFO"].match(%r{^/api-internal}).nil?
  }
```

```text
== Errors ==
Error: Expected call or attrasgn or safe_call or safe_attrasgn but given s(:lambda) while processing *****/config/application.rb
Location: *****/.gem/ruby/2.6.3/gems/brakeman-4.7.0/lib/brakeman/processors/lib/rails3_config_processor.rb:37:in `process_iter'
```

```ruby
config.middleware.use OliveBranch::Middleware,
  inflection: "dash",
  dasherize: lambda { |string|
    string.underscore
  },
  content_type_check: lambda { |_content_type|
    true
  },
  exclude_params: lambda { |env|
    env["PATH_INFO"].match(%r{^/api-internal}).nil?
  },
  exclude_response: lambda { |env|
    env["PATH_INFO"].match(%r{^/api-internal}).nil?
  }
```
`Code` attribute in output, so that I see all the code including comments? For example, with a line like

```ruby
system("ls #{options}") #foo
```

that returns Command Injection, in the output I can only see `system("ls #{options}")`, but I need to see the comment too. Is there a way to run Brakeman so that it shows comments in code lines, or does this not exist in Brakeman?

@joelbrewer Not sure what to suggest there, really. Do you have a list of allowed extensions? You may be able to remove the Brakeman warning by putting your code behind a condition like

```ruby
if [".txt", ".pdf", ".png"].include? extension
  path = ...
end
```

It takes kind of specific code, but for something like the above, Brakeman will know that `extension` must be one of those values inside the `if` expression.
@victormazevedo With Muse (https://github.com/marketplace/muse-dev), what you ask for is the default behavior. You make PRs, Muse runs Brakeman (among others) and posts new results as line comments, so you see the line in the GitHub PR stream. If you look in the console, then Brakeman results link to the GitHub source view (but the source isn't inline in the console).

For command line behavior I think you're reduced to writing your own shell wrapper that will parse the file name from Brakeman results and find the line of interest to then output. If you can assume `jq` is installed then this shouldn't be too heavy of a lift.
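A wrapper along the lines suggested above, written here as an added example (not Brakeman's own code) in Ruby with the stdlib JSON parser instead of `jq`. It assumes a Brakeman JSON report (`brakeman -f json`), whose warnings carry `file` and `line` fields, and builds a constructed sample app and report so it runs offline; the `code` field in the report holds only the parsed expression, so the comment is recovered from the source file itself.

```ruby
# Added example, not part of Brakeman: print the full source line (comment included)
# for each warning in a Brakeman JSON report, using the report's "file" and "line".
require "json"
require "tmpdir"
require "fileutils"

# Constructed sample app and report so the script runs offline (hypothetical values).
def write_sample(root)
  FileUtils.mkdir_p(File.join(root, "app/controllers"))
  File.write(File.join(root, "app/controllers/files_controller.rb"), <<~RUBY)
    class FilesController < ApplicationController
      def list
        options = params[:opts]
        system("ls \#{options}") # foo
      end
    end
  RUBY
  report = { "warnings" => [{ "warning_type" => "Command Injection",
                              "file" => "app/controllers/files_controller.rb",
                              "line" => 4,
                              "code" => 'system("ls #{options}")' }] }
  File.write(File.join(root, "brakeman.json"), JSON.dump(report))
end

# Returns one "file:line [warning_type]: <source line>" string per warning.
# Falls back to a marker when the file is missing or the line is out of range.
def warning_source_lines(report_path, app_root)
  JSON.parse(File.read(report_path))["warnings"].map do |w|
    path = File.join(app_root, w["file"])
    src = if File.exist?(path)
            (File.readlines(path)[w["line"] - 1] || "<line not found>").strip
          else
            "<file not found>"
          end
    "#{w['file']}:#{w['line']} [#{w['warning_type']}]: #{src}"
  end
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |root|
    write_sample(root)
    puts warning_source_lines(File.join(root, "brakeman.json"), root)
  end
end
```

Point `warning_source_lines` at a real `brakeman.json` and the Rails app root to get the same output for an actual scan.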