Full Code of presidentbeef/brakeman for AI

Repository: presidentbeef/brakeman
Branch: main
Commit: 2e55d45a9770
Files: 1364
Total size: 2.5 MB

Directory structure:
gitextract_9gn_whxm/

├── .circleci/
│   └── config.yml
├── .dockerignore
├── .github/
│   ├── ISSUE_TEMPLATE/
│   │   ├── bug-report.md
│   │   ├── feature-request.md
│   │   ├── hanging-or-slow-scans.md
│   │   ├── parsing-error.md
│   │   ├── report-a-false-positive.md
│   │   └── something-else.md
│   └── workflows/
│       └── docker-hub-push.yml
├── .gitignore
├── CHANGES.md
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── COPYING.md
├── Dockerfile
├── Dockerfile.codeclimate
├── FEATURES
├── Gemfile
├── LICENSE.md
├── MIT-LICENSE
├── OPTIONS.md
├── README.md
├── Rakefile
├── SECURITY.md
├── bin/
│   ├── brakeman
│   └── codeclimate-brakeman
├── brakeman-lib.gemspec
├── brakeman-min.gemspec
├── brakeman-public_cert.pem
├── brakeman.gemspec
├── build.rb
├── docs/
│   └── warning_types/
│       ├── CVE-2010-3933/
│       │   └── index.markdown
│       ├── CVE-2011-0446/
│       │   └── index.markdown
│       ├── CVE-2011-3186/
│       │   └── index.markdown
│       ├── attribute_restriction/
│       │   └── index.markdown
│       ├── authentication/
│       │   └── index.markdown
│       ├── authentication_whitelist/
│       │   └── index.markdown
│       ├── basic_auth/
│       │   └── index.markdown
│       ├── command_injection/
│       │   └── index.markdown
│       ├── content_tag/
│       │   └── index.markdown
│       ├── cross-site_request_forgery/
│       │   └── index.markdown
│       ├── cross_site_scripting/
│       │   └── index.markdown
│       ├── cross_site_scripting_to_json/
│       │   └── index.markdown
│       ├── dangerous_eval/
│       │   └── index.markdown
│       ├── dangerous_send/
│       │   └── index.markdown
│       ├── default_routes/
│       │   └── index.markdown
│       ├── denial_of_service/
│       │   └── index.markdown
│       ├── dynamic_render_path/
│       │   └── index.markdown
│       ├── file_access/
│       │   └── index.markdown
│       ├── format_validation/
│       │   └── index.markdown
│       ├── information_disclosure/
│       │   └── index.markdown
│       ├── link_to/
│       │   └── index.markdown
│       ├── link_to_href/
│       │   └── index.markdown
│       ├── mass_assignment/
│       │   └── index.markdown
│       ├── redirect/
│       │   └── index.markdown
│       ├── remote_code_execution/
│       │   └── index.markdown
│       ├── remote_code_execution_yaml_load/
│       │   └── index.markdown
│       ├── session_manipulation/
│       │   └── index.markdown
│       ├── session_setting/
│       │   └── index.markdown
│       ├── sql_injection/
│       │   └── index.markdown
│       ├── ssl_verification_bypass/
│       │   └── index.markdown
│       ├── template_injection/
│       │   └── index.markdown
│       ├── unsafe_deserialization/
│       │   └── index.markdown
│       └── unscoped_find/
│           └── index.markdown
├── gem_common.rb
├── lib/
│   ├── brakeman/
│   │   ├── app_tree.rb
│   │   ├── call_index.rb
│   │   ├── checks/
│   │   │   ├── base_check.rb
│   │   │   ├── check_basic_auth.rb
│   │   │   ├── check_basic_auth_timing_attack.rb
│   │   │   ├── check_content_tag.rb
│   │   │   ├── check_cookie_serialization.rb
│   │   │   ├── check_create_with.rb
│   │   │   ├── check_cross_site_scripting.rb
│   │   │   ├── check_csrf_token_forgery_cve.rb
│   │   │   ├── check_default_routes.rb
│   │   │   ├── check_deserialize.rb
│   │   │   ├── check_detailed_exceptions.rb
│   │   │   ├── check_digest_dos.rb
│   │   │   ├── check_divide_by_zero.rb
│   │   │   ├── check_dynamic_finders.rb
│   │   │   ├── check_eol_rails.rb
│   │   │   ├── check_eol_ruby.rb
│   │   │   ├── check_escape_function.rb
│   │   │   ├── check_evaluation.rb
│   │   │   ├── check_execute.rb
│   │   │   ├── check_file_access.rb
│   │   │   ├── check_file_disclosure.rb
│   │   │   ├── check_filter_skipping.rb
│   │   │   ├── check_force_ssl.rb
│   │   │   ├── check_forgery_setting.rb
│   │   │   ├── check_header_dos.rb
│   │   │   ├── check_i18n_xss.rb
│   │   │   ├── check_jruby_xml.rb
│   │   │   ├── check_json_encoding.rb
│   │   │   ├── check_json_entity_escape.rb
│   │   │   ├── check_json_parsing.rb
│   │   │   ├── check_link_to.rb
│   │   │   ├── check_link_to_href.rb
│   │   │   ├── check_mail_to.rb
│   │   │   ├── check_mass_assignment.rb
│   │   │   ├── check_mime_type_dos.rb
│   │   │   ├── check_model_attr_accessible.rb
│   │   │   ├── check_model_attributes.rb
│   │   │   ├── check_model_serialize.rb
│   │   │   ├── check_nested_attributes.rb
│   │   │   ├── check_nested_attributes_bypass.rb
│   │   │   ├── check_number_to_currency.rb
│   │   │   ├── check_page_caching_cve.rb
│   │   │   ├── check_pathname.rb
│   │   │   ├── check_permit_attributes.rb
│   │   │   ├── check_quote_table_name.rb
│   │   │   ├── check_ransack.rb
│   │   │   ├── check_redirect.rb
│   │   │   ├── check_regex_dos.rb
│   │   │   ├── check_render.rb
│   │   │   ├── check_render_dos.rb
│   │   │   ├── check_render_inline.rb
│   │   │   ├── check_render_rce.rb
│   │   │   ├── check_response_splitting.rb
│   │   │   ├── check_reverse_tabnabbing.rb
│   │   │   ├── check_route_dos.rb
│   │   │   ├── check_safe_buffer_manipulation.rb
│   │   │   ├── check_sanitize_config_cve.rb
│   │   │   ├── check_sanitize_methods.rb
│   │   │   ├── check_secrets.rb
│   │   │   ├── check_select_tag.rb
│   │   │   ├── check_select_vulnerability.rb
│   │   │   ├── check_send.rb
│   │   │   ├── check_send_file.rb
│   │   │   ├── check_session_manipulation.rb
│   │   │   ├── check_session_settings.rb
│   │   │   ├── check_simple_format.rb
│   │   │   ├── check_single_quotes.rb
│   │   │   ├── check_skip_before_filter.rb
│   │   │   ├── check_sprockets_path_traversal.rb
│   │   │   ├── check_sql.rb
│   │   │   ├── check_sql_cves.rb
│   │   │   ├── check_ssl_verify.rb
│   │   │   ├── check_strip_tags.rb
│   │   │   ├── check_symbol_dos.rb
│   │   │   ├── check_symbol_dos_cve.rb
│   │   │   ├── check_template_injection.rb
│   │   │   ├── check_translate_bug.rb
│   │   │   ├── check_unsafe_reflection.rb
│   │   │   ├── check_unsafe_reflection_methods.rb
│   │   │   ├── check_unscoped_find.rb
│   │   │   ├── check_validation_regex.rb
│   │   │   ├── check_verb_confusion.rb
│   │   │   ├── check_weak_hash.rb
│   │   │   ├── check_weak_rsa_key.rb
│   │   │   ├── check_without_protection.rb
│   │   │   ├── check_xml_dos.rb
│   │   │   ├── check_yaml_parsing.rb
│   │   │   └── eol_check.rb
│   │   ├── checks.rb
│   │   ├── codeclimate/
│   │   │   └── engine_configuration.rb
│   │   ├── commandline.rb
│   │   ├── differ.rb
│   │   ├── file_parser.rb
│   │   ├── file_path.rb
│   │   ├── format/
│   │   │   └── style.css
│   │   ├── logger.rb
│   │   ├── messages.rb
│   │   ├── options.rb
│   │   ├── parsers/
│   │   │   ├── haml6_embedded.rb
│   │   │   ├── haml_embedded.rb
│   │   │   ├── rails_erubi.rb
│   │   │   ├── slim_embedded.rb
│   │   │   └── template_parser.rb
│   │   ├── processor.rb
│   │   ├── processors/
│   │   │   ├── alias_processor.rb
│   │   │   ├── base_processor.rb
│   │   │   ├── config_processor.rb
│   │   │   ├── controller_alias_processor.rb
│   │   │   ├── controller_processor.rb
│   │   │   ├── erb_template_processor.rb
│   │   │   ├── erubi_template_procesor.rb
│   │   │   ├── gem_processor.rb
│   │   │   ├── haml6_template_processor.rb
│   │   │   ├── haml_template_processor.rb
│   │   │   ├── lib/
│   │   │   │   ├── basic_processor.rb
│   │   │   │   ├── call_conversion_helper.rb
│   │   │   │   ├── file_type_detector.rb
│   │   │   │   ├── find_all_calls.rb
│   │   │   │   ├── find_call.rb
│   │   │   │   ├── find_return_value.rb
│   │   │   │   ├── module_helper.rb
│   │   │   │   ├── processor_helper.rb
│   │   │   │   ├── rails2_config_processor.rb
│   │   │   │   ├── rails2_route_processor.rb
│   │   │   │   ├── rails3_config_processor.rb
│   │   │   │   ├── rails3_route_processor.rb
│   │   │   │   ├── rails4_config_processor.rb
│   │   │   │   ├── render_helper.rb
│   │   │   │   ├── render_path.rb
│   │   │   │   ├── route_helper.rb
│   │   │   │   └── safe_call_helper.rb
│   │   │   ├── library_processor.rb
│   │   │   ├── model_processor.rb
│   │   │   ├── output_processor.rb
│   │   │   ├── route_processor.rb
│   │   │   ├── slim_template_processor.rb
│   │   │   ├── template_alias_processor.rb
│   │   │   └── template_processor.rb
│   │   ├── report/
│   │   │   ├── config/
│   │   │   │   └── remediation.yml
│   │   │   ├── ignore/
│   │   │   │   ├── config.rb
│   │   │   │   └── interactive.rb
│   │   │   ├── pager.rb
│   │   │   ├── renderer.rb
│   │   │   ├── report_base.rb
│   │   │   ├── report_codeclimate.rb
│   │   │   ├── report_csv.rb
│   │   │   ├── report_github.rb
│   │   │   ├── report_hash.rb
│   │   │   ├── report_html.rb
│   │   │   ├── report_json.rb
│   │   │   ├── report_junit.rb
│   │   │   ├── report_markdown.rb
│   │   │   ├── report_sarif.rb
│   │   │   ├── report_sonar.rb
│   │   │   ├── report_table.rb
│   │   │   ├── report_tabs.rb
│   │   │   ├── report_text.rb
│   │   │   └── templates/
│   │   │       ├── controller_overview.html.erb
│   │   │       ├── controller_warnings.html.erb
│   │   │       ├── error_overview.html.erb
│   │   │       ├── header.html.erb
│   │   │       ├── ignored_warnings.html.erb
│   │   │       ├── model_warnings.html.erb
│   │   │       ├── overview.html.erb
│   │   │       ├── security_warnings.html.erb
│   │   │       ├── template_overview.html.erb
│   │   │       ├── view_warnings.html.erb
│   │   │       └── warning_overview.html.erb
│   │   ├── report.rb
│   │   ├── rescanner.rb
│   │   ├── scanner.rb
│   │   ├── tracker/
│   │   │   ├── collection.rb
│   │   │   ├── config.rb
│   │   │   ├── constants.rb
│   │   │   ├── controller.rb
│   │   │   ├── file_cache.rb
│   │   │   ├── library.rb
│   │   │   ├── method_info.rb
│   │   │   ├── model.rb
│   │   │   └── template.rb
│   │   ├── tracker.rb
│   │   ├── util.rb
│   │   ├── version.rb
│   │   ├── warning.rb
│   │   └── warning_codes.rb
│   ├── brakeman.rb
│   └── ruby_parser/
│       ├── bm_sexp.rb
│       └── bm_sexp_processor.rb
└── test/
    ├── README.md
    ├── apps/
    │   ├── active_record_only/
    │   │   ├── Gemfile
    │   │   ├── app/
    │   │   │   └── models/
    │   │   │       └── book.rb
    │   │   └── script/
    │   │       └── .gitkeep
    │   ├── rails2/
    │   │   ├── README
    │   │   ├── Rakefile
    │   │   ├── app/
    │   │   │   ├── controllers/
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   ├── emails_controller.rb
    │   │   │   │   ├── home_controller.rb
    │   │   │   │   └── other_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   ├── application_helper.rb
    │   │   │   │   ├── home_helper.rb
    │   │   │   │   └── other_helper.rb
    │   │   │   ├── models/
    │   │   │   │   ├── account.rb
    │   │   │   │   ├── email.rb
    │   │   │   │   ├── protected.rb
    │   │   │   │   ├── unprotected.rb
    │   │   │   │   └── user.rb
    │   │   │   └── views/
    │   │   │       ├── home/
    │   │   │       │   ├── _models.html.erb
    │   │   │       │   ├── index.html.erb
    │   │   │       │   ├── test_command.html.erb
    │   │   │       │   ├── test_content_tag.html.erb
    │   │   │       │   ├── test_cookie.html.erb
    │   │   │       │   ├── test_dynamic_render.html.erb
    │   │   │       │   ├── test_eval.html.erb
    │   │   │       │   ├── test_filter.html.erb
    │   │   │       │   ├── test_link_to.html.erb
    │   │   │       │   ├── test_mass_assignment.html.erb
    │   │   │       │   ├── test_model.html.erb
    │   │   │       │   ├── test_params.html.erb
    │   │   │       │   ├── test_redirect.html.erb
    │   │   │       │   ├── test_render.html.erb
    │   │   │       │   ├── test_render_template.html.haml
    │   │   │       │   ├── test_sanitized_param.html.erb
    │   │   │       │   ├── test_send_target.html.erb
    │   │   │       │   ├── test_sql.html.erb
    │   │   │       │   ├── test_strip_tags.html.erb
    │   │   │       │   ├── test_to_json.html.erb
    │   │   │       │   └── test_xss_with_or.html.erb
    │   │   │       ├── layouts/
    │   │   │       │   └── thing.html.erb
    │   │   │       └── other/
    │   │   │           ├── _account.html.haml
    │   │   │           ├── _user.html.erb
    │   │   │           ├── ignore_me.html.erb
    │   │   │           ├── not_used.html.erb
    │   │   │           ├── test_collection.html.erb
    │   │   │           ├── test_env.html.erb
    │   │   │           ├── test_haml_stuff.html.haml
    │   │   │           ├── test_iteration.html.erb
    │   │   │           ├── test_locals.html.erb
    │   │   │           ├── test_object.html.erb
    │   │   │           ├── test_to_i.html.erb
    │   │   │           ├── test_trim_mode.html.erb
    │   │   │           └── xss_dupes.html.erb
    │   │   ├── config/
    │   │   │   ├── boot.rb
    │   │   │   ├── brakeman.ignore
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── cookie_verification_secret.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   ├── new_rails_defaults.rb
    │   │   │   │   ├── security_defaults.rb
    │   │   │   │   └── session_store.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   └── routes.rb
    │   │   ├── db/
    │   │   │   ├── migrate/
    │   │   │   │   ├── 20110520193611_create_users.rb
    │   │   │   │   └── 20110523184125_create_accounts.rb
    │   │   │   └── seeds.rb
    │   │   ├── doc/
    │   │   │   └── README_FOR_APP
    │   │   ├── lib/
    │   │   │   └── generators/
    │   │   │       └── test_generator/
    │   │   │           └── templates/
    │   │   │               └── model.rb
    │   │   ├── log/
    │   │   │   ├── development.log
    │   │   │   ├── production.log
    │   │   │   ├── server.log
    │   │   │   └── test.log
    │   │   ├── public/
    │   │   │   ├── 404.html
    │   │   │   ├── 422.html
    │   │   │   ├── 500.html
    │   │   │   ├── index.html
    │   │   │   ├── javascripts/
    │   │   │   │   ├── application.js
    │   │   │   │   ├── controls.js
    │   │   │   │   ├── dragdrop.js
    │   │   │   │   ├── effects.js
    │   │   │   │   └── prototype.js
    │   │   │   └── robots.txt
    │   │   ├── script/
    │   │   │   ├── about
    │   │   │   ├── console
    │   │   │   ├── dbconsole
    │   │   │   ├── destroy
    │   │   │   ├── generate
    │   │   │   ├── performance/
    │   │   │   │   ├── benchmarker
    │   │   │   │   └── profiler
    │   │   │   ├── plugin
    │   │   │   ├── runner
    │   │   │   └── server
    │   │   └── test/
    │   │       ├── fixtures/
    │   │       │   ├── accounts.yml
    │   │       │   └── users.yml
    │   │       ├── functional/
    │   │       │   ├── home_controller_test.rb
    │   │       │   └── other_controller_test.rb
    │   │       ├── performance/
    │   │       │   └── browsing_test.rb
    │   │       ├── test_helper.rb
    │   │       └── unit/
    │   │           ├── account_test.rb
    │   │           ├── helpers/
    │   │           │   ├── home_helper_test.rb
    │   │           │   └── other_helper_test.rb
    │   │           └── user_test.rb
    │   ├── rails3/
    │   │   ├── .gitignore
    │   │   ├── Gemfile
    │   │   ├── README
    │   │   ├── Rakefile
    │   │   ├── app/
    │   │   │   ├── controllers/
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   ├── base_thing.rb
    │   │   │   │   ├── before_controller.rb
    │   │   │   │   ├── child_controller.rb
    │   │   │   │   ├── home_controller.rb
    │   │   │   │   ├── nested_controller.rb
    │   │   │   │   ├── other_controller.rb
    │   │   │   │   └── products_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   ├── application_helper.rb
    │   │   │   │   ├── home_helper.rb
    │   │   │   │   ├── other_helper.rb
    │   │   │   │   └── products_helper.rb
    │   │   │   ├── models/
    │   │   │   │   ├── account.rb
    │   │   │   │   ├── bill.rb
    │   │   │   │   ├── noticia.rb
    │   │   │   │   ├── notifier.rb
    │   │   │   │   ├── product.rb
    │   │   │   │   ├── purchase.rb
    │   │   │   │   ├── underline_model.rb
    │   │   │   │   └── user.rb
    │   │   │   └── views/
    │   │   │       ├── before/
    │   │   │       │   ├── use_filter12345.html.erb
    │   │   │       │   └── use_filters12.html.erb
    │   │   │       ├── child/
    │   │   │       │   └── action_in_child.html.erb
    │   │   │       ├── home/
    │   │   │       │   ├── index.html.erb
    │   │   │       │   ├── test_command.html.erb
    │   │   │       │   ├── test_content_tag.html.erb
    │   │   │       │   ├── test_cookie.html.erb
    │   │   │       │   ├── test_dynamic_render.html.erb
    │   │   │       │   ├── test_eval.html.erb
    │   │   │       │   ├── test_file_access.html.erb
    │   │   │       │   ├── test_filter.html.erb
    │   │   │       │   ├── test_mass_assignment.html.erb
    │   │   │       │   ├── test_model.html.erb
    │   │   │       │   ├── test_newlines.html.erb
    │   │   │       │   ├── test_params.html.erb
    │   │   │       │   ├── test_redirect.html.erb
    │   │   │       │   ├── test_render.html.erb
    │   │   │       │   └── test_sql.html.erb
    │   │   │       ├── layouts/
    │   │   │       │   └── application.html.erb
    │   │   │       ├── other/
    │   │   │       │   ├── _account.html.haml
    │   │   │       │   ├── _user.html.erb
    │   │   │       │   ├── test_collection.html.erb
    │   │   │       │   ├── test_iteration.html.erb
    │   │   │       │   ├── test_locals.html.erb
    │   │   │       │   ├── test_mail_to.html.erb
    │   │   │       │   ├── test_object.html.erb
    │   │   │       │   ├── test_select_tag.html.erb
    │   │   │       │   ├── test_send_file.html.erb
    │   │   │       │   └── test_strip_tags.html.erb
    │   │   │       ├── products/
    │   │   │       │   ├── _form.html.erb
    │   │   │       │   ├── edit.html.erb
    │   │   │       │   ├── index.html.erb
    │   │   │       │   ├── new.html.erb
    │   │   │       │   └── show.html.erb
    │   │   │       └── whatever/
    │   │   │           └── wherever/
    │   │   │               └── nested/
    │   │   │                   └── so_nested.html.erb
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── brakeman.yml
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── disable_xml_parsing.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   └── session_store.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   └── routes.rb
    │   │   ├── config.ru
    │   │   ├── db/
    │   │   │   └── seeds.rb
    │   │   ├── doc/
    │   │   │   └── README_FOR_APP
    │   │   ├── lib/
    │   │   │   ├── controller_filter.rb
    │   │   │   └── tasks/
    │   │   │       └── .gitkeep
    │   │   ├── public/
    │   │   │   ├── 404.html
    │   │   │   ├── 422.html
    │   │   │   ├── 500.html
    │   │   │   ├── index.html
    │   │   │   ├── javascripts/
    │   │   │   │   ├── application.js
    │   │   │   │   ├── controls.js
    │   │   │   │   ├── dragdrop.js
    │   │   │   │   ├── effects.js
    │   │   │   │   ├── prototype.js
    │   │   │   │   └── rails.js
    │   │   │   ├── robots.txt
    │   │   │   └── stylesheets/
    │   │   │       └── .gitkeep
    │   │   ├── script/
    │   │   │   └── rails
    │   │   ├── test/
    │   │   │   ├── functional/
    │   │   │   │   ├── home_controller_test.rb
    │   │   │   │   └── other_controller_test.rb
    │   │   │   ├── performance/
    │   │   │   │   └── browsing_test.rb
    │   │   │   ├── test_helper.rb
    │   │   │   └── unit/
    │   │   │       └── helpers/
    │   │   │           ├── home_helper_test.rb
    │   │   │           └── other_helper_test.rb
    │   │   └── vendor/
    │   │       └── plugins/
    │   │           └── .gitkeep
    │   ├── rails3.1/
    │   │   ├── .gitignore
    │   │   ├── Gemfile
    │   │   ├── README
    │   │   ├── Rakefile
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   ├── javascripts/
    │   │   │   │   │   ├── application.js
    │   │   │   │   │   └── users.js.coffee
    │   │   │   │   └── stylesheets/
    │   │   │   │       ├── application.css
    │   │   │   │       ├── scaffolds.css.scss
    │   │   │   │       └── users.css.scss
    │   │   │   ├── controllers/
    │   │   │   │   ├── admin_controller.rb
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   ├── mixins/
    │   │   │   │   │   └── user_mixin.rb
    │   │   │   │   ├── other_controller.rb
    │   │   │   │   └── users_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   ├── application_helper.rb
    │   │   │   │   └── users_helper.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── .gitkeep
    │   │   │   ├── models/
    │   │   │   │   ├── .gitkeep
    │   │   │   │   ├── account.rb
    │   │   │   │   ├── product.rb
    │   │   │   │   ├── some_model.rb
    │   │   │   │   └── user.rb
    │   │   │   └── views/
    │   │   │       ├── layouts/
    │   │   │       │   └── application.html.erb
    │   │   │       ├── other/
    │   │   │       │   ├── _partial.html.erb
    │   │   │       │   ├── a.html.erb
    │   │   │       │   ├── b.html.erb
    │   │   │       │   ├── c.html.erb
    │   │   │       │   ├── d.html.erb
    │   │   │       │   ├── e.html.erb
    │   │   │       │   ├── f.html.erb
    │   │   │       │   ├── g.html.erb
    │   │   │       │   ├── test_model_in_haml.html.haml
    │   │   │       │   ├── test_partial.html.erb
    │   │   │       │   ├── test_select_tag.html.erb
    │   │   │       │   ├── test_string_interp.html.erb
    │   │   │       │   └── test_strip_tags.html.erb
    │   │   │       └── users/
    │   │   │           ├── _bio.html.erb
    │   │   │           ├── _circular.html.erb
    │   │   │           ├── _circular_too.html.erb
    │   │   │           ├── _form.html.erb
    │   │   │           ├── _test_layout.html.erb
    │   │   │           ├── _user.html.erb
    │   │   │           ├── circular_render.html.erb
    │   │   │           ├── drape.html.erb
    │   │   │           ├── edit.html.erb
    │   │   │           ├── index.html.erb
    │   │   │           ├── interpolated_value.html.haml
    │   │   │           ├── json_test.html.erb
    │   │   │           ├── mixin_default.html.erb
    │   │   │           ├── mixin_template.html.erb
    │   │   │           ├── new.html.erb
    │   │   │           ├── show.html.erb
    │   │   │           ├── test_assign_if.html.erb
    │   │   │           ├── test_assign_twice.html.erb
    │   │   │           ├── test_less_simple_helpers.html.erb
    │   │   │           └── test_simple_helper.html.erb
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── mime_type_fix.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   ├── secret_token.rb
    │   │   │   │   ├── session_store.rb
    │   │   │   │   ├── set_escape_json.rb
    │   │   │   │   ├── unset_escape_json.rb
    │   │   │   │   ├── wrap_parameters.rb
    │   │   │   │   ├── xml_parsing.rb
    │   │   │   │   └── yaml_parsing.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   └── routes.rb
    │   │   ├── config.ru
    │   │   ├── db/
    │   │   │   ├── migrate/
    │   │   │   │   └── 20110908172338_create_users.rb
    │   │   │   └── seeds.rb
    │   │   ├── doc/
    │   │   │   └── README_FOR_APP
    │   │   ├── lib/
    │   │   │   ├── alib.rb
    │   │   │   ├── assets/
    │   │   │   │   └── .gitkeep
    │   │   │   ├── somelib.rb
    │   │   │   └── tasks/
    │   │   │       └── .gitkeep
    │   │   ├── log/
    │   │   │   └── .gitkeep
    │   │   ├── public/
    │   │   │   ├── 404.html
    │   │   │   ├── 422.html
    │   │   │   ├── 500.html
    │   │   │   ├── index.html
    │   │   │   └── robots.txt
    │   │   ├── script/
    │   │   │   └── rails
    │   │   ├── test/
    │   │   │   ├── fixtures/
    │   │   │   │   ├── .gitkeep
    │   │   │   │   └── users.yml
    │   │   │   ├── functional/
    │   │   │   │   ├── .gitkeep
    │   │   │   │   └── users_controller_test.rb
    │   │   │   ├── integration/
    │   │   │   │   └── .gitkeep
    │   │   │   ├── performance/
    │   │   │   │   └── browsing_test.rb
    │   │   │   ├── test_helper.rb
    │   │   │   └── unit/
    │   │   │       ├── .gitkeep
    │   │   │       ├── helpers/
    │   │   │       │   └── users_helper_test.rb
    │   │   │       └── user_test.rb
    │   │   └── vendor/
    │   │       ├── assets/
    │   │       │   └── stylesheets/
    │   │       │       └── .gitkeep
    │   │       └── plugins/
    │   │           └── .gitkeep
    │   ├── rails3.2/
    │   │   ├── Gemfile
    │   │   ├── README.rdoc
    │   │   ├── Rakefile
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   ├── javascripts/
    │   │   │   │   │   ├── application.js
    │   │   │   │   │   └── users.js.coffee
    │   │   │   │   └── stylesheets/
    │   │   │   │       ├── application.css
    │   │   │   │       ├── scaffolds.css.scss
    │   │   │   │       └── users.css.scss
    │   │   │   ├── controllers/
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   ├── exec_controller/
    │   │   │   │   │   └── command_dependency.rb
    │   │   │   │   ├── exec_controller.rb
    │   │   │   │   ├── removal_controller.rb
    │   │   │   │   └── users_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   ├── application_helper.rb
    │   │   │   │   └── users_helper.rb
    │   │   │   ├── models/
    │   │   │   │   ├── .gitkeep
    │   │   │   │   ├── account.rb
    │   │   │   │   ├── multi_model.rb
    │   │   │   │   ├── no_protection.rb
    │   │   │   │   ├── user/
    │   │   │   │   │   └── command_dependency.rb
    │   │   │   │   └── user.rb
    │   │   │   └── views/
    │   │   │       ├── layouts/
    │   │   │       │   └── application.html.erb
    │   │   │       ├── removal/
    │   │   │       │   ├── _partial.html.erb
    │   │   │       │   ├── controller_removed.html.erb
    │   │   │       │   └── implicit_render.html.erb
    │   │   │       └── users/
    │   │   │           ├── _form.html.erb
    │   │   │           ├── _slimmer.html.slim
    │   │   │           ├── edit.html.erb
    │   │   │           ├── index.html.erb
    │   │   │           ├── mixed_in.html.erb
    │   │   │           ├── new.html.erb
    │   │   │           ├── sanitized.html.erb
    │   │   │           ├── show.html.erb
    │   │   │           └── slimming.html.slim
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── header_dos_protection.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   ├── secret_token.rb
    │   │   │   │   ├── session_store.rb
    │   │   │   │   └── wrap_parameters.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   └── routes.rb
    │   │   ├── config.ru
    │   │   ├── lib/
    │   │   │   ├── assets/
    │   │   │   │   └── .gitkeep
    │   │   │   ├── tasks/
    │   │   │   │   └── .gitkeep
    │   │   │   └── user_controller_mixin.rb
    │   │   └── script/
    │   │       └── rails
    │   ├── rails4/
    │   │   ├── .gitignore
    │   │   ├── Gemfile
    │   │   ├── README.rdoc
    │   │   ├── Rakefile
    │   │   ├── app/
    │   │   │   ├── api/
    │   │   │   │   └── api.rb
    │   │   │   ├── assets/
    │   │   │   │   ├── javascripts/
    │   │   │   │   │   └── application.js
    │   │   │   │   └── stylesheets/
    │   │   │   │       └── application.css
    │   │   │   ├── controllers/
    │   │   │   │   ├── another_controller.rb
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── friendly_controller.rb
    │   │   │   │   ├── mixed_controller.rb
    │   │   │   │   ├── mixed_in_proxy.rb
    │   │   │   │   └── users_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   └── application_helper.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── .keep
    │   │   │   ├── models/
    │   │   │   │   ├── .keep
    │   │   │   │   ├── account.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── email.rb
    │   │   │   │   ├── phone.rb
    │   │   │   │   ├── recursive/
    │   │   │   │   │   └── stack_level.rb
    │   │   │   │   └── user.rb
    │   │   │   └── views/
    │   │   │       ├── _global_partial.html.erb
    │   │   │       ├── another/
    │   │   │       │   ├── html_safe_is_not.html.erb
    │   │   │       │   ├── overflow.html.erb
    │   │   │       │   ├── use_params_in_regex.html.erb
    │   │   │       │   └── various_xss.html.erb
    │   │   │       ├── layouts/
    │   │   │       │   └── application.html.erb
    │   │   │       └── users/
    │   │   │           ├── eval_it.html.erb
    │   │   │           ├── haml_test.html.haml
    │   │   │           ├── index.html.erb
    │   │   │           ├── more_haml.html.haml
    │   │   │           └── test_parse.html.erb
    │   │   ├── bin/
    │   │   │   ├── rails
    │   │   │   └── rake
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── brakeman.ignore
    │   │   │   ├── brakeman.yml
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── filter_parameter_logging.rb
    │   │   │   │   ├── i18n.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   ├── secret_token.rb
    │   │   │   │   ├── session_store.rb
    │   │   │   │   └── wrap_parameters.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   ├── routes.rb
    │   │   │   └── secrets.yml
    │   │   ├── config.ru
    │   │   ├── db/
    │   │   │   └── seeds.rb
    │   │   ├── external_checks/
    │   │   │   └── check_external_check_test.rb
    │   │   ├── lib/
    │   │   │   ├── assets/
    │   │   │   │   └── .keep
    │   │   │   ├── sweet_lib.rb
    │   │   │   └── tasks/
    │   │   │       ├── .keep
    │   │   │       └── some_task.rb
    │   │   ├── log/
    │   │   │   └── .keep
    │   │   ├── public/
    │   │   │   ├── 404.html
    │   │   │   ├── 422.html
    │   │   │   ├── 500.html
    │   │   │   └── robots.txt
    │   │   ├── test/
    │   │   │   ├── controllers/
    │   │   │   │   └── .keep
    │   │   │   ├── fixtures/
    │   │   │   │   └── .keep
    │   │   │   ├── helpers/
    │   │   │   │   └── .keep
    │   │   │   ├── integration/
    │   │   │   │   └── .keep
    │   │   │   ├── mailers/
    │   │   │   │   └── .keep
    │   │   │   ├── models/
    │   │   │   │   └── .keep
    │   │   │   └── test_helper.rb
    │   │   └── vendor/
    │   │       └── assets/
    │   │           ├── javascripts/
    │   │           │   └── .keep
    │   │           └── stylesheets/
    │   │               └── .keep
    │   ├── rails4_non_standard_structure/
    │   │   ├── .gitignore
    │   │   ├── README.rdoc
    │   │   ├── Rakefile
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   ├── images/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── javascripts/
    │   │   │   │   │   └── application.js
    │   │   │   │   └── stylesheets/
    │   │   │   │       └── application.css
    │   │   │   ├── controllers/
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   └── concerns/
    │   │   │   │       └── .keep
    │   │   │   ├── foo_team/
    │   │   │   │   ├── controllers/
    │   │   │   │   │   └── api/
    │   │   │   │   │       └── foo_controller.rb
    │   │   │   │   ├── models/
    │   │   │   │   │   └── foo.rb
    │   │   │   │   └── views/
    │   │   │   │       └── foo.html.erb
    │   │   │   ├── helpers/
    │   │   │   │   └── application_helper.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── .keep
    │   │   │   ├── models/
    │   │   │   │   ├── .keep
    │   │   │   │   └── concerns/
    │   │   │   │       └── .keep
    │   │   │   └── views/
    │   │   │       └── layouts/
    │   │   │           └── application.html.erb
    │   │   ├── bin/
    │   │   │   ├── rails
    │   │   │   ├── rake
    │   │   │   └── spring
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── assets.rb
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── cookies_serializer.rb
    │   │   │   │   ├── filter_parameter_logging.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   ├── session_store.rb
    │   │   │   │   └── wrap_parameters.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   ├── routes.rb
    │   │   │   └── secrets.yml
    │   │   ├── config.ru
    │   │   ├── db/
    │   │   │   └── seeds.rb
    │   │   ├── lib/
    │   │   │   ├── assets/
    │   │   │   │   └── .keep
    │   │   │   └── tasks/
    │   │   │       └── .keep
    │   │   ├── log/
    │   │   │   └── .keep
    │   │   ├── public/
    │   │   │   ├── 404.html
    │   │   │   ├── 422.html
    │   │   │   ├── 500.html
    │   │   │   └── robots.txt
    │   │   ├── rails4test.gemspec
    │   │   ├── test/
    │   │   │   ├── controllers/
    │   │   │   │   └── .keep
    │   │   │   ├── fixtures/
    │   │   │   │   └── .keep
    │   │   │   ├── helpers/
    │   │   │   │   └── .keep
    │   │   │   ├── integration/
    │   │   │   │   └── .keep
    │   │   │   ├── mailers/
    │   │   │   │   └── .keep
    │   │   │   ├── models/
    │   │   │   │   └── .keep
    │   │   │   └── test_helper.rb
    │   │   └── vendor/
    │   │       └── assets/
    │   │           ├── javascripts/
    │   │           │   └── .keep
    │   │           └── stylesheets/
    │   │               └── .keep
    │   ├── rails4_with_engines/
    │   │   ├── README.rdoc
    │   │   ├── Rakefile
    │   │   ├── alt_engines/
    │   │   │   └── admin_stuff/
    │   │   │       └── app/
    │   │   │           ├── controllers/
    │   │   │           │   └── admin_controller.rb
    │   │   │           ├── helpers/
    │   │   │           │   └── application_helper.rb
    │   │   │           └── views/
    │   │   │               └── admin/
    │   │   │                   └── debug.html.erb
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   ├── javascripts/
    │   │   │   │   │   └── application.js
    │   │   │   │   └── stylesheets/
    │   │   │   │       └── application.css
    │   │   │   ├── controllers/
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   └── concerns/
    │   │   │   │       └── .keep
    │   │   │   ├── helpers/
    │   │   │   │   └── application_helper.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── .keep
    │   │   │   ├── models/
    │   │   │   │   ├── .keep
    │   │   │   │   └── concerns/
    │   │   │   │       └── .keep
    │   │   │   └── views/
    │   │   │       └── layouts/
    │   │   │           └── application.html.erb
    │   │   ├── bin/
    │   │   │   ├── rails
    │   │   │   └── rake
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── brakeman.yml
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── filter_parameter_logging.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   ├── nested_attributes_bypass_fix.rb
    │   │   │   │   ├── secret_token.rb
    │   │   │   │   ├── session_store.rb
    │   │   │   │   └── wrap_parameters.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   └── routes.rb
    │   │   ├── config.ru
    │   │   ├── db/
    │   │   │   └── seeds.rb
    │   │   ├── engines/
    │   │   │   └── user_removal/
    │   │   │       ├── app/
    │   │   │       │   ├── assets/
    │   │   │       │   │   ├── javascripts/
    │   │   │       │   │   │   └── users.js.coffee
    │   │   │       │   │   └── stylesheets/
    │   │   │       │   │       └── users.css.scss
    │   │   │       │   ├── controllers/
    │   │   │       │   │   ├── base_controller.rb
    │   │   │       │   │   ├── removal_controller.rb
    │   │   │       │   │   └── users_controller.rb
    │   │   │       │   ├── helpers/
    │   │   │       │   │   ├── application_helper.rb
    │   │   │       │   │   └── users_helper.rb
    │   │   │       │   ├── models/
    │   │   │       │   │   ├── .gitkeep
    │   │   │       │   │   ├── account.rb
    │   │   │       │   │   ├── no_protection.rb
    │   │   │       │   │   └── user.rb
    │   │   │       │   └── views/
    │   │   │       │       ├── removal/
    │   │   │       │       │   ├── _partial.html.erb
    │   │   │       │       │   ├── controller_removed.html.erb
    │   │   │       │       │   └── implicit_render.html.erb
    │   │   │       │       └── users/
    │   │   │       │           ├── _form.html.erb
    │   │   │       │           ├── _slimmer.html.slim
    │   │   │       │           ├── edit.html.erb
    │   │   │       │           ├── index.html.erb
    │   │   │       │           ├── mixed_in.html.erb
    │   │   │       │           ├── new.html.erb
    │   │   │       │           ├── sanitized.html.erb
    │   │   │       │           ├── show.html.erb
    │   │   │       │           └── slimming.html.slim
    │   │   │       ├── config/
    │   │   │       │   └── routes.rb
    │   │   │       └── lib/
    │   │   │           └── user_removal.rb
    │   │   ├── gems.rb
    │   │   ├── lib/
    │   │   │   ├── assets/
    │   │   │   │   └── .keep
    │   │   │   └── tasks/
    │   │   │       └── .keep
    │   │   ├── log/
    │   │   │   └── .keep
    │   │   ├── public/
    │   │   │   ├── 404.html
    │   │   │   ├── 422.html
    │   │   │   ├── 500.html
    │   │   │   └── robots.txt
    │   │   ├── script/
    │   │   │   └── .keep
    │   │   ├── test/
    │   │   │   ├── controllers/
    │   │   │   │   └── .keep
    │   │   │   ├── fixtures/
    │   │   │   │   └── .keep
    │   │   │   ├── helpers/
    │   │   │   │   └── .keep
    │   │   │   ├── integration/
    │   │   │   │   └── .keep
    │   │   │   ├── mailers/
    │   │   │   │   └── .keep
    │   │   │   ├── models/
    │   │   │   │   └── .keep
    │   │   │   └── test_helper.rb
    │   │   └── vendor/
    │   │       └── assets/
    │   │           ├── javascripts/
    │   │           │   └── .keep
    │   │           └── stylesheets/
    │   │               └── .keep
    │   ├── rails5/
    │   │   ├── .gitignore
    │   │   ├── Gemfile
    │   │   ├── README.md
    │   │   ├── Rakefile
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   ├── config/
    │   │   │   │   │   └── manifest.js
    │   │   │   │   ├── images/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── javascripts/
    │   │   │   │   │   ├── application.js
    │   │   │   │   │   ├── cable.coffee
    │   │   │   │   │   ├── channels/
    │   │   │   │   │   │   └── .keep
    │   │   │   │   │   └── users.coffee
    │   │   │   │   └── stylesheets/
    │   │   │   │       ├── application.css
    │   │   │   │       ├── scaffold.css
    │   │   │   │       └── users.css
    │   │   │   ├── channels/
    │   │   │   │   └── application_cable/
    │   │   │   │       ├── channel.rb
    │   │   │   │       └── connection.rb
    │   │   │   ├── controllers/
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   ├── .keep
    │   │   │   │   │   ├── concerning.rb
    │   │   │   │   │   └── forgery_protection.rb
    │   │   │   │   ├── file_controller.rb
    │   │   │   │   ├── mixed_controller.rb
    │   │   │   │   ├── users_controller.rb
    │   │   │   │   └── widget_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   ├── application_helper.rb
    │   │   │   │   └── users_helper.rb
    │   │   │   ├── jobs/
    │   │   │   │   └── application_job.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── application_mailer.rb
    │   │   │   ├── models/
    │   │   │   │   ├── application_record.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── thing.rb
    │   │   │   │   └── user.rb
    │   │   │   └── views/
    │   │   │       ├── layouts/
    │   │   │       │   ├── application.html.erb
    │   │   │       │   ├── mailer.html.erb
    │   │   │       │   ├── mailer.text.erb
    │   │   │       │   └── users.html.erb
    │   │   │       ├── users/
    │   │   │       │   ├── _form.html.erb
    │   │   │       │   ├── edit.html.erb
    │   │   │       │   ├── find_and_preserve.html.haml
    │   │   │       │   ├── if_thing.html.haml
    │   │   │       │   ├── index.html.erb
    │   │   │       │   ├── index.json.jbuilder
    │   │   │       │   ├── new.html.erb
    │   │   │       │   ├── safe_call_params.html.haml
    │   │   │       │   ├── sanitizing.html.erb
    │   │   │       │   ├── show.html.erb
    │   │   │       │   └── show.json.jbuilder
    │   │   │       └── widget/
    │   │   │           ├── attributes.html.haml
    │   │   │           ├── content_tag.html.erb
    │   │   │           ├── graphql.html.erb
    │   │   │           ├── haml_test.html.haml
    │   │   │           ├── no_html.haml
    │   │   │           └── show.html.erb
    │   │   ├── bin/
    │   │   │   ├── rails
    │   │   │   ├── rake
    │   │   │   ├── setup
    │   │   │   ├── spring
    │   │   │   └── update
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── brakeman.yml
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── active_record_belongs_to_required_by_default.rb
    │   │   │   │   ├── application_controller_renderer.rb
    │   │   │   │   ├── assets.rb
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── callback_terminator.rb
    │   │   │   │   ├── cookies_serializer.rb
    │   │   │   │   ├── cors.rb
    │   │   │   │   ├── filter_parameter_logging.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   ├── request_forgery_protection.rb
    │   │   │   │   ├── secrets.rb
    │   │   │   │   ├── session_store.rb
    │   │   │   │   └── wrap_parameters.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   ├── redis/
    │   │   │   │   └── cable.yml
    │   │   │   ├── routes.rb
    │   │   │   └── secrets.yml
    │   │   ├── config.ru
    │   │   ├── db/
    │   │   │   ├── migrate/
    │   │   │   │   └── 20160127223106_create_users.rb
    │   │   │   └── seeds.rb
    │   │   ├── external_checks/
    │   │   │   └── check_external_check_test.rb
    │   │   ├── lib/
    │   │   │   ├── a_lib.rb
    │   │   │   ├── assets/
    │   │   │   │   └── .keep
    │   │   │   ├── lib.rb
    │   │   │   └── tasks/
    │   │   │       └── .keep
    │   │   ├── log/
    │   │   │   └── .keep
    │   │   ├── public/
    │   │   │   ├── 404.html
    │   │   │   ├── 422.html
    │   │   │   ├── 500.html
    │   │   │   └── robots.txt
    │   │   ├── test/
    │   │   │   ├── controllers/
    │   │   │   │   ├── .keep
    │   │   │   │   └── users_controller_test.rb
    │   │   │   ├── fixtures/
    │   │   │   │   ├── .keep
    │   │   │   │   ├── files/
    │   │   │   │   │   └── .keep
    │   │   │   │   └── users.yml
    │   │   │   ├── helpers/
    │   │   │   │   └── .keep
    │   │   │   ├── integration/
    │   │   │   │   └── .keep
    │   │   │   ├── mailers/
    │   │   │   │   └── .keep
    │   │   │   ├── models/
    │   │   │   │   ├── .keep
    │   │   │   │   └── user_test.rb
    │   │   │   └── test_helper.rb
    │   │   ├── tmp/
    │   │   │   └── .keep
    │   │   └── vendor/
    │   │       └── assets/
    │   │           ├── javascripts/
    │   │           │   └── .keep
    │   │           └── stylesheets/
    │   │               └── .keep
    │   ├── rails5.2/
    │   │   ├── .ruby-version
    │   │   ├── Gemfile
    │   │   ├── README.md
    │   │   ├── Rakefile
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   ├── config/
    │   │   │   │   │   └── manifest.js
    │   │   │   │   ├── images/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── javascripts/
    │   │   │   │   │   ├── application.js
    │   │   │   │   │   ├── cable.js
    │   │   │   │   │   └── channels/
    │   │   │   │   │       └── .keep
    │   │   │   │   └── stylesheets/
    │   │   │   │       └── application.css
    │   │   │   ├── channels/
    │   │   │   │   └── application_cable/
    │   │   │   │       ├── channel.rb
    │   │   │   │       └── connection.rb
    │   │   │   ├── controllers/
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   └── users_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   ├── application_helper.rb
    │   │   │   │   └── users_helper.rb
    │   │   │   ├── jobs/
    │   │   │   │   ├── application_job.rb
    │   │   │   │   └── delete_stuff_job.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── application_mailer.rb
    │   │   │   ├── models/
    │   │   │   │   ├── application_record.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   └── user.rb
    │   │   │   └── views/
    │   │   │       ├── home/
    │   │   │       │   └── index.html.erb
    │   │   │       ├── layouts/
    │   │   │       │   ├── application.html.erb
    │   │   │       │   ├── mailer.html.erb
    │   │   │       │   └── mailer.text.erb
    │   │   │       └── users/
    │   │   │           ├── _empty_partial_name.html.erb
    │   │   │           ├── _foo.html.haml
    │   │   │           ├── _foo2.html.haml
    │   │   │           ├── kwsplat.html.haml
    │   │   │           ├── link.html.erb
    │   │   │           ├── not_not.html.erb
    │   │   │           ├── one.html.haml
    │   │   │           ├── smart.html.slim
    │   │   │           ├── test_empty_partial_name.html.erb
    │   │   │           └── two.html.slim
    │   │   ├── bin/
    │   │   │   ├── rails
    │   │   │   ├── rake
    │   │   │   ├── setup
    │   │   │   ├── spring
    │   │   │   ├── update
    │   │   │   └── yarn
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── cable.yml
    │   │   │   ├── credentials.yml.enc
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── application_controller_renderer.rb
    │   │   │   │   ├── assets.rb
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── content_security_policy.rb
    │   │   │   │   ├── cookies_serializer.rb
    │   │   │   │   ├── filter_parameter_logging.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   ├── oj.rb
    │   │   │   │   └── wrap_parameters.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   ├── puma.rb
    │   │   │   ├── routes.rb
    │   │   │   ├── secrets.yml
    │   │   │   ├── spring.rb
    │   │   │   └── storage.yml
    │   │   ├── config.ru
    │   │   ├── db/
    │   │   │   ├── migrate/
    │   │   │   │   └── 20171208205700_create_active_storage_tables.active_storage.rb
    │   │   │   └── seeds.rb
    │   │   ├── lib/
    │   │   │   ├── assets/
    │   │   │   │   └── .keep
    │   │   │   ├── factory_bot.rb
    │   │   │   ├── initthing.rb
    │   │   │   ├── shell.rb
    │   │   │   └── tasks/
    │   │   │       └── .keep
    │   │   ├── log/
    │   │   │   └── .keep
    │   │   ├── package.json
    │   │   ├── public/
    │   │   │   ├── 404.html
    │   │   │   ├── 422.html
    │   │   │   ├── 500.html
    │   │   │   └── robots.txt
    │   │   └── vendor/
    │   │       ├── .keep
    │   │       └── vendored_thing.rb
    │   ├── rails6/
    │   │   ├── .gitignore
    │   │   ├── Gemfile
    │   │   ├── Rakefile
    │   │   ├── another_lib_dir/
    │   │   │   └── some_lib.rb
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   ├── config/
    │   │   │   │   │   └── manifest.js
    │   │   │   │   ├── images/
    │   │   │   │   │   └── .keep
    │   │   │   │   └── stylesheets/
    │   │   │   │       ├── application.css
    │   │   │   │       ├── scaffolds.scss
    │   │   │   │       └── users.scss
    │   │   │   ├── channels/
    │   │   │   │   └── application_cable/
    │   │   │   │       ├── channel.rb
    │   │   │   │       └── connection.rb
    │   │   │   ├── components/
    │   │   │   │   ├── base_component.rb
    │   │   │   │   ├── test_component.rb
    │   │   │   │   ├── test_view_component.rb
    │   │   │   │   ├── test_view_component_contrib.rb
    │   │   │   │   ├── test_view_component_fully_qualified_ancestor.rb
    │   │   │   │   └── text_phlex_component.rb
    │   │   │   ├── controllers/
    │   │   │   │   ├── accounts_controller.rb
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── groups_controller.rb
    │   │   │   │   └── users_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   ├── application_helper.rb
    │   │   │   │   └── users_helper.rb
    │   │   │   ├── javascript/
    │   │   │   │   ├── channels/
    │   │   │   │   │   ├── consumer.js
    │   │   │   │   │   └── index.js
    │   │   │   │   └── packs/
    │   │   │   │       └── application.js
    │   │   │   ├── jobs/
    │   │   │   │   └── application_job.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── application_mailer.rb
    │   │   │   ├── models/
    │   │   │   │   ├── application_record.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── group.rb
    │   │   │   │   └── user.rb
    │   │   │   ├── views/
    │   │   │   │   ├── layouts/
    │   │   │   │   │   ├── application.html.erb
    │   │   │   │   │   ├── mailer.html.erb
    │   │   │   │   │   └── mailer.text.erb
    │   │   │   │   └── users/
    │   │   │   │       ├── _form.html.erb
    │   │   │   │       ├── _user.json.jbuilder
    │   │   │   │       ├── edit.html.erb
    │   │   │   │       ├── index.html.erb
    │   │   │   │       ├── index.json.jbuilder
    │   │   │   │       ├── new.html.erb
    │   │   │   │       ├── show.html.erb
    │   │   │   │       └── show.json.jbuilder
    │   │   │   └── widgets/
    │   │   │       └── widget.rb
    │   │   ├── babel.config.js
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── cable.yml
    │   │   │   ├── credentials.yml.enc
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── allow_all_parameters.rb
    │   │   │   │   ├── application_controller_renderer.rb
    │   │   │   │   ├── assets.rb
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── content_security_policy.rb
    │   │   │   │   ├── cookies_serializer.rb
    │   │   │   │   ├── filter_parameter_logging.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── json_escape.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   └── wrap_parameters.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   ├── puma.rb
    │   │   │   ├── routes.rb
    │   │   │   ├── spring.rb
    │   │   │   ├── storage.yml
    │   │   │   ├── webpack/
    │   │   │   │   ├── development.js
    │   │   │   │   ├── environment.js
    │   │   │   │   ├── production.js
    │   │   │   │   └── test.js
    │   │   │   └── webpacker.yml
    │   │   ├── config.ru
    │   │   ├── lib/
    │   │   │   ├── assets/
    │   │   │   │   └── .keep
    │   │   │   ├── run_stuff.rb
    │   │   │   ├── tasks/
    │   │   │   │   └── .keep
    │   │   │   └── view_component/
    │   │   │       └── base.rb
    │   │   ├── package.json
    │   │   └── postcss.config.js
    │   ├── rails7/
    │   │   ├── MyGemfile
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   ├── config/
    │   │   │   │   │   └── manifest.js
    │   │   │   │   ├── images/
    │   │   │   │   │   └── .keep
    │   │   │   │   └── stylesheets/
    │   │   │   │       └── application.css
    │   │   │   ├── channels/
    │   │   │   │   └── application_cable/
    │   │   │   │       ├── channel.rb
    │   │   │   │       └── connection.rb
    │   │   │   ├── controllers/
    │   │   │   │   ├── admin_controller.rb
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   └── users_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   └── application_helper.rb
    │   │   │   ├── javascript/
    │   │   │   │   ├── application.js
    │   │   │   │   └── controllers/
    │   │   │   │       ├── application.js
    │   │   │   │       ├── hello_controller.js
    │   │   │   │       └── index.js
    │   │   │   ├── jobs/
    │   │   │   │   └── application_job.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── application_mailer.rb
    │   │   │   ├── models/
    │   │   │   │   ├── application_record.rb
    │   │   │   │   ├── book.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── thing.rb
    │   │   │   │   └── user.rb
    │   │   │   └── views/
    │   │   │       └── layouts/
    │   │   │           ├── application.html.erb
    │   │   │           ├── mailer.html.erb
    │   │   │           └── mailer.text.erb
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── cable.yml
    │   │   │   ├── credentials.yml.enc
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── importmap.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── assets.rb
    │   │   │   │   ├── content_security_policy.rb
    │   │   │   │   ├── filter_parameter_logging.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── permissions_policy.rb
    │   │   │   │   └── sanitizers.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   ├── master.key
    │   │   │   ├── puma.rb
    │   │   │   ├── routes.rb
    │   │   │   └── storage.yml
    │   │   └── lib/
    │   │       ├── assets/
    │   │       │   └── .keep
    │   │       ├── some_lib.rb
    │   │       └── tasks/
    │   │           └── .keep
    │   ├── rails8/
    │   │   ├── Gemfile
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   └── stylesheets/
    │   │   │   │       └── application.css
    │   │   │   ├── channels/
    │   │   │   │   └── application_cable/
    │   │   │   │       ├── channel.rb
    │   │   │   │       └── connection.rb
    │   │   │   ├── controllers/
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   └── users_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   ├── application_helper.rb
    │   │   │   │   └── users_helper.rb
    │   │   │   ├── javascript/
    │   │   │   │   ├── application.js
    │   │   │   │   └── controllers/
    │   │   │   │       ├── application.js
    │   │   │   │       ├── hello_controller.js
    │   │   │   │       └── index.js
    │   │   │   ├── jobs/
    │   │   │   │   └── application_job.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── application_mailer.rb
    │   │   │   ├── models/
    │   │   │   │   ├── application_record.rb
    │   │   │   │   ├── thing.rb
    │   │   │   │   └── user.rb
    │   │   │   └── views/
    │   │   │       ├── layouts/
    │   │   │       │   ├── application.html.erb
    │   │   │       │   ├── mailer.html.erb
    │   │   │       │   └── mailer.text.erb
    │   │   │       ├── pwa/
    │   │   │       │   ├── manifest.json.erb
    │   │   │       │   └── service-worker.js
    │   │   │       ├── things/
    │   │   │       │   ├── _thing.html.erb
    │   │   │       │   └── index.html.erb
    │   │   │       └── users/
    │   │   │           ├── _form.html.erb
    │   │   │           ├── _user.html.erb
    │   │   │           ├── _user.json.jbuilder
    │   │   │           ├── dom_id.haml
    │   │   │           ├── edit.html.erb
    │   │   │           ├── index.html.erb
    │   │   │           ├── index.json.jbuilder
    │   │   │           ├── new.html.erb
    │   │   │           ├── show.html.erb
    │   │   │           └── show.json.jbuilder
    │   │   ├── bin/
    │   │   │   ├── brakeman
    │   │   │   ├── importmap
    │   │   │   ├── kamal
    │   │   │   ├── rails
    │   │   │   ├── rake
    │   │   │   ├── rubocop
    │   │   │   └── setup
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── cable.yml
    │   │   │   ├── credentials.yml.enc
    │   │   │   ├── database.yml
    │   │   │   ├── deploy.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── importmap.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── assets.rb
    │   │   │   │   ├── content_security_policy.rb
    │   │   │   │   ├── filter_parameter_logging.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   └── permissions_policy.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   ├── master.key
    │   │   │   ├── puma.rb
    │   │   │   ├── routes.rb
    │   │   │   └── storage.yml
    │   │   ├── config.ru
    │   │   └── lib/
    │   │       ├── evals.rb
    │   │       └── masgn.rb
    │   └── rails_with_xss_plugin/
    │       ├── Gemfile
    │       ├── README
    │       ├── Rakefile
    │       ├── app/
    │       │   ├── controllers/
    │       │   │   ├── application_controller.rb
    │       │   │   ├── posts_controller.rb
    │       │   │   └── users_controller.rb
    │       │   ├── helpers/
    │       │   │   ├── application_helper.rb
    │       │   │   ├── posts_helper.rb
    │       │   │   └── users_helper.rb
    │       │   ├── models/
    │       │   │   ├── post.rb
    │       │   │   └── user.rb
    │       │   └── views/
    │       │       ├── layouts/
    │       │       │   ├── posts.html.erb
    │       │       │   └── users.html.erb
    │       │       ├── posts/
    │       │       │   ├── _show.html.erb
    │       │       │   ├── edit.html.erb
    │       │       │   ├── index.html.erb
    │       │       │   ├── new.html.erb
    │       │       │   ├── show.html.erb
    │       │       │   └── show_topic.html.erb
    │       │       └── users/
    │       │           ├── _user.html.erb
    │       │           ├── edit.html.erb
    │       │           ├── index.html.erb
    │       │           ├── login.html.erb
    │       │           ├── new.html.erb
    │       │           ├── results.html.erb
    │       │           ├── search.html.erb
    │       │           ├── show.html.erb
    │       │           ├── test_sanitize.html.erb
    │       │           └── to_json.html.erb
    │       ├── config/
    │       │   ├── boot.rb
    │       │   ├── database.yml
    │       │   ├── environment.rb
    │       │   ├── environments/
    │       │   │   ├── development.rb
    │       │   │   ├── production.rb
    │       │   │   └── test.rb
    │       │   ├── initializers/
    │       │   │   ├── backtrace_silencers.rb
    │       │   │   ├── cookie_verification_secret.rb
    │       │   │   ├── inflections.rb
    │       │   │   ├── json_parsing.rb
    │       │   │   ├── mime_types.rb
    │       │   │   ├── new_rails_defaults.rb
    │       │   │   ├── session_store.rb
    │       │   │   ├── single_quote_workaround.rb
    │       │   │   └── yaml_parsing.rb
    │       │   ├── locales/
    │       │   │   └── en.yml
    │       │   └── routes.rb
    │       ├── db/
    │       │   ├── migrate/
    │       │   │   ├── 20120312064721_create_users.rb
    │       │   │   └── 20120312065023_create_posts.rb
    │       │   ├── schema.rb
    │       │   └── seeds.rb
    │       ├── doc/
    │       │   └── README_FOR_APP
    │       ├── public/
    │       │   ├── 404.html
    │       │   ├── 422.html
    │       │   ├── 500.html
    │       │   ├── javascripts/
    │       │   │   ├── application.js
    │       │   │   ├── controls.js
    │       │   │   ├── dragdrop.js
    │       │   │   ├── effects.js
    │       │   │   └── prototype.js
    │       │   ├── robots.txt
    │       │   └── stylesheets/
    │       │       └── scaffold.css
    │       ├── script/
    │       │   ├── about
    │       │   ├── console
    │       │   ├── dbconsole
    │       │   ├── destroy
    │       │   ├── generate
    │       │   ├── performance/
    │       │   │   ├── benchmarker
    │       │   │   └── profiler
    │       │   ├── plugin
    │       │   ├── runner
    │       │   └── server
    │       ├── test/
    │       │   ├── fixtures/
    │       │   │   ├── posts.yml
    │       │   │   └── users.yml
    │       │   ├── functional/
    │       │   │   ├── posts_controller_test.rb
    │       │   │   └── users_controller_test.rb
    │       │   ├── performance/
    │       │   │   └── browsing_test.rb
    │       │   ├── test_helper.rb
    │       │   └── unit/
    │       │       ├── helpers/
    │       │       │   ├── posts_helper_test.rb
    │       │       │   └── users_helper_test.rb
    │       │       ├── post_test.rb
    │       │       └── user_test.rb
    │       └── vendor/
    │           └── plugins/
    │               └── rails_xss/
    │                   └── README
    ├── test.rb
    ├── tests/
    │   ├── active_record_only.rb
    │   ├── alias_processor.rb
    │   ├── app_tree.rb
    │   ├── brakeman.rb
    │   ├── call_index.rb
    │   ├── checks.rb
    │   ├── codeclimate_engine_configuration.rb
    │   ├── codeclimate_output.rb
    │   ├── commandline.rb
    │   ├── config.rb
    │   ├── constants.rb
    │   ├── cves.rb
    │   ├── differ.rb
    │   ├── file_cache.rb
    │   ├── file_parser.rb
    │   ├── file_path.rb
    │   ├── find_return_value.rb
    │   ├── github_output.rb
    │   ├── ignore.rb
    │   ├── json_compare.rb
    │   ├── json_output.rb
    │   ├── junit_output.rb
    │   ├── logger.rb
    │   ├── markdown_output.rb
    │   ├── mass_assign_disable.rb
    │   ├── oj.rb
    │   ├── only_files_option.rb
    │   ├── options.rb
    │   ├── output_processor.rb
    │   ├── pager.rb
    │   ├── parser_timeout.rb
    │   ├── rails2.rb
    │   ├── rails3.rb
    │   ├── rails31.rb
    │   ├── rails32.rb
    │   ├── rails4.rb
    │   ├── rails4_with_engines.rb
    │   ├── rails5.rb
    │   ├── rails52.rb
    │   ├── rails52_csrf.rb
    │   ├── rails6.rb
    │   ├── rails7.rb
    │   ├── rails7_redirect.rb
    │   ├── rails8.rb
    │   ├── rails_61_sql.rb
    │   ├── rails_lts.rb
    │   ├── rails_with_xss_plugin.rb
    │   ├── render_path.rb
    │   ├── report_generation.rb
    │   ├── rescanner.rb
    │   ├── routes_error.rb
    │   ├── sarif_output.rb
    │   ├── sexp.rb
    │   ├── sonar_output.rb
    │   ├── tabs_output.rb
    │   ├── tracker.rb
    │   └── warning.rb
    └── to_test.rb

================================================
FILE CONTENTS
================================================

================================================
FILE: .circleci/config.yml
================================================
# CircleCI pipeline: runs the test suite on several Ruby versions and
# publishes coverage from the Ruby 3.2 job only.
version: 2.1
orbs:
  # Third-party orb used only by `upload-coverage`. It is referenced by a
  # floating minor version (@0.1), so the orb's contents can change without
  # a corresponding commit in this repository.
  qlty: qltysh/qlty-orb@0.1
jobs:
  # Base job; the other test jobs reuse it through the `*default` YAML anchor
  # and override only the Docker image (or, for test-3-2, the steps as well).
  default: &default
    docker:
      - image: cimg/ruby:4.0
    steps:
      - checkout
      # Reuse an already-installed bundle when it satisfies the Gemfile.
      - run: ruby --version && bundle check || bundle install
      - run:
          command: bundle exec rake
      - store_test_results:
          path: test-results
  test-3-2:
    <<: *default
    docker:
      - image: cimg/ruby:3.2
    # The full step list is redeclared because the merge key replaces
    # sequences rather than combining them.
    steps:
      - checkout
      - attach_workspace:
          at: ~/repo/tmp
      - run: bundle check || bundle install
      # NOTE(review): CC_TEST_REPORTER_ID is set to a literal placeholder,
      # not a real reporter id; presumably only the variable's presence is
      # needed to switch SimpleCov to JSON output. The suite is also run with
      # frozen string literals enabled to surface mutation of literals.
      - run:
          name: Run tests and generate coverage
          command: |
            # This triggers SimpleCov to generate a coverage.json file
            export CC_TEST_REPORTER_ID=CC_TEST_REPORTER_ID
            bundle exec rake RUBYOPT='--enable-frozen-string-literal --debug-frozen-string-literal'
            mkdir -p tmp/
            mv coverage/coverage.json tmp/coverage.json
      - store_test_results:
          path: test-results
      # Hand coverage.json to `upload-coverage` through the workspace.
      - persist_to_workspace:
          root: tmp
          paths:
            - coverage.json
  test-3-3:
    <<: *default
    docker:
      - image: cimg/ruby:3.3
  test-3-4:
    <<: *default
    docker:
      - image: cimg/ruby:3.4
  upload-coverage:
    <<: *default
    working_directory: ~/repo
    steps:
      - checkout
      # Picks up tmp/coverage.json persisted by test-3-2.
      - attach_workspace:
          at: ~/repo/tmp
      - qlty/coverage_publish:
          files: tmp/coverage.json
          strip_prefix: /home/circleci/project
workflows:
  version: 2
  tests:
    jobs:
      - default
      - test-3-2
      - test-3-3
      - test-3-4
      # Coverage upload waits for the only job that produces coverage.json.
      - upload-coverage:
          requires:
            - test-3-2


================================================
FILE: .dockerignore
================================================
# ignore .git and .cache folders
.git
.cache


================================================
FILE: .github/ISSUE_TEMPLATE/bug-report.md
================================================
---
name: Bug Report
about: Create a report to help us improve

---

### Background

Brakeman version: ?
Rails version: ?
Ruby version: ?

Link to Rails application code: ?

### Issue

What problem are you seeing?

#### Other Error

Run Brakeman with `--debug` to see the full stack trace.

Stack trace:

```
?
```


================================================
FILE: .github/ISSUE_TEMPLATE/feature-request.md
================================================
---
name: Feature Request
about: Suggest an idea for this project

---

**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

**Describe the solution you'd like**
A clear and concise description of what you want to happen.

**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.

**Additional context**
Add any other context or screenshots about the feature request here.


================================================
FILE: .github/ISSUE_TEMPLATE/hanging-or-slow-scans.md
================================================
---
name: Hanging or Slow Scans
about: Let us know if Brakeman is too slow

---

### Background

Brakeman version: ?
Rails version: ?
Ruby version: ?

Link to Rails application code: ?

#### Hanging or Slowness

_Consult https://brakemanscanner.org/docs/troubleshooting/hanging/ first_

_Please run Brakeman with `--debug` to see which file may be causing the issue._

Code example:

```ruby
?
```


================================================
FILE: .github/ISSUE_TEMPLATE/parsing-error.md
================================================
---
name: Parsing Error
about: Report a parse error

---

### Background

Brakeman version: ?
Rails version: ?
Ruby version: ?

Link to Rails application code: ?

#### Parse Error

(Consult https://brakemanscanner.org/docs/troubleshooting/parse_errors/ first. Note that (most) parsing errors are from the ruby_parser library, not Brakeman itself.)

Minimal example that does not parse:

```ruby
?
```


================================================
FILE: .github/ISSUE_TEMPLATE/report-a-false-positive.md
================================================
---
name: Report a False Positive
about: When Brakeman warns about something that may not be a vulnerability

---

### Background

Brakeman version: ?
Rails version: ?
Ruby version: ?

Link to Rails application code: ?

#### False Positive

*Full* warning from Brakeman: `?`

Relevant code:

```ruby
?
```

_Why might this be a false positive?_


================================================
FILE: .github/ISSUE_TEMPLATE/something-else.md
================================================
---
name: Something Else
about: Something not covered by an existing issue type

---




================================================
FILE: .github/workflows/docker-hub-push.yml
================================================
# Builds the multi-architecture Docker image and pushes it to Docker Hub
# whenever a git tag is pushed.
name: docker-hub-push
on:
  push:
    tags:
      # Any tag name triggers a publish; no pattern restricts this to release tags.
      - '*'
jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # NOTE(review): every action in this job is referenced by a mutable
        # major-version tag (@v3 / @v2). For a job that holds registry
        # credentials and publishes images, pinning each action to a full
        # commit SHA gives a reproducible, reviewable supply chain.
        uses: actions/checkout@v3
        with:
          # Full clone rather than a shallow checkout.
          fetch-depth: 0
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Login to DockerHub
        uses: docker/login-action@v2
        with:
          # Registry credentials are supplied from repository secrets.
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push
        uses: docker/build-push-action@v3
        with:
          context: .
          platforms: linux/amd64, linux/arm64
          push: true
          # The image is tagged both as `latest` and with the pushed tag name.
          tags: |
            presidentbeef/brakeman:latest
            presidentbeef/brakeman:${{ github.ref_name }}


================================================
FILE: .gitignore
================================================
Gemfile.lock
coverage/
test/coverage/
.bundle
bundle
*.gem


================================================
FILE: CHANGES.md
================================================
# 8.0.4 - 2026-02-26

* Load 'date' library for `--ensure-latest`

# 8.0.3 - 2026-02-26

* Fix `polymorphic_name` SQLi false positive (Fredrico Franco)
* Fix logger behavior when loading config files
* Handle application names with module prefixes
* Add release age option for `--ensure-latest`

# 8.0.2 - 2026-02-03

* Reline console control should use stderr
* Fix logger cleanup based method (Imran Iqbal)

# 8.0.1 - 2026-01-29

* Make sure to reset the cursor even when exit code is 0

# 8.0.0 - 2026-01-29

* No longer produce weak dynamic render path warnings
* `--skip-libs` removed
* `--index-libs` removed
* Revamp of scan progress output and logging
* Faster file globbing for templates (Mikael Henriksson)
* Fix singleton method prefixes (viralpraxis)
* Fix qualified constant lookup to respect module/class context (Mike Dalessio)
* Replace Erubis with Erubi

# 7.1.2 - 2025-12-25

* Update `ruby_parser` to remove version restriction (Chedli Bourguiba)
* Raise minimum required Ruby to 3.2.0
* Use Minitest 6.0
* Reduce SQL injection false positives from `count` calls
* Ignore more Haml attribute builder methods

# 7.1.1 - 2025-11-03

* Fix false positive when calling `with_content` on ViewComponents (Peer Allan)
* Word wrap text output in pager
* Consider Tempfile.create.path as safe input (Ali Ismayilov)
* Exclude directories before searching for files
* Check each side of `or` SQL arguments
* Ignore attribute builder in Haml 6
* Add `FilePath#to_path` for Ruby 3.5 compatibility (S-H-GAMELINKS)
* Fix SQL injection check for calculate method (Rohan Sharma)
* Fix missing `td` in HTML report (John Hawthorn)
* Check for unsafe SQL when two arguments are passed to AR methods (Patrick Brinich-Langlois)

# 7.1.0 - 2025-07-18

* Add EOL dates for Rails 8.0 and Ruby 3.4
* Support render model shortcut
* Use lazy file lists for AppTree
* Add Haml 6.x support
* Improve ignored warnings layout in HTML report (Sebastien Savater)
* Update JUnit report for CircleCI (Philippe Bernery)
* Only load escape functionality from cgi library (Earlopain)
* Add `--ensure-no-obsolete-ignore-entries` option (viralpraxis)

# 7.0.2 - 2025-04-04

* Fix error with empty `BUNDLE_GEMFILE` env variable

# 7.0.1 - 2025-04-03

* Avoid warning on evaluation of plain strings
* Enable use of custom/alternative Gemfiles
* Fix error on directory with `rb` extension (viralpraxis)
* Support `terminal-table` 4.0 (Chedli Bourguiba)
* Better support Prism 1.4.0
* Only output timing for each file when using `--debug`

# 7.0.0 - 2024-12-30

* Always warn about deserializing from Marshal
* Output `originalBaseUriIds` for SARIF format report
* Default to using Prism parser if available (disable with `--no-prism`)
* Update `terminal-table` version to use latest
* Update `eval` check to be a little noisier
* Fix array/hash unknown index handling
* Disable following symbolic links by default, re-enable with --follow-symlinks
* Add step (and timing) for finding files
* Add CSV library as explicit dependency for Ruby 3.4 support
* Major changes to how rescanning works
* Raise minimum Ruby version to 3.1
* Fix hardcoded globally excluded paths
* Remove updated entry in Brakeman ignore files (Toby Hsieh)
* Fix recursion when handling multiple assignment expressions

# 6.2.2 - 2024-10-15

* Ignore more native gems when building gem
* Revamp command injection in `pipeline*` calls
* New end-of-support dates for Rails

# 6.2.1 - 2024-08-22

Just a packaging fix for brakeman.gem

# 6.2.0 - 2024-08-22

* Add `--show-ignored` option (Gabriel Zayas)
* Add optional support for Prism parser
* Warn about unscoped finds with `find_by!`
* Treat `::X` and `X` the same, for now (Jill Klang)
* Fix compatibility with default frozen string literals (Jean Boussier)
* Remediation advice for command injection (Nicholas Barone)
* Fix Ruby warnings in test suite (Jean Boussier)
* Support YAML aliases in secret configs (Chedli Bourguiba)
* Add initial Rails 8 support (Ron Shinall)
* Handle mass assignment with splats
* Add support for symbolic links (Lu Zhu)

# 6.1.2 - 2024-02-01

* Update Highline to 3.0
* Add EOL date for Ruby 3.3.0
* Avoid copying Sexps that are too large
* Avoid detecting `ViewComponentContrib::Base` as dynamic render paths (vividmuimui)
* Remove deprecated use of `Kernel#open("|...")`
* Remove `safe_yaml` gem dependency
* Avoid detecting Phlex components as dynamic render paths (Máximo Mussini)

# 6.1.1 - 2023-12-24

* Handle racc as a default gem in Ruby 3.3.0

# 6.1.0 - 2023-12-04

* Add `--timing` to add timing duration for scan steps
* Fix keyword splats in filter arguments
* Add check for unfiltered search with Ransack
* Fix class method lookup in parent classes
* Handle `class << self`
* Add `PG::Connection.escape_string` as a SQL sanitization method (Joévin Soulenq)

# 6.0.1 - 2023-07-20

* Accept strings for `load_defaults` version

# 6.0.0 - 2023-05-24

* Add obsolete fingerprints to comparison report
* Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
* Scan directories that include the word `public`
* Raise minimum Ruby version to 3.0
* Drop support for Ruby 1.8/1.9 syntax
* Fix end-of-life dates for Ruby
* Fix false positive with `content_tag` in newer Rails

# 5.4.1 - 2023-02-21

* Fix file/line location for EOL software warnings
* Revise checking for request.env to only consider request headers
* Add `redirect_back` and `redirect_back_or_to` to open redirect check
* Support Rails 7 redirect options
* Add Rails 6.1 and 7.0 default configuration values
* Prevent redirects using `url_from` being marked as unsafe (Lachlan Sylvester)
* Warn about unscoped find for `find_by(id: ...)`
* Support `presence`, `presence_in` and `in?`
* Fix issue with `if` expressions in `when` clauses

# 5.4.0 - 2022-11-17

* Use relative paths for CodeClimate report format (Mike Poage)
* Add check for weak RSA key sizes and padding modes
* Handle multiple values and splats in case/when
* Ignore more model methods in redirects
* Add check for absolute paths issue with Pathname
* Fix `load_rails_defaults` overwriting settings in the Rails application (James Gregory-Monk)

# 5.3.1 - 2022-08-09

* Fix version range for CVE-2022-32209

# 5.3.0 - 2022-08-09

* Include explicit engine or lib paths in vendor/ (Joe Rafaniello)
* Load rexml as a Brakeman dependency
* Fix "full call" information propagating unnecessarily
* Add check for CVE-2022-32209
* Add CWE information to warnings (Stephen Aghaulor)

# 5.2.3 - 2022-05-01

* Fix error with hash shorthand syntax
* Match order of interactive options with help message (Rory O'Kane)

# 5.2.2 - 2022-04-06

* Update `ruby_parser` for Ruby 3.1 support (Merek Skubela)
* Handle `nil` when joining values (Dan Buettner)
* Update message for unsafe reflection (Pedro Baracho)
* Add additional String methods for SQL injection check
* Respect equality in `if` conditions

# 5.2.1 - 2022-01-30

* Add warning codes for EOL software warnings

# 5.2.0 - 2021-12-15

* Initial Rails 7 support
* Require Ruby 2.5.0+
* Fix issue with calls to `foo.root` in routes
* Ignore `I18n.locale` in SQL queries
* Do not treat `sanitize_sql_like` as safe
* Add new checks for unsupported Ruby and Rails versions

# 5.1.2 - 2021-10-28

* Handle cases where enums are not symbols
* Support newer Haml with ::Haml::AttributeBuilder.build
* Fix issue where the previous output is still visible (Jason Frey)
* Fix warning sorting with nil line numbers
* Update for latest RubyParser (Ryan Davis)

# 5.1.1 - 2021-07-19

* Unrefactor IgnoreConfig's use of `Brakeman::FilePath`

# 5.1.0 - 2021-07-19

* Initial support for ActiveRecord enums
* Support `Hash#include?`
* Interprocedural dataflow from very simple class methods
* Fix SARIF report when checks have no description (Eli Block)
* Add ignored warnings to SARIF report (Eli Block)
* Add `--sql-safe-methods` option (Esty Scheiner)
* Update SQL injection check for Rails 6.0/6.1
* Fix false positive in command injection with `Open3.capture` (Richard Fitzgerald)
* Fix infinite loop on mixin self-includes (Andrew Szczepanski)
* Ignore dates in SQL
* Refactor `cookie?`/`param?` methods (Keenan Brock)
* Ignore renderables in dynamic render path check (Brad Parker)
* Support `Array#push`
* Better `Array#join` support
* Adjust copy of `--interactive` menu (Elia Schito)
* Support `Array#*`
* Better method definition tracking and lookup
* Support `Hash#values` and `Hash#values_at`
* Check for user-controlled evaluation even if it's a call target
* Support `Array#fetch` and `Hash#fetch`
* Ignore `sanitize_sql_like` in SQL
* Ignore method calls on numbers in SQL
* Add GitHub Actions format (Klaus Badelt)
* Read and parse files in parallel

# 5.0.4 - 2021-06-08

(brakeman gem release only)

* Update bundled `ruby_parser` to include argument forwarding support

# 5.0.2 - 2021-06-07

* Fix Loofah version check

# 5.0.1 - 2021-04-27

* Detect `::Rails.application.configure` too
* Set more line numbers on Sexps
* Support loading `slim/smart`
* Don't fail if $HOME/$USER are not defined
* Always ignore slice/only calls for mass assignment
* Convert splat array arguments to arguments

# 5.0.0 - 2021-01-26

* Ignore `uuid` as a safe attribute
* Collapse `__send__` calls
* Ignore `Tempfile#path` in shell commands
* Ignore development environment
* Revamp CSV report to a CSV list of warnings
* Set Rails configuration defaults based on `load_defaults` version
* Add check for (more) unsafe method reflection
* Suggest using `--force` if no Rails application is detected
* Add Sonarqube report format (Adam England)
* Add check for potential HTTP verb confusion
* Add `--[no-]skip-vendor` option
* Scan (almost) all Ruby files in project

# 4.10.1 - 2020-12-24

* Declare REXML as a dependency (Ruby 3.0 compatibility)
* Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
* Prevent render loops when template names are absolute paths
* Ensure RubyParser is passed file path as a String
* Support new Haml 5.2.0 escaping method

# 5.0.0.pre1 - 2020-11-17

* Add check for (more) unsafe method reflection
* Suggest using `--force` if no Rails application is detected
* Add Sonarqube report format (Adam England)
* Add check for potential HTTP verb confusion
* Add `--[no-]skip-vendor` option
* Scan (almost) all Ruby files in project
* Add support for Haml 5.2.0

# 4.10.0 - 2020-09-28

* Add SARIF report format (Steve Winton)

# 4.9.1 - 2020-09-04

* Check `chomp`ed strings for SQL injection
* Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
* Always set line number for joined arrays
* Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used

# 4.9.0 - 2020-08-04

* Add check for CVE-2020-8166 (Jamie Finnigan)
* Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
* Add check for user input in `ERB.new` (Matt Hickman)
* Add `--ensure-ignore-notes` (Eli Block)
* Remove whitelist/blacklist language, add clarifications
* Do not warn about mass assignment with `params.permit!.slice`
* Add "full call" information to call index results
* Ignore `params.permit!` in path helpers
* Treat `Dir.glob` as safe source of values in guards
* Always scan `environment.rb`

# 4.8.2 - 2020-05-12

* Add check for CVE-2020-8159
* Fix `authenticate_or_request_with_http_basic` check for passed blocks (Hugo Corbucci)
* Add `--text-fields` option
* Add check for escaping HTML entities in JSON configuration

# 4.8.1 - 2020-04-06

* Check SQL query strings using `String#strip` or `String.squish`
* Handle non-symbol keys in locals hash for render()
* Warn about global(!) mass assignment
* Index calls in render arguments

# 4.8.0 - 2020-02-18 

* Add JUnit-XML report format (Naoki Kimura)
* Sort ignore files by fingerprint and line (Ngan Pham)
* Freeze call index results
* Fix output test when using newer Minitest
* Properly render confidence in Markdown report
* Report old warnings as fixed if zero warnings reported
* Catch dangerous concatenation in `CheckExecute` (Jacob Evelyn)
* Show user-friendly message when ignore config file has invalid JSON (D. Hicks)
* Initialize Rails version with `nil` (Carsten Wirth)

# 4.7.2 - 2019-11-25

* Remove version guard for `named_scope` vs. `scope`
* Find SQL injection in `String#strip_heredoc` target
* Handle more `permit!` cases
* Ensure file name is set when processing model
* Add `request.params` as query parameters

# 4.7.1 - 2019-10-29 

* Check string length against limit before joining
* Fix errors from frozen `Symbol#to_s` in Ruby 2.7
* Fix flaky rails4 test (Adam Kiczula)
* Added release dates to each version in CHANGES (TheSpartan1980)
* Catch reverse tabnabbing with `:_blank` symbol (Jacob Evelyn)
* Convert `s(:lambda)` to `s(:call)` in `Sexp#block_call`
* Sort text report by file and line (Jacob Evelyn)

# 4.7.0 - 2019-10-16

* Refactor `Brakeman::Differ#second_pass` (Benoit Côté-Jodoin)
* Ignore interpolation in `%W[]`
* Fix `version_between?` (Andrey Glushkov)
* Add support for `ruby_parser` 3.14.0
* Ignore `form_for` for XSS check
* Update Haml support to Haml 5.x
* Catch shell injection from `-c` shell commands (Jacob Evelyn)
* Correctly handle non-symbols in `CheckCookieSerialization` (Phil Turnbull)

# 4.6.1 - 2019-07-24

* Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)

# 4.6.0 - 2019-07-23

* Skip calls to `dup`
* Add reverse tabnabbing check (Linos Giannopoulos)
* Better handling of gems with no version declared
* Warn people that Haml 5 is not fully supported (Jared Beck)
* Avoid warning about file access with `ActiveStorage::Filename#sanitized` (Tejas Bubane)
* Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
* Restore `Warning#relative_path`
* Add check for cookie serialization with Marshal
* Index calls in initializers
* Improve template output handling in conditional branches
* Avoid assigning `nil` line numbers to `Sexp`s
* Add special warning code for custom checks
* Add call matching by regular expression

# 4.5.1 - 2019-05-11

* Add `Brakeman::FilePath` to represent file paths
* Handle trailing comma in block args
* Properly handle empty partial name
* Use relative paths for `__FILE__`
* Convert `!!` calls to boolean value
* Add optional check for `config.force_ssl`
* Remove code for Ruby versions prior to 1.9
* Check `link_to` with block for href XSS
* Add SQL injection checks for `find_or_create_by` and friends
* Add deserialization warning for `Oj.load/object_load`
* Add initial Rails 6 support
* Add SQL injection checks for `destroy_by`/`delete_by`

# 4.5.0 - 2019-03-16

* Update `ruby_parser`, use `ruby_parser-legacy`
* More thoroughly handle `Shellwords` escaping
* Handle non-integer version number comparisons
* Use `FileParser` in `Scanner` to parse files
* Add original exception to `Tracker#errors` list
* Add support for CoffeeScript in Slim templates
* Improve support for embedded template "filters"
* Remove Sass dependency
* Set location information in `CheckContentTag`
* Stop swallowing exceptions in `AliasProcessor`
* Avoid joining strings with different encodings
* Handle `**` inside Hash literals
* Better handling of splat/kwsplat arguments
* Improve "user input" reported for SQL injection

# 4.4.0 - 2019-01-17

* Set default encoding to UTF-8
* Update to Slim 4.0.1 (Jake Peterson)
* Update to RubyParser 3.12.0
* Add rendered template information to render paths
* Fix trim mode for ERb templates in old Rails versions
* Fix thread-safety issue in CallIndex
* Add `--enable` option to enable optional checks
* Support reading gem versions from gemspecs
* Support gem versions which are just major.minor (e.g. 3.0)
* Treat `if not` like `unless`
* Handle empty `secrets.yml` files (Naoki Kimura)
* Correctly set `rel="noreferrer"` in HTML reports
* Avoid warning about command injection when `String#shellescape` and `Shellwords.shelljoin` are used (George Ogata)
* Add Dockerfile to run Brakeman inside Docker (Ryan Kemper)
* Trim some unnecessary files from bundled gems
* Add check for CVE-2018-3760
* Avoid nils when concatenating arrays
* Ignore Tempfiles in FileAccess warnings (Christina Koller)
* Complete overhaul of warning message construction
* Deadcode and typo fixes found via Coverity

# 4.3.1 - 2018-06-07

* Ignore `Object#freeze`, use the target instead
* Ignore `foreign_key` calls in SQL
* Handle `included` calls outside of classes/modules
* Add `:BRAKEMAN_SAFE_LITERAL` to represent known-safe literals
* Handle `Array#map` and `Array#each` over literal arrays
* Use safe literal when accessing literal hash with unknown key
* Avoid deprecated use of ERB in Ruby 2.6 (Koichi ITO)
* Allow `symbolize_keys` to be called on `params` in SQL (Jacob Evelyn)
* Improve handling of conditionals in shell commands (Jacob Evelyn)
* Fix error when setting line number in implicit renders

# 4.3.0 - 2018-05-11

* Check exec-type calls even if they are targets
* Convert `Array#join` to string interpolation
* `BaseCheck#include_interp?` should return first string interpolation
* Add `--parser-timeout` option
* Track parent calls in CallIndex
* Warn about dangerous `link_to` href with `sanitize()`
* Ignore `params#to_h` and `params#to_hash` in SQL checks
* Change "".freeze to just ""
* Ignore `Process.pid` in system calls
* Index Kernel#\` calls even if they are targets
* Code Climate: omit leading dot from `only_files` (Todd Mazierski)
* `--color` can be used to force color output
* Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048

# 4.2.1 - 2018-03-24

* Add warning for CVE-2018-3741
* Add warning for CVE-2018-8048
* Scan `app/jobs/` directory
* Handle `template_exists?` in controllers

# 4.2.0 - 2018-02-22

* Avoid warning about symbol DoS on `Model#attributes`
* Avoid warning about open redirects with model methods ending with `_path`
* Avoid warning about command injection with `Shellwords.escape`
* Use ivars from `initialize` in libraries
* `Sexp#body=` can accept `:rlist` from `Sexp#body_list`
* Update RubyParser to 3.11.0
* Fix multiple assignment of globals
* Warn about SQL injection in `not`
* Exclude template folders in `lib/` (kru0096)
* Handle ERb use of `String#<<` method for Ruby 2.5 (Pocke)

# 4.1.1 - 2017-12-19

* Remove check for use of `permit` with `*_id` keys
* Avoid duplicate warnings about permitted attributes

# 4.1.0 - 2017-12-14

* Process models as root sexp instead of each sexp
* Avoid CSRF warning in Rails 5.2 default config
* Show better location for Sass errors (Andrew Bromwich)
* Warn about dynamic values in `Arel.sql`
* Fix `include_paths` for Code Climate engine (Will Fleming)
* Add check for dangerous keys in `permit`
* Try to guess options for `less` pager
* Better processing of op_asgn1 (e.g. x[:y] += 1)
* Add optional check for divide by zero
* Remove errors about divide by zero
* Avoid warning about file access for temp files
* Do not warn on params.permit with safe values
* Add Sexp#call_chain
* Use HTTPS for warning links
* Handle nested destructuring/multiple assignment
* Leave results on screen after paging
* Do not page if results fit on screen
* Support `app_path` configuration for Code Climate engine (Noah Davis)
* Refactor Code Climate engine options parsing (Noah Davis)
* Fix upgrade version for CVE-2016-6316

# 4.0.1 - 2017-09-25

* Disable pager when `CI` environment variable is set
* Fix output when pager fails

# 4.0.0 - 2017-09-25

* Add simple pager for reports output to terminal
* Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
* Rearrange tests a little bit
* Treat `request.cookies` like `cookies`
* Treat `fail`/`raise` like early returns
* Remove reliance on `CONFIDENCE` constant in checks
* Remove low confidence mass assignment warnings
* Reduce warnings about XSS in `link_to`
* "Plain" report output is now the default
* --exit-on-error and --exit-on-warn are now the default
* Fix --exit-on-error and --exit-on-warn in config files

# 3.7.2 - 2017-08-16

* Fix --ensure-latest (David Guyon)

# 3.7.1 - 2017-08-16

* Handle simple guard with return at end of branch
* Modularize bin/brakeman
* Improve multi-value Sexp error message
* Add more collection methods for iteration detection
* Update ruby2ruby and ruby_parser

# 3.7.0 - 2017-06-30

* Improve support for rails4/rails5 options in config file
* Track more information about constant assignments
* Show progress indicator in interactive mode
* Handle simple conditional guards that use `return`
* Fix false positive for redirect_to in Rails 4 (Mário Areias)
* Avoid interpolating hashes/arrays on failed access

# 3.6.2 - 2017-05-19

* Handle safe call operator in checks
* Better handling of `if` expressions in HAML rendering
* Remove `--rake` option
* Properly handle template names without `.html` or `.js`
* Set template file names during rendering for better errors
* Limit Slim dependency to before 3.0.8
* Catch YAML parsing errors in session settings check
* Avoid warning about SQLi with `to_s` in `exists?`
* Update RubyParser to 3.9.0
* Do not honor additional check paths in config by default
* Handle empty `if` expressions when finding return values
* Fix finding return value from empty `if`

# 3.6.1 - 2017-03-24

* Fix error when using `--compare` (Sean Gransee)

# 3.6.0 - 2017-03-23

* Avoid recursive Concerns
* Branch inside of `case` expressions
* Print command line option errors without modification
* Fix issue with nested interpolation inside SQL strings
* Ignore GraphQL tags inside ERB templates
* Add `--exit-on-error` (Michael Grosser)
* Only report CVE-2015-3227 when exact version is known
* Check targetless SQL calls outside of known models

# 3.5.0 - 2017-02-01

* Allow `-t None`
* Fail on invalid checks specified by `-x` or `-t`
* Avoid warning about all, first, or last after Rails 4.0
* Avoid warning about models in SQLi
* Lower confidence of SQLi when maybe not on models
* Warn about SQLi even potentially on non-models
* Report check name in JSON and plain reports
* Treat templates without `.html` as HTML anyway
* Add `--ensure-latest` option (tamgrosser / Michael Grosser)
* Add `--no-summary` to hide summaries in HTML/text reports
* Handle `included` block in concerns
* Process concerns before controllers

# 3.4.1 - 2016-11-02

* Show action help at start of interactive ignore
* Check CSRF setting in direct subclasses of `ActionController::Base` (Jason Yeo)
* Configurable engines path (Jason Yeo)
* Use Ruby version to turn off SymbolDoS check
* Pull Ruby version from `.ruby-version` or Gemfile
* Avoid warning about `where_values_hash` in SQLi
* Fix ignoring link interpolation not at beginning of string

# 3.4.0 - 2016-09-08

* Add new `plain` report format
* Add option to prune ignore file with `-I`
* Improved Slim template support
* Show obsolete ignore entries in reports (Jonathan Cheatham)
* Support creating reports in non-existent paths
* Add `--no-exit-warn`

# 3.3.5 - 2016-08-12

* Fix bug in reports when using --debug option

# 3.3.4 - 2016-08-12

* Add generic warning for CVE-2016-6316
* Warn about dangerous use of `content_tag` with CVE-2016-6316
* Add warning for CVE-2016-6317
* Use Minitest

# 3.3.3 - 2016-07-21

* Show path when no Rails app found (Neil Matatall)
* Index calls in view helpers
* Process inline template renders
* Avoid warning about hashes in link_to hrefs
* Add documentation for authentication category
* Ignore boolean methods in render paths
* Reduce open redirect duplicates
* Fix SymbolDoS error with unknown Rails version
* Sexp#value returns nil when there is no value
* Improve return value estimation

# 3.3.2 - 2016-06-10

* Fix serious performance regression with global constant tracking

# 3.3.1 - 2016-06-03

* Delay loading vendored gems and modifying load path
* Avoid warning about SQL injection with `quoted_primary_key`
* Support more safe `&.` operations
* Allow multiple line regex in `validates_format_of` (Dmitrij Fedorenko)
* Only consider `if` branches in templates
* Avoid overwriting instance/class methods with same name (Tim Wade)
* Add `--force-scan` option (Neil Matatall)
* Improved line number accuracy in ERB templates (Patrick Toomey)

# 3.3.0 - 2016-05-05

* Skip processing obviously false if branches (more broadly)
* Skip if branches with `Rails.env.test?`
* Return exit code `4` if no Rails application is detected
* Avoid warning about mass assignment with `params.slice`
* Avoid warning about `u` helper (Chad Dollins)
* Add optional check for secrets in source code
* Process `Array#first`
* Allow non-Hash arguments in `protect_from_forgery` (Jason Yeo)
* Avoid warning on `popen` with array
* Bundle all dependencies in gem
* Track constants globally
* Handle HAML `find_and_preserve` with a block
* [Code Climate engine] When possible, output to /dev/stdout (Gordon Diggs)
* [Code Climate engine] Remove nil entries from include_paths (Gordon Diggs)
* [Code Climate engine] Report end lines for issues (Gordon Diggs)

# 3.2.1 - 2016-02-25

* Remove `multi_json` dependency from `bin/brakeman`

# 3.2.0 - 2016-02-25

* Skip Symbol DoS check on Rails 5
* Only update ignore config file on changes
* Sort ignore config file
* Support calls using `&.` operator
* Update ruby_parser dependency to 3.8.1
* Remove `fastercsv` dependency
* Fix finding calls with `targets: nil`
* Remove `multi_json` dependency
* Handle CoffeeScript in HAML
* Avoid render warnings about params[:action]/params[:controller]
* Index calls in class bodies but outside methods

# 3.1.5 - 2016-01-28

* Fix CodeClimate construction of --only-files (Will Fleming)
* Add check for denial of service via routes (CVE-2015-7581)
* Warn about RCE with `render params` (CVE-2016-0752)
* Add check for `strip_tags` XSS (CVE-2015-7579)
* Add check for `sanitize` XSS (CVE-2015-7578/80)
* Add check for `reject_if` proc bypass (CVE-2015-7577)
* Add check for mime-type denial of service (CVE-2016-0751)
* Add check for basic auth timing attack (CVE-2015-7576)
* Add initial Rails 5 support
* Check for implicit integer comparison in dynamic finders
* Support directories better in --only-files and --skip-files (Patrick Toomey)
* Avoid warning about `permit` in SQL
* Handle guards using `detect`
* Avoid warning on user input in comparisons
* Handle module names with self methods
* Add session manipulation documentation

# 3.1.4 - 2015-12-22

* Emit brakeman's native fingerprints for Code Climate engine (Noah Davis)
* Ignore secrets.yml if in .gitignore
* Clean up Ruby warnings (Andy Waite)
* Increase test coverage for option parsing (Zander Mackie)
* Work around safe_yaml error

# 3.1.3 - 2015-12-03

* Check for session secret in secrets.yml
* Respect `exit_on_warn` in config file
* Avoid warning on `without_protection: true` with hash literals
* Make sure before_filter call with block is still a call
* CallIndex improvements
* Restore minimum Highline version (Kevin Glowacz)
* Add Code Climate output format (Ashley Baldwin-Hunter/Devon Blandin/John Pignata/Michael Bernstein)
* Iteratively replace values
* Output nil instead of false for user_input in JSON
* Depend on safe_yaml 1.0 or later
* Test coverage improvements for Brakeman module (Bethany Rentz)

# 3.1.2 - 2015-10-28

* Treat `current_user` like a model
* Set user input value for inline renders
* Avoid warning on inline renders with safe content types
* Handle empty interpolation in HAML filters
* Ignore filters that are not method names
* Avoid warning about model find/find_by* in hrefs
* Use SafeYAML to load configuration files
* Warn on SQL query keys, not values in hashes
* Allow inspection of recursive Sexps
* Add line numbers to class-level warnings
* Handle `private def ...`
* Catch divide-by-zero in alias processing
* Reduce string allocations in Warning#initialize
* Sortable tables in HTML report (David Lanner)
* Search for config file relative to application root

# 3.1.1 - 2015-09-23

* Add optional check for use of MD5 and SHA1
* Avoid warning when linking to decorated models
* Add check for user input in session keys
* Fix chained assignment
* Treat a.try(&:b) like a.b()
* Consider j/escape_javascript safe inside HAML JavaScript blocks
* Better HAML processing of find_and_preserve calls
* Add more Arel methods to be ignored in SQL
* Fix absolute paths for Windows (Cody Frederick)
* Support newer terminal-table releases
* Allow searching call index methods by regex (Alex Ianus)

# 3.1.0 - 2015-08-31

* Add support for gems.rb/gems.locked
* Update render path information in JSON reports
* Remove renaming of several Sexp nodes
* Convert YAML config keys to symbols (Karl Glaser)
* Use railties version if rails gem is missing (Lucas Mazza)
* Warn about unverified SSL mode in Net::HTTP.start
* Add Model, Controller, Template, Config classes internally
* Report file being parsed in debug output
* Update dependencies to Ruby 1.8 incompatible versions
* Treat Array.new and Hash.new as arrays/hashes
* Fix handling of string concatenation with existing string
* Treat html_safe like raw()
* Fix low confidence XSS warning code
* Avoid warning on path creation methods in link_to
* Expand safe methods to match methods with targets
* Avoid duplicate eval() warnings

# 3.0.5 - 2015-06-20

* Fix check for CVE-2015-3227

# 3.0.4 - 2015-06-18

* Add check for CVE-2015-3226 (XSS via JSON keys)
* Add check for CVE-2015-3227 (XML DoS)
* Treat `<%==` as unescaped output
* Update `ruby_parser` dependency to 3.7.0

# 3.0.3 - 2015-04-20

* Ignore more Arel methods in SQL
* Warn about protect_from_forgery without exceptions (Neil Matatall)
* Handle lambdas as filters
* Ignore quoted_table_name in SQL (Gabriel Sobrinho)
* Warn about RCE and file access with `open`
* Handle array include? guard conditionals
* Do not ignore targets of `to_s` in SQL
* Add Rake task to exit with error code on warnings (masarakki)

# 3.0.2 - 2015-03-09

* Alias process methods called in class scope on models
* Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
* Fix using --compare and --add-checks-path together
* Avoid warning about mass assignment with string literals
* Only report original regex DoS locations
* Improve render path information implementation
* Report correct file for simple_format usage CVE warning
* Remove URI.escape from HTML reports with GitHub repos
* Update ruby_parser to ~> 3.6.2
* Remove formatting newlines in HAML template output
* Ignore case value in XSS checks
* Fix CSV output when there are no warnings
* Handle processing of explicitly shadowed block arguments

# 3.0.1 - 2015-01-23

* Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base
* Properly format command interpolation (again)
* Remove Slim dependency (Casey West)
* Allow for controllers/models/templates in directories under `app/` (Neal Harris)
* Add `--add-libs-path` for additional libraries (Patrick Toomey)
* Properly process libraries (Patrick Toomey)

# 3.0.0 - 2015-01-03

* Add check for CVE-2014-7829
* Add check for cross-site scripting via inline renders
* Fix formatting of command interpolation
* Local variables are no longer formatted as `(local var)`
* Actually skip skipped before filters
* `--exit-on-warn --compare` only returns error code on new warnings (Jeff Yip)
* Fix parsing of `<%==` in ERB
* Sort warnings by fingerprint in JSON report (Jeff Yip)
* Handle symmetric multiple assignment
* Do not branch for self attribute assignment `x = x.y`
* Fix CVE for CVE-2011-2932
* Remove "fake filters" from warning fingerprints
* Index calls in `lib/` files
* Move Symbol DoS to optional checks
* CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
* Change `--separate-models` to be the default

# 2.6.3 - 2014-10-14

* Whitelist `exists` arel method from SQL injection check
* Avoid warning about Symbol DoS on safe parameters as method targets
* Fix stack overflow in ProcessHelper#class_name
* Add optional check for unscoped find queries (Ben Toews)
* Add framework for optional checks
* Fix stack overflow for cycles in class ancestors (Jeff Rafter)

# 2.6.2 - 2014-08-18

* Add check for CVE-2014-3415
* Avoid warning about symbolizing safe parameters
* Update ruby2ruby dependency to 2.1.1
* Expand app path in one place instead of all over (Jeff Rafter)
* Add `--add-checks-path` option for external checks (Clint Gibler)
* Fix SQL injection detection in deep nested string building
* Add `-4` option to force Rails 4 mode
* Check entire call for `send`
* Check for .gitignore of secrets in subdirectories
* Fix block statement endings in Erubis
* Fix undefined variable in controller processing error (Jason Barnabe) 

# 2.6.1 - 2014-07-02

* Add check for CVE-2014-3482 and CVE-2014-3483
* Add support for keyword arguments in blocks
* Remove unused warning codes (Bill Fischer)

# 2.6.0 - 2014-06-06

* Fix detection of `:host` setting in redirects with chained calls
* Add check for CVE-2014-0130
* Add `find_by`/`find_by!` to SQLi check for Rails 4
* Parse most files upfront instead of on demand
* Do not branch values for `+=`
* Update to use RubyParser 3.5.0 (Patrick Toomey)
* Improve default route detection in Rails 3/4 (Jeff Jarmoc)
* Handle controllers and models split across files (Patrick Toomey)
* Fix handling of `protected_attributes` gem in Rails 4 (Geoffrey Hichborn)
* Ignore more model methods in redirects
* Fix CheckRender with nested render calls

# 2.5.0 - 2014-04-30

 * Add support for RailsLTS 2.3.18.7 and 2.3.18.8
 * Add support for Rails 4 `before_actions` and friends
 * Move SQLi CVE checks to `CheckSQLCVEs`
 * Check for protected_attributes gem
 * Fix SQLi detection in chain calls in scopes
 * Add GitHub-flavored Markdown output format (Greg Ose)
 * Fix false positives when sanitize() is used in SQL (Jeff Yip)
 * Add String#intern and Hash#symbolize_keys DoS check (Jan Rusnacko)
 * Check all arguments in Model.select for SQLi
 * Fix false positive when :host is specified in redirect
 * Handle more non-literals in routes
 * Add check for regex denial of service (Ben Toews) 

# 2.4.3 - 2014-03-23

 No changes. 2.4.2 gem release was unsigned, 2.4.3 is signed.

# 2.4.2 - 2014-03-21

 * Remove `rescue Exception`
 * Fix duplicate warnings about sanitize CVE
 * Reuse duplicate call location information
 * Only track original template output locations
 * Skip identically rendered templates
 * Fix HAML template processing

# 2.4.1 - 2014-02-19

 * Add check for CVE-2014-0082
 * Add check for CVE-2014-0081, replaces CVE-2013-6415
 * Add check for CVE-2014-0080

# 2.4.0 - 2014-02-05

 * Detect Rails LTS versions
 * Reduce false positives for SQL injection in string building
 * More accurate user input marking for SQL injection warnings
 * Detect SQL injection in `delete_all`/`destroy_all`
 * Detect SQL injection raw SQL queries using `connection`
 * Parse exact versions from Gemfile.lock for all gems
 * Ignore generators
 * Update to RubyParser 3.4.0
 * Fix false positives when SQL methods are not called on AR models (Aaron Bedra)
 * Add check for uses of OpenSSL::SSL::VERIFY_NONE (Aaron Bedra)
 * No longer raise exceptions if a class name cannot be determined
 * Fingerprint attribute warnings individually (Case Taintor)

# 2.3.1 - 2013-12-13

 * Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
 * Fix link for CVE-2013-6415 (number_to_currency)

# 2.3.0 - 2013-12-12

 * Add check for Parameters#permit!
 * Add check for CVE-2013-4491 (i18n XSS)
 * Add check for CVE-2013-6414 (header DoS)
 * Add check for CVE-2013-6415 (number_to_currency)
 * Add check for CVE-2013-6416 (simple_format XSS)
 * Add check for CVE-2013-6417 (query generation) 
 * Fix typos in reflection and translate bug messages
 * Collapse send/try calls 
 * Fix Slim XSS false positives (Noah Davis)
 * Whitelist `Model#create` for redirects
 * Fix scoping issues with instance variables and blocks

# 2.2.0 - 2013-10-28

 * Reduce command injection false positives
 * Use Rails version from Gemfile if it is available
 * Only add routes with actual names
 * Ignore redirects to models using friendly_id (AJ Ostrow) 
 * Support scanning Rails engines (Geoffrey Hichborn)
 * Add check for detailed exceptions in production

# 2.1.2 - 2013-09-18

 * Do not attempt to load custom Haml filters
 * Do not warn about `to_json` XSS in Rails 4
 * Add --table-width option to set width of text reports (ssendev)
 * Remove fuzzy matching on dangerous attr_accessible values

# 2.1.1 - 2013-08-21

 * New warning code for dangerous attributes in attr_accessible
 * Do not warn on attr_accessible using roles
 * More accurate results for model attribute warnings
 * Use exit code zero with `-z` if all warnings ignored
 * Respect ignored warnings in rescans
 * Ignore dynamic controller names in routes
 * Fix infinite loop when run as rake task (Matthew Shanley)
 * Respect ignored warnings in tabs format reports

# 2.1.0 - 2013-07-17

 * Support non-native line endings in Gemfile.lock (Paul Deardorff)
 * Support for ignoring warnings
 * Check for dangerous model attributes defined in attr_accessible (Paul Deardorff)
 * Update to ruby_parser 3.2.2
 * Add brakeman-min gemspec
 * Load gem dependencies on-demand 
 * Output JSON diff to file if -o option is used 
 * Add check for authenticate_or_request_with_http_basic
 * Refactor of SQL injection check code (Bart ten Brinke)
 * Fix detection of duplicate XSS warnings
 * Refactor reports into separate classes 
 * Allow use of Slim 2.x (Ian Zabel) 
 * Return error exit code when application path is not found
 * Add `--branch-limit` option, limit to 5 by default
 * Add more methods to check for command injection
 * Fix output format detection to be more strict again
 * Allow empty Brakeman configuration file

# 2.0.0 - 2013-05-20
  
 * Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
 * Add Marshal/CSV deserialization check
 * Combine deserialization checks into single check
 * Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings
 * Avoid duplicate results for Symbol DoS check
 * Medium confidence for mass assignment to attr_protected models
 * Remove "timestamp" key from JSON reports
 * Remove deprecated config file locations
 * Relative paths are used by default in JSON reports
 * `--absolute-paths` replaces `--relative-paths`
 * Only treat classes with names containing `Controller` like controllers
 * Better handling of classes nested inside controllers
 * Better handling of controller classes nested in classes/modules
 * Handle `->` lambdas with no arguments
 * Handle explicit block argument destructuring
 * Skip Rails config options that are real objects
 * Detect Rails 3 JSON escape config option
 * Much better tracking of warning file names
 * Fix errors when using `--separate-models` (Noah Davis)
 * Fix fingerprint generation to actually use the file path
 * Fix text report console output in JRuby
 * Fix false positives on `Model#id`
 * Fix false positives on `params.to_json`
 * Fix model path guesses to use "models/" instead of "controllers/"
 * Clean up SQL CVE warning messages
 * Use exceptions instead of abort in brakeman lib
 * Update to Ruby2Ruby 2.0.5

# 1.9.5 - 2013-04-05

 * Add check for unsafe symbol creation
 * Do not warn on mass assignment with `slice`/`only`
 * Do not warn on session secret if in `.gitignore`
 * Fix scoping for blocks and block arguments
 * Fix error when modifying blocks in templates
 * Fix session secret check for Rails 4
 * Fix crash on `before_filter` outside controller
 * Fix `Sexp` hash cache invalidation
 * Respect `quiet` option in configuration file
 * Convert assignment to simple `if` expressions to `or`
 * More fixes for assignments inside branches
 * Pin to ruby2ruby version 2.0.3

# 1.9.4 - 2013-03-19
 
 * Add check for CVE-2013-1854
 * Add check for CVE-2013-1855
 * Add check for CVE-2013-1856
 * Add check for CVE-2013-1857
 * Fix `--compare` to work with older versions
 * Add "no-referrer" to HTML report links
 * Don't warn when invoking `send` on user input
 * Slightly faster cloning of Sexps
 * Detect another way to add `strong_parameters`

# 1.9.3 - 2013-03-01
 
 * Add render path to JSON report
 * Add warning fingerprints
 * Add check for unsafe reflection (Gabriel Quadros)
 * Add check for skipping authentication methods with blacklist
 * Add support for Slim templates
 * Remove empty tables from reports (Owen Ben Davies)
 * Handle `prepend/append_before_filter`
 * Performance improvements when handling branches
 * Fix processing of `production.rb`
 * Fix version check for Ruby 2.0
 * Expand HAML dependency to include 4.0
 * Scroll errors into view when expanding in HTML report

# 1.9.2 - 2013-02-14

 * Add check for CVE-2013-0269
 * Add check for CVE-2013-0276
 * Add check for CVE-2013-0277
 * Add check for CVE-2013-0333
 * Check for more send-like methods
 * Check for more SQL injection locations
 * Check for more dangerous YAML methods
 * Support MultiJSON 1.2 for Rails 3.0 and 3.1

# 1.9.1 - 2013-01-19

 * Update to RubyParser 3.1.1 (neersighted)
 * Remove ActiveSupport dependency (Neil Matatall)
 * Do not warn on arrays passed to `link_to` (Neil Matatall)
 * Warn on secret tokens
 * Warn on more mass assignment methods
 * Add check for CVE-2012-5664
 * Add check for CVE-2013-0155
 * Add check for CVE-2013-0156
 * Add check for unsafe `YAML.load`

# 1.9.0 - 2012-12-25

 * Update to RubyParser 3
 * Ignore route information by default
 * Support `strong_parameters`
 * Support newer `validates :format` call
 * Add scan time to reports
 * Add Brakeman version to reports
 * Fix `CheckExecute` to warn on all string interpolation
 * Fix false positive on `to_sql` calls
 * Don't mangle whitespace in JSON code formatting
 * Add AppTree as facade for filesystem (brynary)
 * Add link for translate vulnerability warning (grosser)
 * Rename LICENSE to MIT-LICENSE, remove from README (grosser)
 * Add Rakefile to run tests (grosser)
 * Better default config file locations (grosser)
 * Reduce Sexp creation
 * Handle empty model files
 * Remove "find by regex" feature from `CallIndex`

# 1.8.3 - 2012-11-13

 * Use `multi_json` gem for better harmony
 * Performance improvement for call indexing
 * Fix issue with processing HAML files
 * Handle pre-release versions when processing `Gemfile.lock`
 * Only check first argument of `redirect_to`
 * Fix false positives from `Model.arel_table` accesses
 * Fix false positives on redirects to models decorated with Draper gem
 * Fix false positive on redirect to model association
 * Fix false positive on `YAML.load`
 * Fix false positive XSS on any `to_i` output
 * Fix error on Rails 2 name routes with no args
 * Fix error in rescan of mixins with symbols in method name
 * Do not rescan non-Ruby files in config/

# 1.8.2 - 2012-10-17

 * Fixed rescanning problems caused by 1.8.0 changes
 * Fix scope calls with single argument
 * Report specific model name in rendered collections
 * Handle overwritten JSON escape settings
 * Much improved test coverage
 * Add CHANGES to gemspec

# 1.8.1 - 2012-09-24

 * Recover from errors in output formatting
 * Fix false positive in redirect_to (Neil Matatall)
 * Fix problems with removal of `Sexp#method_missing`
 * Fix array indexing in alias processing
 * Fix old mail_to vulnerability check
 * Fix rescans when only controller action changes
 * Allow comparison of versions with unequal lengths
 * Handle super calls with blocks
 * Respect `-q` flag for "Rails 3 detected" message

# 1.8.0 - 2012-09-05

 * Support relative paths in reports (fsword)
 * Allow Brakeman to be run without tty (fsword)
 * Fix exit code with `--compare` (fsword)
 * Fix `--rake` option (Deepak Kumar)
 * Add high confidence warnings for `to_json` XSS (Neil Matatall)
 * Fix `redirect_to` false negative
 * Fix duplicate warnings with `raw` calls
 * Fix shadowing of rendered partials
 * Add "render chain" to HTML reports
 * Add check for XSS in `content_tag`
 * Add full backtrace for errors in debug mode
 * Treat model attributes in `or` expressions as immediate values
 * Switch to method access for Sexp nodes

# 1.7.1 - 2012-08-13

 * Add check for CVE-2012-3463
 * Add check for CVE-2012-3464
 * Add check for CVE-2012-3465
 * Add charset to HTML report (hooopo)
 * Report XSS in select() for Rails 2

# 1.7.0 - 2012-07-31

 * Add check for CVE-2012-3424
 * Link report types to descriptions on website
 * Report errors raised while running check
 * Improve processing of Rails 3 routes
 * Fix "empty char-class" error
 * Improve file access check
 * Avoid warning on non-ActiveModel models
 * Speed improvements by stripping down SexpProcessor
 * Fix how `params[:x] ||=` is handled
 * Treat user input in `or` expressions as immediate values
 * Fix processing of negative array indexes
 * Add line breaks to truncated table rows

# 1.6.2 - 2012-06-13

 * Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
 * Avoid warning when redirecting to a model instance
 * Add `request.parameters` as a parameters hash
 * Raise confidence level for model attributes in redirects
 * Return non-zero exit code when missing dependencies
 * Fix `before_filter :except` logic
 * Only accept symbol literals as before_filter names
 * Cache before_filter lookups
 * Turn off quiet mode by default for `--compare`

# 1.6.1 - 2012-05-23

 * Major rewrite of CheckSQL
 * Fix rescanning of deleted templates
 * Process actions mixed into controllers
 * Handle `render :template => ...`
 * Check for inherited attr_accessible (Neil Matatall)
 * Fix highlighting of HTML escaped values in HTML report
 * Report line number of highlighted value, if available

# 1.6.0 - 2012-04-20

 * Remove the Ruport dependency (Neil Matatall)
 * Add more informational JSON output (Neil Matatall)
 * Add comparison to previous JSON report (Neil Matatall)
 * Add highlighting of dangerous values in HTML/text reports
 * Model#update_attribute should not raise mass assignment warning (Dave Worth)
 * Don't check `find_by_*` method for SQL injection
 * Fix duplicate reporting of mass assignment and SQL injection
 * Fix rescanning of deleted files 
 * Properly check for rails_xss in Gemfile

# 1.5.3 - 2012-04-10

 * Add check for user input in Object#send (Neil Matatall)
 * Handle render :layout in views
 * Support output to multiple formats (Nick Green)
 * Prevent infinite loops in mutually recursive templates
 * Only check eval arguments for user input, not targets
 * Search subdirectories for models
 * Set values in request hashes and propagate to views
 * Add rake task file to gemspec (Anton Ageev)
 * Filter rescanning of templates (Neil Matatall)
 * Improve handling of modules and nesting
 * Test for zero errors in test reports

# 1.5.2 - 2012-03-22

 * Fix link_to checks for Rails 2.0 and 2.3
 * Fix rescanning of lib files (Neil Matatall)
 * Output stack trace on interrupt when debugging
 * Ignore user input in if statement conditions
 * Fix --skip-files option
 * Only warn on user input in render paths
 * Fix handling of views when using rails_xss
 * Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing

# 1.5.1 - 2012-03-06

 * Fix detection of global mass assignment setting
 * Fix partial rendering in Rails 3
 * Show backtrace when interrupt received (Ruby 1.9 only)
 * More debug output
 * Remove duplicate method in Brakeman::Rails2XSSErubis
 * Add tracking of module and class to Brakeman::BaseProcessor
 * Report module when using Brakeman::FindCall

# 1.5.0 - 2012-03-02

 * Add version check for SafeBuffer vulnerability
 * Add check for select vulnerability in Rails 3
 * select() is no longer considered safe in Rails 2
 * Add check for skipping CSRF protection with a blacklist
 * Add JSON report format
 * Model#id should not be considered XSS
 * Standardize methods to check for SQL injection
 * Fix Rails 2 route parsing issue with nested routes

# 1.4.0 - 2012-02-24

 * Add check for user input in link_to href parameter
 * Match ERB processing to rails_xss plugin when plugin used
 * Add Brakeman::Report#to_json, Brakeman::Warning#to_json
 * Warnings below minimum confidence are dropped completely
 * Brakeman.run always returns a Tracker

# 1.3.0 - 2012-02-09

 * Add file paths to HTML report
 * Add caching of filters
 * Add --skip-files option
 * Add support for attr_protected
 * Add detection of request.env as user input
 * Descriptions of checks in -k output
 * Improved processing of named scopes
 * Check for mass assignment in ActiveRecord::Associations::AssociationCollection#build
 * Better variable substitution
 * Table output option for rescan reports

# 1.2.2 - 2012-01-26

 * --no-progress works again
 * Make CheckLinkTo a separate check
 * Don't fail on unknown options to resource(s)
 * Handle empty resource(s) blocks
 * Add RescanReport#existing_warnings

## 1.2.1 - 2012-01-20

 * Remove link_to warning for Rails 3.x or when using rails_xss
 * Don't warn if first argument to link_to is escaped
 * Detect usage of attr_accessible with no arguments
 * Fix error when rendering a partial from a view but not through a controller
 * Fix some issues with rails_xss, CheckCrossSiteScripting, and CheckTranslateBug
 * Simplify Brakeman Rake task
 * Avoid modifying $VERBOSE
 * Add Brakeman::RescanReport#to_s
 * Add Brakeman::Warning#to_s

## 1.2.0 - 2012-01-14

 * Speed improvements for CheckExecute and CheckRender
 * Check named_scope() and scope() for SQL injection
 * Add --rake option to create rake task to run Brakeman
 * Add experimental support for rescanning a subset of files
 * Add --summary option to only output summary
 * Fix a problem with Rails 3 routes

## 1.1.0 - 2011-12-22

 * Relax required versions for dependencies
 * Performance improvements for source processing
 * Better progress reporting
 * Handle basic operators like << + - * /
 * Rescue more errors to prevent complete crashes
 * Compatibility with newer Haml versions
 * Fix some warnings

## 1.0.0 - 2011-12-08

 * Better handling of assignments inside ifs
 * Check more expressions for SQL injection
 * Use latest ruby_parser for better 1.9 syntax support
 * Better behavior for Brakeman as a library

## 1.0.0rc1 - 2011-12-06

 * Brakeman can now be used as a library
 * Faster call search
 * Add option to return error code if warnings are found (tw-ngreen)
 * Allow truncated messages to be expanded in HTML
 * Fix summary when using warning thresholds
 * Better support for Rails 3 routes
 * Reduce SQL injection duplicate warnings
 * Lower confidence on mass assignment with no user input
 * Ignore mass assignment using all literal arguments
 * Keep expanded context in view with HTML output

## 0.9.2 - 2011-11-22

 * Fix Rails 3 configuration parsing
 * Add t() helper to check for translate XSS bug

## 0.9.1 - 2011-11-18

 * Add warning for translator helper XSS vulnerability

## 0.9.0 - 2011-11-17

 * Process Rails 3 configuration files
 * Fix CSV output
 * Check for config.active_record.whitelist_attributes = true
 * Always produce a warning for without_protection => true

## 0.8.4 - 2011-11-04

 * Option for separate attr_accessible warnings
 * Option to set CSS file for HTML output
 * Add file names for version-specific warnings
 * Add line number for default routes in a controller
 * Fix hash_insert()
 * Remove use of Queue from threaded checks

## 0.8.3 - 2011-10-25
 
 * Respect -w flag in .tabs format (tw-ngreen)
 * Escape HTML output of error messages
 * Add --skip-libs option

## 0.8.2 - 2011-10-01

 * Run checks in parallel threads by default
 * Fix compatibility with ruby_parser 2.3.1

## 0.8.1 - 2011-09-28

 * Add option to assume all controller methods are actions
 * Recover from errors when parsing routes

## 0.8.0 - 2011-09-15

 * Add check for mass assignment using without_protection
 * Add check for password in http_basic_authenticate_with
 * Warn on user input in hash argument with mass assignment
 * auto_link is now considered safe for Rails >= 3.0.6
 * Output detected Rails version in report
 * Keep track of methods called in class definition
 * Add ruby_parser hack for Ruby 1.9 hash syntax
 * Add a few Rails 3.1 tests

## 0.7.2 - 2011-08-27

 * Fix handling of params and cookies with nested access
 * Add CVEs for checks added in 0.7.0

## 0.7.1 - 2011-08-18

 * Require BaseProcessor for GemProcessor

## 0.7.0 - 2011-08-17

 * Allow local variable as a class name
 * Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
 * Check for default routes in Rails 3 apps
 * Look in Gemfile or Gemfile.lock for Rails version

## 0.6.1 - 2011-07-29

 * Fix XSS check for cookies as parameters in output
 * Don't bother calling super in CheckSessionSettings
 * Add escape_once as a safe method
 * Accept '\Z' or '\z' in model validations

## 0.6.0 - 2011-07-20

 * Tests are in place and fully functional
 * Hide errors by default in HTML output
 * Warn if routes.rb cannot be found
 * Narrow methods assumed to be file access
 * Increase confidence for methods known to not escape output
 * Fixes to output processing for Erubis
 * Fixes for Rails 3 XSS checks
 * Fixes to line numbers with Erubis
 * Fixes to escaped output scanning
 * Update CSRF CVE-2011-0447 message to be less assertive

## 0.5.2 - 2011-06-29

 * Output report file name when finished
 * Add initial tests for Rails 2.x
 * Fix ERB line numbers when using Ruby 1.9

## 0.5.1 - 2011-06-17

 * Fix issue with 'has_one' => in routes

## 0.5.0 - 2011-06-08

  * Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
  * Allow empty blocks in Rails 3 routes
  * Check initializer for session settings
  * Add line numbers to session setting warnings
  * Add --checks option to list checks

## 0.4.1 - 2011-05-23
  
  * Fix reported line numbers when using new Erubis parser
    (Mostly affects Rails 3 apps)

## 0.4.0 - 2011-05-19

  * Handle Rails XSS protection properly
  * More detection options for rails_xss
  * Add --escape-html option 

## 0.3.2 - 2011-05-12  

  * Autodetect Rails 3 applications
  * Turn on auto-escaping for Rails 3 apps
  * Check Model.create() for mass assignment

## 0.3.1 - 2011-05-03

  * Always output a line number in tabbed output format
  * Restrict characters in category name in tabbed output format to
    word characters and spaces, for Hudson/Jenkins plugin

## 0.3.0 - 2011-03-21

  * Check for SQL injection in calls using constantize()
  * Check for SQL injection in calls to count_by_sql()

## 0.2.2 - 2011-02-22

  * Fix version_between? when no Rails version is specified

## 0.2.1 - 2011-02-18

  * Add code snippet to tab output messages

## 0.2.0 - 2011-02-16

  * Add check for mail_to vulnerability - CVE-2011-0446
  * Add check for CSRF weakness - CVE-2011-0447

## 0.1.1 - 2011-01-25

  * Be more permissive with ActiveSupport version

## 0.1.0 - 2011-01-18

  * Check link_to for XSS (because arguments are not escaped)
  * Process layouts better (although not perfectly yet)
  * Load custom Haml filters if they are in lib/
  * Tab separated output via .tabs output extension
  * Switch to normal versioning scheme


================================================
FILE: CODE_OF_CONDUCT.md
================================================
# Contributor Covenant Code of Conduct

## Our Pledge

In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.

## Our Standards

Examples of behavior that contributes to creating a positive environment include:

* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting

## Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.

## Scope

This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at conduct@brakeman.org. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]

[homepage]: http://contributor-covenant.org
[version]: http://contributor-covenant.org/version/1/4/


================================================
FILE: CONTRIBUTING.md
================================================
## Copyright Assignment

By opening a pull request to https://github.com/presidentbeef/brakeman,
you agree to assign all rights to the code to Synopsys, Inc. under the [Brakeman Public Use License](LICENSE.md).

## Submitting a Pull Request

Pull requests are welcome!

Please follow the typical GitHub flow:

* Fork Brakeman
* Clone locally `git clone your_new_fork`
* Create a new branch `git checkout -b fix_some_broken_stuff`
* Add new tests
* Make fixes, follow coding conventions of project
* Run tests with `ruby test/test.rb` or just `rake` 
* Push your changes `git push origin fix_some_broken_stuff`
* Go to *your* fork, click "Submit pull request"
* Provide a description of the bug and fix
* Submit!

### Code Conventions

These are some code conventions to follow so your code fits into the rest of Brakeman.

* Must use typical Ruby 2 space indentation
* Must work with Ruby 2.4.0
* Prefer to wrap lines near 80 characters but it's not a hard rule

### Preparing Tests

Tests are very important to ensure fixes actually work, and to make it obvious what your changes are supposed to fix. They also protect against breaking features in the future.

#### Run Tests

To run Brakeman tests:

    ruby test/test.rb

or

    rake

To check test coverage, install `simplecov` before running tests. Then open `coverage/index.html` in a browser. For a correct report, run the tests from the root directory.

#### Add a Test Case

Brakeman has several Rails applications in the `test/apps` directory. Choose the one that best matches your situation and modify it to reproduce the issue. It is preferable to modify the application in such a way that the fewest existing tests are broken. In particular, the tests for "expected number of reported warnings" will probably change, but no other tests should, unless those tests or the expected behavior were already broken.

In the `test/tests` directory, each application has its own set of tests. Most of these consist of `assert_warning` or `assert_no_warning`, which test for warnings generated by Brakeman.

When adding a test for a false positive, use `assert_no_warning` so the expected behavior is clear.

#### Generating Tests

Writing the `assert_warning` tests can be tedious, especially in bulk. There is a tool which will convert Brakeman reports to tests in `tests/to_test.rb`. This file takes exactly the same options as Brakeman. This makes it easy to generate a smaller set of tests (as opposed to tests for every Brakeman warning, which probably already have tests).

Example:

```
ruby to_test.rb apps/rails2 -t Execute
```

will generate some boilerplate and then a set of methods:

```ruby
#...
 
  def test_command_injection_1
    assert_warning :type => :warning,
      :warning_type => "Command Injection",
      :line => 34,
      :message => /^Possible\ command\ injection/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end


  def test_command_injection_2
    assert_warning :type => :warning,
      :warning_type => "Command Injection",
      :line => 36,
      :message => /^Possible\ command\ injection/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end
#...
```

The boilerplate is unnecessary unless you are adding a whole new test application.

When adding a single test or set of tests, copy the tests from here, change the names to something descriptive, and you are done!

Note that when adding an `assert_no_warning` test for false positives, you can still generate the test with the false positive, then change the assertion.


================================================
FILE: COPYING.md
================================================
Code committed on or after June 15, 2018 is licensed under the [Brakeman Public Use License](https://github.com/presidentbeef/brakeman/blob/main/LICENSE.md) and is owned by Synopsys, Inc.

Code committed prior to June 15, 2018 is licensed under the MIT license and is owned by the respective copyright holders.

The code available on [GitHub](https://github.com/presidentbeef/brakeman/) and as packaged on [RubyGems](https://rubygems.org/gems/brakeman) is distributed under the [Brakeman Public Use License](https://github.com/presidentbeef/brakeman/blob/main/LICENSE.md), sublicensed as necessary under MIT.


================================================
FILE: Dockerfile
================================================
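# Image for running Brakeman against an application bind-mounted at /code
# (see the README: docker run -v "$(pwd)":/code presidentbeef/brakeman).
FROM ruby:3.3-alpine
LABEL maintainer="Justin Collins <gem@brakeman.org>"

WORKDIR /usr/src/app

# build-base supplies the compiler toolchain for gems with native extensions.
# --no-cache fetches the package index on the fly instead of leaving a copy of
# it in the image layer (the older `--update` form keeps it around).
RUN apk add --no-cache build-base

# Copy our Gemfile (and related files) *without* copying our actual source code yet,
# so the gem-install layer below is only rebuilt when dependencies change
COPY Gemfile* *.gemspec gem_common.rb ./
# Copy lib/brakeman/version.rb so that bundle install works
COPY lib/brakeman/version.rb ./lib/brakeman/

# Install the necessary gems.
# Bundler 2 deprecates `bundle install --without`; recording the excluded groups
# in the app-local bundle config has the same effect without the deprecation
# notice on every build.
RUN bundle config set --local without 'development test' && \
    bundle install --jobs 4

# Copy in the latest Brakeman source code as the final stage
COPY . /usr/src/app

# Default to looking for source in /code
WORKDIR /code

# No USER directive here: the scanner runs as root inside the container, so any
# report written into the /code bind mount (e.g. -o brakeman_results.html) is
# root-owned on the host.
ENTRYPOINT ["/usr/src/app/bin/brakeman"]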


================================================
FILE: Dockerfile.codeclimate
================================================
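# Code Climate engine image: runs bin/codeclimate-brakeman against /code.
# The base image matches the main Dockerfile and the README's stated runtime
# requirement (Brakeman needs at least Ruby 3.2.0 to run).
FROM ruby:3.3-alpine
LABEL maintainer="Justin Collins"

WORKDIR /usr/src/app

# Create user named app with uid=9000, give it ownership of /usr/src/app
# (Code Climate engines are expected to run as uid 9000). Everything after
# USER app, including the gem install, runs unprivileged.
RUN adduser -u 9000 -D app && \
    chown -R app:app /usr/src/app
USER app

# Copy our Gemfile (and related files) *without* copying our actual source code yet,
# so the gem-install layer below is only rebuilt when dependencies change
COPY Gemfile* *.gemspec gem_common.rb ./
# Copy lib/brakeman/version.rb so that bundle install works
COPY lib/brakeman/version.rb ./lib/brakeman/

# Install the necessary gems.
# Bundler 2 deprecates `bundle install --without`; the app-local bundle config
# (written to ./.bundle, owned by app) records the excluded groups instead.
RUN bundle config set --local without 'development test' && \
    bundle install --jobs 4

# Copy in the latest Brakeman source code as the final stage
COPY . /usr/src/app

# Default to looking for source in /code
WORKDIR /code

CMD ["/usr/src/app/bin/codeclimate-brakeman"]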


================================================
FILE: FEATURES
================================================
Can detect:
-Possibly unescaped model attributes or parameters in views (Cross-Site Scripting)
-Bad string interpolation in calls to Model.find, Model.last, Model.first, etc., as well as chained calls (SQL Injection)
-String interpolation in find_by_sql (SQL Injection)
-String interpolation or params in calls to system, exec, and syscall and `` (Command Injection)
-Unrestricted mass assignments
-Global restriction of mass assignment
-Missing call to protect_from_forgery in ApplicationController (CSRF protection)
-Default routes, per-controller and globally
-Redirects based on params (probably too broad currently)
-Validation regexes not using \A and \z
-Calls to render with dynamic paths

General capabilities:
-Search for method calls based on target class and/or method name
-Determine 'output' of templates using ERB, Erubis, or HAML. Can handle automatic escaping


================================================
FILE: Gemfile
================================================
# Development Gemfile for Brakeman.
#
# Runtime dependencies are declared in brakeman.gemspec; this file only adds
# the test-time gems. Those are left out entirely when BM_PACKAGE is set in
# the environment (presumably by the packaging scripts — confirm against build.rb).
source "https://rubygems.org"

gemspec name: "brakeman"

# ENV values are strings or nil, so a nil check is the same test as `unless`.
if ENV['BM_PACKAGE'].nil?
  group :test do
    gem 'rake'
    gem 'minitest', '>= 6.0'
  end
end


================================================
FILE: LICENSE.md
================================================
**LICENSE**

# Brakeman Public Use License

Synopsys, Inc. is willing to authorize use of the Software pursuant to the terms and conditions of this License by Licensee only upon the condition that Licensee accepts that the Agreement governs Licensee's use of the Software. By accepting this Agreement or installing or using the Software (directly or through the actions of an authorized representative), Licensee confirms its acceptance of the License and the Agreement and its agreement to comply with the License terms.

The Brakeman software (the "***Software***") is licensed for use by third parties according to the terms and conditions set forth in this license agreement (the "***Agreement***"). The copyright to the Software and this license agreement is owned by Synopsys, Inc. and its global affiliates ("***Synopsys***").

**Copyright 2019 Synopsys, Inc. All rights not granted in this Agreement are expressly reserved.**

Commercial Uses (as defined below) of the Software for commercial purposes require a commercial, non-free license. Otherwise, the Software may be used by the party that has downloaded the Software and accepted the terms of this Agreement without charge.

## 1. Definitions

1.1 "***License***" means this Agreement.

1.2 "***Licensee***" means you, the end user of the Software.

1.3 "***Contributor***" means each individual or legal entity that creates, contributes to the creation of, or owns the Software.

1.4 "***Contribution***" means the creation of and/or contribution to the development of the Software

1.5 "***Software***" has the meaning set forth in the recital to this Agreement.

## 2. Commercial Uses

A "***Commercial Use***" of the Software is one intended for commercial advantage or monetary compensation.

Examples of Commercial Uses include (but are not limited to):

* Using the Software to provide commercial managed/Software-as-a-Service services.
* Distributing the Software as a commercial product or as part of one.
* Using the Software as a component of a value-added service/product.

Example of uses that are not Commercial Uses, and are subject to the terms of this License, include (but are not limited to):

* Using the Software to analyze Licensee's software.
* Any non-commercial use of the Software.

To purchase a license to the Software for Commercial Use, or if Licensee is unsure whether it needs to purchase a Commercial Use license, contact Synopsys at \[sig-sales-ww@synopsys.com\].
Synopsys may grant commercial licenses at no monetary cost at its own discretion if the commercial usage is deemed by Synopsys to significantly benefit the development of the Software.

## 3. License Grant

Synopsys grants Licensee a nonexclusive, nontransferable (except as permitted in this Agreement), limited license to use and modify the Software, subject to the terms and conditions stated in this Agreement, only for the purpose of non-Commercial Use and not for any other purpose. Licensee may make copies of the Software to the extent reasonably necessary to exercise the License granted in this Agreement.

As a condition to the grant of the foregoing License, Licensee agrees not to do or undertake to do the following:

* Use the Software for any Commercial Use;

* Remove or modify any trademarks or any copyright notice in the Software; or

* Assign the License or the Agreement, or distribute, give, or transfer the Software to any third party, except as expressly permitted in this Agreement.

All rights not expressly granted in this Agreement are reserved by Synopsys. Synopsys or its licensors retain all ownership and intellectual property rights to the Software.

## 4. Redistribution

Redistribution is permitted solely under the following conditions:

* A copy of this License, without modification, is provided with the Software.
* All Copyright notices to the Software and this Agreement are provided with the Software.
* Redistribution and subsequent use does not conflict with the Commercial Uses clause above.

## 4. Copying

Copying of the Software is permitted so long as it does not conflict with the Redistribution and Commercial Uses clauses.

## 5. Modification

Modification of the Software is permitted so long as it does not conflict with the Redistribution clause.

## 6. Contributions

All right, title, and interest in any Contributions to the Software are hereby assigned to Synopsys, effective upon the date of creation of any such Contribution. Synopsys shall have the unlimited, exclusive right to reuse, modify and relicense any Contributions.

## 7. Support

The Software is provided under an AS-IS basis and without any support, updates or maintenance. Updates to the Software may be provided by Synopsys at its sole discretion.

## 8. Disclaimer of Warranty

The Software is provided under this License on an "as is" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Software is free of defects, merchantable, fit for a particular purpose or non-infringing.

## 9. Disclaimer of Liability

To the extent permitted under law, the Software is provided under an AS-IS basis. Synopsys shall never be liable for any damage (including without limitation indirect, incidental, special, punitive or consequential damage, or damage for loss of profits, revenue, data, or data use), cost, expense or any other payment incurred as a result of Licensee's use of the Software for any purpose, even if Synopsys has been advised of the possibility of such damages and regardless of whether the action for such damage arises in contract or tort. The entire liability of Synopsys under the Agreement shall not exceed one hundred dollars (USD $100).

## 10. Trademark

"Synopsys" is a registered trademark of Synopsys, Inc. All rights are reserved to Synopsys, Inc. This Agreement does not grant the use of the trademark or the use of the Synopsys logo to you for any purpose.

## 11. Export Controls

Export laws and regulations of the United States and any other relevant local export laws and regulations apply to the Software. Licensee agrees that United States export control laws govern the use of the Software (including any corresponding documentation).  Licensee also agrees to comply with all United States export laws and regulations (including "deemed export" and "deemed re-export" regulations). Licensee agrees that no results of analysis created or derived from the use of the Software will be exported, directly or indirectly, in violation of these laws, or will be used for any purpose prohibited by these laws including, without limitation, nuclear, chemical, or biological weapons proliferation, or development of missile technologies. 

Licensee confirms and agrees:

* Licensee will not download, provide, make available or otherwise export or re-export the Software, directly or indirectly, to countries prohibited by applicable laws and regulations nor to citizens, nationals or residents of those countries.
* Licensee is not listed on the United States Department of Treasury lists of Specially Designated Nationals and Blocked Persons, Specially Designated Terrorists, and Specially Designated Narcotic Traffickers, nor is Licensee listed on the United States Department of Commerce Table of Denial Orders.
* Licensee will not export or re-export the Software, directly or indirectly, to persons on the above mentioned lists.
* Licensee will not use or allow the Software to be used for, any purposes prohibited by applicable law, including, without limitation, for the development, design, manufacture or production of nuclear, chemical or biological weapons of mass destruction.

## 12. Relationship Between the Parties

Licensee is an independent contractor and hereby agrees that no partnership, joint venture, or agency relationship exists between Licensee and Synopsys.

## 13. Entire Agreement; Governing Law

The Agreement is the complete agreement for the Software. The Agreement supersedes all prior or contemporaneous agreements or representations, including any license agreements for prior versions of the Software.

This Agreement may not be modified and the rights and restrictions may not be altered or waived except in a writing signed by authorized representatives of the parties.  If any term of the License or the Agreement is found to be invalid or unenforceable, the remaining provisions will remain effective.

The Agreement is governed by California law.  The parties agree to submit to the exclusive jurisdiction of, and venue in, the courts of Santa Clara county, California with respect to any action arising out of or relating to the License or the Agreement.

## 14. Notices

Any questions concerning the License and/or the Agreement and any notices to Synopsys under this agreement shall be directed to:

  Synopsys, Inc.  
  800 E. Middlefield Road  
  Mountain View, CA 94045


End of Agreement


================================================
FILE: MIT-LICENSE
================================================
The MIT License

Copyright (c) 2010-2012, YELLOWPAGES.COM, LLC
Copyright (c) 2012, Twitter, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.


================================================
FILE: OPTIONS.md
================================================
This file may or may not be up-to-date. For an accurate (though less detailed) list of options, run `brakeman --help`.

## Scanning Options

There are some checks which are not run by default. To run all checks, use:

    brakeman -A

Each check will be run in a separate thread by default. To disable this behavior:

    brakeman -n

By default, Brakeman scans the current directory. A path can also be specified as a bare argument, like:

    brakeman some/path/to/app

But to be even more specific, the `-p` or `--path` option may be used:

    brakeman -p path/to/app

To suppress informational warnings and just output the report:

    brakeman -q

Note that all Brakeman output except reports is sent to stderr, making it simple to redirect stdout to a file and just get the report.

By default, Brakeman will return a non-zero exit code if any security warnings are found or scanning errors are encountered. To disable this:

    brakeman --no-exit-on-warn --no-exit-on-error

To force Brakeman into Rails 3 mode:

    brakeman -3

Or to force Brakeman into Rails 4 mode:

    brakeman -4

Beware that some behavior and checks rely on knowing the exact Rails version. This shouldn't be a problem with any modern Rails app using a `Gemfile.lock` though.

Brakeman used to parse `routes.rb` and attempt to infer which controller methods are used as actions. However, this is not perfect (especially for Rails 3/4), so now it assumes all controller methods are actions. To disable this behavior:

    brakeman --no-assume-routes

While this shouldn't be necessary, it is possible to force Brakeman to assume output is escaped by default:

    brakeman --escape-html

If Brakeman is running a bit slow, try

    brakeman --faster

This will disable some features, but will probably be much faster (currently it is the same as `--no-branching`). *WARNING*: This may cause Brakeman to miss some vulnerabilities.

To disable flow sensitivity in `if` expressions:

    brakeman --no-branching

To instead limit the number of branches tracked for a given value:

    brakeman --branch-limit LIMIT

`LIMIT` should be an integer value. `0` is almost the same as `--no-branching` but `--no-branching` is preferred. The default value is `5`. Lower values generally make Brakeman go faster. `-1` is the same as unlimited.

To skip certain files or directories use:

    brakeman --skip-files file1,/path1/,path2/

Directories are matched relative to the root path of your application and must end in a path separator for your platform (ex. `/`). The above invocation would match and skip the following:

* Any file named `file1`. Any file that has `file1` as a path component would still be scanned.
* Any file within `/path1`. Because of the leading `/`, only directories from the application's root directory will match. For example, `/lib/path1/some_path1_file.rb` would still be scanned.
* Any directory named `path2`. Because there is no leading `/`, any directory with `path2` as a path component will be skipped. For example, `/lib/path2/some_lib_for_testing.rb` would not be scanned.

Note Brakeman does "whole program" analysis, therefore skipping a file may affect warning results from more than just that one file.

The inverse but even more dangerous option is to choose specific files or directories to scan:

    brakeman --only-files file1,/path2/,path2/

Again, since Brakeman looks at the whole program, it is very likely not going to behave as expected when scanning a subset of files. Also, if certain files are excluded Brakeman may not function at all.

To run a subset of checks:

    brakeman --test Check1,Check2,etc

To exclude certain checks:

    brakeman --except Check1,Check2,etc

Note it is not necessary to include the `Check` part of the check. For example, these are equivalent:

    brakeman --test CheckSQL
    brakeman --test SQL

## Output Options

To see all kinds of debugging information:

    brakeman -d

To specify an output file for the results:

    brakeman -o output_file

The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, `github`, `sarif` and `sonar`.

Multiple output files can be specified:

    brakeman -o output.html -o output.json

To output to both a file and to the console, with color:

    brakeman --color -o /dev/stdout -o output.json

To specify a CSS stylesheet to use with the HTML report:

    brakeman --css-file my_cool_styling

By default, Brakeman will only report a single warning of a given type for the same line of code. This can be disabled using

    brakeman --no-combine-locations

To disable highlighting of "dangerous" or "user input" values in warnings:

    brakeman --no-highlights

To report controller and route information:

    brakeman --routes

However, if you really want to know what routes an app has, use

    rake routes

To set the limit on message length in HTML reports, use

    brakeman --message-limit LIMIT

The default LIMIT is 100.

To limit width of the tables output in text reports, use

    brakeman --table-width LIMIT

By default, there is no limit.

Brakeman will warn about each model without `attr_accessible`. In the HTML report it may be nicer to get all models in one warning with

    brakeman --no-separate-models

Sometimes you don't need a big report, just the summary:

    brakeman --summary

Reports show relative paths by default. To use absolute paths instead:

    brakeman --absolute-paths

This does not affect HTML or tab-separated reports.

To output Markdown with nice links to files on GitHub, use

    brakeman --github-repo USER/REPO[/PATH][@REF]

For example,

    brakeman --github-repo presidentbeef/inject-some-sql

To compare results of a scan with a previous scan, use the JSON output option and then:

    brakeman --compare old_report.json

This will output JSON with two lists: one of fixed warnings and one of new warnings.

By default, brakeman opens output in the `less` pager. To have brakeman output directly to the terminal, use

    brakeman --no-pager

## Ignoring Stuff

Brakeman will ignore warnings if configured to do so. By default, it looks for a configuration file in `config/brakeman.ignore`.

To specify a file to use:

    brakeman -i path/to/config.ignore

To create and manage this file, use:

    brakeman -I

To ignore possible XSS from model attributes:

    brakeman --ignore-model-output

Brakeman will raise warnings on models that use `attr_protected`. To suppress these warnings:

    brakeman --ignore-protected

To show all ignored warnings without affecting the exit code (i.e., the exit code will still be `0` if the application shows no warnings when simply running `brakeman`):

    brakeman --show-ignored

Brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would cause a warning (Rails 2):

    <%= some_method(:option => params[:input]) %>

To raise warnings only when untrusted data is being directly used:

    brakeman --report-direct

This option is not supported very consistently, though.

To indicate certain methods return properly escaped output and should not be warned about in XSS checks:

    brakeman --safe-methods benign_method_escapes_output,totally_safe_from_xss

To indicate certain methods return properly escaped output and should not be warned about in SQL checks:

    brakeman --sql-safe-methods benign_method_escapes_output,totally_safe_from_sql

Brakeman warns about use of user input in URLs generated with `link_to`. Since Rails does not provide any way of making these URLs truly safe (e.g. limiting protocols to HTTP(S)), safe methods can be ignored with

    brakeman --url-safe-methods ensure_safe_protocol_or_something

## Confidence Levels

Brakeman assigns a confidence level to each warning. This provides a rough estimate of how certain the tool is that a given warning is actually a problem. Naturally, these ratings should not be taken as absolute truth.

There are three levels of confidence:

 + High - Either this is a simple warning (boolean value) or user input is very likely being used in unsafe ways.
 + Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.
 + Weak - Typically means user input was indirectly used in a potentially unsafe manner.

To only get warnings above a given confidence level:

    brakeman -w3

The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and 3 being high (only highest confidence warnings).

## Configuration Files

Brakeman options can be stored in and read from YAML files. To simplify the process of writing a configuration file, the `-C` option will output the currently set options.

Options passed in on the commandline have priority over configuration files.

The default config locations are `./config/brakeman.yml`, `~/.brakeman/config.yml`, and `/etc/brakeman/config.yml`

The `-c` option can be used to specify a configuration file to use.

## Miscellaneous

To list available checks with short descriptions:

    brakeman --checks

To show checks which are optional (not run by default):

    brakeman --optional-checks

To see Brakeman's version:

    brakeman --version

To see the real list of options:

    brakeman --help


================================================
FILE: README.md
================================================
[![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)

[![Build Status](https://circleci.com/gh/presidentbeef/brakeman.svg?style=svg)](https://circleci.com/gh/presidentbeef/brakeman)
[![Code Coverage](https://qlty.sh/gh/presidentbeef/projects/brakeman/coverage.svg)](https://qlty.sh/gh/presidentbeef/projects/brakeman)

# Brakeman

Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.

# Installation

Using RubyGems:

    gem install brakeman

Using Bundler:

```ruby
group :development do
  gem 'brakeman', require: false
end
```

Using Docker:

    docker pull presidentbeef/brakeman

Using Docker to build from source:

    git clone https://github.com/presidentbeef/brakeman.git
    cd brakeman
    docker build . -t brakeman

# Usage

#### Running locally

From a Rails application's root directory:

    brakeman

Outside of Rails root:

    brakeman /path/to/rails/application

#### Running with Docker

From a Rails application's root directory:

    docker run -v "$(pwd)":/code presidentbeef/brakeman

With a little nicer color:

    docker run -v "$(pwd)":/code presidentbeef/brakeman --color

For an HTML report:

    docker run -v "$(pwd)":/code presidentbeef/brakeman -o brakeman_results.html

Outside of Rails root (note that the output file is relative to path/to/rails/application):

    docker run -v 'path/to/rails/application':/code presidentbeef/brakeman -o brakeman_results.html

# Compatibility

Brakeman should work with any version of Rails from 2.3.x to 8.x.

Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.2.0 to run.

# Basic Options

For a full list of options, use `brakeman --help` or see the [OPTIONS.md](OPTIONS.md) file.

To specify an output file for the results:

    brakeman -o output_file

The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, `github`, `sarif`, and `sonar`.

Multiple output files can be specified:

    brakeman -o output.html -o output.json

To output to both a file and to the console, with color:

    brakeman --color -o /dev/stdout -o output.json

To suppress informational warnings and just output the report:

    brakeman -q

Note that all Brakeman output except reports is sent to stderr, making it simple to redirect stdout to a file and just get the report.

To see all kinds of debugging information:

    brakeman -d

Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (`DefaultRoutes`):

    brakeman -x DefaultRoutes

Multiple checks should be separated by a comma:

    brakeman -x DefaultRoutes,Redirect

To do the opposite and only run a certain set of tests:

    brakeman -t SQL,ValidationRegex

If Brakeman is running a bit slow, try

    brakeman --faster

This will disable some features, but will probably be much faster (currently it is the same as `--skip-libs --no-branching`). *WARNING*: This may cause Brakeman to miss some vulnerabilities.

By default, Brakeman will return a non-zero exit code if any security warnings are found or scanning errors are encountered. To disable this:

    brakeman --no-exit-on-warn --no-exit-on-error

To skip certain files or directories that Brakeman may have trouble parsing, use:

    brakeman --skip-files file1,/path1/,path2/

To compare results of a scan with a previous scan, use the JSON output option and then:

    brakeman --compare old_report.json

This will output JSON with two lists: one of fixed warnings and one of new warnings.

Brakeman will ignore warnings if configured to do so. By default, it looks for a configuration file in `config/brakeman.ignore`.
To create and manage this file, use:

    brakeman -I

If you want to temporarily see the warnings you ignored without affecting the exit code, use:

    brakeman --show-ignored

# Warning information

See [warning\_types](docs/warning_types) for more information on the warnings reported by this tool.

# Warning context

The HTML output format provides an excerpt from the original application source where a warning was triggered. Due to the processing done while looking for vulnerabilities, the source may not resemble the reported warning and reported line numbers may be slightly off. However, the context still provides a quick look into the code which raised the warning.

# Confidence levels

Brakeman assigns a confidence level to each warning. This provides a rough estimate of how certain the tool is that a given warning is actually a problem. Naturally, these ratings should not be taken as absolute truth.

There are three levels of confidence:

 + High - Either this is a simple warning (boolean value) or user input is very likely being used in unsafe ways.
 + Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.
 + Weak - Typically means user input was indirectly used in a potentially unsafe manner.

To only get warnings above a given confidence level:

    brakeman -w3

The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and 3 being high (only highest confidence warnings).

# Configuration files

Brakeman options can be stored and read from YAML files.

To simplify the process of writing a configuration file, the `-C` option will output the currently set options:

```sh
$ brakeman -C --skip-files plugins/
---
:skip_files:
- plugins/
```

Options passed in on the commandline have priority over configuration files.

The default config locations are `./config/brakeman.yml`, `~/.brakeman/config.yml`, and `/etc/brakeman/config.yml`.

The `-c` option can be used to specify a configuration file to use.

# Continuous Integration

There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenkins/Hudson.

For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).

There are a couple [GitHub Actions](https://github.com/marketplace?type=actions&query=brakeman) available.

# Building

    git clone git://github.com/presidentbeef/brakeman.git
    cd brakeman
    gem build brakeman.gemspec
    gem install brakeman*.gem

# Who is Using Brakeman?

* [Code Climate](https://codeclimate.com/)
* [GitHub](https://github.com/)
* [Groupon](http://www.groupon.com/)
* [New Relic](http://newrelic.com)
* [Twitter](https://twitter.com/)

[..and more!](http://brakemanscanner.org/brakeman_users)

# Homepage/News

Website: http://brakemanscanner.org/

Twitter: https://twitter.com/brakeman

Chat: https://gitter.im/presidentbeef/brakeman

# License

Brakeman is free for non-commercial use.

See [COPYING](COPYING.md) for details.


================================================
FILE: Rakefile
================================================
require 'bundler/setup'
require 'rake/testtask'

# `rake test` runs every file matching test/tests/*.rb.
Rake::TestTask.new(:test) { |t| t.pattern = 'test/tests/*.rb' }

# A bare `rake` runs the test suite.
task default: :test


================================================
FILE: SECURITY.md
================================================
# Security Policy

## Supported Versions

The following versions are supported for security updates.

| Version | Supported          |
| ------- | ------------------ |
| >= 4.4.0 | :white_check_mark:|
| < 4.4.0 | :x:                |

## Reporting a Vulnerability

To report a vulnerability, email security@brakeman.org.

We will work as quickly as possible to investigate and address the issue, if necessary.

We do not have a vulnerability reward program.


================================================
FILE: bin/brakeman
================================================
#!/usr/bin/env ruby
# Command-line entry point for Brakeman.
#
# Put ../lib (relative to this script) at the front of the load path so the
# checkout's own sources are found when the script is run directly instead of
# through the installed gem.
$LOAD_PATH.unshift File.join(File.expand_path(File.dirname(__FILE__)), '..', 'lib')

# Read external data (source files, arguments) as UTF-8 regardless of locale.
Encoding.default_external = 'UTF-8'

require 'brakeman'
require 'brakeman/commandline'

Brakeman::Commandline.start


================================================
FILE: bin/codeclimate-brakeman
================================================
#!/usr/bin/env ruby
# Code Climate engine entry point for Brakeman.
#
# Prefer the checkout's own lib/ over any installed gem.
$LOAD_PATH.unshift File.join(File.expand_path(File.dirname(__FILE__)), '..', 'lib')

require "brakeman"
require "json"
require "brakeman/codeclimate/engine_configuration"

# Code Climate mounts the engine configuration at /config.json; when it is
# absent the engine runs with its defaults.
config_path = "/config.json"
engine_options = File.exist?(config_path) ? JSON.parse(File.read(config_path)) : {}

# EngineConfiguration translates the Code Climate options into Brakeman options.
Brakeman.run Brakeman::Codeclimate::EngineConfiguration.new(engine_options).options


================================================
FILE: brakeman-lib.gemspec
================================================
require './lib/brakeman/version'
require './gem_common'

# brakeman-lib: the same code as the brakeman gem, but with dependencies
# declared as ordinary gem dependencies instead of being vendored.
Gem::Specification.new do |s|
  s.name        = 'brakeman-lib'
  s.version     = Brakeman::Version
  s.authors     = ['Justin Collins']
  s.email       = 'gem@brakeman.org'
  s.summary     = 'Security vulnerability scanner for Ruby on Rails.'
  s.description = 'Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis. This package declares gem dependencies instead of bundling them.'
  s.homepage    = 'http://brakemanscanner.org'
  s.license     = 'Brakeman Public Use License'
  s.required_ruby_version = '>= 3.2.0'

  # Packaged files: the executable, top-level docs, and everything under lib/.
  s.files       = %w[bin/brakeman CHANGES.md FEATURES README.md] + Dir['lib/**/*']
  s.executables = %w[brakeman]

  s.metadata = {
    'bug_tracker_uri'   => 'https://github.com/presidentbeef/brakeman/issues',
    'changelog_uri'     => 'https://github.com/presidentbeef/brakeman/releases',
    'documentation_uri' => 'https://brakemanscanner.org/docs/',
    'homepage_uri'      => 'https://brakemanscanner.org/',
    'mailing_list_uri'  => 'https://gitter.im/presidentbeef/brakeman',
    'source_code_uri'   => 'https://github.com/presidentbeef/brakeman',
    'wiki_uri'          => 'https://github.com/presidentbeef/brakeman/wiki'
  }

  # Dependency groups are defined in gem_common.rb and shared by the gemspecs;
  # the order (dev, base, extended) matches the other specs.
  %i[dev_dependencies base_dependencies extended_dependencies].each do |group|
    Brakeman::GemDependencies.public_send(group, s)
  end
end


================================================
FILE: brakeman-min.gemspec
================================================
require './lib/brakeman/version'
require './gem_common'

# brakeman-min: the brakeman gem with only the minimum set of dependencies
# declared (no extended dependencies).
Gem::Specification.new do |s|
  s.name        = 'brakeman-min'
  s.version     = Brakeman::Version
  s.authors     = ['Justin Collins']
  s.email       = 'gem@brakeman.org'
  s.summary     = 'Security vulnerability scanner for Ruby on Rails.'
  s.description = "Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis. This version of the gem only requires the minimum number of dependencies. Use the 'brakeman' gem for a full install."
  s.homepage    = 'http://brakemanscanner.org'
  s.license     = 'Brakeman Public Use License'
  s.required_ruby_version = '>= 3.2.0'

  # Packaged files: the executable, top-level docs, and everything under lib/.
  s.files       = %w[bin/brakeman CHANGES.md FEATURES README.md] + Dir['lib/**/*']
  s.executables = %w[brakeman]

  s.metadata = {
    'bug_tracker_uri'   => 'https://github.com/presidentbeef/brakeman/issues',
    'changelog_uri'     => 'https://github.com/presidentbeef/brakeman/releases',
    'documentation_uri' => 'https://brakemanscanner.org/docs/',
    'homepage_uri'      => 'https://brakemanscanner.org/',
    'mailing_list_uri'  => 'https://gitter.im/presidentbeef/brakeman',
    'source_code_uri'   => 'https://github.com/presidentbeef/brakeman',
    'wiki_uri'          => 'https://github.com/presidentbeef/brakeman/wiki'
  }

  # Only the dev and base dependency groups from gem_common.rb; the extended
  # group is deliberately left out of this spec.
  %i[dev_dependencies base_dependencies].each do |group|
    Brakeman::GemDependencies.public_send(group, s)
  end
end


================================================
FILE: brakeman-public_cert.pem
================================================
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----


================================================
FILE: brakeman.gemspec
================================================
require './lib/brakeman/version'
require './gem_common'

# Main brakeman gem. When build.rb has produced bundle/load.rb the gem ships
# its dependencies vendored under bundle/; otherwise they are declared as
# ordinary gem dependencies.
Gem::Specification.new do |s|
  s.name        = 'brakeman'
  s.version     = Brakeman::Version
  s.authors     = ['Justin Collins']
  s.email       = 'gem@brakeman.org'
  s.summary     = 'Security vulnerability scanner for Ruby on Rails.'
  s.description = 'Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.'
  s.homepage    = 'https://brakemanscanner.org'
  s.license     = 'Brakeman Public Use License'
  s.required_ruby_version = '>= 3.2.0'

  # Packaged files: the executable, top-level docs, and everything under lib/.
  s.files       = %w[bin/brakeman CHANGES.md FEATURES README.md] + Dir['lib/**/*']
  s.executables = %w[brakeman]

  s.metadata = {
    'bug_tracker_uri'   => 'https://github.com/presidentbeef/brakeman/issues',
    'changelog_uri'     => 'https://github.com/presidentbeef/brakeman/releases',
    'documentation_uri' => 'https://brakemanscanner.org/docs/',
    'homepage_uri'      => 'https://brakemanscanner.org/',
    'source_code_uri'   => 'https://github.com/presidentbeef/brakeman',
    'wiki_uri'          => 'https://github.com/presidentbeef/brakeman/wiki'
  }

  vendored = File.exist? 'bundle/load.rb'

  if vendored
    # Pull in vendored dependencies
    s.files << 'bundle/load.rb'

    # Non-runtime files inside each vendored gem (tests, docs, executables...)
    non_runtime = %r{^bundle/ruby/\d\.\d\.\d/gems/[^\/]+/(Rakefile|benchmark|bin|doc|example|man|site|spec|test)}
    # Gems that are not vendored at all (built-in and/or native-code gems)
    not_vendored = %r{/gems/(io-console|prism|racc|strscan)/}

    s.files += Dir['bundle/ruby/*/gems/**/*'].reject do |path|
      path =~ non_runtime || path =~ not_vendored
    end

    # racc is not only a built-in gem, but also has native code which we cannot
    # bundle with Brakeman, so leaving it as a regular dependency
    s.add_dependency 'racc'
  else
    # BM_PACKAGE is set by build.rb; a packaging build omits the dev group.
    Brakeman::GemDependencies.dev_dependencies(s) unless ENV['BM_PACKAGE']
    Brakeman::GemDependencies.base_dependencies(s)
    Brakeman::GemDependencies.extended_dependencies(s)
  end
end


================================================
FILE: build.rb
================================================
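#!/usr/bin/env ruby
# Packages Brakeman as a self-contained gem: installs the bundle in standalone
# mode, writes bundle/load.rb (which puts each vendored gem's lib/ on the load
# path), and builds brakeman.gemspec with BM_PACKAGE set so the gemspec picks
# up the vendored files instead of declaring gem dependencies.
require 'fileutils'

# Gems that are not vendored. Per the note in brakeman.gemspec, racc is a
# built-in gem with native code; the others are presumably excluded for
# similar reasons -- verify against the gemspec's exclusion regex.
bundle_exclude = %w[io-console prism racc strscan thor]

# True when +dir+ (a vendored lib/ path) belongs to an excluded gem.
# The check is against whole path segments ("racc" or "racc-1.7.3"), not a
# substring anywhere in the path, so an unrelated gem whose name merely
# contains an excluded name (e.g. "author..." for "thor") is not silently
# dropped from the package.
excluded_gem_dir = lambda do |dir|
  dir.split('/').any? do |segment|
    bundle_exclude.any? do |gem_name|
      segment =~ /\A#{Regexp.escape(gem_name)}(-\d|\z)/
    end
  end
end

puts 'Packaging Brakeman gem...'

# Start from a clean tree; the install is skipped if the cleanup fails.
system 'rm -rf bundle Gemfile.lock brakeman-*.gem' and
  system 'BM_PACKAGE=true bundle install --standalone'

abort "No bundle installed" unless Dir.exist? 'bundle'

# The standalone bundler shim is replaced by the load.rb written below.
File.delete "bundle/bundler/setup.rb"
Dir.delete "bundle/bundler"

File.open "bundle/load.rb", "w" do |f|
  # load.rb lives in bundle/, so '../..' resolves to the gem's root.
  f.puts "path = File.expand_path('../..', __FILE__)"

  Dir["bundle/ruby/**/lib"].each do |dir|
    if excluded_gem_dir.call(dir)
      # Remove the whole gem directory, not just its lib/.
      FileUtils.rm_rf(File.expand_path('..', dir))
    else
      f.puts %Q[$:.unshift "\#{path}/#{dir}"]
    end
  end
end

# Fail the packaging run (non-zero exit) when the gem cannot be built, instead
# of exiting successfully with no gem file produced.
system "BM_PACKAGE=true gem build brakeman.gemspec" or abort "gem build failed"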


================================================
FILE: docs/warning_types/CVE-2010-3933/index.markdown
================================================
Rails 2.3.9 and 3.0.0 are vulnerable to an attack on nested attributes wherein a malicious user could alter data in any record in the system.

It is recommended to upgrade to at least 2.3.10 or 3.0.1.

For more details see [CVE-2010-3933](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f9f913d328dafe0c).


================================================
FILE: docs/warning_types/CVE-2011-0446/index.markdown
================================================
Certain versions of Rails were vulnerable to a cross-site scripting vulnerability in the mail\_to helper.

Versions of Rails after 2.3.10 or 3.0.3 are not affected. Updating or removing the mail\_to links is advised.

For more details see [CVE-2011-0446](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81).


================================================
FILE: docs/warning_types/CVE-2011-3186/index.markdown
================================================
Response splitting is a simple attack that can be used as part of a larger exploit chain. A malicious user sends data that causes the HTTP response header to include unintended newline characters which are interpreted as the end of the header. The attacker may then forge their own response body and an entirely false HTTP response, essentially hijacking the entire page load.

Versions of Rails 2 previous to 2.3.13 were vulnerable to this type of attack. The Rails 3 branch is not affected.

For more details see [CVE-2011-3186](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768).


================================================
FILE: docs/warning_types/attribute_restriction/index.markdown
================================================
This warning comes up if a model does not limit what attributes can be set through mass assignment.

In particular, this check looks for `attr_accessible` inside model definitions. If it is not found, this warning will be issued.

Brakeman also warns on use of `attr_protected` - especially since it was found to be [vulnerable to bypass](https://groups.google.com/d/topic/rubyonrails-security/AFBKNY7VSH8/discussion). Warnings for mass assignment on models using `attr_protected` will be reported, but at a lower confidence level.

Note that disabling mass assignment globally will suppress these warnings.


================================================
FILE: docs/warning_types/authentication/index.markdown
================================================
"Authentication" is the act of verifying that a user or client is who they say they are.

Right now, the only Brakeman warning in the authentication category is regarding hardcoded passwords.
Brakeman will warn about constants with literal string values that appear to be passwords.

Hardcoded passwords are security issues since they imply a single password and that password is stored in the source code.
Typically source code is available to a wide number of people inside an organization, and there have been many instances of source
code leaking to the public. Passwords and secrets should be stored in a separate, secure location to limit access.

Additionally, it is recommended not to use a single password for accessing sensitive information.
Each user should have their own password to make it easier to audit and revoke access.


================================================
FILE: docs/warning_types/authentication_whitelist/index.markdown
================================================
When skipping `before_filter`s with security implications, a "whitelist" approach using `only` should be used instead of `except`. This ensures actions are protected by default, and unprotected only by exception.


================================================
FILE: docs/warning_types/basic_auth/index.markdown
================================================
In Rails 3.1, a new feature was added to simplify basic authentication.

The example provided in the official [Rails Guide](http://guides.rubyonrails.org/getting_started.html) looks like this:

    class PostsController < ApplicationController

      http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index

      #...

    end

This warning will be raised if `http_basic_authenticate_with` is used and the password is found to be a string (i.e., stored somewhere in the code).


================================================
FILE: docs/warning_types/command_injection/index.markdown
================================================
Injection is #1 on the 2010 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A1) web security risks. Command injection occurs when shell commands unsafely include user-manipulatable values.

There are many ways to run commands in Ruby:

    `ls #{params[:file]}`

    system("ls #{params[:dir]}")

    exec("md5sum #{params[:input]}")

Brakeman will warn on any method like these that uses user input or unsafely interpolates variables.

You can use [`shellescape`](https://apidock.com/ruby/Shellwords/shellescape) to render a variable safe:

    `ls #{params[:file].shellescape}`

See [the Ruby Security Guide](http://guides.rubyonrails.org/security.html#command-line-injection) for details.


================================================
FILE: docs/warning_types/content_tag/index.markdown
================================================
Cross-site scripting (or XSS) is #2 on the 2010 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A2) web security risks and it pops up nearly everywhere. XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

[content\_tag](http://apidock.com/rails/ActionView/Helpers/TagHelper/content_tag) is a view helper which generates an HTML tag with some content:

    >> content_tag :p, "Hi!"
    => "<p>Hi!</p>"

In Rails 2, this content is unescaped (although attribute values are escaped):

    >> content_tag :p, "<script>alert(1)</script>"
    => "<p><script>alert(1)</script></p>"

In Rails 3, the content is escaped. However, only the *content* and the tag attribute *values* are escaped. The tag and attribute names are never escaped in Rails 2 or 3.

This is more dangerous than a typical method call because `content_tag` marks its output as "HTML safe", meaning the `rails_xss` plugin and Rails 3 auto-escaping will not escape its output. Due to this, `content_tag` should be used carefully if user input is provided as an argument.

Note that while `content_tag` does have an `escape` parameter, this only applies to tag attribute *values* and is true by default.


================================================
FILE: docs/warning_types/cross-site_request_forgery/index.markdown
================================================
Cross-site request forgery is #5 on the [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A5). CSRF allows an attacker to perform actions on a website as if they are an authenticated user.

This warning is raised when no call to `protect_from_forgery` is found in `ApplicationController`. This method prevents CSRF.

For Rails 4 applications, it is recommended that you use `protect_from_forgery :with => :exception`. This code is inserted into newly generated applications. The default is to `nil` out the session object, which has been a source of many CSRF bypasses due to session memoization.

See [the Ruby Security Guide](http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf) for details.


================================================
FILE: docs/warning_types/cross_site_scripting/index.markdown
================================================
Cross-site scripting (or XSS) is #3 on the 2013 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS\)) web security risks and it pops up nearly everywhere.

XSS occurs when a user-controlled value is displayed on a web page without properly escaping it, allowing someone to inject Javascript or HTML into the page which will be interpreted and executed by the browser.

In Rails 2.x, values need to be explicitly escaped (e.g., by using the `h` method). Since Rails 3.x, auto-escaping in views is enabled by default. However, one can still use the `raw` or `html_safe` methods to output a value directly.

See [the Ruby Security Guide](http://guides.rubyonrails.org/security.html#cross-site-scripting-xss) for more details.

### Query Parameters and Cookies

ERB example:

    <%= params[:query].html_safe %>

Brakeman looks for several situations that can allow XSS. The simplest is like the example above: a value from the `params` or `cookies` is being directly output to a view. In such cases, it will issue a warning like:

    Unescaped parameter value near line 3: params[:query]

By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.

For example:

    <%= raw some_method(cookies[:name]) %>

This raises a warning like:

    Unescaped cookie value near line 5: some_method(cookies[:name])

However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.

Some methods are known to Brakeman to either be dangerous (`link_to` is one) or safe (`escape_once`). Users can specify safe methods using the `--safe-methods` option. Alternatively, Brakeman can be set to _only_ warn when values are used directly with the `--report-direct` option.

### Model Attributes

Because (many) models come from database values, Brakeman mistrusts them by default.

For example, if `@user` is an instance of a model set in an action like

    def set_user
      @user = User.first
    end

and there is a view with

    <%= @user.name.html_safe %>

Brakeman will raise a warning like

    Unescaped model attribute near line 3: User.first.name

If you trust all your data (although you probably shouldn't), this can be disabled with `--ignore-model-output`.


================================================
FILE: docs/warning_types/cross_site_scripting_to_json/index.markdown
================================================
Cross-site scripting (or XSS) is #2 on the 2010 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A2) web security risks and it pops up nearly everywhere.

XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.  Calls to `Hash#to_json` can be used to trigger XSS.  Brakeman will check to see if there are any calls to `Hash#to_json` with `ActiveSupport#escape_html_entities_in_json` set to false (or if you are running Rails < 2.1.0 which did not have this functionality).

`ActiveSupport#escape_html_entities_in_json` was introduced in the "new\_rails\_defaults" initializer in Rails 2.1.0 which is set to `false` by default.  In Rails 3.0.0, `true` became the default setting.  Setting this value to `true` will automatically escape '<', '>', '&' which are commonly used to break out of code generated by a to\_json call.

See [ActiveSupport#escape\_html\_entities\_in\_json](http://rubydoc.info/docs/rails/ActiveSupport/JSON/Encoding.escape_html_entities_in_json=) for more details.

### Exploiting to\_json

Consider the following snippet of Rails 2.x ERB:

    # controller
    @attrs = {:email => 'some@email.com</script><script>alert(document.domain)//'}

    <!-- view -->
    <script>
      var attributes = <%= @attrs.to_json %>
    </script>

Which generates the following html:

    <script>
      var attributes = {"email":"some@email.com</script><script>alert(document.domain)//"}
    </script>

While the generated Javascript appears valid, the browser parses the script tags first, so it sees something like this:

    <script>
      var attributes = {"email":"some@email.com
    </script>
    <script>
      alert(document.domain)//"}
    </script>

The attribute assignment causes a Javascript error, but the alert triggers just fine!

With `escape_html_entities_in_json = true`, you will receive the following innocuous output:

    <script>
      var attributes = {"email":"some@email.com\u003C/script\u003E\u003Cscript\u003Ealert(document.domain)//"}
    </script>


================================================
FILE: docs/warning_types/dangerous_eval/index.markdown
================================================
User input in an `eval` statement is VERY dangerous, so this will always raise a warning. Brakeman looks for calls to `eval`, `instance_eval`, `class_eval`, and `module_eval`.


================================================
FILE: docs/warning_types/dangerous_send/index.markdown
================================================
Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous.

It is much safer to whitelist the desired target or method.

Unsafe use of method:

    method = params[:method]
    @result = User.send(method.to_sym)

Safe:

    method = params[:method] == 1 ? :method_a : :method_b
    @result = User.send(method, *args)

Unsafe use of target:

    table = params[:table]
    model = table.classify.constantize
    @result = model.send(:method)

Safe:

    target = params[:target] == 1 ? Account : User
    @result = target.send(:method, *args)

Including user data in the arguments passed to an Object#send is safe, as long as the method can properly handle potentially bad data.

Safe:
  
    args = params["args"] || []
    @result = User.send(:method, *args)


================================================
FILE: docs/warning_types/default_routes/index.markdown
================================================
The general default routes warning means there is a call to

    #Rails 2.x
    map.connect ":controller/:action/:id"

or

    #Rails 3.x
    match ':controller(/:action(/:id(.:format)))'

in `config/routes.rb`. This allows any public method on any controller to be called as an action.

If this warning is reported for a particular controller, it means there is a route to that controller containing `:action`.

Default routes can be dangerous if methods are made public which are not intended to be used as URLs or actions.


================================================
FILE: docs/warning_types/denial_of_service/index.markdown
================================================
Denial of Service (DoS) is any attack which causes a service to become unavailable for legitimate clients.

For issues that Brakeman detects, this typically arises in the form of memory leaks.

### Symbol DoS

Since Symbols are not garbage collected in Ruby versions prior to 2.2.0, creation of large numbers of Symbols could lead to a server running out of memory.

Brakeman checks for instances of user input which is converted to a Symbol. When this is not restricted, an attacker could create an unlimited number of Symbols.

The best approach is to simply never convert user-controlled input to a Symbol. If this cannot be avoided, use a whitelist of acceptable values.

For example:

    valid_values = ["valid", "values", "here"]

    if valid_values.include? params[:value]
      symbolized = params[:value].to_sym
    end


### Regex DoS

Regular expressions can be used for DoS if the pattern and input requires exponential time to process.

Brakeman will warn about dynamic regular expressions which may be controlled by an attacker. The attacker can create an "[evil regex](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)" and then supply input which causes the server to use a large amount of resources.

It is recommended to avoid interpolating user input into regular expressions.


================================================
FILE: docs/warning_types/dynamic_render_path/index.markdown
================================================
When a call to `render` uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.


================================================
FILE: docs/warning_types/file_access/index.markdown
================================================
Using user input when accessing files (local or remote) will raise a warning in Brakeman.

For example

    File.open("/tmp/#{cookies[:file]}")

will raise a warning like

    Cookie value used in file name near line 4: File.open("/tmp/#{cookies[:file]}")

This type of vulnerability can be used to access arbitrary files on a server (including `/etc/passwd`).

If you are using `ActiveStorage`, use [sanitized](https://api.rubyonrails.org/classes/ActiveStorage/Filename.html#method-i-sanitized) URLs:

    ActiveStorage::Filename.new("foo/bar.jpg").sanitized # => "foo-bar.jpg"

Note: It replaces `/` with `-`.


================================================
FILE: docs/warning_types/format_validation/index.markdown
================================================
Calls to `validates_format_of ..., :with => //` which do not use `\A` and `\z` as anchors will cause this warning. Using `^` and `$` is not sufficient, as they will only match up to a new line. This allows an attacker to put whatever malicious input they would like before or after a new line character.

See [the Ruby Security Guide](http://guides.rubyonrails.org/security.html#regular-expressions) for details.


================================================
FILE: docs/warning_types/information_disclosure/index.markdown
================================================
Also known as [information leakage](https://www.owasp.org/index.php/Information_Leakage) or [information exposure](http://cwe.mitre.org/data/definitions/200.html), this vulnerability refers to system or internal information (such as debugging output, stack traces, error messages, etc.) which is displayed to an end user.

For example, Rails provides detailed exception reports by default in the development environment, but it is turned off by default in production:

    # Full error reports are disabled
    config.consider_all_requests_local = false

Brakeman warns if this setting is `true` in production or there is a `show_detailed_exceptions?` method in a controller which does not return `false`.


================================================
FILE: docs/warning_types/link_to/index.markdown
================================================
In the 2.x versions of Rails, `link_to` would not escape the body of the HREF.

For example, this will popup an alert box:

    link_to "<script>alert(1)</script>", "http://google.com"

Brakeman warns on cases where the first parameter contains user input.


================================================
FILE: docs/warning_types/link_to_href/index.markdown
================================================
Even though Rails will escape the link provided to `link_to`, values starting with `javascript:` or `data:` are unescaped and dangerous.

Brakeman will warn if user values are used to provide the HREF value in `link_to` or if they are interpolated at the beginning of a string.

The `--url-safe-methods` option can be used to specify methods which make URLs safe.

See [here](https://github.com/presidentbeef/brakeman/pull/45) for more details.


================================================
FILE: docs/warning_types/mass_assignment/index.markdown
================================================
Mass assignment is a feature of Rails which allows an application to create a record from the values of a hash.

Example:

    User.new(params[:user])

Unfortunately, if there is a user field called `admin` which controls administrator access, now any user can make themselves an administrator.

`attr_accessible` and `attr_protected` can be used to limit mass assignment. However, Brakeman will warn unless `attr_accessible` is used, or mass assignment is completely disabled. 

There are two different mass assignment warnings which can arise. The first is when mass assignment actually occurs, such as the example above. This results in a warning like

    Unprotected mass assignment near line 61: User.new(params[:user])

The other warning is raised whenever a model is found which does not use `attr_accessible`. This produces generic warnings like

    Mass assignment is not restricted using attr_accessible

with a list of affected models.

In Rails 3.1 and newer, mass assignment can easily be disabled:

    config.active_record.whitelist_attributes = true

Unfortunately, it can also easily be bypassed:

    User.new(params[:user], :without_protection => true)

Brakeman will warn on uses of `without_protection`.


================================================
FILE: docs/warning_types/redirect/index.markdown
================================================
Unvalidated redirects and forwards are #10 on the [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A10).

Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.

Brakeman will raise warnings whenever `redirect_to` appears to be used with a user-supplied value that may allow them to change the `:host` option.

For example,

    redirect_to params.merge(:action => :home)

will create a warning like

    Possible unprotected redirect near line 46: redirect_to(params)

This is because `params` could contain `:host => 'evilsite.com'` which would redirect away from your site and to a malicious site.

If the first argument to `redirect_to` is a hash, then adding `:only_path => true` will limit the redirect to the current host. Another option is to specify the host explicitly.

    redirect_to params.merge(:only_path => true)

    redirect_to params.merge(:host => 'myhost.com')

If the first argument is a string, then it is possible to parse the string and extract the path:

    redirect_to URI.parse(some_url).path 

If the URL does not contain a protocol (e.g., `http://`), then you will probably get unexpected results, as `redirect_to` will prepend the current host name and a protocol.


================================================
FILE: docs/warning_types/remote_code_execution/index.markdown
================================================
Brakeman reports on several cases of remote code execution, in which a user is able to control and execute code in ways unintended by application authors.

The obvious form of this is the use of `eval` with user input.

However, Brakeman also reports on dangerous uses of `send`, `constantize`, and other methods which allow creation of arbitrary objects or calling of arbitrary methods.



================================================
FILE: docs/warning_types/remote_code_execution_yaml_load/index.markdown
================================================
As seen in [CVE-2013-0156](https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion), calling `YAML.load` with user input can lead to remote execution of arbitrary code. (To see a real point-and-fire exploit, see the [Metasploit payload](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb)). While upgrading Rails, disabling XML parsing, or disabling YAML types in XML request parsing will fix the Rails vulnerability, manually passing user input to `YAML.load` remains unsafe.

For example:

    #Do not do this!
    YAML.load(params[:file])


================================================
FILE: docs/warning_types/session_manipulation/index.markdown
================================================
Session manipulation can occur when an application allows user-input in session keys.
Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens),
allowing an attacker to manipulate the session may lead to unintended behavior.

For example:

    user_id = session[params[:name]]
    current_user = User.find(user_id)

In this scenario, the attacker can point the `name` parameter to some other session value (for example, `_csrf_token`) that will be interpreted
as a user ID. If the ID matches an existing account, the attacker will now have access to that account.

To prevent this type of session manipulation, avoid using user-supplied input as session keys.


================================================
FILE: docs/warning_types/session_setting/index.markdown
================================================
Brakeman warns about several different session-related issues.

### HTTP Only

It is recommended that session cookies be set to `http-only`. This helps prevent stealing of cookies via cross-site scripting.

### Secret Length

Brakeman will warn if the key length for the session cookies is less than 30 characters.

### Session Secret in Version Control

Brakeman will warn if `config/initializers/secret_token.rb` is included in version control. It is recommended to exclude `secret_token.rb` from version control and include it in `.gitignore`.


================================================
FILE: docs/warning_types/sql_injection/index.markdown
================================================
Injection is #1 on the 2013 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2013-A1-Injection) web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

A basic (Rails 2.x) example looks like this:

    User.first(:conditions => "username = '#{params[:username]}'")

Brakeman would produce a warning like this:

    Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'")) 

The safe way to do this query is to use a parameterized query:

    User.first(:conditions => ["username = ?", params[:username]])

Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

    username = params[:user][:name].downcase
    password = params[:user][:password]

    User.first.where("username = '" + username + "' AND password = '" + password + "'")

This results in this kind of warning:

    Possible SQL injection near line 37:
    User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

See [the Ruby Security Guide](http://guides.rubyonrails.org/security.html#sql-injection) for more information and [Rails-SQLi.org](http://rails-sqli.org) for many examples of SQL injection in Rails.


================================================
FILE: docs/warning_types/ssl_verification_bypass/index.markdown
================================================
Simply using SSL isn't enough to ensure the data you are sending is secure. Man in the middle (MITM) attacks are well known and widely used. In some cases, these attacks rely on the client to establish a connection that doesn't check the validity of the SSL certificate presented by the server. In this case, the attacker can present their own certificate and act as a man in the middle.

In Ruby, this happens when the OpenSSL verification mode is set to `VERIFY_NONE`:

    require "net/https"
    require "uri"

    uri = URI.parse("https://ssl-site.com/")
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE

    request = Net::HTTP::Get.new(uri.request_uri)

    response = http.request(request)

In this case, if an invalid certificate was presented, no verification would occur, providing an opportunity for attack. When successful, the data transmitted (cookies, request parameters, POST bodies, etc.) would all be able to be intercepted by the MITM.

Brakeman would produce a warning like this:

    SSL certificate verification was bypassed near line 24: http.verify_mode = OpenSSL::SSL::VERIFY_NONE

To ensure that SSL verification happens use the following mode:

    http.verify_mode = OpenSSL::SSL::VERIFY_PEER

If the server certificate is invalid, or `ca_file` is not set on the SSL context when verifying peers, an `OpenSSL::SSL::SSLError` will be raised.

For more information on the impact of this issue, see the paper [The Most Dangerous Code in the World](https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf).


================================================
FILE: docs/warning_types/template_injection/index.markdown
================================================
User input passed into Ruby templates that are evaluated is VERY dangerous, so this will always raise a warning. Brakeman looks for calls of the form:

```ruby
  ERB.new(user_input).result
```


================================================
FILE: docs/warning_types/unsafe_deserialization/index.markdown
================================================
Objects in Ruby may be serialized to strings. The main method for doing so is the built-in `Marshal` class. The `YAML`, `JSON`, and `CSV` libraries also have methods for dumping Ruby objects into strings, and then creating objects from those strings.

Deserialization of arbitrary objects can lead to [remote code execution](/docs/warning_types/remote_code_execution), as was demonstrated with [CVE-2013-0156](https://groups.google.com/d/msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ). 

Brakeman warns when loading user input with `Marshal`, `YAML`, or `CSV`. `JSON` is covered by the checks for [CVE-2013-0333](https://groups.google.com/d/msg/rubyonrails-security/1h2DR63ViGo/GOUVafeaF1IJ).


================================================
FILE: docs/warning_types/unscoped_find/index.markdown
================================================
Unscoped `find` (and related methods) are a form of [Direct Object Reference](https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References). Models which belong to another model should typically be accessed via a scoped query.

For example, if an `Account` belongs to a `User`, then this may be an unsafe unscoped find:

    Account.find(params[:id])

Depending on the action, this could allow an attacker to access any account they wish.

Instead, it should be scoped to the currently logged-in user:

    current_user = User.find(session[:user_id])
    current_user.accounts.find(params[:id])


================================================
FILE: gem_common.rb
================================================
module Brakeman
  # Dependency declarations shared by the brakeman, brakeman-lib and
  # brakeman-min gemspecs. Each helper takes a Gem::Specification-like
  # object and registers its dependencies on it, in declaration order.
  module GemDependencies
    # Gems needed only for running the test suite.
    def self.dev_dependencies spec
      dev_gems = [
        ["minitest", ">= 6.0"],
        ["minitest-ci"],
        ["minitest-mock"],
        ["simplecov"],
      ]

      # `.last` keeps the return value of the final registration call.
      dev_gems.map { |gem_args| spec.add_development_dependency(*gem_args) }.last
    end

    # Runtime gems required by every flavor of the Brakeman gem.
    def self.base_dependencies spec
      base_gems = [
        ["parallel", "~>1.20"],
        ["ruby_parser", "~>3.22.0"],
        ["sexp_processor", "~> 4.7"],
        ["ruby2ruby", "~>2.5.1"],
        ["racc"],
      ]

      base_gems.map { |gem_args| spec.add_dependency(*gem_args) }.last
    end

    # Additional runtime gems (template engines, report output, etc.)
    # included by the full gem but not by brakeman-min.
    def self.extended_dependencies spec
      extra_gems = [
        ["csv"],
        ["terminal-table", "< 5.0"],
        ["highline", "~>3.0"],
        ["erubi", "~>1.13"],
        ["haml", "< 7.0"],
        ["slim", ">=1.3.6", "< 5.3"],
        ["rexml", "~>3.0"],
        ["reline", "~>0.6"],
        ["prism", "~>1.0"],
      ]

      extra_gems.map { |gem_args| spec.add_dependency(*gem_args) }.last
    end
  end
end


================================================
FILE: lib/brakeman/app_tree.rb
================================================
require 'pathname'
require 'brakeman/file_path'

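module Brakeman
  # Models the directory layout of the application under scan. Holds the
  # project root plus the path filters built from the command-line options
  # (--skip-files, --only-files, engine paths, additional lib paths,
  # --skip-vendor, --follow-symlinks) and enumerates the Ruby and view files
  # the rest of Brakeman should process.
  class AppTree
    # Comma-separated list of view template extensions, ready to be spliced
    # into a "*.{...}" glob.
    VIEW_EXTENSIONS = %w[html.erb html.haml rhtml js.erb html.slim].join(",")

    # Absolute path of the application root directory.
    attr_reader :root

    # Build an AppTree from the Brakeman options hash.
    #
    # Reads :app_path (expanded to an absolute path), :skip_files and
    # :only_files (lists of paths, converted to a Regexp via
    # regex_for_paths), :additional_libs_path, :engine_paths, :skip_vendor
    # and :follow_symlinks.
    def self.from_options(options)
      root = File.expand_path options[:app_path]

      # Convert files into Regexp for matching
      init_options = {}
      if options[:skip_files]
        init_options[:skip_files] = regex_for_paths(options[:skip_files])
      end

      if options[:only_files]
        init_options[:only_files] = regex_for_paths(options[:only_files])
      end
      init_options[:additional_libs_path] = options[:additional_libs_path]
      init_options[:engine_paths] = options[:engine_paths]
      init_options[:skip_vendor] = options[:skip_vendor]
      init_options[:follow_symlinks] = options[:follow_symlinks]

      new(root, init_options)
    end

    # Accepts an array of filenames and paths with the following format and
    # returns a Regexp to match them:
    #   * "path1/file1.rb" - Matches a specific filename in the project directory.
    #   * "path1/" - Matches any path that contains "path1" in the project directory.
    #   * "/path1/" - Matches any path that is rooted at "path1" in the project directory.
    #
    # Every entry is passed through Regexp.escape, so entries are literal
    # paths rather than patterns. The result is matched against the
    # project-relative form produced by #match_path (leading separator,
    # trailing separator for directories).
    #
    # TODO: This is wacky and I don't like it.
    def self.regex_for_paths(paths)
      path_regexes = paths.map do |f|
        # If path ends in a file separator then we assume it is a path rather
        # than a filename.
        if f.end_with?(File::SEPARATOR)
          # If path starts with a file separator then we assume that they
          # want the project relative path to start with this path prefix.
          if f.start_with?(File::SEPARATOR)
            "\\A#{Regexp.escape f}"
          # If it ends in a file separator, but does not begin with a file
          # separator then we assume the path can match any path component in
          # the project.
          else
            Regexp.escape f
          end
        else
          "#{Regexp.escape f}\\z"
        end
      end
      Regexp.new("(?:#{path_regexes.join("|")})")
    end
    private_class_method(:regex_for_paths)

    # root - absolute path of the application.
    # init_options - hash with the keys set by from_options (:skip_files and
    # :only_files are already Regexps here, or nil).
    #
    # Engine paths are split into absolute ones (leading separator) and
    # ones relative to the project root; search_pattern treats them
    # differently.
    def initialize(root, init_options = {})
      @root = root
      @project_root_path = Pathname.new(@root)
      @skip_files = init_options[:skip_files]
      @only_files = init_options[:only_files]
      @additional_libs_path = init_options[:additional_libs_path] || []
      @engine_paths = init_options[:engine_paths] || []
      @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
      @relative_engine_paths = @engine_paths - @absolute_engine_paths
      @skip_vendor = init_options[:skip_vendor]
      @follow_symlinks = init_options[:follow_symlinks]
      @gemspec = nil
      @root_search_pattern = nil
    end

    # Create a new Brakeman::FilePath
    def file_path(path)
      Brakeman::FilePath.from_app_tree(self, path)
    end

    # Should only be used by Brakeman::FilePath.
    # Use AppTree#file_path(path).absolute instead.
    def expand_path(path)
      File.expand_path(path, @root)
    end

    # Should only be used by Brakeman::FilePath
    # Use AppTree#file_path(path).relative instead.
    #
    # Absolute paths are rewritten relative to the project root; nil, empty
    # and already-relative paths are returned unchanged.
    def relative_path(path)
      pname = Pathname.new path
      if path and not path.empty? and pname.absolute?
        pname.relative_path_from(Pathname.new(self.root)).to_s
      else
        path
      end
    end

    # True if the given path exists. A Brakeman::FilePath answers for
    # itself; a plain string is interpreted relative to the project root.
    def exists?(path)
      if path.is_a? Brakeman::FilePath
        path.exists?
      else
        File.exist?(File.join(@root, path))
      end
    end

    # All Ruby files under the project (not memoized).
    def ruby_file_paths
      find_paths(".").uniq
    end

    # Ruby files under config/initializers, concerns first.
    def initializer_paths
      @initializer_paths ||= prioritize_concerns(find_paths("config/initializers"))
    end

    # Ruby files under any app/**/controllers directory, concerns first.
    def controller_paths
      @controller_paths ||= prioritize_concerns(find_paths("app/**/controllers"))
    end

    # Ruby files under any app/**/models directory, concerns first.
    def model_paths
      @model_paths ||= prioritize_concerns(find_paths("app/**/models"))
    end

    # View templates: files with a known two-part extension (VIEW_EXTENSIONS)
    # plus bare *.erb/*.haml/*.slim files whose name has only one extension.
    def template_paths
      @template_paths ||= find_paths(".", "*.{#{VIEW_EXTENSIONS}}") +
        find_paths(".", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
    end

    # True if a layout named +name+ exists with an erb, haml or slim extension.
    def layout_exists?(name)
      !Dir.glob("#{root_search_pattern}app/views/layouts/#{name}.html.{erb,haml,slim}").empty?
    end

    # Ruby files under lib/ (excluding generators, tasks and templates),
    # plus additional lib paths, helpers and jobs. Cached in @lib_files.
    def lib_paths
      @lib_files ||= find_paths("lib").reject { |path| path.relative.include? "/generators/" or path.relative.include? "lib/tasks/" or path.relative.include? "lib/templates/" } +
                     find_additional_lib_paths +
                     find_helper_paths +
                     find_job_paths
    end

    # The project's single *.gemspec as a Brakeman::FilePath, or false when
    # there is none or more than one. Cached (false is a valid cached value).
    def gemspec
      return @gemspec unless @gemspec.nil?

      gemspecs =  Dir.glob(File.join(@root, "*.gemspec"))

      if gemspecs.length > 1 or gemspecs.empty?
        @gemspec = false
      else
        @gemspec = file_path(File.basename(gemspecs.first))
      end
    end


    # Call this to be able to marshall the AppTree.
    #
    # Path lists come from lazy enumerators (see glob_files), which cannot be
    # dumped with Marshal, so each cache is materialized into an Array.
    # Note that a cache that was never populated becomes [] here, and since
    # [] is truthy the `||=` memoization will not recompute it afterwards.
    def marshallable
      @initializer_paths = @initializer_paths.to_a
      @controller_paths = @controller_paths.to_a
      @template_paths = @template_paths.to_a
      # The lib cache lives in @lib_files (see lib_paths); a previous version
      # read a nonexistent @file_paths here, which silently emptied it.
      @lib_files = @lib_files.to_a

      self
    end

  private

    def find_helper_paths
      find_paths "app/helpers"
    end

    def find_job_paths
      find_paths "app/jobs"
    end

    # Ruby files under every --add-libs-path directory, flattened.
    def find_additional_lib_paths
      @additional_libs_path.collect{ |path| find_paths path }.flatten
    end

    # Glob +directory+ for files matching +extensions+ and apply all the
    # path filters (only/skip/global excludes/directories).
    def find_paths(directory, extensions = ".rb")
      select_files(glob_files(directory, "*", extensions))
    end

    # Lazily enumerate files under +directory+ matching "name+extensions".
    #
    # With --follow-symlinks, directory symlinks found under the search root
    # are resolved (relative targets are made absolute against the symlink's
    # parent) and a second glob rooted at each target is added. Otherwise a
    # plain recursive glob is used; for "." it is restricted to the top-level
    # directories that survive the exclude filters.
    def glob_files(directory, name, extensions = ".rb")
      if @follow_symlinks
        root_directory = "#{root_search_pattern}#{directory}"
        patterns = ["#{root_directory}/**/#{name}#{extensions}"]

        Dir.glob("#{root_directory}/**/*", File::FNM_DOTMATCH).each do |path|
          if File.symlink?(path) && File.directory?(path)
            symlink_target = File.readlink(path)
            if Pathname.new(symlink_target).relative?
              symlink_target = File.join(File.dirname(path), symlink_target)
            end
            patterns << "#{search_pattern(symlink_target)}/**/#{name}#{extensions}"
          end
        end

        files = patterns.flat_map { |pattern| Dir.glob(pattern) }
        files.uniq.lazy
      else
        if directory == '.'
          pattern = File.join(top_directories_pattern, '**', "#{name}#{extensions}")
        else
          pattern = "#{root_search_pattern}#{directory}/**/#{name}#{extensions}"
        end

        Dir.glob(pattern).lazy
      end
    end

    # Filter pipeline applied to every glob result. The --only-files and
    # --skip-files checks run on raw path strings; the remaining filters
    # operate on Brakeman::FilePath objects.
    def select_files(paths)
      paths = select_only_files(paths)
      paths = reject_skipped_files(paths)
      paths = convert_to_file_paths(paths)
      paths = reject_global_excludes(paths)
      paths = reject_directories(paths)
      paths
    end

    def reject_directories(paths)
      paths.reject do |path|
        Brakeman.logger.spin
        File.directory?(path)
      end
    end

    # Keep only paths matching the --only-files Regexp (no-op when unset).
    def select_only_files(paths)
      return paths unless @only_files

      paths.select do |path|
        Brakeman.logger.spin
        match_path @only_files, path
      end
    end

    # Drop paths matching the --skip-files Regexp (no-op when unset).
    def reject_skipped_files(paths)
      return paths unless @skip_files

      paths.reject do |path|
        Brakeman.logger.spin
        match_path @skip_files, path
      end
    end

    # Directories that are never scanned, regardless of options.
    EXCLUDED_PATHS = regex_for_paths %w[
      generators/
      lib/tasks/
      lib/templates/
      db/
      spec/
      test/
      tmp/
    ]

    # Drop EXCLUDED_PATHS and, with --skip-vendor, anything under vendor/
    # that is not part of a configured engine or additional lib path.
    def reject_global_excludes(paths)
      paths.reject do |path|
        relative_path = path.relative

        if @skip_vendor and relative_path.include? 'vendor/' and !in_engine_paths?(path) and !in_add_libs_paths?(path)
          true
        else
          match_path EXCLUDED_PATHS, path
        end
      end
    end

    def in_engine_paths?(path)
      @engine_paths.any? { |p| path.absolute.include?(p) }
    end

    def in_add_libs_paths?(path)
      @additional_libs_path.any? { |p| path.absolute.include?(p) }
    end

    # Match +files+ (a Regexp from regex_for_paths) against +path+ rewritten
    # relative to the project root.
    def match_path files, path
      # TODO: Converting to Pathnames and Strings seems like a lot
      # of converting that could perhaps all be handled in Brakeman::FilePath
      # instead?
      absolute_path = Pathname.new(path)

      # relative root never has a leading separator. But, we use a leading
      # separator in a @skip_files entry to imply that a directory is
      # "absolute" with respect to the project directory.
      #
      # Also directories need a trailing separator.
      project_relative_path = if File.directory?(path)
        File.join(
          File::SEPARATOR,
          absolute_path.relative_path_from(@project_root_path).to_s,
          File::SEPARATOR
        )
      else
        File.join(
          File::SEPARATOR,
          absolute_path.relative_path_from(@project_root_path).to_s
        )
      end

      files.match(project_relative_path)
    end

    # Brace-expansion glob of the top-level directories under the search
    # root that are real (non-symlink) directories and are not excluded.
    def top_directories_pattern
      top_dirs = convert_to_file_paths(Dir.glob(File.join(root_search_pattern, '*/')))
      top_dirs.reject! { |d| File.symlink?(d) or !File.directory?(d) }
      top_dirs = reject_global_excludes(top_dirs)
      top_dirs = reject_skipped_files(top_dirs)

      if top_dirs.empty?
        # Fall back to searching everything, otherwise the empty pattern
        # will start searching from the global root
        root_search_pattern
      else
        "{#{top_dirs.join(',')}}"
      end
    end

    # search_pattern for the project root, computed once.
    def root_search_pattern
      return @root_search_pattern if @root_search_pattern
      @root_search_pattern = search_pattern(@root)
    end

    # Glob prefix "{root_dir,abs_engine,...}/{rel_engine/,...,}" covering
    # +root_dir+, every absolute engine path, and every relative engine path
    # beneath them (trailing separators stripped first). The trailing empty
    # alternative matches +root_dir+ itself.
    def search_pattern(root_dir)
      abs = @absolute_engine_paths.to_a.map { |path| path.gsub(/#{File::SEPARATOR}+$/, '') }
      rel = @relative_engine_paths.to_a.map { |path| path.gsub(/#{File::SEPARATOR}+$/, '') }

      roots = ([root_dir] + abs).join(",")
      rel_engines = (rel + [""]).join("/,")
      "{#{roots}}/{#{rel_engines}}"
    end

    # Reorder so paths containing "concerns" come first (they are processed
    # before the classes that include them). Returns an Array.
    def prioritize_concerns paths
      paths.partition { |path| path.relative.include? "concerns" }.flatten
    end

    def convert_to_file_paths paths
      paths.map { |path| file_path(path) }
    end
  end
end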


================================================
FILE: lib/brakeman/call_index.rb
================================================
require 'set'

#Stores call sites to look up later.
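#Stores call sites to look up later.
#
#Each call is a Hash (as produced by FindAllCalls) that is read here through
#the keys :method, :target, :chain, :nested and :location. Calls are indexed
#twice, by method name and by target, so either can serve as the narrowing
#key in #find_calls.
class Brakeman::CallIndex

  #Initialize index with calls from FindAllCalls
  def initialize calls
    @calls_by_method = {}
    @calls_by_target = {}

    index_calls calls
  end

  #Find calls matching specified option hash.
  #
  #Options:
  #
  #  * :target - symbol, array of symbols, or regular expression to match target(s)
  #  * :method - symbol, array of symbols, or regular expression to match method(s)
  #  * :chained - boolean, whether or not to match against a whole method chain (false by default)
  #  * :nested - boolean, whether or not to match against a method call that is a target itself (false by default)
  #
  #:targets and :methods are accepted as aliases of :target and :method.
  #Passing :target => nil (or false) together with :method selects calls
  #that have no explicit target. Raises if neither a target nor a method
  #is given.
  def find_calls options
    target = options[:target] || options[:targets]
    method = options[:method] || options[:methods]
    nested = options[:nested]

    if options[:chained]
      return find_chain options
    #Find by narrowest category
    elsif target.is_a? Array and method.is_a? Array
      if target.length > method.length
        calls = filter_by_target calls_by_methods(method), target
      else
        calls = calls_by_targets(target)
        calls = filter_by_method calls, method
      end

    elsif target.is_a? Regexp and method
      calls = filter_by_target(calls_by_method(method), target)

    elsif method.is_a? Regexp and target
      calls = filter_by_method(calls_by_target(target), method)

    #Find by target, then by methods, if provided
    elsif target
      calls = calls_by_target target

      if calls and method
        calls = filter_by_method calls, method
      end

    #Find calls with no explicit target
    #with either :target => nil or :target => false
    elsif (options.key? :target or options.key? :targets) and not target and method
      calls = calls_by_method method
      calls = filter_by_target calls, nil

    #Find calls by method
    elsif method
      calls = calls_by_method method
    else
      raise "Invalid arguments to CallIndex#find_calls: #{options.inspect}"
    end

    return [] if calls.nil?

    #Remove calls that are actually targets of other calls
    #Unless those are explicitly desired
    calls = filter_nested calls unless nested

    calls
  end

  #Drop indexed calls that came from a template. With no argument, every
  #template call is removed; otherwise only calls from +template_name+.
  def remove_template_indexes template_name = nil
    [@calls_by_method, @calls_by_target].each do |calls_by|
      calls_by.each do |_name, calls|
        calls.delete_if do |call|
          from_template call, template_name
        end
      end
    end
  end

  #Drop indexed calls located in any of the given classes.
  def remove_indexes_by_class classes
    [@calls_by_method, @calls_by_target].each do |calls_by|
      calls_by.each do |_name, calls|
        calls.delete_if do |call|
          call[:location][:type] == :class and classes.include? call[:location][:class]
        end
      end
    end
  end

  #Drop indexed calls located in the given file.
  def remove_indexes_by_file file
    [@calls_by_method, @calls_by_target].each do |calls_by|
      calls_by.each do |_name, calls|
        calls.delete_if do |call|
          call[:location][:file] == file
        end
      end
    end
  end

  #Add calls to both indexes.
  #
  #Every call is indexed by its :method. For the target index, non-Sexp
  #targets (symbols, strings, nil, ...) are used as-is; Sexp targets are
  #only indexed when they are the :params or :session node, under that
  #node type. Other Sexp targets are reachable only via the method index.
  def index_calls calls
    calls.each do |call|
      @calls_by_method[call[:method]] ||= []
      @calls_by_method[call[:method]] << call

      target = call[:target]

      if not target.is_a? Sexp
        @calls_by_target[target] ||= []
        @calls_by_target[target] << call
      elsif target.node_type == :params or target.node_type == :session
        @calls_by_target[target.node_type] ||= []
        @calls_by_target[target.node_type] << call
      end
    end
  end

  private

  #Find calls by method, then keep those whose call chain starts with
  #the requested target (used for :chained => true).
  def find_chain options
    target = options[:target] || options[:targets]
    method = options[:method] || options[:methods]

    calls = calls_by_method method

    return [] if calls.nil?

    filter_by_chain calls, target
  end

  #Calls indexed under +target+, which may be a single value, an Array
  #of values, or a Regexp matched against String/Symbol targets.
  def calls_by_target target
    case target
    when Array
      calls_by_targets target
    when Regexp
      calls_by_targets_regex target
    else
      @calls_by_target[target] || []
    end
  end

  def calls_by_targets targets
    calls = []

    targets.each do |target|
      calls.concat @calls_by_target[target] if @calls_by_target.key? target
    end

    calls
  end

  #Only String and Symbol targets are matched against the Regexp;
  #nil, false and node-type keys are skipped.
  def calls_by_targets_regex targets_regex
    calls = []

    @calls_by_target.each do |key, value|
      case key
      when String, Symbol
        calls.concat value if key.match targets_regex
      end
    end

    calls
  end

  #Calls indexed under +method+, which may be a single name (converted
  #to a Symbol), an Array of names, or a Regexp.
  def calls_by_method method
    case method
    when Array
      calls_by_methods method
    when Regexp
      calls_by_methods_regex method
    else
      @calls_by_method[method.to_sym] || []
    end
  end

  def calls_by_methods methods
    methods = methods.map { |m| m.to_sym }
    calls = []

    methods.each do |method|
      calls.concat @calls_by_method[method] if @calls_by_method.key? method
    end

    calls
  end

  def calls_by_methods_regex methods_regex
    calls = []

    @calls_by_method.each do |key, value|
      calls.concat value if key.match methods_regex
    end

    calls
  end

  #Select calls whose +key+ entry matches +value+: membership for an Array,
  #a String/Symbol match for a Regexp, equality otherwise.
  def filter calls, key, value
    case value
    when Array
      values = Set.new value

      calls.select do |call|
        values.include? call[key]
      end
    when Regexp
      calls.select do |call|
        case call[key]
        when String, Symbol
          call[key].match value
        end
      end
    else
      calls.select do |call|
        call[key] == value
      end
    end
  end

  def filter_by_method calls, method
    filter calls, :method, method
  end

  def filter_by_target calls, target
    filter calls, :target, target
  end

  #Keep only calls that are not themselves the target of another call.
  def filter_nested calls
    filter calls, :nested, false
  end

  #Like #filter, but compares against the first element of call[:chain].
  def filter_by_chain calls, target
    case target
    when Array
      targets = Set.new target

      calls.select do |call|
        targets.include? call[:chain].first
      end
    when Regexp
      calls.select do |call|
        case call[:chain].first
        when String, Symbol
          call[:chain].first.match target
        end
      end
    else
      calls.select do |call|
        call[:chain].first == target
      end
    end
  end

  #True if the call was recorded in a template; with a +template_name+,
  #only for that template.
  def from_template call, template_name
    return false unless call[:location][:type] == :template
    return true if template_name.nil?
    call[:location][:template] == template_name
  end
end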


================================================
FILE: lib/brakeman/checks/base_check.rb
================================================
require 'brakeman/processors/output_processor'
require 'brakeman/processors/lib/processor_helper'
require 'brakeman/warning'
require 'brakeman/util'
require 'brakeman/messages'

#Basis of vulnerability checks.
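class Brakeman::BaseCheck < Brakeman::SexpProcessor
  include Brakeman::ProcessorHelper
  include Brakeman::SafeCallHelper
  include Brakeman::Util
  include Brakeman::Messages
  attr_reader :tracker, :warnings

  # This is for legacy support.
  # Use :high, :medium, or :low instead when creating warnings.
  CONFIDENCE = Brakeman::Warning::CONFIDENCE

  # A located piece of input: +type+ is one of :params, :cookies, :request,
  # :model or :interp, and +match+ is the Sexp where it was seen.
  Match = Struct.new(:type, :match)

  class << self
    attr_accessor :name

    # Record the subclass's short name (the constant name without the
    # leading "Brakeman::" namespace) when a check class is defined.
    def inherited(subclass)
      subclass.name = subclass.to_s.match(/^Brakeman::(.*)$/)[1]
    end
  end

  #Initialize Check with Checks.
  #
  # +tracker+ supplies the application model (controllers, templates,
  # models, config and options) that the check inspects. Results and
  # warnings start empty; the remaining ivars hold per-expression state
  # for the process_* methods below.
  def initialize(tracker)
    super()
    @app_tree = tracker.app_tree
    @results = [] #only to check for duplicates
    @warnings = []
    @tracker = tracker
    @string_interp = false
    @current_set = nil
    @current_template = @current_module = @current_class = @current_method = nil
    @active_record_models = nil
    @mass_assign_disabled = nil
    @has_user_input = nil
    @in_array = false
    # Methods whose result is treated as safe even when the receiver is user input
    @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id, :uuid]
    # Comparison operators: their operands are not walked for user input
    @comparison_ops  = Set[:==, :!=, :>, :<, :>=, :<=]
  end

  #Add result to result list, which is used to check for duplicates.
  #
  # +result+ is a call-result Hash or a Sexp; see get_location for how the
  # (location, line) pair is derived.
  def add_result result
    location, line = get_location result

    @results << [line, location, result]
  end

  #Default Sexp processing. Iterates over each value in the Sexp
  #and processes them if they are also Sexps.
  def process_default exp
    exp.each do |e|
      process e if sexp? e
    end

    exp
  end

  #Process calls and check if they include user input.
  #
  # Comparison operators are not descended into (their operands do not
  # flow into the result). Otherwise the target and arguments are
  # processed, and then the call itself is classified: a target that is
  # params/cookies/request headers, or a model name, sets @has_user_input
  # to a Match unless the method is one of the always-safe ones.
  def process_call exp
    unless @comparison_ops.include? exp.method
      process exp.target if sexp? exp.target
      process_call_args exp
    end

    target = exp.target

    unless always_safe_method? exp.method
      if params? target
        @has_user_input = Match.new(:params, exp)
      elsif cookies? target
        @has_user_input = Match.new(:cookies, exp)
      elsif request_headers? target
        @has_user_input = Match.new(:request, exp)
      elsif sexp? target and model_name? target[1] #TODO: Can this be target.target?
        @has_user_input = Match.new(:model, exp)
      end
    end

    exp
  end

  # Process an :if node. The condition is walked, but any user input it
  # sets is discarded: only input in the branches counts.
  def process_if exp
    #This is to ignore user input in condition
    current_user_input = @has_user_input
    process exp.condition
    @has_user_input = current_user_input

    process exp.then_clause if sexp? exp.then_clause
    process exp.else_clause if sexp? exp.else_clause

    exp
  end

  #Note that params are included in current expression
  def process_params exp
    @has_user_input = Match.new(:params, exp)
    exp
  end

  #Note that cookies are included in current expression
  def process_cookies exp
    @has_user_input = Match.new(:cookies, exp)
    exp
  end

  # Process an array literal, tracking that we are inside one so that
  # array_interp? can recognise the %W[#{a}] form.
  def process_array exp
    @in_array = true
    process_default exp
  ensure
    @in_array = false
  end

  #Does not actually process string interpolation, but notes that it occurred.
  def process_dstr exp
    unless array_interp? exp or @string_interp # don't overwrite existing value
      @string_interp = Match.new(:interp, exp)
    end

    process_default exp
  end

  private

  # Checking for
  #
  #   %W[#{a}]
  #
  # which will be parsed as
  #
  #    s(:array, s(:dstr, "", s(:evstr, s(:call, nil, :a))))
  def array_interp? exp
    @in_array and
      string_interp? exp and
      exp[1] == "".freeze and
      exp.length == 3 # only one interpolated value
  end

  # True for methods whose result is never treated as user input:
  # the safe attribute accessors and the comparison operators.
  def always_safe_method? meth
    @safe_input_attributes.include? meth or
      @comparison_ops.include? meth
  end

  # True if the method name ends in "?" (Ruby predicate convention).
  def boolean_method? method
    method[-1] == "?"
  end

  # Sexp forms of Tempfile.new.path and Tempfile.create.path
  TEMP_FILE_PATH = [
    s(:call, s(:call, s(:const, :Tempfile), :new), :path).freeze,
    s(:call, s(:call, s(:const, :Tempfile), :create), :path).freeze
  ].freeze

  # True if +exp+ is exactly one of the Tempfile path expressions above.
  def temp_file_path? exp
    TEMP_FILE_PATH.include? exp
  end

  #Report a warning.
  #
  # +options+ are passed to Brakeman::Warning.new; :check is always set to
  # this check's class name, and a relative :file is resolved through the
  # app tree before the warning is stored in @warnings.
  def warn options
    extra_opts = { :check => self.class.to_s }

    if options[:file]
      options[:file] = @app_tree.file_path(options[:file])
    end

    @warnings << Brakeman::Warning.new(options.merge(extra_opts))
  end

  #Run _exp_ through OutputProcessor to get a nice String.
  # Line breaks are stripped so the result fits on one line.
  def format_output exp
    Brakeman::OutputProcessor.new.format(exp).gsub(/\r|\n/, "")
  end

  #Checks if mass assignment is disabled globally in an initializer.
  #
  # The answer is memoised in @mass_assign_disabled. It is true when:
  # - Rails 3.1-3.x with config.active_record.whitelist_attributes, or
  # - Rails 4 without protected_attributes (or with whitelist_attributes), or
  # - an initializer calls attr_accessible(nil) on ActiveRecord::Base
  #   (either via send or by reopening the class), or
  # - Rails 3.1-3.x with strong_parameters and an initializer including
  #   ActiveModel::ForbiddenAttributesProtection into ActiveRecord::Base.
  def mass_assign_disabled?
    return @mass_assign_disabled unless @mass_assign_disabled.nil?

    @mass_assign_disabled = false

    if version_between?("3.1.0", "3.9.9") and
      tracker.config.whitelist_attributes?

      @mass_assign_disabled = true
    elsif tracker.options[:rails4] && (!tracker.config.has_gem?(:protected_attributes) || tracker.config.whitelist_attributes?)

      @mass_assign_disabled = true
    else
      #Check for ActiveRecord::Base.send(:attr_accessible, nil)
      tracker.find_call(target: :"ActiveRecord::Base", method: :attr_accessible).each do |result|
        call = result[:call]

        if call? call
          if call.first_arg == Sexp.new(:nil)
            @mass_assign_disabled = true
            break
          end
        end
      end

      unless @mass_assign_disabled
        #Check for
        #  class ActiveRecord::Base
        #    attr_accessible nil
        #  end
        tracker.check_initializers([], :attr_accessible).each do |result|
          if result.module == "ActiveRecord" and result.result_class == :Base
            arg = result.call.first_arg

            if arg.nil? or node_type? arg, :nil
              @mass_assign_disabled = true
              break
            end
          end
        end
      end
    end

    #There is a chance someone is using Rails 3.x and the `strong_parameters`
    #gem and still using hack above, so this is a separate check for
    #including ActiveModel::ForbiddenAttributesProtection in
    #ActiveRecord::Base in an initializer.
    if not @mass_assign_disabled and version_between?("3.1.0", "3.9.9") and tracker.config.has_gem? :strong_parameters
      matches = tracker.check_initializers([], :include)
      forbidden_protection = Sexp.new(:colon2, Sexp.new(:const, :ActiveModel), :ForbiddenAttributesProtection)

      matches.each do |result|
        if call? result.call and result.call.first_arg == forbidden_protection
          @mass_assign_disabled = true
        end
      end

      unless @mass_assign_disabled
        tracker.find_call(target: :"ActiveRecord::Base", method: [:send, :include]).each do |result|
          call = result[:call]
          if call? call and (call.first_arg == forbidden_protection or call.second_arg == forbidden_protection)
            @mass_assign_disabled = true
          end
        end
      end
    end

    @mass_assign_disabled
  end

  # True (and records the result) if +result+ has not been reported before.
  # A call that carries an original_line (i.e. was produced by inlining
  # another call) is never considered original.
  def original? result
    return false if result[:call].original_line or duplicate? result
    add_result result
    true
  end

  #This is to avoid reporting duplicates. Checks if the result has been
  #reported already from the same line number.
  #
  # With tracker.options[:combine_locations] any earlier result at the same
  # line and location counts as a duplicate; otherwise the result itself
  # must also be equal. The +location+ parameter is kept for callers but is
  # overwritten by get_location.
  def duplicate? result, location = nil
    location, line = get_location result

    @results.each do |r|
      if r[0] == line and r[1] == location
        if tracker.options[:combine_locations]
          return true
        elsif r[2] == result
          return true
        end
      end
    end

    false
  end

  # Return [location, line] for +result+, which is either a call-result Hash
  # (line taken from result[:call]) or a bare Sexp.
  #
  # The location prefers the check's current template/class/module/set and
  # falls back to the result's own :location entries. Hashes and Collections
  # are reduced to their name, and the result is always a Symbol.
  #
  # Raises ArgumentError for anything else.
  def get_location result
    if result.is_a? Hash
      line = result[:call].original_line || result[:call].line
    elsif sexp? result
      line = result.original_line || result.line
    else
      raise ArgumentError
    end

    location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template] || result[:location][:file].to_s

    location = location[:name] if location.is_a? Hash
    location = location.name if location.is_a? Brakeman::Collection
    location = location.to_sym

    return location, line
  end

  #Checks if _exp_ includes user input in the form of cookies, parameters,
  #request environment, or model attributes.
  #
  #If found, returns a struct containing a type (:cookies, :params, :request, :model) and
  #the matching expression (Match#type and Match#match).
  #
  #Returns false otherwise.
  #
  # Note this resets and then walks the whole expression, so it also
  # resets any @has_user_input state left by an earlier call.
  def include_user_input? exp
    @has_user_input = false
    process exp
    @has_user_input
  end

  #This is used to check for user input being used directly.
  #
  #If found, returns a struct containing a type (:cookies, :params, :request) and
  #the matching expression (Match#type and Match#match).
  #
  #Returns false otherwise.
  #
  # Unlike include_user_input? this does not walk arbitrary sub-expressions:
  # it follows call targets, string interpolation, conditionals, +or+,
  # splats and keyword splats only, so input passed as a plain method
  # argument is not found here.
  def has_immediate_user_input? exp
    if exp.nil?
      false
    elsif call? exp and not always_safe_method? exp.method
      if params? exp
        return Match.new(:params, exp)
      elsif cookies? exp
        return Match.new(:cookies, exp)
      elsif request_headers? exp
        return Match.new(:request, exp)
      else
        has_immediate_user_input? exp.target
      end
    elsif sexp? exp
      case exp.node_type
      when :dstr
        exp.each do |e|
          if sexp? e
            match = has_immediate_user_input?(e)
            return match if match
          end
        end
        false
      when :evstr
        if sexp? exp.value
          if exp.value.node_type == :rlist
            exp.value.each_sexp do |e|
              match = has_immediate_user_input?(e)
              return match if match
            end
            false
          else
            has_immediate_user_input? exp.value
          end
        end
      when :format
        has_immediate_user_input? exp.value
      when :if
        (sexp? exp.then_clause and has_immediate_user_input? exp.then_clause) or
        (sexp? exp.else_clause and has_immediate_user_input? exp.else_clause)
      when :or
        has_immediate_user_input? exp.lhs or
        has_immediate_user_input? exp.rhs
      when :splat, :kwsplat
        exp.each_sexp do |e|
          match = has_immediate_user_input?(e)
          return match if match
        end

        false
      when :hash
        if kwsplat? exp
          exp[1].each_sexp do |e|
            match = has_immediate_user_input?(e)
            return match if match
          end

          false
        end
      else
        false
      end
    end
  end

  #Checks for a model attribute at the top level of the
  #expression.
  #
  # Returns the matching call Sexp, or false. An :output node is unwrapped
  # first. A call chain qualifies when its innermost target is a model name
  # and no link is an always-safe method or a predicate ("?") call.
  # +out+ is threaded through the recursion unchanged and is otherwise unused.
  def has_immediate_model? exp, out = nil
    out = exp if out.nil?

    if sexp? exp and exp.node_type == :output
      exp = exp.value
    end

    if call? exp
      target = exp.target
      method = exp.method

      if always_safe_method? method
        false
      elsif call? target and not method.to_s[-1,1] == "?"
        if has_immediate_model?(target, out)
          exp
        else
          false
        end
      elsif model_name? target
        exp
      else
        false
      end
    elsif sexp? exp
      case exp.node_type
      when :dstr
        exp.each do |e|
          if sexp? e and match = has_immediate_model?(e, out)
            return match
          end
        end
        false
      when :evstr
        if sexp? exp.value
          if exp.value.node_type == :rlist
            exp.value.each_sexp do |e|
              if match = has_immediate_model?(e, out)
                return match
              end
            end
            false
          else
            has_immediate_model? exp.value, out
          end
        end
      when :format
        has_immediate_model? exp.value, out
      when :if
        ((sexp? exp.then_clause and has_immediate_model? exp.then_clause, out) or
         (sexp? exp.else_clause and has_immediate_model? exp.else_clause, out))
      when :or
        # Pass +out+ through like the other branches do
        has_immediate_model? exp.lhs, out or
        has_immediate_model? exp.rhs, out
      else
        false
      end
    end
  end

  #Checks if +exp+ is a model name.
  #
  #Prior to using this method, either @tracker must be set to
  #the current tracker, or else @models should contain an array of the model
  #names, which is available via tracker.models.keys
  #
  # A bare +current_user+ call (no receiver) is treated as a model as well.
  def model_name? exp
    @models ||= @tracker.models.keys

    if exp.is_a? Symbol
      @models.include? exp
    elsif call? exp and exp.target.nil? and exp.method == :current_user
      true
    elsif sexp? exp
      @models.include? class_name(exp)
    else
      false
    end
  end

  #Returns true if +target+ is in +exp+ (searched recursively through
  #nested calls; non-call expressions return false).
  def include_target? exp, target
    return false unless call? exp

    exp.each do |e|
      return true if e == target or include_target? e, target
    end

    false
  end

  # True if the app uses the railslts-version gem and +version+ falls
  # between 2.3.18.99 and the installed railslts-version.
  def lts_version? version
    tracker.config.has_gem? :'railslts-version' and
    version_between? version, "2.3.18.99", tracker.config.gem_version(:'railslts-version')
  end

  # Delegates to the tracker config; +current_version+ defaults to the
  # detected Rails version there.
  def version_between? low_version, high_version, current_version = nil
    tracker.config.version_between? low_version, high_version, current_version
  end

  # Best location to point a gem-related warning at: the gem's info from
  # the config when known, else Gemfile, gems.rb or config/environment.rb.
  def gemfile_or_environment gem_name = :rails
    if gem_name and info = tracker.config.get_gem(gem_name.to_sym)
      info
    elsif @app_tree.exists?("Gemfile")
      @app_tree.file_path "Gemfile"
    elsif @app_tree.exists?("gems.rb")
      @app_tree.file_path "gems.rb"
    else
      @app_tree.file_path "config/environment.rb"
    end
  end

  # One-line description set by each check via @description.
  def self.description
    @description
  end

  # Memoised Hash of model name => model for models that inherit from
  # ActiveRecord::Base.
  def active_record_models
    return @active_record_models if @active_record_models

    @active_record_models = {}

    tracker.models.each do |name, model|
      if model.ancestor? :"ActiveRecord::Base"
        @active_record_models[name] = model
      end
    end

    @active_record_models
  end

  STRING_METHODS = Set[:<<, :+, :concat, :prepend]
  private_constant :STRING_METHODS

  # True if +exp+ builds a string with <<, +, concat or prepend where the
  # receiver or first argument is (or itself builds from) a string literal.
  def string_building? exp
    return false unless call? exp and STRING_METHODS.include? exp.method

    node_type? exp.target, :str, :dstr or
    node_type? exp.first_arg, :str, :dstr or
    string_building? exp.target or
    string_building? exp.first_arg
  end

  I18N_CLASS = s(:const, :I18n)

  # True if +exp+ is I18n.locale or a call chained off it; nil for non-calls.
  def locale_call? exp
    return unless call? exp

    (exp.target == I18N_CLASS and
     exp.method == :locale) or
    locale_call? exp.target
  end
end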


================================================
FILE: lib/brakeman/checks/check_basic_auth.rb
================================================
require 'brakeman/checks/base_check'

#Checks if password is stored in controller
#when using http_basic_authenticate_with
#
#Only for Rails >= 3.1
class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Checks for the use of http_basic_authenticate_with"

  # Entry point. Skipped entirely for Rails < 3.1; otherwise run both
  # detectors (the filter form and the block form of basic auth).
  def run_check
    return if version_between? "0.0.0", "3.0.99"

    check_basic_auth_filter
    check_basic_auth_request
  end

  # Warn once per controller whose http_basic_authenticate_with options
  # carry a string-literal :password. Only the first such call in a
  # controller is reported.
  def check_basic_auth_filter
    tracker.controllers.each do |name, controller|
      auth_calls = controller.options[:http_basic_authenticate_with]
      next unless auth_calls

      literal_call = auth_calls.find do |call|
        pass = get_password(call)
        pass and string? pass
      end
      next unless literal_call

      warn :controller => name,
          :warning_type => "Basic Auth",
          :warning_code => :basic_auth_password,
          :message => "Basic authentication password stored in source code",
          :code => literal_call,
          :confidence => :high,
          :file => controller.file,
          :cwe_id => [259]
    end
  end

  # Look for
  #  authenticate_or_request_with_http_basic do |username, password|
  #    username == "foo" && password == "bar"
  #  end
  def check_basic_auth_request
    results = tracker.find_call(:target => nil, :method => :authenticate_or_request_with_http_basic)

    results.each do |result|
      next unless include_password_literal? result

      warn :result => result,
          :code => @include_password,
          :warning_type => "Basic Auth",
          :warning_code => :basic_auth_password,
          :message => "Basic authentication password stored in source code",
          :confidence => :high,
          :cwe_id => [259]
    end
  end

  # Check if the block of a result contains a comparison of password to string.
  # The password variable is taken to be the block's last parameter.
  def include_password_literal? result
    block_args = result[:block_args]
    return false if block_args.nil?

    @password_var = block_args.last
    @include_password = false
    process result[:block]
    @include_password
  end

  # Looks for :== calls on password var.
  # Only `password == "literal"` is matched (the receiver must be the
  # password local); the reversed `"literal" == password` is not.
  def process_call exp
    target = exp.target

    compares_password_literal =
      node_type?(target, :lvar) &&
      target.value == @password_var &&
      exp.method == :== &&
      string?(exp.first_arg)

    @include_password = exp if compares_password_literal

    exp
  end

  # Value of the :password key in the call's first (hash) argument, or
  # false when there is no hash argument.
  def get_password call
    arg = call.first_arg
    return false unless arg and hash? arg

    hash_access(arg, :password)
  end
end


================================================
FILE: lib/brakeman/checks/check_basic_auth_timing_attack.rb
================================================
require 'brakeman/checks/base_check'

class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Check for timing attack in basic auth (CVE-2015-7576)"

  # Pick the first patched release for the detected Rails version and, if
  # the version is in an affected range, report every
  # http_basic_authenticate_with call. Unaffected versions do nothing.
  def run_check
    affected_ranges = [
      ["0.0.0", "3.2.22", "3.2.22.1"],
      ["4.0.0", "4.1.14", "4.1.14.1"],
      ["4.2.0", "4.2.5", "4.2.5.1"]
    ]

    _low, _high, @upgrade = affected_ranges.find do |low, high, _fixed|
      version_between? low, high
    end
    return unless @upgrade

    check_basic_auth_call
  end

  # One warning per http_basic_authenticate_with call, naming the upgrade.
  def check_basic_auth_call
    results = tracker.find_call(target: nil, method: :http_basic_authenticate_with)

    results.each do |result|
      warn :result => result,
        :warning_type => "Timing Attack",
        :warning_code => :CVE_2015_7576,
        :message => msg("Basic authentication in ", msg_version(rails_version), " is vulnerable to timing attacks. Upgrade to ", msg_version(@upgrade)),
        :confidence => :high,
        :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ",
        :cwe_id => [1254]
    end
  end
end


================================================
FILE: lib/brakeman/checks/check_content_tag.rb
================================================
require 'brakeman/checks/check_cross_site_scripting'

#Checks for unescaped values in `content_tag`
#
#    content_tag :tag, body
#                       ^-- Unescaped in Rails 2.x
#
#    content_tag :tag, body, attribute => value
#                                ^-- Unescaped in all versions
#
#    content_tag :tag, body, attribute => value
#                                            ^
#                                            |
#            Escaped by default, can be explicitly escaped
#            or not by passing in (true|false) as fourth argument
class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
  Brakeman::Checks.add self

  @description = "Checks for XSS in calls to content_tag"

  # Entry point: find every content_tag call, inspect each argument
  # position for user input, then report CVE-2016-6316 when the Rails
  # version is affected.
  def run_check
    # Helpers whose output is treated as already escaped, plus whatever
    # the user supplied in tracker.options[:safe_methods]
    @ignore_methods = Set[:button_to, :check_box, :escapeHTML, :escape_once,
                           :field_field, :fields_for, :h, :hidden_field,
                           :hidden_field, :hidden_field_tag, :image_tag, :label,
                           :mail_to, :radio_button, :select,
                           :submit_tag, :text_area, :text_field,
                           :text_field_tag, :url_encode, :u, :url_for,
                           :will_paginate].merge tracker.options[:safe_methods]

    @known_dangerous = []
    @content_tags = tracker.find_call :target => false, :method => :content_tag

    @models = tracker.models.keys
    @inspect_arguments = tracker.options[:check_arguments]
    @mark = nil

    Brakeman.debug "Checking for XSS in content_tag"
    @content_tags.each do |call|
      process_result call
    end

    check_cve_2016_6316
  end

  # Examine one content_tag call.
  #
  # Argument positions (args[0] is the method name): tag name, content,
  # attributes hash, escape flag. Each position is checked in turn; once
  # @matched is set (by the inherited call processing — confirm in
  # CheckCrossSiteScripting) the remaining positions are skipped. The
  # location state is cleared in +ensure+ so the early returns inside
  # hash_iterate cannot leak it into the next result.
  def process_result result
    return if duplicate? result

    case result[:location][:type]
    when :template
      @current_template = result[:location][:template]
    when :class
      @current_class = result[:location][:class]
      @current_method = result[:location][:method]
    end

    @current_file = result[:location][:file]

    call = result[:call]
    args = call.arglist

    tag_name = args[1]
    content = args[2]
    attributes = args[3]
    escape_attr = args[4]

    @matched = false

    #Silly, but still dangerous if someone uses user input in the tag type
    check_argument result, tag_name

    #Versions before 3.x do not escape body of tag, nor does the rails_xss gem
    # On Rails 3+ the body is only checked when wrapped in raw()
    unless @matched or (tracker.options[:rails3] and not raw? content)
      check_argument result, content
    end

    # This changed in Rails 6.1.6
    if version_between? '0.0.0', '6.1.5' 
      #Attribute keys are never escaped, so check them for user input
      # (a whole-hash request value is handled by the value check below)
      if not @matched and hash? attributes and not request_value? attributes
        hash_iterate(attributes) do |k, _v|
          check_argument result, k
          return if @matched
        end
      end
    end

    #By default, content_tag escapes attribute values passed in as a hash.
    #But this behavior can be disabled. So only check attributes hash
    #if they are explicitly not escaped.
    # (or when CVE-2016-6316 applies, since then escaping is incomplete)
    if not @matched and attributes and (false? escape_attr or cve_2016_6316?)
      if request_value? attributes or not hash? attributes
        check_argument result, attributes
      else #check hash values
        hash_iterate(attributes) do |_k, v|
          check_argument result, v
          return if @matched
        end
      end
    end
  ensure
    @current_template = @current_class = @current_method = @current_file = nil
  end

  # Process a single content_tag argument and warn if it carries user
  # input (high confidence), a model attribute (medium, or high when it
  # looks like a real attribute), or was flagged by the processor via
  # @matched (medium). raw() is unwrapped so its argument is inspected.
  def check_argument result, exp
    #Check contents of raw() calls directly
    if raw? exp
      arg = process exp.first_arg
    else
      arg = process exp
    end

    if input = has_immediate_user_input?(arg)
      message = msg("Unescaped ", msg_input(input), " in ", msg_code("content_tag"))

      add_result result

      warn :result => result,
        :warning_type => "Cross-Site Scripting",
        :warning_code => :xss_content_tag,
        :message => message,
        :user_input => input,
        :confidence => :high,
        :link_path => "content_tag",
        :cwe_id => [79]

    elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
      # Aggregate/id methods (IGNORE_MODEL_METHODS) are not reported
      unless IGNORE_MODEL_METHODS.include? match.method
        add_result result

        if likely_model_attribute? match
          confidence = :high
        else
          confidence = :medium
        end

        warn :result => result,
          :warning_type => "Cross-Site Scripting",
          :warning_code => :xss_content_tag,
          :message => msg("Unescaped model attribute in ", msg_code("content_tag")),
          :user_input => match,
          :confidence => confidence,
          :link_path => "content_tag",
          :cwe_id => [79]
      end

    elsif @matched
      return if @matched.type == :model and tracker.options[:ignore_model_output]

      message = msg("Unescaped ", msg_input(@matched), " in ", msg_code("content_tag"))

      add_result result

      warn :result => result,
        :warning_type => "Cross-Site Scripting",
        :warning_code => :xss_content_tag,
        :message => message,
        :user_input => @matched,
        :confidence => :medium,
        :link_path => "content_tag",
        :cwe_id => [79]
    end
  end

  # @mark guards re-entry: only the outermost process_call sets and
  # clears it, nested calls are processed without touching it.
  def process_call exp
    if @mark
      actually_process_call exp
    else
      @mark = true
      actually_process_call exp
      @mark = false
    end

    exp
  end

  # Report CVE-2016-6316 (attribute values not escaping double quotes) for
  # affected versions. Confidence is high when the app actually calls
  # content_tag, medium otherwise. When no version is known, the rails3 /
  # rails4 options select a fix version; otherwise nothing is reported.
  def check_cve_2016_6316
    if cve_2016_6316?
      confidence = if @content_tags.any?
                     :high
                   else
                     :medium
                   end

      fix_version = case
                    when version_between?("3.0.0", "3.2.22.3")
                      "3.2.22.4"
                    when version_between?("4.0.0", "4.2.7.0")
                      "4.2.7.1"
                    when version_between?("5.0.0", "5.0.0")
                      "5.0.0.1"
                    when (version.nil? and tracker.options[:rails3])
                      "3.2.22.4"
                    when (version.nil? and tracker.options[:rails4])
                      "4.2.7.2"
                    else
                      return
                    end

      warn :warning_type => "Cross-Site Scripting",
        :warning_code => :CVE_2016_6316,
        :message => msg(msg_version(rails_version), " ", msg_code("content_tag"), " does not escape double quotes in attribute values ", msg_cve("CVE-2016-6316"), ". Upgrade to ", msg_version(fix_version)),
        :confidence => confidence,
        :gem_info => gemfile_or_environment,
        :link_path => "https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ",
        :cwe_id => [79]
    end
  end

  # True if +exp+ is a call to raw()
  def raw? exp
    call? exp and exp.method == :raw
  end

  # Rails versions affected by CVE-2016-6316
  def cve_2016_6316?
    version_between? "3.0.0", "3.2.22.3" or
    version_between? "4.0.0", "4.2.7.0" or
    version_between? "5.0.0", "5.0.0.0"
  end
end


================================================
FILE: lib/brakeman/checks/check_cookie_serialization.rb
================================================
require 'brakeman/checks/base_check'

class Brakeman::CheckCookieSerialization < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Check for use of Marshal for cookie serialization"

  # Warn on every assignment of cookies_serializer to :marshal or :hybrid.
  # NOTE(review): :hybrid is treated the same as :marshal here — presumably
  # because it still accepts Marshal-encoded cookies; confirm against the
  # Rails docs for the supported versions.
  def run_check
    assignments = tracker.find_call(target: :'Rails.application.config.action_dispatch', method: :cookies_serializer=)

    assignments.each do |result|
      serializer = result[:call].first_arg
      next unless symbol? serializer
      next unless [:marshal, :hybrid].include? serializer.value

      warn :result => result,
        :warning_type => "Remote Code Execution",
        :warning_code => :unsafe_cookie_serialization,
        :message => msg("Use of unsafe cookie serialization strategy ", msg_code(serializer.value.inspect), " might lead to remote code execution"),
        :confidence => :medium,
        :link_path => "unsafe_deserialization",
        :cwe_id => [565, 502]
    end
  end
end


================================================
FILE: lib/brakeman/checks/check_create_with.rb
================================================
require 'brakeman/checks/base_check'

class Brakeman::CheckCreateWith < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Checks for strong params bypass in CVE-2014-3514"

  # Entry point. Only Rails 4.0.0-4.0.8 and 4.1.0-4.1.4 are affected;
  # each create_with call (including nested ones) is rated, and a generic
  # upgrade warning is emitted if no call-specific warning was produced.
  def run_check
    @warned = false

    suggested_version =
      if version_between? "4.0.0", "4.0.8"
        "4.0.9"
      elsif version_between? "4.1.0", "4.1.4"
        "4.1.5"
      end
    return unless suggested_version

    @message = msg(msg_code("create_with"), " is vulnerable to strong params bypass. Upgrade to ", msg_version(suggested_version), " or patch")

    tracker.find_call(:method => :create_with, :nested => true).each do |result|
      process_result result
    end

    generic_warning unless @warned
  end

  # Warn for one create_with call unless it is a duplicate or its
  # argument is rated as not dangerous (nil from danger_level).
  def process_result result
    return unless original? result

    confidence = danger_level(result[:call].first_arg)
    return unless confidence

    @warned = true

    warn :warning_type => "Mass Assignment",
      :warning_code => :CVE_2014_3514_call,
      :result => result,
      :message => @message,
      :confidence => confidence,
      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ",
      :cwe_id => [915]
  end

  #For a given create_with call, set confidence level.
  #Ignore calls that use permit()
  #
  # Order matters: a permit() call or a literal hash is never reported,
  # a request value or immediate user input is :high, user input anywhere
  # inside is :medium, anything else :weak.
  def danger_level exp
    return unless sexp? exp
    return nil if call? exp and exp.method == :permit
    return :high if request_value? exp
    return nil if hash? exp
    return :high if has_immediate_user_input?(exp)
    return :medium if include_user_input? exp

    :weak
  end

  # Version-only warning used when no individual create_with call was flagged.
  def generic_warning
    warn :warning_type => "Mass Assignment",
      :warning_code => :CVE_2014_3514,
      :message => @message,
      :gem_info => gemfile_or_environment,
      :confidence => :medium,
      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ",
      :cwe_id => [915]
  end
end


================================================
FILE: lib/brakeman/checks/check_cross_site_scripting.rb
================================================
require 'brakeman/checks/base_check'
require 'brakeman/processors/lib/find_call'
require 'brakeman/processors/lib/processor_helper'
require 'brakeman/util'
require 'set'

#This check looks for unescaped output in templates which contains
#parameters or model attributes.
#
#For example:
#
# <%= User.find(:id).name %>
# <%= params[:id] %>
class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Checks for unescaped output in views"

  #Model methods which are known to be harmless (aggregates and ids).
  #Consulted both when an output is checked directly (check_for_immediate_xss)
  #and while walking a call chain (ignored_model_method?).
  IGNORE_MODEL_METHODS = Set[:average, :count, :maximum, :minimum, :sum, :id]

  #Record-returning model methods. An output whose call chain contains one
  #of these (or a find_by_* finder) is treated as a likely model attribute
  #and reported with high confidence; see likely_model_attribute?
  MODEL_METHODS = Set[:all, :find, :first, :last, :new]

  #Method names matching this pattern are treated as safe by ignored_method?
  #(link_to_* helpers and anything ending in _path, _tag or _url).
  IGNORE_LIKE = /^link_to_|(_path|_tag|_url)$/

  #Sexp forms of call targets that escape their argument. They are compared
  #against a call's target in haml_escaped?, xml_escaped?, cgi_escaped? and
  #form_builder_method?. Note that URI and CGI defined here shadow the
  #top-level Ruby constants of the same name inside this class.
  HAML_HELPERS = Sexp.new(:colon2, Sexp.new(:const, :Haml), :Helpers)

  XML_HELPER = Sexp.new(:colon2, Sexp.new(:const, :Erubis), :XmlHelper)

  URI = Sexp.new(:const, :URI)

  CGI = Sexp.new(:const, :CGI)

  FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new)

  #@matched holds the Match (params, cookies or model) found while an output
  #is being processed; @mark is set while the outermost call of an output is
  #being processed so that the whole call chain is reported (see process_call).
  def initialize *args
    super
    @matched = @mark = false
  end

  #Run check
  #
  #For every output of every template, first try to report the output as-is
  #(check_for_immediate_xss). Only when that returns a falsy value is the
  #per-output state reset and the output walked with process; a :duplicate
  #result is truthy and therefore skips the walk as well.
  def run_check
    setup

    tracker.each_template do |name, template|
      Brakeman.debug "Checking #{name} for XSS"

      @current_template = template

      template.each_output do |out|
        unless check_for_immediate_xss out
          @matched = false
          @mark = false
          process out
        end
      end
    end
  end

  #Try to report an output expression without walking it.
  #
  #Returns :duplicate when the output was already reported, nil when the
  #output is a call that ignore_call? treats as safe (or a model output whose
  #method is in IGNORE_MODEL_METHODS), false when nothing is found, and
  #otherwise whatever warn returns. Callers use only the truthiness.
  #
  #For raw(...) and .html_safe the wrapped expression is the one examined,
  #since these are the usual ways escaping is disabled in a template.
  def check_for_immediate_xss exp
    return :duplicate if duplicate? exp

    #Only plain (unescaped) outputs are examined directly; an escaped output
    #is examined only if it wraps raw()/html_safe below, otherwise out stays nil.
    if exp.node_type == :output
      out = exp.value
    end

    if raw_call? exp
      out = exp.value.first_arg
    elsif html_safe_call? exp
      out = exp.value.target
    end

    return if call? out and ignore_call? out.target, out.method

    #Direct user input (params/cookies/request values) in the output
    if input = has_immediate_user_input?(out)
      add_result exp

      message = msg("Unescaped ", msg_input(input))

      warn :template => @current_template,
        :warning_type => "Cross-Site Scripting",
        :warning_code => :cross_site_scripting,
        :message => message,
        :code => input.match,
        :confidence => :high,
        :cwe_id => [79]

    #Model attribute in the output, unless the user opted out with
    #:ignore_model_output
    elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
      method = if call? match
                 match.method
               else
                 nil
               end

      unless IGNORE_MODEL_METHODS.include? method
        add_result exp

        #High confidence only when the chain clearly yields a record
        if likely_model_attribute? match
          confidence = :high
        else
          confidence = :medium
        end

        message = "Unescaped model attribute"
        link_path = "cross_site_scripting"
        warning_code = :cross_site_scripting

        #model.to_json gets its own warning code and documentation page
        if node_type?(out, :call, :safe_call, :attrasgn, :safe_attrasgn) && out.method == :to_json
          message += " in JSON hash"
          link_path += "_to_json"
          warning_code = :xss_to_json
        end

        warn :template => @current_template,
          :warning_type => "Cross-Site Scripting",
          :warning_code => warning_code,
          :message => message,
          :code => match,
          :confidence => confidence,
          :link_path => link_path,
          :cwe_id => [79]
      end

    else
      false
    end
  end

  #Call already involves a model, but might not be acting on a record
  #
  #Walks down the call chain through each call's target and returns true if
  #any method along the way is in MODEL_METHODS or starts with "find_by_";
  #false once a non-call target is reached.
  def likely_model_attribute? exp
    return false unless call? exp

    method = exp.method

    if MODEL_METHODS.include? method or method.to_s.start_with? "find_by_"
      true
    else
      likely_model_attribute? exp.target
    end
  end

  #Process an output Sexp
  #
  #A copy of the value is processed, presumably so the template's Sexp is
  #left untouched by the walk.
  def process_output exp
    process exp.value.dup
  end

  #Look for calls to raw()
  #Otherwise, ignore
  #
  #An escaped output is only examined when it wraps raw(...) or .html_safe;
  #in that case the wrapped expression is processed. Always returns exp.
  def process_escaped_output exp
    unless check_for_immediate_xss exp
      if not duplicate? exp
        if raw_call? exp
          process exp.value.first_arg
        elsif html_safe_call? exp
          process exp.value.target
        end
      end
    end
    exp
  end

  #Check a call for user input
  #
  #Since we want to report an entire call and not just part of one, use @mark
  #to mark when a call is started. Any dangerous values inside will then
  #report the entire call chain.
  #
  #Only the outermost call (reached with @mark false) emits a warning: once
  #its subtree has been processed, a set @matched is reported with the whole
  #call as :code. Confidence is :high when the outer method is in
  #@known_dangerous (with a dedicated code/link for to_json), :weak otherwise.
  #Nested calls are handled by actually_process_call and merely update @matched.
  def process_call exp
    if @mark
      actually_process_call exp
    else
      @mark = true
      actually_process_call exp
      message = nil

      if @matched
        #NOTE(review): every Match created in this file carries a symbol type
        #(:model, :params or :cookies), so @matched.type is truthy here and the
        #condition reduces to "unless :ignore_model_output is set" for all
        #match types, not only model matches. Confirm this is intended; if the
        #option is meant to silence model output only, the test would be
        #@matched.type == :model.
        unless @matched.type and tracker.options[:ignore_model_output]
          message = msg("Unescaped ", msg_input(@matched))
        end

        if message and not duplicate? exp
          add_result exp

          link_path = "cross_site_scripting"
          warning_code = :cross_site_scripting

          if @known_dangerous.include? exp.method
            confidence = :high
            if exp.method == :to_json
              message << msg_plain(" in JSON hash")
              link_path += "_to_json"
              warning_code = :xss_to_json
            end
          else
            confidence = :weak
          end

          warn :template => @current_template,
            :warning_type => "Cross-Site Scripting",
            :warning_code => warning_code,
            :message => message,
            :code => exp,
            :user_input => @matched,
            :confidence => confidence,
            :link_path => link_path,
            :cwe_id => [79]
        end
      end

      #Reset per-output state for the next output
      @mark = @matched = false
    end

    exp
  end

  #Classify a single call and update @matched.
  #
  #The target is processed first, so a match deeper in the chain
  #(e.g. params inside the receiver) is found before the outer method is
  #inspected. If the outer method is a known-safe call (ignore_call?) any
  #such match is cleared, which is how escaping helpers wrapping user input
  #are recognised as safe. Arguments are only inspected when the
  #:check_arguments option is on (@inspect_arguments).
  def actually_process_call exp
    return if @matched
    target = exp.target
    if sexp? target
      target = process target
    end

    method = exp.method

    #Ignore safe items
    if ignore_call? target, method
      @matched = false
    elsif sexp? target and model_name? target[1] #TODO: use method call?
      @matched = Match.new(:model, exp)
    elsif cookies? exp
      @matched = Match.new(:cookies, exp)
    elsif @inspect_arguments and params? exp
      @matched = Match.new(:params, exp)
    elsif @inspect_arguments
      process_call_args exp
    end
  end

  #Note that params have been found
  def process_params exp
    @matched = Match.new(:params, exp)
    exp
  end

  #Note that cookies have been found
  def process_cookies exp
    @matched = Match.new(:cookies, exp)
    exp
  end

  #Ignore calls to render
  def process_render exp
    exp
  end

  #Process as default
  def process_dstr exp
    process_default exp
  end

  #Process as default
  def process_format exp
    process_default exp
  end

  #Ignore output HTML escaped via HAML
  def process_format_escaped exp
    exp
  end

  #Ignore condition in if Sexp
  #
  #Only the then/else branches are walked; user input used solely in the
  #condition is never output and is not reported.
  def process_if exp
    process exp.then_clause if sexp? exp.then_clause
    process exp.else_clause if sexp? exp.else_clause
    exp
  end

  #Walk the when clauses of a case, skipping the node type (index 0) and
  #the value being compared (index 1).
  def process_case exp
    #Ignore user input in case value
    #TODO: also ignore when values

    current = 2
    while current < exp.length
      process exp[current] if exp[current]
      current += 1
    end

    exp
  end

  #Build the per-scan method lists from the tracker's options, models and
  #Rails/gem versions: @ignore_methods (treated as safe), @known_dangerous
  #(raise confidence to :high) and the to_json classification.
  def setup
    #Helpers that escape their input, plus anything listed in the
    #:safe_methods option.
    @ignore_methods = Set[:==, :!=, :button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
                           :field_field, :fields_for, :form_for, :h, :hidden_field,
                           :hidden_field, :hidden_field_tag, :image_tag, :label,
                           :link_to, :mail_to, :radio_button, :select,
                           :submit_tag, :text_area, :text_field,
                           :text_field_tag, :url_encode, :u, :url_for,
                           :will_paginate].merge tracker.options[:safe_methods]

    @models = tracker.models.keys
    @inspect_arguments = tracker.options[:check_arguments]

    @known_dangerous = Set[:truncate, :concat]

    #auto_link did not escape before Rails 3.0.6; from 3.0.6 through 3.0.x
    #it is treated as safe.
    if version_between? "2.0.0", "3.0.5"
      @known_dangerous << :auto_link
    elsif version_between? "3.0.6", "3.0.99"
      @ignore_methods << :auto_link
    end

    #strip_tags is unsafe on old Rails 2 and with rails-html-sanitizer 1.0.2
    if version_between? "2.0.0", "2.3.14" or tracker.config.gem_version(:'rails-html-sanitizer') == '1.0.2'
      @known_dangerous << :strip_tags
    end

    #sanitize is unsafe with rails-html-sanitizer 1.0.0 through 1.0.2
    if tracker.config.has_gem? :'rails-html-sanitizer' and
       version_between? "1.0.0", "1.0.2", tracker.config.gem_version(:'rails-html-sanitizer')

      @known_dangerous << :sanitize
    end

    #Determine whether to_json output is HTML-entity escaped. Explicit
    #ActiveSupport.escape_html_entities_in_json= calls are honoured (the
    #last one found wins), then the app config, then the Rails default
    #(on from 4.0.0; "9.9.9" serves as an open upper bound).
    json_escape_on = false
    initializers = tracker.find_call(target: :ActiveSupport, method: :escape_html_entities_in_json=)
    initializers.each {|result| json_escape_on = true?(result[:call].first_arg) }

    if tracker.config.escape_html_entities_in_json?
      json_escape_on = true
    elsif version_between? "4.0.0", "9.9.9"
      json_escape_on = true
    end

    #Rails 2.0.x is treated as dangerous regardless of the setting.
    #@safe_input_attributes is not defined in this file (presumably BaseCheck).
    if !json_escape_on or version_between? "0.0.0", "2.0.99"
      @known_dangerous << :to_json
      Brakeman.debug("Automatic to_json escaping not enabled, consider to_json dangerous")
    else
      @safe_input_attributes << :to_json
      Brakeman.debug("Automatic to_json escaping is enabled.")
    end
  end

  #True when the output's value is a call to raw().
  #NOTE(review): unlike html_safe_call?, this calls node_type directly on
  #exp.value without a call?/sexp? guard; confirm every output value reaching
  #here is a Sexp.
  def raw_call? exp
    exp.value.node_type == :call and exp.value.method == :raw
  end

  #True when the output's value is a call to .html_safe.
  def html_safe_call? exp
    call? exp.value and exp.value.method == :html_safe
  end

  #A call is ignored when any of the safe-call predicates below matches:
  #a listed/patterned helper, an always-safe attribute method, a harmless
  #model method, a FormBuilder helper, a known HTML/XML escaping call or a
  #boolean method.
  def ignore_call? target, method
    ignored_method?(target, method) or
    safe_input_attribute?(target, method) or
    ignored_model_method?(target, method) or
    form_builder_method?(target, method) or
    haml_escaped?(target, method) or
    boolean_method?(method) or
    cgi_escaped?(target, method) or
    xml_escaped?(target, method)
  end

  #True for a harmless model method (IGNORE_MODEL_METHODS) when either the
  #current match is a model or the target itself is a model name.
  def ignored_model_method? target, method
    ((@matched and @matched.type == :model) or
       model_name? target) and
       IGNORE_MODEL_METHODS.include? method
  end

  #True when the method is in @ignore_methods or its name matches IGNORE_LIKE;
  #the target is not consulted.
  def ignored_method? target, method
    @ignore_methods.include? method or method.to_s =~ IGNORE_LIKE
  end

  #URI.escape / CGI.escape
  def cgi_escaped? target, method
    method == :escape and
    (target == URI or target == CGI)
  end

  #Haml::Helpers.html_escape
  def haml_escaped? target, method
    method == :html_escape and target == HAML_HELPERS
  end

  #Erubis::XmlHelper.escape_xml
  def xml_escaped? target, method
    method == :escape_xml and target == XML_HELPER
  end

  #An @ignore_methods helper called on FormBuilder.new
  def form_builder_method? target, method
    target == FORM_BUILDER and @ignore_methods.include? method
  end

  #A method on some target that is always safe; always_safe_method? is not
  #defined in this file (presumably BaseCheck).
  def safe_input_attribute? target, method
    target and always_safe_method? method
  end
end


================================================
FILE: lib/brakeman/checks/check_csrf_token_forgery_cve.rb
================================================
require 'brakeman/checks/base_check'

class Brakeman::CheckCSRFTokenForgeryCVE < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Checks for versions with CSRF token forgery vulnerability (CVE-2020-8166)"

  #Warn when the detected Rails version falls in a range affected by
  #CVE-2020-8166. The warning is version-based (gem info, no code location)
  #and names the first patched release for that range.
  def run_check
    fix_version = patched_version
    return unless fix_version

    warn(
      :warning_type => "Cross-Site Request Forgery",
      :warning_code => :CVE_2020_8166,
      :message => msg(msg_version(rails_version), " has a vulnerability that may allow CSRF token forgery. Upgrade to ", msg_version(fix_version), " or patch"),
      :confidence => :medium,
      :gem_info => gemfile_or_environment,
      :link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw",
      :cwe_id => [352]
    )
  end

  private

  #First patched release for the affected range the app's Rails version
  #falls in, or nil when the version is not affected.
  def patched_version
    if version_between?('0.0.0', '5.2.4.2')
      '5.2.4.3'
    elsif version_between?('6.0.0', '6.0.3')
      '6.0.3.1'
    end
  end
end



================================================
FILE: lib/brakeman/checks/check_default_routes.rb
================================================
require 'brakeman/checks/base_check'

#Checks if default routes are allowed in routes.rb
class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Checks for default routes"

  def initialize *args
    super
    #Set by check_for_action_globs when any controller has a glob route;
    #read by check_for_cve_2014_0130 to raise its confidence.
    @actions_allowed_on_controller = nil
  end

  #Checks for :allow_all_actions globally and for individual routes
  #if it is not enabled globally, then for CVE-2014-0130.
  def run_check
    check_for_default_routes
    check_for_action_globs
    check_for_cve_2014_0130
  end

  #Warn once when default routes are enabled for the whole application.
  def check_for_default_routes
    return unless allow_all_actions?

    warn(
      :warning_type => "Default Routes",
      :warning_code => :all_default_routes,
      :message => msg("All public methods in controllers are available as actions in ", msg_file("routes.rb")),
      :line => tracker.routes[:allow_all_actions].line,
      :confidence => :high,
      :file => routes_file,
      :cwe_id => [22]
    )
  end

  #Warn for each controller whose route is a glob that exposes every public
  #method. Skipped entirely when default routes are already on globally.
  def check_for_action_globs
    return if allow_all_actions?
    Brakeman.debug "Checking each controller for default routes"

    tracker.routes.each do |controller, actions|
      next unless actions.is_a? Array and actions[0] == :allow_all_actions

      @actions_allowed_on_controller = true
      verb = glob_verb(actions[1])

      warn(
        :controller => controller,
        :warning_type => "Default Routes",
        :warning_code => :controller_default_routes,
        :message => msg("Any public method in ", msg_code(controller), " can be used as an action for ", msg_code(verb), " requests."),
        :line => actions[2],
        :confidence => :medium,
        :file => routes_file,
        :cwe_id => [22]
      )
    end
  end

  #Warn when the Rails version is affected by CVE-2014-0130 (directory
  #traversal / RCE via globbing routes). Confidence is :high when glob routes
  #were actually found, :medium when only the version is vulnerable.
  def check_for_cve_2014_0130
    #TODO: Should support LTS 3.0.20 too
    return if lts_version?("2.3.18.9")

    upgrade = if version_between?("2.0.0", "2.3.18") or version_between?("3.0.0", "3.2.17")
                "3.2.18"
              elsif version_between?("4.0.0", "4.0.4")
                "4.0.5"
              elsif version_between?("4.1.0", "4.1.0")
                "4.1.1"
              end

    return unless upgrade

    confidence = (allow_all_actions? or @actions_allowed_on_controller) ? :high : :medium

    warn(
      :warning_type => "Remote Code Execution",
      :warning_code => :CVE_2014_0130,
      :message => msg(msg_version(rails_version), " with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to ", msg_version(upgrade)),
      :confidence => confidence,
      :file => routes_file,
      :link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf",
      :cwe_id => [22]
    )
  end

  #Value recorded by the route processor when default routes are on globally
  #(falsy otherwise).
  def allow_all_actions?
    tracker.routes[:allow_all_actions]
  end

  private

  #Path of the application's routes file, used as the warning location.
  def routes_file
    "#{tracker.app_path}/config/routes.rb"
  end

  #HTTP verb a glob route is restricted to, or "any" when unrestricted.
  def glob_verb options
    if options.is_a? Hash and options[:allow_verb]
      options[:allow_verb]
    else
      "any"
    end
  end
end


================================================
FILE: lib/brakeman/checks/check_deserialize.rb
================================================
require 'brakeman/checks/base_check'

class Brakeman::CheckDeserialize < Brakeman::BaseCheck
  #Register this check with the runner and describe it for listings
  Brakeman::Checks.add self

  @description = "Checks for unsafe deserialization of objects"

  #Run each deserialization check in turn: YAML, CSV, Marshal and Oj.
  #The individual check_* methods are defined later in this file.
  def run_check
    check_yaml
    check_csv
    check_marshal
    check_oj
  end

  def check_yaml
    check_methods :YAML, :load_documents, :
    │   │   │   ├── 404.html
    │   │   │   ├── 422.html
    │   │   │   ├── 500.html
    │   │   │   ├── index.html
    │   │   │   ├── javascripts/
    │   │   │   │   ├── application.js
    │   │   │   │   ├── controls.js
    │   │   │   │   ├── dragdrop.js
    │   │   │   │   ├── effects.js
    │   │   │   │   ├── prototype.js
    │   │   │   │   └── rails.js
    │   │   │   ├── robots.txt
    │   │   │   └── stylesheets/
    │   │   │       └── .gitkeep
    │   │   ├── script/
    │   │   │   └── rails
    │   │   ├── test/
    │   │   │   ├── functional/
    │   │   │   │   ├── home_controller_test.rb
    │   │   │   │   └── other_controller_test.rb
    │   │   │   ├── performance/
    │   │   │   │   └── browsing_test.rb
    │   │   │   ├── test_helper.rb
    │   │   │   └── unit/
    │   │   │       └── helpers/
    │   │   │           ├── home_helper_test.rb
    │   │   │           └── other_helper_test.rb
    │   │   └── vendor/
    │   │       └── plugins/
    │   │           └── .gitkeep
    │   ├── rails3.1/
    │   │   ├── .gitignore
    │   │   ├── Gemfile
    │   │   ├── README
    │   │   ├── Rakefile
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   ├── javascripts/
    │   │   │   │   │   ├── application.js
    │   │   │   │   │   └── users.js.coffee
    │   │   │   │   └── stylesheets/
    │   │   │   │       ├── application.css
    │   │   │   │       ├── scaffolds.css.scss
    │   │   │   │       └── users.css.scss
    │   │   │   ├── controllers/
    │   │   │   │   ├── admin_controller.rb
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   ├── mixins/
    │   │   │   │   │   └── user_mixin.rb
    │   │   │   │   ├── other_controller.rb
    │   │   │   │   └── users_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   ├── application_helper.rb
    │   │   │   │   └── users_helper.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── .gitkeep
    │   │   │   ├── models/
    │   │   │   │   ├── .gitkeep
    │   │   │   │   ├── account.rb
    │   │   │   │   ├── product.rb
    │   │   │   │   ├── some_model.rb
    │   │   │   │   └── user.rb
    │   │   │   └── views/
    │   │   │       ├── layouts/
    │   │   │       │   └── application.html.erb
    │   │   │       ├── other/
    │   │   │       │   ├── _partial.html.erb
    │   │   │       │   ├── a.html.erb
    │   │   │       │   ├── b.html.erb
    │   │   │       │   ├── c.html.erb
    │   │   │       │   ├── d.html.erb
    │   │   │       │   ├── e.html.erb
    │   │   │       │   ├── f.html.erb
    │   │   │       │   ├── g.html.erb
    │   │   │       │   ├── test_model_in_haml.html.haml
    │   │   │       │   ├── test_partial.html.erb
    │   │   │       │   ├── test_select_tag.html.erb
    │   │   │       │   ├── test_string_interp.html.erb
    │   │   │       │   └── test_strip_tags.html.erb
    │   │   │       └── users/
    │   │   │           ├── _bio.html.erb
    │   │   │           ├── _circular.html.erb
    │   │   │           ├── _circular_too.html.erb
    │   │   │           ├── _form.html.erb
    │   │   │           ├── _test_layout.html.erb
    │   │   │           ├── _user.html.erb
    │   │   │           ├── circular_render.html.erb
    │   │   │           ├── drape.html.erb
    │   │   │           ├── edit.html.erb
    │   │   │           ├── index.html.erb
    │   │   │           ├── interpolated_value.html.haml
    │   │   │           ├── json_test.html.erb
    │   │   │           ├── mixin_default.html.erb
    │   │   │           ├── mixin_template.html.erb
    │   │   │           ├── new.html.erb
    │   │   │           ├── show.html.erb
    │   │   │           ├── test_assign_if.html.erb
    │   │   │           ├── test_assign_twice.html.erb
    │   │   │           ├── test_less_simple_helpers.html.erb
    │   │   │           └── test_simple_helper.html.erb
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── mime_type_fix.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   ├── secret_token.rb
    │   │   │   │   ├── session_store.rb
    │   │   │   │   ├── set_escape_json.rb
    │   │   │   │   ├── unset_escape_json.rb
    │   │   │   │   ├── wrap_parameters.rb
    │   │   │   │   ├── xml_parsing.rb
    │   │   │   │   └── yaml_parsing.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   └── routes.rb
    │   │   ├── config.ru
    │   │   ├── db/
    │   │   │   ├── migrate/
    │   │   │   │   └── 20110908172338_create_users.rb
    │   │   │   └── seeds.rb
    │   │   ├── doc/
    │   │   │   └── README_FOR_APP
    │   │   ├── lib/
    │   │   │   ├── alib.rb
    │   │   │   ├── assets/
    │   │   │   │   └── .gitkeep
    │   │   │   ├── somelib.rb
    │   │   │   └── tasks/
    │   │   │       └── .gitkeep
    │   │   ├── log/
    │   │   │   └── .gitkeep
    │   │   ├── public/
    │   │   │   ├── 404.html
    │   │   │   ├── 422.html
    │   │   │   ├── 500.html
    │   │   │   ├── index.html
    │   │   │   └── robots.txt
    │   │   ├── script/
    │   │   │   └── rails
    │   │   ├── test/
    │   │   │   ├── fixtures/
    │   │   │   │   ├── .gitkeep
    │   │   │   │   └── users.yml
    │   │   │   ├── functional/
    │   │   │   │   ├── .gitkeep
    │   │   │   │   └── users_controller_test.rb
    │   │   │   ├── integration/
    │   │   │   │   └── .gitkeep
    │   │   │   ├── performance/
    │   │   │   │   └── browsing_test.rb
    │   │   │   ├── test_helper.rb
    │   │   │   └── unit/
    │   │   │       ├── .gitkeep
    │   │   │       ├── helpers/
    │   │   │       │   └── users_helper_test.rb
    │   │   │       └── user_test.rb
    │   │   └── vendor/
    │   │       ├── assets/
    │   │       │   └── stylesheets/
    │   │       │       └── .gitkeep
    │   │       └── plugins/
    │   │           └── .gitkeep
    │   ├── rails3.2/
    │   │   ├── Gemfile
    │   │   ├── README.rdoc
    │   │   ├── Rakefile
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   ├── javascripts/
    │   │   │   │   │   ├── application.js
    │   │   │   │   │   └── users.js.coffee
    │   │   │   │   └── stylesheets/
    │   │   │   │       ├── application.css
    │   │   │   │       ├── scaffolds.css.scss
    │   │   │   │       └── users.css.scss
    │   │   │   ├── controllers/
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   ├── exec_controller/
    │   │   │   │   │   └── command_dependency.rb
    │   │   │   │   ├── exec_controller.rb
    │   │   │   │   ├── removal_controller.rb
    │   │   │   │   └── users_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   ├── application_helper.rb
    │   │   │   │   └── users_helper.rb
    │   │   │   ├── models/
    │   │   │   │   ├── .gitkeep
    │   │   │   │   ├── account.rb
    │   │   │   │   ├── multi_model.rb
    │   │   │   │   ├── no_protection.rb
    │   │   │   │   ├── user/
    │   │   │   │   │   └── command_dependency.rb
    │   │   │   │   └── user.rb
    │   │   │   └── views/
    │   │   │       ├── layouts/
    │   │   │       │   └── application.html.erb
    │   │   │       ├── removal/
    │   │   │       │   ├── _partial.html.erb
    │   │   │       │   ├── controller_removed.html.erb
    │   │   │       │   └── implicit_render.html.erb
    │   │   │       └── users/
    │   │   │           ├── _form.html.erb
    │   │   │           ├── _slimmer.html.slim
    │   │   │           ├── edit.html.erb
    │   │   │           ├── index.html.erb
    │   │   │           ├── mixed_in.html.erb
    │   │   │           ├── new.html.erb
    │   │   │           ├── sanitized.html.erb
    │   │   │           ├── show.html.erb
    │   │   │           └── slimming.html.slim
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── header_dos_protection.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   ├── secret_token.rb
    │   │   │   │   ├── session_store.rb
    │   │   │   │   └── wrap_parameters.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   └── routes.rb
    │   │   ├── config.ru
    │   │   ├── lib/
    │   │   │   ├── assets/
    │   │   │   │   └── .gitkeep
    │   │   │   ├── tasks/
    │   │   │   │   └── .gitkeep
    │   │   │   └── user_controller_mixin.rb
    │   │   └── script/
    │   │       └── rails
    │   ├── rails4/
    │   │   ├── .gitignore
    │   │   ├── Gemfile
    │   │   ├── README.rdoc
    │   │   ├── Rakefile
    │   │   ├── app/
    │   │   │   ├── api/
    │   │   │   │   └── api.rb
    │   │   │   ├── assets/
    │   │   │   │   ├── javascripts/
    │   │   │   │   │   └── application.js
    │   │   │   │   └── stylesheets/
    │   │   │   │       └── application.css
    │   │   │   ├── controllers/
    │   │   │   │   ├── another_controller.rb
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── friendly_controller.rb
    │   │   │   │   ├── mixed_controller.rb
    │   │   │   │   ├── mixed_in_proxy.rb
    │   │   │   │   └── users_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   └── application_helper.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── .keep
    │   │   │   ├── models/
    │   │   │   │   ├── .keep
    │   │   │   │   ├── account.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── email.rb
    │   │   │   │   ├── phone.rb
    │   │   │   │   ├── recursive/
    │   │   │   │   │   └── stack_level.rb
    │   │   │   │   └── user.rb
    │   │   │   └── views/
    │   │   │       ├── _global_partial.html.erb
    │   │   │       ├── another/
    │   │   │       │   ├── html_safe_is_not.html.erb
    │   │   │       │   ├── overflow.html.erb
    │   │   │       │   ├── use_params_in_regex.html.erb
    │   │   │       │   └── various_xss.html.erb
    │   │   │       ├── layouts/
    │   │   │       │   └── application.html.erb
    │   │   │       └── users/
    │   │   │           ├── eval_it.html.erb
    │   │   │           ├── haml_test.html.haml
    │   │   │           ├── index.html.erb
    │   │   │           ├── more_haml.html.haml
    │   │   │           └── test_parse.html.erb
    │   │   ├── bin/
    │   │   │   ├── rails
    │   │   │   └── rake
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── brakeman.ignore
    │   │   │   ├── brakeman.yml
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── filter_parameter_logging.rb
    │   │   │   │   ├── i18n.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   ├── secret_token.rb
    │   │   │   │   ├── session_store.rb
    │   │   │   │   └── wrap_parameters.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   ├── routes.rb
    │   │   │   └── secrets.yml
    │   │   ├── config.ru
    │   │   ├── db/
    │   │   │   └── seeds.rb
    │   │   ├── external_checks/
    │   │   │   └── check_external_check_test.rb
    │   │   ├── lib/
    │   │   │   ├── assets/
    │   │   │   │   └── .keep
    │   │   │   ├── sweet_lib.rb
    │   │   │   └── tasks/
    │   │   │       ├── .keep
    │   │   │       └── some_task.rb
    │   │   ├── log/
    │   │   │   └── .keep
    │   │   ├── public/
    │   │   │   ├── 404.html
    │   │   │   ├── 422.html
    │   │   │   ├── 500.html
    │   │   │   └── robots.txt
    │   │   ├── test/
    │   │   │   ├── controllers/
    │   │   │   │   └── .keep
    │   │   │   ├── fixtures/
    │   │   │   │   └── .keep
    │   │   │   ├── helpers/
    │   │   │   │   └── .keep
    │   │   │   ├── integration/
    │   │   │   │   └── .keep
    │   │   │   ├── mailers/
    │   │   │   │   └── .keep
    │   │   │   ├── models/
    │   │   │   │   └── .keep
    │   │   │   └── test_helper.rb
    │   │   └── vendor/
    │   │       └── assets/
    │   │           ├── javascripts/
    │   │           │   └── .keep
    │   │           └── stylesheets/
    │   │               └── .keep
    │   ├── rails4_non_standard_structure/
    │   │   ├── .gitignore
    │   │   ├── README.rdoc
    │   │   ├── Rakefile
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   ├── images/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── javascripts/
    │   │   │   │   │   └── application.js
    │   │   │   │   └── stylesheets/
    │   │   │   │       └── application.css
    │   │   │   ├── controllers/
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   └── concerns/
    │   │   │   │       └── .keep
    │   │   │   ├── foo_team/
    │   │   │   │   ├── controllers/
    │   │   │   │   │   └── api/
    │   │   │   │   │       └── foo_controller.rb
    │   │   │   │   ├── models/
    │   │   │   │   │   └── foo.rb
    │   │   │   │   └── views/
    │   │   │   │       └── foo.html.erb
    │   │   │   ├── helpers/
    │   │   │   │   └── application_helper.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── .keep
    │   │   │   ├── models/
    │   │   │   │   ├── .keep
    │   │   │   │   └── concerns/
    │   │   │   │       └── .keep
    │   │   │   └── views/
    │   │   │       └── layouts/
    │   │   │           └── application.html.erb
    │   │   ├── bin/
    │   │   │   ├── rails
    │   │   │   ├── rake
    │   │   │   └── spring
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── assets.rb
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── cookies_serializer.rb
    │   │   │   │   ├── filter_parameter_logging.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   ├── session_store.rb
    │   │   │   │   └── wrap_parameters.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   ├── routes.rb
    │   │   │   └── secrets.yml
    │   │   ├── config.ru
    │   │   ├── db/
    │   │   │   └── seeds.rb
    │   │   ├── lib/
    │   │   │   ├── assets/
    │   │   │   │   └── .keep
    │   │   │   └── tasks/
    │   │   │       └── .keep
    │   │   ├── log/
    │   │   │   └── .keep
    │   │   ├── public/
    │   │   │   ├── 404.html
    │   │   │   ├── 422.html
    │   │   │   ├── 500.html
    │   │   │   └── robots.txt
    │   │   ├── rails4test.gemspec
    │   │   ├── test/
    │   │   │   ├── controllers/
    │   │   │   │   └── .keep
    │   │   │   ├── fixtures/
    │   │   │   │   └── .keep
    │   │   │   ├── helpers/
    │   │   │   │   └── .keep
    │   │   │   ├── integration/
    │   │   │   │   └── .keep
    │   │   │   ├── mailers/
    │   │   │   │   └── .keep
    │   │   │   ├── models/
    │   │   │   │   └── .keep
    │   │   │   └── test_helper.rb
    │   │   └── vendor/
    │   │       └── assets/
    │   │           ├── javascripts/
    │   │           │   └── .keep
    │   │           └── stylesheets/
    │   │               └── .keep
    │   ├── rails4_with_engines/
    │   │   ├── README.rdoc
    │   │   ├── Rakefile
    │   │   ├── alt_engines/
    │   │   │   └── admin_stuff/
    │   │   │       └── app/
    │   │   │           ├── controllers/
    │   │   │           │   └── admin_controller.rb
    │   │   │           ├── helpers/
    │   │   │           │   └── application_helper.rb
    │   │   │           └── views/
    │   │   │               └── admin/
    │   │   │                   └── debug.html.erb
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   ├── javascripts/
    │   │   │   │   │   └── application.js
    │   │   │   │   └── stylesheets/
    │   │   │   │       └── application.css
    │   │   │   ├── controllers/
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   └── concerns/
    │   │   │   │       └── .keep
    │   │   │   ├── helpers/
    │   │   │   │   └── application_helper.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── .keep
    │   │   │   ├── models/
    │   │   │   │   ├── .keep
    │   │   │   │   └── concerns/
    │   │   │   │       └── .keep
    │   │   │   └── views/
    │   │   │       └── layouts/
    │   │   │           └── application.html.erb
    │   │   ├── bin/
    │   │   │   ├── rails
    │   │   │   └── rake
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── brakeman.yml
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── filter_parameter_logging.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   ├── nested_attributes_bypass_fix.rb
    │   │   │   │   ├── secret_token.rb
    │   │   │   │   ├── session_store.rb
    │   │   │   │   └── wrap_parameters.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   └── routes.rb
    │   │   ├── config.ru
    │   │   ├── db/
    │   │   │   └── seeds.rb
    │   │   ├── engines/
    │   │   │   └── user_removal/
    │   │   │       ├── app/
    │   │   │       │   ├── assets/
    │   │   │       │   │   ├── javascripts/
    │   │   │       │   │   │   └── users.js.coffee
    │   │   │       │   │   └── stylesheets/
    │   │   │       │   │       └── users.css.scss
    │   │   │       │   ├── controllers/
    │   │   │       │   │   ├── base_controller.rb
    │   │   │       │   │   ├── removal_controller.rb
    │   │   │       │   │   └── users_controller.rb
    │   │   │       │   ├── helpers/
    │   │   │       │   │   ├── application_helper.rb
    │   │   │       │   │   └── users_helper.rb
    │   │   │       │   ├── models/
    │   │   │       │   │   ├── .gitkeep
    │   │   │       │   │   ├── account.rb
    │   │   │       │   │   ├── no_protection.rb
    │   │   │       │   │   └── user.rb
    │   │   │       │   └── views/
    │   │   │       │       ├── removal/
    │   │   │       │       │   ├── _partial.html.erb
    │   │   │       │       │   ├── controller_removed.html.erb
    │   │   │       │       │   └── implicit_render.html.erb
    │   │   │       │       └── users/
    │   │   │       │           ├── _form.html.erb
    │   │   │       │           ├── _slimmer.html.slim
    │   │   │       │           ├── edit.html.erb
    │   │   │       │           ├── index.html.erb
    │   │   │       │           ├── mixed_in.html.erb
    │   │   │       │           ├── new.html.erb
    │   │   │       │           ├── sanitized.html.erb
    │   │   │       │           ├── show.html.erb
    │   │   │       │           └── slimming.html.slim
    │   │   │       ├── config/
    │   │   │       │   └── routes.rb
    │   │   │       └── lib/
    │   │   │           └── user_removal.rb
    │   │   ├── gems.rb
    │   │   ├── lib/
    │   │   │   ├── assets/
    │   │   │   │   └── .keep
    │   │   │   └── tasks/
    │   │   │       └── .keep
    │   │   ├── log/
    │   │   │   └── .keep
    │   │   ├── public/
    │   │   │   ├── 404.html
    │   │   │   ├── 422.html
    │   │   │   ├── 500.html
    │   │   │   └── robots.txt
    │   │   ├── script/
    │   │   │   └── .keep
    │   │   ├── test/
    │   │   │   ├── controllers/
    │   │   │   │   └── .keep
    │   │   │   ├── fixtures/
    │   │   │   │   └── .keep
    │   │   │   ├── helpers/
    │   │   │   │   └── .keep
    │   │   │   ├── integration/
    │   │   │   │   └── .keep
    │   │   │   ├── mailers/
    │   │   │   │   └── .keep
    │   │   │   ├── models/
    │   │   │   │   └── .keep
    │   │   │   └── test_helper.rb
    │   │   └── vendor/
    │   │       └── assets/
    │   │           ├── javascripts/
    │   │           │   └── .keep
    │   │           └── stylesheets/
    │   │               └── .keep
    │   ├── rails5/
    │   │   ├── .gitignore
    │   │   ├── Gemfile
    │   │   ├── README.md
    │   │   ├── Rakefile
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   ├── config/
    │   │   │   │   │   └── manifest.js
    │   │   │   │   ├── images/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── javascripts/
    │   │   │   │   │   ├── application.js
    │   │   │   │   │   ├── cable.coffee
    │   │   │   │   │   ├── channels/
    │   │   │   │   │   │   └── .keep
    │   │   │   │   │   └── users.coffee
    │   │   │   │   └── stylesheets/
    │   │   │   │       ├── application.css
    │   │   │   │       ├── scaffold.css
    │   │   │   │       └── users.css
    │   │   │   ├── channels/
    │   │   │   │   └── application_cable/
    │   │   │   │       ├── channel.rb
    │   │   │   │       └── connection.rb
    │   │   │   ├── controllers/
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   ├── .keep
    │   │   │   │   │   ├── concerning.rb
    │   │   │   │   │   └── forgery_protection.rb
    │   │   │   │   ├── file_controller.rb
    │   │   │   │   ├── mixed_controller.rb
    │   │   │   │   ├── users_controller.rb
    │   │   │   │   └── widget_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   ├── application_helper.rb
    │   │   │   │   └── users_helper.rb
    │   │   │   ├── jobs/
    │   │   │   │   └── application_job.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── application_mailer.rb
    │   │   │   ├── models/
    │   │   │   │   ├── application_record.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── thing.rb
    │   │   │   │   └── user.rb
    │   │   │   └── views/
    │   │   │       ├── layouts/
    │   │   │       │   ├── application.html.erb
    │   │   │       │   ├── mailer.html.erb
    │   │   │       │   ├── mailer.text.erb
    │   │   │       │   └── users.html.erb
    │   │   │       ├── users/
    │   │   │       │   ├── _form.html.erb
    │   │   │       │   ├── edit.html.erb
    │   │   │       │   ├── find_and_preserve.html.haml
    │   │   │       │   ├── if_thing.html.haml
    │   │   │       │   ├── index.html.erb
    │   │   │       │   ├── index.json.jbuilder
    │   │   │       │   ├── new.html.erb
    │   │   │       │   ├── safe_call_params.html.haml
    │   │   │       │   ├── sanitizing.html.erb
    │   │   │       │   ├── show.html.erb
    │   │   │       │   └── show.json.jbuilder
    │   │   │       └── widget/
    │   │   │           ├── attributes.html.haml
    │   │   │           ├── content_tag.html.erb
    │   │   │           ├── graphql.html.erb
    │   │   │           ├── haml_test.html.haml
    │   │   │           ├── no_html.haml
    │   │   │           └── show.html.erb
    │   │   ├── bin/
    │   │   │   ├── rails
    │   │   │   ├── rake
    │   │   │   ├── setup
    │   │   │   ├── spring
    │   │   │   └── update
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── brakeman.yml
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── active_record_belongs_to_required_by_default.rb
    │   │   │   │   ├── application_controller_renderer.rb
    │   │   │   │   ├── assets.rb
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── callback_terminator.rb
    │   │   │   │   ├── cookies_serializer.rb
    │   │   │   │   ├── cors.rb
    │   │   │   │   ├── filter_parameter_logging.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   ├── request_forgery_protection.rb
    │   │   │   │   ├── secrets.rb
    │   │   │   │   ├── session_store.rb
    │   │   │   │   └── wrap_parameters.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   ├── redis/
    │   │   │   │   └── cable.yml
    │   │   │   ├── routes.rb
    │   │   │   └── secrets.yml
    │   │   ├── config.ru
    │   │   ├── db/
    │   │   │   ├── migrate/
    │   │   │   │   └── 20160127223106_create_users.rb
    │   │   │   └── seeds.rb
    │   │   ├── external_checks/
    │   │   │   └── check_external_check_test.rb
    │   │   ├── lib/
    │   │   │   ├── a_lib.rb
    │   │   │   ├── assets/
    │   │   │   │   └── .keep
    │   │   │   ├── lib.rb
    │   │   │   └── tasks/
    │   │   │       └── .keep
    │   │   ├── log/
    │   │   │   └── .keep
    │   │   ├── public/
    │   │   │   ├── 404.html
    │   │   │   ├── 422.html
    │   │   │   ├── 500.html
    │   │   │   └── robots.txt
    │   │   ├── test/
    │   │   │   ├── controllers/
    │   │   │   │   ├── .keep
    │   │   │   │   └── users_controller_test.rb
    │   │   │   ├── fixtures/
    │   │   │   │   ├── .keep
    │   │   │   │   ├── files/
    │   │   │   │   │   └── .keep
    │   │   │   │   └── users.yml
    │   │   │   ├── helpers/
    │   │   │   │   └── .keep
    │   │   │   ├── integration/
    │   │   │   │   └── .keep
    │   │   │   ├── mailers/
    │   │   │   │   └── .keep
    │   │   │   ├── models/
    │   │   │   │   ├── .keep
    │   │   │   │   └── user_test.rb
    │   │   │   └── test_helper.rb
    │   │   ├── tmp/
    │   │   │   └── .keep
    │   │   └── vendor/
    │   │       └── assets/
    │   │           ├── javascripts/
    │   │           │   └── .keep
    │   │           └── stylesheets/
    │   │               └── .keep
    │   ├── rails5.2/
    │   │   ├── .ruby-version
    │   │   ├── Gemfile
    │   │   ├── README.md
    │   │   ├── Rakefile
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   ├── config/
    │   │   │   │   │   └── manifest.js
    │   │   │   │   ├── images/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── javascripts/
    │   │   │   │   │   ├── application.js
    │   │   │   │   │   ├── cable.js
    │   │   │   │   │   └── channels/
    │   │   │   │   │       └── .keep
    │   │   │   │   └── stylesheets/
    │   │   │   │       └── application.css
    │   │   │   ├── channels/
    │   │   │   │   └── application_cable/
    │   │   │   │       ├── channel.rb
    │   │   │   │       └── connection.rb
    │   │   │   ├── controllers/
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   └── users_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   ├── application_helper.rb
    │   │   │   │   └── users_helper.rb
    │   │   │   ├── jobs/
    │   │   │   │   ├── application_job.rb
    │   │   │   │   └── delete_stuff_job.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── application_mailer.rb
    │   │   │   ├── models/
    │   │   │   │   ├── application_record.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   └── user.rb
    │   │   │   └── views/
    │   │   │       ├── home/
    │   │   │       │   └── index.html.erb
    │   │   │       ├── layouts/
    │   │   │       │   ├── application.html.erb
    │   │   │       │   ├── mailer.html.erb
    │   │   │       │   └── mailer.text.erb
    │   │   │       └── users/
    │   │   │           ├── _empty_partial_name.html.erb
    │   │   │           ├── _foo.html.haml
    │   │   │           ├── _foo2.html.haml
    │   │   │           ├── kwsplat.html.haml
    │   │   │           ├── link.html.erb
    │   │   │           ├── not_not.html.erb
    │   │   │           ├── one.html.haml
    │   │   │           ├── smart.html.slim
    │   │   │           ├── test_empty_partial_name.html.erb
    │   │   │           └── two.html.slim
    │   │   ├── bin/
    │   │   │   ├── rails
    │   │   │   ├── rake
    │   │   │   ├── setup
    │   │   │   ├── spring
    │   │   │   ├── update
    │   │   │   └── yarn
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── cable.yml
    │   │   │   ├── credentials.yml.enc
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── application_controller_renderer.rb
    │   │   │   │   ├── assets.rb
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── content_security_policy.rb
    │   │   │   │   ├── cookies_serializer.rb
    │   │   │   │   ├── filter_parameter_logging.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   ├── oj.rb
    │   │   │   │   └── wrap_parameters.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   ├── puma.rb
    │   │   │   ├── routes.rb
    │   │   │   ├── secrets.yml
    │   │   │   ├── spring.rb
    │   │   │   └── storage.yml
    │   │   ├── config.ru
    │   │   ├── db/
    │   │   │   ├── migrate/
    │   │   │   │   └── 20171208205700_create_active_storage_tables.active_storage.rb
    │   │   │   └── seeds.rb
    │   │   ├── lib/
    │   │   │   ├── assets/
    │   │   │   │   └── .keep
    │   │   │   ├── factory_bot.rb
    │   │   │   ├── initthing.rb
    │   │   │   ├── shell.rb
    │   │   │   └── tasks/
    │   │   │       └── .keep
    │   │   ├── log/
    │   │   │   └── .keep
    │   │   ├── package.json
    │   │   ├── public/
    │   │   │   ├── 404.html
    │   │   │   ├── 422.html
    │   │   │   ├── 500.html
    │   │   │   └── robots.txt
    │   │   └── vendor/
    │   │       ├── .keep
    │   │       └── vendored_thing.rb
    │   ├── rails6/
    │   │   ├── .gitignore
    │   │   ├── Gemfile
    │   │   ├── Rakefile
    │   │   ├── another_lib_dir/
    │   │   │   └── some_lib.rb
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   ├── config/
    │   │   │   │   │   └── manifest.js
    │   │   │   │   ├── images/
    │   │   │   │   │   └── .keep
    │   │   │   │   └── stylesheets/
    │   │   │   │       ├── application.css
    │   │   │   │       ├── scaffolds.scss
    │   │   │   │       └── users.scss
    │   │   │   ├── channels/
    │   │   │   │   └── application_cable/
    │   │   │   │       ├── channel.rb
    │   │   │   │       └── connection.rb
    │   │   │   ├── components/
    │   │   │   │   ├── base_component.rb
    │   │   │   │   ├── test_component.rb
    │   │   │   │   ├── test_view_component.rb
    │   │   │   │   ├── test_view_component_contrib.rb
    │   │   │   │   ├── test_view_component_fully_qualified_ancestor.rb
    │   │   │   │   └── text_phlex_component.rb
    │   │   │   ├── controllers/
    │   │   │   │   ├── accounts_controller.rb
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── groups_controller.rb
    │   │   │   │   └── users_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   ├── application_helper.rb
    │   │   │   │   └── users_helper.rb
    │   │   │   ├── javascript/
    │   │   │   │   ├── channels/
    │   │   │   │   │   ├── consumer.js
    │   │   │   │   │   └── index.js
    │   │   │   │   └── packs/
    │   │   │   │       └── application.js
    │   │   │   ├── jobs/
    │   │   │   │   └── application_job.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── application_mailer.rb
    │   │   │   ├── models/
    │   │   │   │   ├── application_record.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── group.rb
    │   │   │   │   └── user.rb
    │   │   │   ├── views/
    │   │   │   │   ├── layouts/
    │   │   │   │   │   ├── application.html.erb
    │   │   │   │   │   ├── mailer.html.erb
    │   │   │   │   │   └── mailer.text.erb
    │   │   │   │   └── users/
    │   │   │   │       ├── _form.html.erb
    │   │   │   │       ├── _user.json.jbuilder
    │   │   │   │       ├── edit.html.erb
    │   │   │   │       ├── index.html.erb
    │   │   │   │       ├── index.json.jbuilder
    │   │   │   │       ├── new.html.erb
    │   │   │   │       ├── show.html.erb
    │   │   │   │       └── show.json.jbuilder
    │   │   │   └── widgets/
    │   │   │       └── widget.rb
    │   │   ├── babel.config.js
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── cable.yml
    │   │   │   ├── credentials.yml.enc
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── allow_all_parameters.rb
    │   │   │   │   ├── application_controller_renderer.rb
    │   │   │   │   ├── assets.rb
    │   │   │   │   ├── backtrace_silencers.rb
    │   │   │   │   ├── content_security_policy.rb
    │   │   │   │   ├── cookies_serializer.rb
    │   │   │   │   ├── filter_parameter_logging.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── json_escape.rb
    │   │   │   │   ├── mime_types.rb
    │   │   │   │   └── wrap_parameters.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   ├── puma.rb
    │   │   │   ├── routes.rb
    │   │   │   ├── spring.rb
    │   │   │   ├── storage.yml
    │   │   │   ├── webpack/
    │   │   │   │   ├── development.js
    │   │   │   │   ├── environment.js
    │   │   │   │   ├── production.js
    │   │   │   │   └── test.js
    │   │   │   └── webpacker.yml
    │   │   ├── config.ru
    │   │   ├── lib/
    │   │   │   ├── assets/
    │   │   │   │   └── .keep
    │   │   │   ├── run_stuff.rb
    │   │   │   ├── tasks/
    │   │   │   │   └── .keep
    │   │   │   └── view_component/
    │   │   │       └── base.rb
    │   │   ├── package.json
    │   │   └── postcss.config.js
    │   ├── rails7/
    │   │   ├── MyGemfile
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   ├── config/
    │   │   │   │   │   └── manifest.js
    │   │   │   │   ├── images/
    │   │   │   │   │   └── .keep
    │   │   │   │   └── stylesheets/
    │   │   │   │       └── application.css
    │   │   │   ├── channels/
    │   │   │   │   └── application_cable/
    │   │   │   │       ├── channel.rb
    │   │   │   │       └── connection.rb
    │   │   │   ├── controllers/
    │   │   │   │   ├── admin_controller.rb
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   └── users_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   └── application_helper.rb
    │   │   │   ├── javascript/
    │   │   │   │   ├── application.js
    │   │   │   │   └── controllers/
    │   │   │   │       ├── application.js
    │   │   │   │       ├── hello_controller.js
    │   │   │   │       └── index.js
    │   │   │   ├── jobs/
    │   │   │   │   └── application_job.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── application_mailer.rb
    │   │   │   ├── models/
    │   │   │   │   ├── application_record.rb
    │   │   │   │   ├── book.rb
    │   │   │   │   ├── concerns/
    │   │   │   │   │   └── .keep
    │   │   │   │   ├── thing.rb
    │   │   │   │   └── user.rb
    │   │   │   └── views/
    │   │   │       └── layouts/
    │   │   │           ├── application.html.erb
    │   │   │           ├── mailer.html.erb
    │   │   │           └── mailer.text.erb
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── cable.yml
    │   │   │   ├── credentials.yml.enc
    │   │   │   ├── database.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── importmap.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── assets.rb
    │   │   │   │   ├── content_security_policy.rb
    │   │   │   │   ├── filter_parameter_logging.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   ├── permissions_policy.rb
    │   │   │   │   └── sanitizers.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   ├── master.key
    │   │   │   ├── puma.rb
    │   │   │   ├── routes.rb
    │   │   │   └── storage.yml
    │   │   └── lib/
    │   │       ├── assets/
    │   │       │   └── .keep
    │   │       ├── some_lib.rb
    │   │       └── tasks/
    │   │           └── .keep
    │   ├── rails8/
    │   │   ├── Gemfile
    │   │   ├── app/
    │   │   │   ├── assets/
    │   │   │   │   └── stylesheets/
    │   │   │   │       └── application.css
    │   │   │   ├── channels/
    │   │   │   │   └── application_cable/
    │   │   │   │       ├── channel.rb
    │   │   │   │       └── connection.rb
    │   │   │   ├── controllers/
    │   │   │   │   ├── application_controller.rb
    │   │   │   │   └── users_controller.rb
    │   │   │   ├── helpers/
    │   │   │   │   ├── application_helper.rb
    │   │   │   │   └── users_helper.rb
    │   │   │   ├── javascript/
    │   │   │   │   ├── application.js
    │   │   │   │   └── controllers/
    │   │   │   │       ├── application.js
    │   │   │   │       ├── hello_controller.js
    │   │   │   │       └── index.js
    │   │   │   ├── jobs/
    │   │   │   │   └── application_job.rb
    │   │   │   ├── mailers/
    │   │   │   │   └── application_mailer.rb
    │   │   │   ├── models/
    │   │   │   │   ├── application_record.rb
    │   │   │   │   ├── thing.rb
    │   │   │   │   └── user.rb
    │   │   │   └── views/
    │   │   │       ├── layouts/
    │   │   │       │   ├── application.html.erb
    │   │   │       │   ├── mailer.html.erb
    │   │   │       │   └── mailer.text.erb
    │   │   │       ├── pwa/
    │   │   │       │   ├── manifest.json.erb
    │   │   │       │   └── service-worker.js
    │   │   │       ├── things/
    │   │   │       │   ├── _thing.html.erb
    │   │   │       │   └── index.html.erb
    │   │   │       └── users/
    │   │   │           ├── _form.html.erb
    │   │   │           ├── _user.html.erb
    │   │   │           ├── _user.json.jbuilder
    │   │   │           ├── dom_id.haml
    │   │   │           ├── edit.html.erb
    │   │   │           ├── index.html.erb
    │   │   │           ├── index.json.jbuilder
    │   │   │           ├── new.html.erb
    │   │   │           ├── show.html.erb
    │   │   │           └── show.json.jbuilder
    │   │   ├── bin/
    │   │   │   ├── brakeman
    │   │   │   ├── importmap
    │   │   │   ├── kamal
    │   │   │   ├── rails
    │   │   │   ├── rake
    │   │   │   ├── rubocop
    │   │   │   └── setup
    │   │   ├── config/
    │   │   │   ├── application.rb
    │   │   │   ├── boot.rb
    │   │   │   ├── cable.yml
    │   │   │   ├── credentials.yml.enc
    │   │   │   ├── database.yml
    │   │   │   ├── deploy.yml
    │   │   │   ├── environment.rb
    │   │   │   ├── environments/
    │   │   │   │   ├── development.rb
    │   │   │   │   ├── production.rb
    │   │   │   │   └── test.rb
    │   │   │   ├── importmap.rb
    │   │   │   ├── initializers/
    │   │   │   │   ├── assets.rb
    │   │   │   │   ├── content_security_policy.rb
    │   │   │   │   ├── filter_parameter_logging.rb
    │   │   │   │   ├── inflections.rb
    │   │   │   │   └── permissions_policy.rb
    │   │   │   ├── locales/
    │   │   │   │   └── en.yml
    │   │   │   ├── master.key
    │   │   │   ├── puma.rb
    │   │   │   ├── routes.rb
    │   │   │   └── storage.yml
    │   │   ├── config.ru
    │   │   └── lib/
    │   │       ├── evals.rb
    │   │       └── masgn.rb
    │   └── rails_with_xss_plugin/
    │       ├── Gemfile
    │       ├── README
    │       ├── Rakefile
    │       ├── app/
    │       │   ├── controllers/
    │       │   │   ├── application_controller.rb
    │       │   │   ├── posts_controller.rb
    │       │   │   └── users_controller.rb
    │       │   ├── helpers/
    │       │   │   ├── application_helper.rb
    │       │   │   ├── posts_helper.rb
    │       │   │   └── users_helper.rb
    │       │   ├── models/
    │       │   │   ├── post.rb
    │       │   │   └── user.rb
    │       │   └── views/
    │       │       ├── layouts/
    │       │       │   ├── posts.html.erb
    │       │       │   └── users.html.erb
    │       │       ├── posts/
    │       │       │   ├── _show.html.erb
    │       │       │   ├── edit.html.erb
    │       │       │   ├── index.html.erb
    │       │       │   ├── new.html.erb
    │       │       │   ├── show.html.erb
    │       │       │   └── show_topic.html.erb
    │       │       └── users/
    │       │           ├── _user.html.erb
    │       │           ├── edit.html.erb
    │       │           ├── index.html.erb
    │       │           ├── login.html.erb
    │       │           ├── new.html.erb
    │       │           ├── results.html.erb
    │       │           ├── search.html.erb
    │       │           ├── show.html.erb
    │       │           ├── test_sanitize.html.erb
    │       │           └── to_json.html.erb
    │       ├── config/
    │       │   ├── boot.rb
    │       │   ├── database.yml
    │       │   ├── environment.rb
    │       │   ├── environments/
    │       │   │   ├── development.rb
    │       │   │   ├── production.rb
    │       │   │   └── test.rb
    │       │   ├── initializers/
    │       │   │   ├── backtrace_silencers.rb
    │       │   │   ├── cookie_verification_secret.rb
    │       │   │   ├── inflections.rb
    │       │   │   ├── json_parsing.rb
    │       │   │   ├── mime_types.rb
    │       │   │   ├── new_rails_defaults.rb
    │       │   │   ├── session_store.rb
    │       │   │   ├── single_quote_workaround.rb
    │       │   │   └── yaml_parsing.rb
    │       │   ├── locales/
    │       │   │   └── en.yml
    │       │   └── routes.rb
    │       ├── db/
    │       │   ├── migrate/
    │       │   │   ├── 20120312064721_create_users.rb
    │       │   │   └── 20120312065023_create_posts.rb
    │       │   ├── schema.rb
    │       │   └── seeds.rb
    │       ├── doc/
    │       │   └── README_FOR_APP
    │       ├── public/
    │       │   ├── 404.html
    │       │   ├── 422.html
    │       │   ├── 500.html
    │       │   ├── javascripts/
    │       │   │   ├── application.js
    │       │   │   ├── controls.js
    │       │   │   ├── dragdrop.js
    │       │   │   ├── effects.js
    │       │   │   └── prototype.js
    │       │   ├── robots.txt
    │       │   └── stylesheets/
    │       │       └── scaffold.css
    │       ├── script/
    │       │   ├── about
    │       │   ├── console
    │       │   ├── dbconsole
    │       │   ├── destroy
    │       │   ├── generate
    │       │   ├── performance/
    │       │   │   ├── benchmarker
    │       │   │   └── profiler
    │       │   ├── plugin
    │       │   ├── runner
    │       │   └── server
    │       ├── test/
    │       │   ├── fixtures/
    │       │   │   ├── posts.yml
    │       │   │   └── users.yml
    │       │   ├── functional/
    │       │   │   ├── posts_controller_test.rb
    │       │   │   └── users_controller_test.rb
    │       │   ├── performance/
    │       │   │   └── browsing_test.rb
    │       │   ├── test_helper.rb
    │       │   └── unit/
    │       │       ├── helpers/
    │       │       │   ├── posts_helper_test.rb
    │       │       │   └── users_helper_test.rb
    │       │       ├── post_test.rb
    │       │       └── user_test.rb
    │       └── vendor/
    │           └── plugins/
    │               └── rails_xss/
    │                   └── README
    ├── test.rb
    ├── tests/
    │   ├── active_record_only.rb
    │   ├── alias_processor.rb
    │   ├── app_tree.rb
    │   ├── brakeman.rb
    │   ├── call_index.rb
    │   ├── checks.rb
    │   ├── codeclimate_engine_configuration.rb
    │   ├── codeclimate_output.rb
    │   ├── commandline.rb
    │   ├── config.rb
    │   ├── constants.rb
    │   ├── cves.rb
    │   ├── differ.rb
    │   ├── file_cache.rb
    │   ├── file_parser.rb
    │   ├── file_path.rb
    │   ├── find_return_value.rb
    │   ├── github_output.rb
    │   ├── ignore.rb
    │   ├── json_compare.rb
    │   ├── json_output.rb
    │   ├── junit_output.rb
    │   ├── logger.rb
    │   ├── markdown_output.rb
    │   ├── mass_assign_disable.rb
    │   ├── oj.rb
    │   ├── only_files_option.rb
    │   ├── options.rb
    │   ├── output_processor.rb
    │   ├── pager.rb
    │   ├── parser_timeout.rb
    │   ├── rails2.rb
    │   ├── rails3.rb
    │   ├── rails31.rb
    │   ├── rails32.rb
    │   ├── rails4.rb
    │   ├── rails4_with_engines.rb
    │   ├── rails5.rb
    │   ├── rails52.rb
    │   ├── rails52_csrf.rb
    │   ├── rails6.rb
    │   ├── rails7.rb
    │   ├── rails7_redirect.rb
    │   ├── rails8.rb
    │   ├── rails_61_sql.rb
    │   ├── rails_lts.rb
    │   ├── rails_with_xss_plugin.rb
    │   ├── render_path.rb
    │   ├── report_generation.rb
    │   ├── rescanner.rb
    │   ├── routes_error.rb
    │   ├── sarif_output.rb
    │   ├── sexp.rb
    │   ├── sonar_output.rb
    │   ├── tabs_output.rb
    │   ├── tracker.rb
    │   └── warning.rb
    └── to_test.rb
SYMBOL INDEX (4611 symbols across 488 files)

FILE: gem_common.rb
  type Brakeman (line 1) | module Brakeman
    type GemDependencies (line 2) | module GemDependencies
      function dev_dependencies (line 3) | def self.dev_dependencies spec
      function base_dependencies (line 10) | def self.base_dependencies spec
      function extended_dependencies (line 18) | def self.extended_dependencies spec

FILE: lib/brakeman.rb
  type Brakeman (line 5) | module Brakeman
    function run (line 81) | def self.run options
    function logger (line 110) | def self.logger
    function logger= (line 114) | def self.logger= log
    function set_default_logger (line 118) | def self.set_default_logger(options = {})
    function cleanup (line 122) | def self.cleanup(newline = true)
    function set_options (line 127) | def self.set_options options
    function load_options (line 168) | def self.load_options line_options
    function config_file (line 218) | def self.config_file custom_location, app_path
    function default_options (line 225) | def self.default_options
    function get_output_formats (line 256) | def self.get_output_formats options
    function get_formats_from_output_format (line 275) | def self.get_formats_from_output_format output_format
    function get_formats_from_output_files (line 309) | def self.get_formats_from_output_files output_files
    function get_github_url (line 345) | def self.get_github_url options
    function list_checks (line 362) | def self.list_checks options
    function dump_config (line 384) | def self.dump_config options
    function ensure_latest (line 422) | def self.ensure_latest(days_old: 0)
    function scan (line 442) | def self.scan options
    function write_report_to_files (line 482) | def self.write_report_to_files tracker, output_files
    function write_report_to_formats (line 501) | def self.write_report_to_formats tracker, output_formats
    function rescan (line 529) | def self.rescan tracker, files, options = {}
    function announce (line 540) | def self.announce message
    function alert (line 544) | def self.alert message
    function debug (line 548) | def self.debug message
    function compare (line 553) | def self.compare options
    function load_brakeman_dependency (line 576) | def self.load_brakeman_dependency name, allow_fail = false
    function ignore_file_entries_with_empty_notes (line 604) | def self.ignore_file_entries_with_empty_notes file
    function filter_warnings (line 614) | def self.filter_warnings tracker, options
    function add_external_checks (line 644) | def self.add_external_checks options
    function check_for_missing_checks (line 650) | def self.check_for_missing_checks included_checks, excluded_checks, en...
    function debug= (line 660) | def self.debug= val
    function quiet= (line 664) | def self.quiet= val
    function process_step (line 668) | def self.process_step(description, &)
    class DependencyError (line 672) | class DependencyError < RuntimeError; end
    class NoBrakemanError (line 673) | class NoBrakemanError < RuntimeError; end
    class NoApplication (line 674) | class NoApplication < RuntimeError; end
    class MissingChecksError (line 675) | class MissingChecksError < RuntimeError; end

FILE: lib/brakeman/app_tree.rb
  type Brakeman (line 4) | module Brakeman
    class AppTree (line 5) | class AppTree
      method from_options (line 10) | def self.from_options(options)
      method regex_for_paths (line 37) | def self.regex_for_paths(paths)
      method initialize (line 60) | def initialize(root, init_options = {})
      method file_path (line 76) | def file_path(path)
      method expand_path (line 82) | def expand_path(path)
      method relative_path (line 88) | def relative_path(path)
      method exists? (line 97) | def exists?(path)
      method ruby_file_paths (line 105) | def ruby_file_paths
      method initializer_paths (line 109) | def initializer_paths
      method controller_paths (line 113) | def controller_paths
      method model_paths (line 117) | def model_paths
      method template_paths (line 121) | def template_paths
      method layout_exists? (line 126) | def layout_exists?(name)
      method lib_paths (line 130) | def lib_paths
      method gemspec (line 137) | def gemspec
      method marshallable (line 151) | def marshallable
      method find_helper_paths (line 162) | def find_helper_paths
      method find_job_paths (line 166) | def find_job_paths
      method find_additional_lib_paths (line 170) | def find_additional_lib_paths
      method find_paths (line 174) | def find_paths(directory, extensions = ".rb")
      method glob_files (line 178) | def glob_files(directory, name, extensions = ".rb")
      method select_files (line 206) | def select_files(paths)
      method reject_directories (line 215) | def reject_directories(paths)
      method select_only_files (line 222) | def select_only_files(paths)
      method reject_skipped_files (line 231) | def reject_skipped_files(paths)
      method reject_global_excludes (line 250) | def reject_global_excludes(paths)
      method in_engine_paths? (line 262) | def in_engine_paths?(path)
      method in_add_libs_paths? (line 266) | def in_add_libs_paths?(path)
      method match_path (line 270) | def match_path files, path
      method top_directories_pattern (line 297) | def top_directories_pattern
      method root_search_pattern (line 312) | def root_search_pattern
      method search_pattern (line 317) | def search_pattern(root_dir)
      method prioritize_concerns (line 326) | def prioritize_concerns paths
      method convert_to_file_paths (line 330) | def convert_to_file_paths paths

FILE: lib/brakeman/call_index.rb
  class Brakeman::CallIndex (line 4) | class Brakeman::CallIndex
    method initialize (line 7) | def initialize calls
    method find_calls (line 22) | def find_calls options
    method remove_template_indexes (line 74) | def remove_template_indexes template_name = nil
    method remove_indexes_by_class (line 84) | def remove_indexes_by_class classes
    method remove_indexes_by_file (line 94) | def remove_indexes_by_file file
    method index_calls (line 104) | def index_calls calls
    method find_chain (line 123) | def find_chain options
    method calls_by_target (line 134) | def calls_by_target target
    method calls_by_targets (line 145) | def calls_by_targets targets
    method calls_by_targets_regex (line 155) | def calls_by_targets_regex targets_regex
    method calls_by_method (line 168) | def calls_by_method method
    method calls_by_methods (line 179) | def calls_by_methods methods
    method calls_by_methods_regex (line 190) | def calls_by_methods_regex methods_regex
    method filter (line 200) | def filter calls, key, value
    method filter_by_method (line 222) | def filter_by_method calls, method
    method filter_by_target (line 226) | def filter_by_target calls, target
    method filter_nested (line 230) | def filter_nested calls
    method filter_by_chain (line 234) | def filter_by_chain calls, target
    method from_template (line 256) | def from_template call, template_name

FILE: lib/brakeman/checks.rb
  class Brakeman::Checks (line 9) | class Brakeman::Checks
    method add (line 16) | def self.add klass
    method add_optional (line 21) | def self.add_optional klass
    method checks (line 25) | def self.checks
    method optional_checks (line 29) | def self.optional_checks
    method initialize_checks (line 33) | def self.initialize_checks check_directory = ""
    method missing_checks (line 40) | def self.missing_checks check_args
    method initialize (line 58) | def initialize options = { }
    method add_warning (line 77) | def add_warning warning
    method diff (line 99) | def diff other_checks
    method all_warnings (line 106) | def all_warnings
    method run_checks (line 112) | def self.run_checks(tracker)
    method actually_run_checks (line 118) | def self.actually_run_checks(checks, check_runner, tracker)
    method get_check_name (line 170) | def self.get_check_name check_class
    method checks_to_run (line 174) | def self.checks_to_run tracker
    method filter_checks (line 192) | def self.filter_checks checks, tracker
    method run_a_check (line 205) | def self.run_a_check klass, mutex, tracker

FILE: lib/brakeman/checks/base_check.rb
  class Brakeman::BaseCheck (line 8) | class Brakeman::BaseCheck < Brakeman::SexpProcessor
    method inherited (line 24) | def inherited(subclass)
    method initialize (line 30) | def initialize(tracker)
    method add_result (line 48) | def add_result result
    method process_default (line 57) | def process_default exp
    method process_call (line 66) | def process_call exp
    method process_if (line 89) | def process_if exp
    method process_params (line 102) | def process_params exp
    method process_cookies (line 108) | def process_cookies exp
    method process_array (line 113) | def process_array exp
    method process_dstr (line 121) | def process_dstr exp
    method array_interp? (line 138) | def array_interp? exp
    method always_safe_method? (line 145) | def always_safe_method? meth
    method boolean_method? (line 150) | def boolean_method? method
    method temp_file_path? (line 159) | def temp_file_path? exp
    method warn (line 164) | def warn options
    method format_output (line 175) | def format_output exp
    method mass_assign_disabled? (line 180) | def mass_assign_disabled?
    method original? (line 250) | def original? result
    method duplicate? (line 258) | def duplicate? result, location = nil
    method get_location (line 274) | def get_location result
    method include_user_input? (line 299) | def include_user_input? exp
    method has_immediate_user_input? (line 311) | def has_immediate_user_input? exp
    method has_immediate_model? (line 378) | def has_immediate_model? exp, out = nil
    method model_name? (line 443) | def model_name? exp
    method include_target? (line 458) | def include_target? exp, target
    method lts_version? (line 468) | def lts_version? version
    method version_between? (line 473) | def version_between? low_version, high_version, current_version = nil
    method gemfile_or_environment (line 477) | def gemfile_or_environment gem_name = :rails
    method description (line 489) | def self.description
    method active_record_models (line 493) | def active_record_models
    method string_building? (line 510) | def string_building? exp
    method locale_call? (line 521) | def locale_call? exp

FILE: lib/brakeman/checks/check_basic_auth.rb
  class Brakeman::CheckBasicAuth (line 7) | class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
    method run_check (line 12) | def run_check
    method check_basic_auth_filter (line 19) | def check_basic_auth_filter
    method check_basic_auth_request (line 46) | def check_basic_auth_request
    method include_password_literal? (line 61) | def include_password_literal? result
    method process_call (line 71) | def process_call exp
    method get_password (line 85) | def get_password call

FILE: lib/brakeman/checks/check_basic_auth_timing_attack.rb
  class Brakeman::CheckBasicAuthTimingAttack (line 3) | class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method check_basic_auth_call (line 23) | def check_basic_auth_call

FILE: lib/brakeman/checks/check_content_tag.rb
  class Brakeman::CheckContentTag (line 16) | class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
    method run_check (line 21) | def run_check
    method process_result (line 45) | def process_result result
    method check_argument (line 104) | def check_argument result, exp
    method process_call (line 164) | def process_call exp
    method check_cve_2016_6316 (line 176) | def check_cve_2016_6316
    method raw? (line 209) | def raw? exp
    method cve_2016_6316? (line 213) | def cve_2016_6316?

FILE: lib/brakeman/checks/check_cookie_serialization.rb
  class Brakeman::CheckCookieSerialization (line 3) | class Brakeman::CheckCookieSerialization < Brakeman::BaseCheck
    method run_check (line 8) | def run_check

FILE: lib/brakeman/checks/check_create_with.rb
  class Brakeman::CheckCreateWith (line 3) | class Brakeman::CheckCreateWith < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method process_result (line 28) | def process_result result
    method danger_level (line 49) | def danger_level exp
    method generic_warning (line 67) | def generic_warning

FILE: lib/brakeman/checks/check_cross_site_scripting.rb
  class Brakeman::CheckCrossSiteScripting (line 14) | class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
    method initialize (line 36) | def initialize *args
    method run_check (line 42) | def run_check
    method check_for_immediate_xss (line 60) | def check_for_immediate_xss exp
    method likely_model_attribute? (line 130) | def likely_model_attribute? exp
    method process_output (line 143) | def process_output exp
    method process_escaped_output (line 149) | def process_escaped_output exp
    method process_call (line 168) | def process_call exp
    method actually_process_call (line 216) | def actually_process_call exp
    method process_params (line 240) | def process_params exp
    method process_cookies (line 246) | def process_cookies exp
    method process_render (line 252) | def process_render exp
    method process_dstr (line 257) | def process_dstr exp
    method process_format (line 262) | def process_format exp
    method process_format_escaped (line 267) | def process_format_escaped exp
    method process_if (line 272) | def process_if exp
    method process_case (line 278) | def process_case exp
    method setup (line 291) | def setup
    method raw_call? (line 340) | def raw_call? exp
    method html_safe_call? (line 344) | def html_safe_call? exp
    method ignore_call? (line 348) | def ignore_call? target, method
    method ignored_model_method? (line 359) | def ignored_model_method? target, method
    method ignored_method? (line 365) | def ignored_method? target, method
    method cgi_escaped? (line 369) | def cgi_escaped? target, method
    method haml_escaped? (line 374) | def haml_escaped? target, method
    method xml_escaped? (line 378) | def xml_escaped? target, method
    method form_builder_method? (line 382) | def form_builder_method? target, method
    method safe_input_attribute? (line 386) | def safe_input_attribute? target, method

FILE: lib/brakeman/checks/check_csrf_token_forgery_cve.rb
  class Brakeman::CheckCSRFTokenForgeryCVE (line 3) | class Brakeman::CheckCSRFTokenForgeryCVE < Brakeman::BaseCheck
    method run_check (line 8) | def run_check

FILE: lib/brakeman/checks/check_default_routes.rb
  class Brakeman::CheckDefaultRoutes (line 4) | class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
    method initialize (line 9) | def initialize *args
    method run_check (line 16) | def run_check
    method check_for_default_routes (line 22) | def check_for_default_routes
    method check_for_action_globs (line 35) | def check_for_action_globs
    method check_for_cve_2014_0130 (line 59) | def check_for_cve_2014_0130
    method allow_all_actions? (line 91) | def allow_all_actions?

FILE: lib/brakeman/checks/check_deserialize.rb
  class Brakeman::CheckDeserialize (line 3) | class Brakeman::CheckDeserialize < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method check_yaml (line 15) | def check_yaml
    method check_csv (line 35) | def check_csv
    method check_marshal (line 39) | def check_marshal
    method check_oj (line 43) | def check_oj
    method check_methods (line 63) | def check_methods target, *methods
    method check_deserialize (line 69) | def check_deserialize result, target, arg = nil
    method oj_safe_default? (line 100) | def oj_safe_default?
    method oj_safe_mode? (line 116) | def oj_safe_mode? options
    method uses_safe_yaml? (line 126) | def uses_safe_yaml?

FILE: lib/brakeman/checks/check_detailed_exceptions.rb
  class Brakeman::CheckDetailedExceptions (line 4) | class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
    method run_check (line 11) | def run_check
    method check_local_request_config (line 16) | def check_local_request_config
    method check_detailed_exceptions (line 27) | def check_detailed_exceptions
    method safe? (line 53) | def safe? body

FILE: lib/brakeman/checks/check_digest_dos.rb
  class Brakeman::CheckDigestDoS (line 3) | class Brakeman::CheckDigestDoS < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method with_http_digest? (line 36) | def with_http_digest?

FILE: lib/brakeman/checks/check_divide_by_zero.rb
  class Brakeman::CheckDivideByZero (line 3) | class Brakeman::CheckDivideByZero < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method check_division (line 14) | def check_division result

FILE: lib/brakeman/checks/check_dynamic_finders.rb
  class Brakeman::CheckDynamicFinders (line 4) | class Brakeman::CheckDynamicFinders < Brakeman::BaseCheck
    method run_check (line 9) | def run_check
    method process_result (line 17) | def process_result result
    method safe_call? (line 39) | def safe_call? arg
    method potentially_dangerous? (line 46) | def potentially_dangerous? method_name

FILE: lib/brakeman/checks/check_eol_rails.rb
  class Brakeman::CheckEOLRails (line 3) | class Brakeman::CheckEOLRails < Brakeman::EOLCheck
    method run_check (line 8) | def run_check

FILE: lib/brakeman/checks/check_eol_ruby.rb
  class Brakeman::CheckEOLRuby (line 3) | class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
    method run_check (line 8) | def run_check

FILE: lib/brakeman/checks/check_escape_function.rb
  class Brakeman::CheckEscapeFunction (line 5) | class Brakeman::CheckEscapeFunction < Brakeman::BaseCheck
    method run_check (line 10) | def run_check

FILE: lib/brakeman/checks/check_evaluation.rb
  class Brakeman::CheckEvaluation (line 5) | class Brakeman::CheckEvaluation < Brakeman::BaseCheck
    method run_check (line 11) | def run_check
    method process_result (line 22) | def process_result result
    method string_evaluation? (line 51) | def string_evaluation? exp
    method safe_value? (line 56) | def safe_value? exp

FILE: lib/brakeman/checks/check_execute.rb
  class Brakeman::CheckExecute (line 11) | class Brakeman::CheckExecute < Brakeman::BaseCheck
    method run_check (line 31) | def run_check
    method process_result (line 52) | def process_result result
    method dash_c_shell_command? (line 155) | def dash_c_shell_command?(first_arg, second_arg)
    method check_open_calls (line 162) | def check_open_calls
    method include_user_input? (line 176) | def include_user_input? exp
    method dangerous_open_arg? (line 194) | def dangerous_open_arg? exp
    method check_for_backticks (line 208) | def check_for_backticks tracker
    method process_backticks (line 215) | def process_backticks result
    method dangerous? (line 239) | def dangerous? exp
    method dangerous_interp? (line 268) | def dangerous_interp? exp
    method include_interp? (line 285) | def include_interp? exp
    method dangerous_string_building? (line 291) | def dangerous_string_building? exp
    method shell_escape? (line 299) | def shell_escape? exp

FILE: lib/brakeman/checks/check_file_access.rb
  class Brakeman::CheckFileAccess (line 5) | class Brakeman::CheckFileAccess < Brakeman::BaseCheck
    method run_check (line 10) | def run_check
    method process_result (line 29) | def process_result result
    method called_on_tempfile? (line 71) | def called_on_tempfile? file_name
    method sanitized? (line 75) | def sanitized? file
    method temp_file_method? (line 81) | def temp_file_method? exp

FILE: lib/brakeman/checks/check_file_disclosure.rb
  class Brakeman::CheckFileDisclosure (line 3) | class Brakeman::CheckFileDisclosure < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method serves_static_assets? (line 33) | def serves_static_assets?

FILE: lib/brakeman/checks/check_filter_skipping.rb
  class Brakeman::CheckFilterSkipping (line 5) | class Brakeman::CheckFilterSkipping < Brakeman::BaseCheck
    method run_check (line 10) | def run_check
    method uses_arbitrary_actions? (line 23) | def uses_arbitrary_actions?

FILE: lib/brakeman/checks/check_force_ssl.rb
  class Brakeman::CheckForceSSL (line 1) | class Brakeman::CheckForceSSL < Brakeman::BaseCheck
    method run_check (line 6) | def run_check

FILE: lib/brakeman/checks/check_forgery_setting.rb
  class Brakeman::CheckForgerySetting (line 7) | class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
    method run_check (line 12) | def run_check
    method csrf_warning (line 51) | def csrf_warning opts
    method check_cve_2011_0447 (line 62) | def check_cve_2011_0447

FILE: lib/brakeman/checks/check_header_dos.rb
  class Brakeman::CheckHeaderDoS (line 3) | class Brakeman::CheckHeaderDoS < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method has_workaround? (line 28) | def has_workaround?

FILE: lib/brakeman/checks/check_i18n_xss.rb
  class Brakeman::CheckI18nXSS (line 3) | class Brakeman::CheckI18nXSS < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method version_before (line 31) | def version_before gem_version, target
    method has_workaround? (line 44) | def has_workaround?

FILE: lib/brakeman/checks/check_jruby_xml.rb
  class Brakeman::CheckJRubyXML (line 3) | class Brakeman::CheckJRubyXML < Brakeman::BaseCheck
    method run_check (line 8) | def run_check

FILE: lib/brakeman/checks/check_json_encoding.rb
  class Brakeman::CheckJSONEncoding (line 3) | class Brakeman::CheckJSONEncoding < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method has_workaround? (line 34) | def has_workaround?

FILE: lib/brakeman/checks/check_json_entity_escape.rb
  class Brakeman::CheckJSONEntityEscape (line 3) | class Brakeman::CheckJSONEntityEscape < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method check_config_setting (line 13) | def check_config_setting
    method check_manual_disable (line 25) | def check_manual_disable

FILE: lib/brakeman/checks/check_json_parsing.rb
  class Brakeman::CheckJSONParsing (line 3) | class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
    method initialize (line 8) | def initialize *args
    method run_check (line 13) | def run_check
    method check_cve_2013_0333 (line 18) | def check_cve_2013_0333
    method uses_yajl? (line 42) | def uses_yajl?
    method uses_gem_backend? (line 47) | def uses_gem_backend?
    method check_cve_2013_0269 (line 63) | def check_cve_2013_0269
    method check_json_version (line 70) | def check_json_version name, version
    method uses_json_parse? (line 106) | def uses_json_parse?

FILE: lib/brakeman/checks/check_link_to.rb
  class Brakeman::CheckLinkTo (line 7) | class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
    method run_check (line 12) | def run_check
    method process_result (line 32) | def process_result result
    method check_argument (line 61) | def check_argument result, exp
    method check_user_input (line 67) | def check_user_input(result, argument)
    method check_method (line 77) | def check_method(result, argument)
    method check_matched (line 90) | def check_matched(result, matched = nil)
    method warn_xss (line 100) | def warn_xss(result, message, user_input, confidence)
    method process_call (line 114) | def process_call exp
    method actually_process_call (line 120) | def actually_process_call exp

FILE: lib/brakeman/checks/check_link_to_href.rb
  class Brakeman::CheckLinkToHref (line 9) | class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
    method run_check (line 14) | def run_check
    method process_result (line 32) | def process_result result
    method check_argument? (line 81) | def check_argument? url_arg
    method ignore_model_call? (line 91) | def ignore_model_call? url_arg, exp
    method ignore_interpolation? (line 108) | def ignore_interpolation? arg, suspect
    method ignore_call? (line 124) | def ignore_call? target, method
    method decorated_model? (line 128) | def decorated_model? method
    method ignored_method? (line 133) | def ignored_method? target, method
    method model_find_call? (line 139) | def model_find_call? exp
    method call_on_params? (line 146) | def call_on_params? exp

FILE: lib/brakeman/checks/check_mail_to.rb
  class Brakeman::CheckMailTo (line 7) | class Brakeman::CheckMailTo < Brakeman::BaseCheck
    method run_check (line 12) | def run_check
    method mail_to_javascript? (line 35) | def mail_to_javascript?

FILE: lib/brakeman/checks/check_mass_assignment.rb
  class Brakeman::CheckMassAssignment (line 7) | class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
    method initialize (line 12) | def initialize(*)
    method run_check (line 17) | def run_check
    method find_mass_assign_calls (line 23) | def find_mass_assign_calls
    method check_mass_assignment (line 54) | def check_mass_assignment
    method process_result (line 64) | def process_result res
    method check_call (line 110) | def check_call call
    method all_literal_args? (line 132) | def all_literal_args? exp
    method literal? (line 147) | def literal? exp
    method check_permit! (line 160) | def check_permit!
    method inside_safe_method? (line 171) | def inside_safe_method? result
    method calls_slice? (line 178) | def calls_slice? result
    method subsequent_mass_assignment? (line 186) | def subsequent_mass_assignment? result
    method warn_on_permit! (line 196) | def warn_on_permit! result
    method check_permit_all_parameters (line 213) | def check_permit_all_parameters

FILE: lib/brakeman/checks/check_mime_type_dos.rb
  class Brakeman::CheckMimeTypeDoS (line 3) | class Brakeman::CheckMimeTypeDoS < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method has_workaround? (line 33) | def has_workaround?

FILE: lib/brakeman/checks/check_model_attr_accessible.rb
  class Brakeman::CheckModelAttrAccessible (line 8) | class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
    method run_check (line 21) | def run_check
    method role_limited? (line 44) | def role_limited? model, attribute
    method check_models (line 50) | def check_models

FILE: lib/brakeman/checks/check_model_attributes.rb
  class Brakeman::CheckModelAttributes (line 5) | class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
    method run_check (line 10) | def run_check
    method check_models (line 49) | def check_models
    method check_for_attr_protected_bypass (line 57) | def check_for_attr_protected_bypass

FILE: lib/brakeman/checks/check_model_serialize.rb
  class Brakeman::CheckModelSerialize (line 3) | class Brakeman::CheckModelSerialize < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method check_for_serialize (line 27) | def check_for_serialize model

FILE: lib/brakeman/checks/check_nested_attributes.rb
  class Brakeman::CheckNestedAttributes (line 5) | class Brakeman::CheckNestedAttributes < Brakeman::BaseCheck
    method run_check (line 10) | def run_check
    method uses_nested_attributes? (line 32) | def uses_nested_attributes?

FILE: lib/brakeman/checks/check_nested_attributes_bypass.rb
  class Brakeman::CheckNestedAttributesBypass (line 4) | class Brakeman::CheckNestedAttributesBypass < Brakeman::BaseCheck
    method run_check (line 9) | def run_check
    method check_nested_attributes (line 20) | def check_nested_attributes
    method warn_about_nested_attributes (line 32) | def warn_about_nested_attributes model, args
    method allow_destroy? (line 46) | def allow_destroy? arg
    method reject_if? (line 51) | def reject_if? arg
    method workaround? (line 56) | def workaround?

FILE: lib/brakeman/checks/check_number_to_currency.rb
  class Brakeman::CheckNumberToCurrency (line 3) | class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
    method initialize (line 8) | def initialize(*)
    method run_check (line 13) | def run_check
    method generic_warning (line 25) | def generic_warning
    method check_number_helper_usage (line 43) | def check_number_helper_usage
    method check_helper_option (line 57) | def check_helper_option result, exp
    method warn_on_number_helper (line 66) | def warn_on_number_helper result, match

FILE: lib/brakeman/checks/check_page_caching_cve.rb
  class Brakeman::CheckPageCachingCVE (line 3) | class Brakeman::CheckPageCachingCVE < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method uses_caches_page? (line 33) | def uses_caches_page?

FILE: lib/brakeman/checks/check_pathname.rb
  class Brakeman::CheckPathname (line 3) | class Brakeman::CheckPathname < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method check_rails_root_join (line 14) | def check_rails_root_join
    method check_pathname_join (line 20) | def check_pathname_join
    method check_result (line 33) | def check_result result

FILE: lib/brakeman/checks/check_permit_attributes.rb
  class Brakeman::CheckPermitAttributes (line 3) | class Brakeman::CheckPermitAttributes < Brakeman::BaseCheck
    method run_check (line 15) | def run_check
    method check_permit (line 21) | def check_permit result
    method warn_on_permit_key (line 35) | def warn_on_permit_key result, key, confidence = nil

FILE: lib/brakeman/checks/check_quote_table_name.rb
  class Brakeman::CheckQuoteTableName (line 5) | class Brakeman::CheckQuoteTableName < Brakeman::BaseCheck
    method run_check (line 10) | def run_check
    method uses_quote_table_name? (line 36) | def uses_quote_table_name?

FILE: lib/brakeman/checks/check_ransack.rb
  class Brakeman::CheckRansack (line 3) | class Brakeman::CheckRansack < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method check_ransack_calls (line 13) | def check_ransack_calls
    method ransackable_allow_list? (line 49) | def ransackable_allow_list? class_name

FILE: lib/brakeman/checks/check_redirect.rb
  class Brakeman::CheckRedirect (line 8) | class Brakeman::CheckRedirect < Brakeman::BaseCheck
    method run_check (line 13) | def run_check
    method process_result (line 35) | def process_result result
    method include_user_input? (line 81) | def include_user_input? opt, immediate = :immediate
    method only_path? (line 124) | def only_path? call
    method use_unsafe_hash_method? (line 138) | def use_unsafe_hash_method? arg
    method call_has_param (line 142) | def call_has_param arg, key
    method has_only_path? (line 153) | def has_only_path? arg
    method explicit_host? (line 161) | def explicit_host? arg
    method check_url_for (line 183) | def check_url_for call
    method model_instance? (line 196) | def model_instance? exp
    method model_target? (line 209) | def model_target? exp
    method friendly_model? (line 218) | def friendly_model? exp
    method decorated_model? (line 224) | def decorated_model? exp
    method association? (line 237) | def association? model_name, meth
    method slice_call? (line 251) | def slice_call? exp
    method safe_permit? (line 258) | def safe_permit? exp
    method protected_by_raise? (line 272) | def protected_by_raise? call
    method raise_on_redirects? (line 277) | def raise_on_redirects?
    method allow_other_host? (line 281) | def allow_other_host? call
    method disallow_other_host? (line 287) | def disallow_other_host? call

FILE: lib/brakeman/checks/check_regex_dos.rb
  class Brakeman::CheckRegexDoS (line 4) | class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
    method run_check (line 17) | def run_check
    method process_result (line 28) | def process_result result
    method process_call (line 60) | def process_call(exp)

FILE: lib/brakeman/checks/check_render.rb
  class Brakeman::CheckRender (line 4) | class Brakeman::CheckRender < Brakeman::BaseCheck
    method run_check (line 9) | def run_check
    method process_render_result (line 15) | def process_render_result result
    method check_for_dynamic_path (line 31) | def check_for_dynamic_path result
    method safe_param? (line 62) | def safe_param? exp
    method renderable? (line 75) | def renderable? exp
    method known_renderable_class? (line 87) | def known_renderable_class? class_name

FILE: lib/brakeman/checks/check_render_dos.rb
  class Brakeman::CheckRenderDoS (line 3) | class Brakeman::CheckRenderDoS < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method text_render? (line 22) | def text_render? result
    method warn_about_text_render (line 27) | def warn_about_text_render

FILE: lib/brakeman/checks/check_render_inline.rb
  class Brakeman::CheckRenderInline (line 1) | class Brakeman::CheckRenderInline < Brakeman::CheckCrossSiteScripting
    method run_check (line 6) | def run_check
    method check_render (line 14) | def check_render result
    method content_type_set? (line 48) | def content_type_set? opts

FILE: lib/brakeman/checks/check_render_rce.rb
  class Brakeman::CheckRenderRCE (line 3) | class Brakeman::CheckRenderRCE < Brakeman::CheckRender
    method run_check (line 8) | def run_check
    method process_render_result (line 14) | def process_render_result result
    method check_for_rce (line 23) | def check_for_rce result

FILE: lib/brakeman/checks/check_response_splitting.rb
  class Brakeman::CheckResponseSplitting (line 5) | class Brakeman::CheckResponseSplitting < Brakeman::BaseCheck
    method run_check (line 10) | def run_check

FILE: lib/brakeman/checks/check_reverse_tabnabbing.rb
  class Brakeman::CheckReverseTabnabbing (line 3) | class Brakeman::CheckReverseTabnabbing < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method process_result (line 15) | def process_result result

FILE: lib/brakeman/checks/check_route_dos.rb
  class Brakeman::CheckRouteDoS (line 3) | class Brakeman::CheckRouteDoS < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method controller_wildcards? (line 31) | def controller_wildcards?

FILE: lib/brakeman/checks/check_safe_buffer_manipulation.rb
  class Brakeman::CheckSafeBufferManipulation (line 6) | class Brakeman::CheckSafeBufferManipulation < Brakeman::BaseCheck
    method run_check (line 11) | def run_check

FILE: lib/brakeman/checks/check_sanitize_config_cve.rb
  class Brakeman::CheckSanitizeConfigCve (line 3) | class Brakeman::CheckSanitizeConfigCve < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method cve_warning (line 24) | def cve_warning confidence: :weak, result: nil
    method check_config (line 52) | def check_config
    method check_sanitize_calls (line 65) | def check_sanitize_calls
    method check_safe_list_allowed_tags (line 77) | def check_safe_list_allowed_tags
    method check_tags_option (line 85) | def check_tags_option result
    method check_result (line 93) | def check_result result, arg
    method include_both_tags? (line 100) | def include_both_tags? exp
    method has_tag? (line 107) | def has_tag? exp, tag

FILE: lib/brakeman/checks/check_sanitize_methods.rb
  class Brakeman::CheckSanitizeMethods (line 5) | class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
    method run_check (line 10) | def run_check
    method check_cve_2013_1855 (line 34) | def check_cve_2013_1855
    method check_cve_2013_1857 (line 38) | def check_cve_2013_1857
    method check_for_cve (line 42) | def check_for_cve method, code, link
    method check_rails_html_sanitizer (line 59) | def check_rails_html_sanitizer
    method check_cve_2018_8048 (line 72) | def check_cve_2018_8048
    method loofah_vulnerable_cve_2018_8048? (line 92) | def loofah_vulnerable_cve_2018_8048?
    method warn_sanitizer_cve (line 99) | def warn_sanitizer_cve cve, link, upgrade_version

FILE: lib/brakeman/checks/check_secrets.rb
  class Brakeman::CheckSecrets (line 3) | class Brakeman::CheckSecrets < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method check_constants (line 12) | def check_constants
    method looks_like_secret? (line 37) | def looks_like_secret? name

FILE: lib/brakeman/checks/check_select_tag.rb
  class Brakeman::CheckSelectTag (line 5) | class Brakeman::CheckSelectTag < Brakeman::BaseCheck
    method run_check (line 10) | def run_check
    method process_result (line 36) | def process_result result

FILE: lib/brakeman/checks/check_select_vulnerability.rb
  class Brakeman::CheckSelectVulnerability (line 5) | class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
    method run_check (line 10) | def run_check
    method process_result (line 37) | def process_result result

FILE: lib/brakeman/checks/check_send.rb
  class Brakeman::CheckSend (line 4) | class Brakeman::CheckSend < Brakeman::BaseCheck
    method run_check (line 9) | def run_check
    method process_result (line 19) | def process_result result
    method get_send (line 38) | def get_send exp

FILE: lib/brakeman/checks/check_send_file.rb
  class Brakeman::CheckSendFile (line 5) | class Brakeman::CheckSendFile < Brakeman::CheckFileAccess
    method run_check (line 10) | def run_check

FILE: lib/brakeman/checks/check_session_manipulation.rb
  class Brakeman::CheckSessionManipulation (line 3) | class Brakeman::CheckSessionManipulation < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method process_result (line 14) | def process_result result

FILE: lib/brakeman/checks/check_session_settings.rb
  class Brakeman::CheckSessionSettings (line 4) | class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
    method initialize (line 9) | def initialize *args
    method run_check (line 19) | def run_check
    method process_attrasgn (line 46) | def process_attrasgn exp
    method process_call (line 62) | def process_call exp
    method settings_target? (line 72) | def settings_target? exp
    method check_for_issues (line 79) | def check_for_issues settings, file
    method check_for_rails3_issues (line 98) | def check_for_rails3_issues settings, file
    method check_secrets_yaml (line 114) | def check_secrets_yaml
    method warn_about_http_only (line 138) | def warn_about_http_only line, file
    method warn_about_secret_token (line 149) | def warn_about_secret_token line, file
    method warn_about_secure_only (line 159) | def warn_about_secure_only line, file
    method ignored? (line 169) | def ignored? file

FILE: lib/brakeman/checks/check_simple_format.rb
  class Brakeman::CheckSimpleFormat (line 3) | class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
    method initialize (line 8) | def initialize *args
    method run_check (line 13) | def run_check
    method generic_warning (line 23) | def generic_warning
    method check_simple_format_usage (line 35) | def check_simple_format_usage
    method process_call (line 45) | def process_call exp
    method warn_on_simple_format (line 51) | def warn_on_simple_format result, match

FILE: lib/brakeman/checks/check_single_quotes.rb
  class Brakeman::CheckSingleQuotes (line 5) | class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
    method initialize (line 11) | def initialize *args
    method run_check (line 16) | def run_check
    method uses_rack_escape? (line 47) | def uses_rack_escape?
    method process_class (line 58) | def process_class exp
    method process_module (line 71) | def process_module exp
    method process_defn (line 84) | def process_defn exp
    method process_call (line 97) | def process_call exp

FILE: lib/brakeman/checks/check_skip_before_filter.rb
  class Brakeman::CheckSkipBeforeFilter (line 10) | class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
    method run_check (line 15) | def run_check
    method process_skip_filter (line 23) | def process_skip_filter filter, controller
    method skip_except_value (line 48) | def skip_except_value filter

FILE: lib/brakeman/checks/check_sprockets_path_traversal.rb
  class Brakeman::CheckSprocketsPathTraversal (line 1) | class Brakeman::CheckSprocketsPathTraversal < Brakeman::BaseCheck
    method run_check (line 6) | def run_check
    method has_workaround? (line 37) | def has_workaround?

FILE: lib/brakeman/checks/check_sql.rb
  class Brakeman::CheckSQL (line 11) | class Brakeman::CheckSQL < Brakeman::BaseCheck
    method run_check (line 16) | def run_check
    method find_scope_calls (line 83) | def find_scope_calls
    method ar_scope_calls (line 111) | def ar_scope_calls(symbol_name, &block)
    method scope_call_hash (line 122) | def scope_call_hash(call, model, method)
    method process_scope_with_block (line 127) | def process_scope_with_block model, args
    method process_result (line 173) | def process_result result
    method check_find_arguments (line 288) | def check_find_arguments arg
    method check_scope_arguments (line 294) | def check_scope_arguments call
    method check_query_arguments (line 300) | def check_query_arguments arg
    method check_order_arguments (line 335) | def check_order_arguments args
    method check_by_sql_arguments (line 347) | def check_by_sql_arguments arg
    method check_joins_arguments (line 357) | def check_joins_arguments arg
    method check_update_all_arguments (line 372) | def check_update_all_arguments args
    method check_lock_arguments (line 384) | def check_lock_arguments arg
    method check_hash_keys (line 394) | def check_hash_keys exp
    method check_string_interp (line 409) | def check_string_interp arg
    method unsafe_string_interp? (line 423) | def unsafe_string_interp? exp
    method unsafe_sql? (line 460) | def unsafe_sql? exp, ignore_hash = false
    method find_dangerous_value (line 468) | def find_dangerous_value exp, ignore_hash
    method check_hash_values (line 527) | def check_hash_values exp
    method check_for_string_building (line 552) | def check_for_string_building exp
    method check_str_target_or_arg (line 569) | def check_str_target_or_arg target, arg
    method check_interp_target_or_arg (line 577) | def check_interp_target_or_arg target, arg
    method check_string_arg (line 584) | def check_string_arg exp
    method ignore_methods_in_sql (line 607) | def ignore_methods_in_sql
    method safe_value? (line 611) | def safe_value? exp
    method ignore_call? (line 636) | def ignore_call? exp
    method quote_call? (line 650) | def quote_call? exp
    method arel? (line 662) | def arel? exp
    method check_call (line 667) | def check_call exp
    method check_exists (line 680) | def check_exists arg
    method check_for_limit_or_offset_vulnerability (line 692) | def check_for_limit_or_offset_vulnerability options
    method constantize_call? (line 714) | def constantize_call? result
    method connect_call? (line 721) | def connect_call? result
    method number_target? (line 737) | def number_target? exp
    method date_target? (line 751) | def date_target? exp

FILE: lib/brakeman/checks/check_sql_cves.rb
  class Brakeman::CheckSQLCVEs (line 3) | class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method check_rails_versions_against_cve_issues (line 13) | def check_rails_versions_against_cve_issues
    method cve_warning_for (line 73) | def cve_warning_for versions, cve, link
    method upgrade_version? (line 88) | def upgrade_version? versions
    method check_cve_2014_0080 (line 96) | def check_cve_2014_0080

FILE: lib/brakeman/checks/check_ssl_verify.rb
  class Brakeman::CheckSSLVerify (line 5) | class Brakeman::CheckSSLVerify < Brakeman::BaseCheck
    method run_check (line 12) | def run_check
    method check_open_ssl_verify_none (line 17) | def check_open_ssl_verify_none
    method process_verify_mode_result (line 21) | def process_verify_mode_result result
    method check_http_start (line 27) | def check_http_start
    method process_http_start_result (line 31) | def process_http_start_result result
    method warn_about_ssl_verification_bypass (line 39) | def warn_about_ssl_verification_bypass result

FILE: lib/brakeman/checks/check_strip_tags.rb
  class Brakeman::CheckStripTags (line 11) | class Brakeman::CheckStripTags < Brakeman::BaseCheck
    method run_check (line 16) | def run_check
    method cve_2011_2931 (line 25) | def cve_2011_2931
    method cve_2012_3465 (line 43) | def cve_2012_3465
    method cve_2015_7579 (line 68) | def cve_2015_7579
    method uses_strip_tags? (line 89) | def uses_strip_tags?

FILE: lib/brakeman/checks/check_symbol_dos.rb
  class Brakeman::CheckSymbolDoS (line 3) | class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
    method run_check (line 10) | def run_check
    method check_unsafe_symbol_creation (line 19) | def check_unsafe_symbol_creation result
    method safe_parameter? (line 53) | def safe_parameter? input
    method symbolizing_attributes? (line 67) | def symbolizing_attributes? input

FILE: lib/brakeman/checks/check_symbol_dos_cve.rb
  class Brakeman::CheckSymbolDoSCVE (line 3) | class Brakeman::CheckSymbolDoSCVE < Brakeman::BaseCheck
    method run_check (line 8) | def run_check

FILE: lib/brakeman/checks/check_template_injection.rb
  class Brakeman::CheckTemplateInjection (line 3) | class Brakeman::CheckTemplateInjection < Brakeman::BaseCheck
    method run_check (line 9) | def run_check
    method process_result (line 20) | def process_result result

FILE: lib/brakeman/checks/check_translate_bug.rb
  class Brakeman::CheckTranslateBug (line 4) | class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
    method run_check (line 9) | def run_check
    method uses_translate? (line 41) | def uses_translate?

FILE: lib/brakeman/checks/check_unsafe_reflection.rb
  class Brakeman::CheckUnsafeReflection (line 7) | class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
    method run_check (line 12) | def run_check
    method check_unsafe_reflection (line 20) | def check_unsafe_reflection result

FILE: lib/brakeman/checks/check_unsafe_reflection_methods.rb
  class Brakeman::CheckUnsafeReflectionMethods (line 3) | class Brakeman::CheckUnsafeReflectionMethods < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method check_method (line 14) | def check_method
    method check_tap (line 24) | def check_tap
    method check_to_proc (line 39) | def check_to_proc
    method warn_unsafe_reflection (line 49) | def warn_unsafe_reflection result, input

FILE: lib/brakeman/checks/check_unscoped_find.rb
  class Brakeman::CheckUnscopedFind (line 4) | class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
    method run_check (line 9) | def run_check
    method process_result (line 36) | def process_result result
    method optional_belongs_to? (line 55) | def optional_belongs_to? exp

FILE: lib/brakeman/checks/check_validation_regex.rb
  class Brakeman::CheckValidationRegex (line 10) | class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
    method run_check (line 18) | def run_check
    method process_validates_format_of (line 40) | def process_validates_format_of validator
    method process_validates (line 47) | def process_validates validator
    method check_regex (line 84) | def check_regex value, validator
    method get_name (line 100) | def get_name validator
    method secure_regex? (line 112) | def secure_regex?(regex)

FILE: lib/brakeman/checks/check_verb_confusion.rb
  class Brakeman::CheckVerbConfusion (line 3) | class Brakeman::CheckVerbConfusion < Brakeman::BaseCheck
    method run_check (line 9) | def run_check
    method process_result (line 17) | def process_result result
    method process_if (line 38) | def process_if exp
    method warn_about_result (line 53) | def warn_about_result result, code

FILE: lib/brakeman/checks/check_weak_hash.rb
  class Brakeman::CheckWeakHash (line 3) | class Brakeman::CheckWeakHash < Brakeman::BaseCheck
    method run_check (line 10) | def run_check
    method process_hash_result (line 24) | def process_hash_result result
    method process_hmac_result (line 60) | def process_hmac_result result
    method process_openssl_result (line 82) | def process_openssl_result result
    method user_input_as_arg? (line 101) | def user_input_as_arg? call
    method hashing_password? (line 111) | def hashing_password? call
    method process_call (line 125) | def process_call exp
    method process_ivar (line 135) | def process_ivar exp
    method process_lvar (line 143) | def process_lvar exp

FILE: lib/brakeman/checks/check_weak_rsa_key.rb
  class Brakeman::CheckWeakRSAKey (line 3) | class Brakeman::CheckWeakRSAKey < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method check_rsa_key_creation (line 13) | def check_rsa_key_creation
    method check_rsa_operations (line 33) | def check_rsa_operations
    method check_key_size (line 53) | def check_key_size result, key_size_arg
    method check_padding (line 85) | def check_padding result, padding_arg

FILE: lib/brakeman/checks/check_without_protection.rb
  class Brakeman::CheckWithoutProtection (line 7) | class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
    method run_check (line 12) | def run_check
    method process_result (line 34) | def process_result res
    method all_literals? (line 66) | def all_literals? call

FILE: lib/brakeman/checks/check_xml_dos.rb
  class Brakeman::CheckXMLDoS (line 3) | class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method has_workaround? (line 37) | def has_workaround?

FILE: lib/brakeman/checks/check_yaml_parsing.rb
  class Brakeman::CheckYAMLParsing (line 3) | class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
    method run_check (line 8) | def run_check
    method disabled_xml_parser? (line 50) | def disabled_xml_parser?
    method enabled_yaml_parser? (line 74) | def enabled_yaml_parser?
    method disabled_xml_dangerous_types? (line 91) | def disabled_xml_dangerous_types?

FILE: lib/brakeman/checks/eol_check.rb
  class Brakeman::EOLCheck (line 5) | class Brakeman::EOLCheck < Brakeman::BaseCheck
    method check_eol_version (line 6) | def check_eol_version library, eol_dates
    method warn_about_soon_unsupported_version (line 32) | def warn_about_soon_unsupported_version library, eol_date, version, co...
    method warn_about_unsupported_version (line 41) | def warn_about_unsupported_version library, eol_date, version

FILE: lib/brakeman/codeclimate/engine_configuration.rb
  type Brakeman (line 3) | module Brakeman
    type Codeclimate (line 4) | module Codeclimate
      class EngineConfiguration (line 5) | class EngineConfiguration
        method initialize (line 7) | def initialize(engine_config = {})
        method options (line 11) | def options
        method default_options (line 19) | def default_options
        method configured_options (line 32) | def configured_options
        method brakeman_configuration (line 52) | def brakeman_configuration
        method active_include_paths (line 60) | def active_include_paths
        method stripped_include_paths (line 69) | def stripped_include_paths(prefix)
        method path_subprefixes (line 77) | def path_subprefixes(path)
        method stripped_include_path (line 88) | def stripped_include_path(prefix, subprefixes, path)

FILE: lib/brakeman/commandline.rb
  type Brakeman (line 3) | module Brakeman
    class Commandline (line 6) | class Commandline
      method start (line 14) | def start options = nil, app_path = "."
      method run (line 30) | def run options, default_app_path = "."
      method check_latest (line 44) | def check_latest(days_old = 0)
      method compare_results (line 55) | def compare_results options
      method early_exit_options (line 77) | def early_exit_options options
      method parse_options (line 99) | def parse_options argv
      method quit (line 127) | def quit exit_code = 0, message = nil
      method regular_report (line 134) | def regular_report options
      method run_brakeman (line 171) | def run_brakeman options
      method run_report (line 176) | def run_report options
      method set_interrupt_handler (line 191) | def set_interrupt_handler options
      method set_options (line 207) | def set_options options, default_app_path = "."

FILE: lib/brakeman/differ.rb
  class Brakeman::Differ (line 3) | class Brakeman::Differ
    method initialize (line 6) | def initialize new_warnings, old_warnings
    method diff (line 11) | def diff
    method second_pass (line 22) | def second_pass(warnings)
    method fingerprint (line 42) | def fingerprint(warning)

FILE: lib/brakeman/file_parser.rb
  type Brakeman (line 3) | module Brakeman
    class FileParser (line 7) | class FileParser
      method initialize (line 10) | def initialize app_tree, timeout, parallel = true, use_prism = false
      method parse_files (line 30) | def parse_files list
      method read_files (line 67) | def read_files list
      method parse_ruby (line 84) | def parse_ruby input, path
      method parse_with_prism (line 106) | def parse_with_prism input, path
      method parse_with_ruby_parser (line 110) | def parse_with_ruby_parser input, path

FILE: lib/brakeman/file_path.rb
  type Brakeman (line 3) | module Brakeman
    class FilePath (line 7) | class FilePath
      method from_app_tree (line 18) | def self.from_app_tree app_tree, path
      method initialize (line 33) | def initialize absolute_path, relative_path
      method basename (line 39) | def basename
      method read (line 44) | def read
      method exists? (line 49) | def exists?
      method <=> (line 54) | def <=> rhs
      method == (line 60) | def == rhs
      method to_str (line 67) | def to_str
      method to_s (line 76) | def to_s
      method hash (line 80) | def hash
      method eql? (line 84) | def eql? rhs

FILE: lib/brakeman/logger.rb
  type Brakeman (line 1) | module Brakeman
    type Logger (line 2) | module Logger
      function get_logger (line 3) | def self.get_logger options, dest = $stderr
      class Base (line 18) | class Base
        method initialize (line 19) | def initialize(options, log_destination = $stderr)
        method log (line 26) | def log(message, newline: true)
        method announce (line 35) | def announce(message); end
        method alert (line 38) | def alert(message); end
        method debug (line 41) | def debug(message); end
        method context (line 44) | def context(description, &)
        method single_context (line 49) | def single_context(description, &)
        method update_progress (line 54) | def update_progress(current, total, type = 'files'); end
        method spin (line 57) | def spin; end
        method cleanup (line 60) | def cleanup(newline = true); end
        method show_timing? (line 62) | def show_timing? = @show_timing
        method color (line 65) | def color(message, *)
        method color? (line 73) | def color?
        method load_highline (line 79) | def load_highline(output_color)
      class Plain (line 90) | class Plain < Base
        method initialize (line 91) | def initialize(options, *)
        method announce (line 97) | def announce(message)
        method alert (line 101) | def alert(message)
        method context (line 105) | def context(description, &)
        method time_step (line 115) | def time_step(description, &)
      class Quiet (line 124) | class Quiet < Base
        method initialize (line 125) | def initialize(*)
      class Debug (line 130) | class Debug < Plain
        method debug (line 131) | def debug(message)
        method context (line 135) | def context(description, &)
        method single_context (line 141) | def single_context(description, &)
      class Console (line 153) | class Console < Base
        method initialize (line 156) | def initialize(options, *)
        method announce (line 175) | def announce message
        method alert (line 181) | def alert message
        method context (line 187) | def context(description, &)
        method time_step (line 195) | def time_step(description, &)
        method update_progress (line 208) | def update_progress current, total, type = 'files'
        method write_prefix (line 218) | def write_prefix pref
        method rewrite_prefix (line 224) | def rewrite_prefix
        method write_after (line 229) | def write_after message
        method set_prefix (line 235) | def set_prefix message
        method clear_prefix (line 240) | def clear_prefix
        method clear_line (line 246) | def clear_line
        method spin (line 251) | def spin
        method cleanup (line 259) | def cleanup(newline = true)

FILE: lib/brakeman/messages.rb
  type Brakeman (line 1) | module Brakeman
    type Messages (line 2) | module Messages
      function msg (line 5) | def msg *args
      function msg_code (line 18) | def msg_code code
      function msg_cve (line 23) | def msg_cve cve
      function msg_file (line 28) | def msg_file str
      function msg_input (line 34) | def msg_input input
      function msg_lit (line 39) | def msg_lit str
      function msg_plain (line 44) | def msg_plain str
      function msg_version (line 49) | def msg_version version, lib = "Rails"
  class Brakeman::Messages::Message (line 56) | class Brakeman::Messages::Message
    method initialize (line 57) | def initialize *args
    method << (line 68) | def << msg
    method to_s (line 76) | def to_s
    method to_html (line 88) | def to_html
  class Brakeman::Messages::Code (line 103) | class Brakeman::Messages::Code
    method initialize (line 104) | def initialize code
    method to_s (line 108) | def to_s
    method to_html (line 112) | def to_html
  class Brakeman::Messages::CVE (line 117) | class Brakeman::Messages::CVE
    method initialize (line 118) | def initialize cve
    method to_s (line 122) | def to_s
    method to_html (line 126) | def to_html
  class Brakeman::Messages::FileName (line 131) | class Brakeman::Messages::FileName
    method initialize (line 132) | def initialize file
    method to_s (line 136) | def to_s
    method to_html (line 140) | def to_html
  class Brakeman::Messages::Input (line 145) | class Brakeman::Messages::Input
    method initialize (line 146) | def initialize input
    method friendly_type_of (line 151) | def friendly_type_of input_type
    method to_s (line 170) | def to_s
    method to_html (line 174) | def to_html
  class Brakeman::Messages::Literal (line 179) | class Brakeman::Messages::Literal
    method initialize (line 180) | def initialize value
    method to_s (line 184) | def to_s
    method to_html (line 188) | def to_html
  class Brakeman::Messages::Plain (line 193) | class Brakeman::Messages::Plain
    method initialize (line 194) | def initialize string
    method to_s (line 198) | def to_s
    method to_html (line 202) | def to_html
  class Brakeman::Messages::Version (line 207) | class Brakeman::Messages::Version
    method initialize (line 208) | def initialize version, lib
    method to_s (line 213) | def to_s
    method to_html (line 217) | def to_html

FILE: lib/brakeman/options.rb
  type Brakeman::Options (line 5) | module Brakeman::Options
    function parse (line 10) | def parse args
    function parse! (line 15) | def parse! args
    function get_options (line 20) | def get_options args, destructive = false
    function create_option_parser (line 38) | def create_option_parser options

FILE: lib/brakeman/parsers/haml_embedded.rb
  type Brakeman (line 1) | module Brakeman
    type FakeHamlFilter (line 2) | module FakeHamlFilter
      function compile (line 4) | def compile(compiler, text)
  type Haml::Filters::Coffee (line 29) | module Haml::Filters::Coffee
  type Haml::Filters::Markdown (line 35) | module Haml::Filters::Markdown
  type Haml::Filters::Sass (line 41) | module Haml::Filters::Sass

FILE: lib/brakeman/parsers/rails_erubi.rb
  type Brakeman (line 7) | module Brakeman
    class Erubi (line 8) | class Erubi < ::Erubi::Engine
      method initialize (line 10) | def initialize(input, properties = {})
      method add_text (line 30) | def add_text(text)
      method add_expression (line 47) | def add_expression(indicator, code)
      method add_code (line 65) | def add_code(code)
      method add_postamble (line 70) | def add_postamble(_)
      method flush_newline_if_pending (line 75) | def flush_newline_if_pending(src)

FILE: lib/brakeman/parsers/slim_embedded.rb
  type Slim (line 2) | module Slim
    class Embedded (line 3) | class Embedded
      class TiltEngine (line 4) | class TiltEngine
        method on_slim_embedded (line 6) | def on_slim_embedded(engine, body, attrs)
      class SassEngine (line 23) | class SassEngine
        method tilt_render (line 27) | def tilt_render(tilt_engine, tilt_options, text)
      class CoffeeEngine (line 33) | class CoffeeEngine < TiltEngine
        method tilt_render (line 36) | def tilt_render(tilt_engine, tilt_options, text)

FILE: lib/brakeman/parsers/template_parser.rb
  type Brakeman (line 1) | module Brakeman
    class TemplateParser (line 2) | class TemplateParser
      method initialize (line 9) | def initialize tracker, file_parser
      method parse_template (line 15) | def parse_template path, text
      method parse_erb (line 48) | def parse_erb path, text
      method erubi? (line 64) | def erubi?
      method parse_haml (line 69) | def parse_haml path, text
      method haml6? (line 94) | def haml6?
      method parse_slim (line 107) | def parse_slim path, text
      method load_slim_smart? (line 124) | def load_slim_smart?
      method parse_inline_erb (line 139) | def self.parse_inline_erb tracker, text

FILE: lib/brakeman/processor.rb
  type Brakeman (line 7) | module Brakeman
    class Processor (line 12) | class Processor
      method initialize (line 15) | def initialize(app_tree, options)
      method tracked_events (line 19) | def tracked_events
      method process_config (line 24) | def process_config src, file_name
      method process_gems (line 29) | def process_gems gem_files
      method process_routes (line 34) | def process_routes src
      method process_controller (line 39) | def process_controller src, file_name
      method process_controller_alias (line 49) | def process_controller_alias name, src, only_method = nil, file = nil
      method process_model (line 54) | def process_model src, file_name
      method process_template (line 60) | def process_template name, src, type, called_from = nil, file_name =...
      method process_template_alias (line 87) | def process_template_alias template
      method process_initializer (line 92) | def process_initializer file_name, src
      method process_lib (line 99) | def process_lib src, file_name

FILE: lib/brakeman/processors/alias_processor.rb
  class Brakeman::AliasProcessor (line 10) | class Brakeman::AliasProcessor < Brakeman::SexpProcessor
    method initialize (line 23) | def initialize tracker = nil, current_file = nil
    method process_safely (line 47) | def process_safely src, set_env = nil, current_file = @current_file
    method process_default (line 57) | def process_default exp
    method replace (line 83) | def replace exp, int = 0
    method process_bracket_call (line 99) | def process_bracket_call exp
    method process_call (line 173) | def process_call exp
    method process_array_join (line 356) | def process_array_join array, join_str
    method join_item (line 421) | def join_item item, join_value
    method temp_file_open? (line 433) | def temp_file_open? exp
    method temp_file_create? (line 439) | def temp_file_create? exp
    method temp_file_new (line 445) | def temp_file_new line
    method splat_array? (line 449) | def splat_array? exp
    method process_iter (line 454) | def process_iter exp
    method process_scope (line 513) | def process_scope exp
    method process_block (line 521) | def process_block exp
    method process_defn (line 528) | def process_defn exp
    method meth_env (line 535) | def meth_env
    method process_defs (line 548) | def process_defs exp
    method get_rhs (line 556) | def get_rhs exp
    method process_lasgn (line 566) | def process_lasgn exp
    method process_iasgn (line 585) | def process_iasgn exp
    method process_gasgn (line 605) | def process_gasgn exp
    method process_cvdecl (line 621) | def process_cvdecl exp
    method process_attrasgn (line 635) | def process_attrasgn exp
    method process_masgn (line 673) | def process_masgn exp
    method process_hash (line 737) | def process_hash exp
    method process_hash_merge! (line 781) | def process_hash_merge! hash, args
    method process_hash_merge (line 794) | def process_hash_merge hash, args
    method process_op_asgn1 (line 804) | def process_op_asgn1 exp
    method process_op_asgn2 (line 832) | def process_op_asgn2 exp
    method process_svalue (line 850) | def process_svalue exp
    method process_cdecl (line 856) | def process_cdecl exp
    method hash_or_array_include_all_literals? (line 881) | def hash_or_array_include_all_literals? exp
    method array_include_all_literals? (line 898) | def array_include_all_literals? exp
    method array_detect_all_literals? (line 904) | def array_detect_all_literals? exp
    method in_array_all_literals? (line 916) | def in_array_all_literals? exp
    method hash_include_all_literals? (line 926) | def hash_include_all_literals? exp
    method process_if (line 933) | def process_if exp
    method process_branch_with_value (line 1015) | def process_branch_with_value var, value, branch, branch_index
    method early_return? (line 1023) | def early_return? exp
    method equality_check? (line 1035) | def equality_check? exp
    method simple_when? (line 1042) | def simple_when? exp
    method all_literals_when? (line 1055) | def all_literals_when? exp
    method process_case (line 1063) | def process_case exp
    method process_if_branch (line 1135) | def process_if_branch exp
    method merge_if_branch (line 1145) | def merge_if_branch branch_env
    method too_deep? (line 1166) | def too_deep? exp
    method collapse_send_call (line 1174) | def collapse_send_call exp, first_arg
    method only_ivars (line 1191) | def only_ivars include_request_vars = false, lenv = nil
    method only_request_vars (line 1214) | def only_request_vars
    method get_call_value (line 1226) | def get_call_value call
    method process_helper_method (line 1245) | def process_helper_method method_exp, args
    method assign_args (line 1311) | def assign_args method_exp, args, meth_env = SexpProcessor::Environmen...
    method find_push_target (line 1326) | def find_push_target exp
    method duplicate? (line 1334) | def duplicate? exp
    method find_method (line 1342) | def find_method *args
    method same_value? (line 1348) | def same_value? lhs, rhs
    method self_assign? (line 1358) | def self_assign? var, value
    method self_assign_var? (line 1363) | def self_assign_var? var, value
    method self_assign_target? (line 1371) | def self_assign_target? var, value
    method top_target (line 1382) | def top_target exp, last = nil
    method value_from_if (line 1392) | def value_from_if exp
    method value_from_case (line 1414) | def value_from_case exp
    method raise? (line 1440) | def raise? exp
    method new_string? (line 1447) | def new_string? exp
    method set_value (line 1455) | def set_value var, value
    method process_or_simple_operation (line 1489) | def process_or_simple_operation exp
    method process_or_target (line 1510) | def process_or_target value, copy

FILE: lib/brakeman/processors/base_processor.rb
  class Brakeman::BaseProcessor (line 6) | class Brakeman::BaseProcessor < Brakeman::SexpProcessor
    method initialize (line 14) | def initialize tracker
    method process_file (line 22) | def process_file exp, current_file
    method ignore (line 27) | def ignore
    method process_scope (line 32) | def process_scope exp
    method process_default (line 37) | def process_default exp
    method process_if (line 48) | def process_if exp
    method process_iter (line 69) | def process_iter exp
    method process_dstr (line 86) | def process_dstr exp
    method process_block (line 106) | def process_block exp
    method process_evstr (line 120) | def process_evstr exp
    method process_hash (line 130) | def process_hash exp
    method process_arglist (line 145) | def process_arglist exp
    method process_lasgn (line 156) | def process_lasgn exp
    method process_iasgn (line 165) | def process_iasgn exp
    method process_attrasgn (line 172) | def process_attrasgn exp
    method process_ignore (line 180) | def process_ignore exp
    method process_cdecl (line 184) | def process_cdecl exp
    method make_render_in_view (line 198) | def make_render_in_view exp
    method make_render (line 203) | def make_render exp, in_view = false
    method find_render_type (line 219) | def find_render_type call, in_view = false
    method make_inline_render (line 281) | def make_inline_render value, options

FILE: lib/brakeman/processors/config_processor.rb
  class Brakeman::ConfigProcessor (line 7) | class Brakeman::ConfigProcessor
    method new (line 8) | def self.new tracker

FILE: lib/brakeman/processors/controller_alias_processor.rb
  class Brakeman::ControllerAliasProcessor (line 8) | class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
    method initialize (line 14) | def initialize tracker, only_method = nil
    method process_controller (line 23) | def process_controller name, src, current_file
    method process_mixins (line 38) | def process_mixins
    method process_class (line 73) | def process_class exp
    method process_defn (line 79) | def process_defn exp
    method process_call (line 112) | def process_call exp
    method process_iter (line 132) | def process_iter exp
    method process_before_filter (line 145) | def process_before_filter name
    method process_default_render (line 174) | def process_default_render exp
    method process_template (line 180) | def process_template name, args, _, line
    method template_name (line 198) | def template_name name = nil
    method layout_name (line 211) | def layout_name
    method route? (line 225) | def route? method
    method before_filter_list (line 235) | def before_filter_list method, klass

FILE: lib/brakeman/processors/controller_processor.rb
  class Brakeman::ControllerProcessor (line 6) | class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
    method initialize (line 11) | def initialize tracker, current_file = nil
    method process_controller (line 19) | def process_controller src, current_file = @current_file
    method process_class (line 25) | def process_class exp
    method process_module (line 57) | def process_module exp, parent = nil
    method process_concern (line 61) | def process_concern concern_name
    method process_call (line 73) | def process_call exp
    method process_iter (line 157) | def process_iter exp
    method set_layout_name (line 172) | def set_layout_name
    method add_fake_filter (line 187) | def add_fake_filter exp
    method add_lambda_filter (line 225) | def add_lambda_filter exp

FILE: lib/brakeman/processors/erb_template_processor.rb
  class Brakeman::ErbTemplateProcessor (line 5) | class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
    method process_call (line 8) | def process_call exp
    method process_block (line 49) | def process_block exp

FILE: lib/brakeman/processors/erubi_template_procesor.rb
  class Brakeman::ErubiTemplateProcessor (line 4) | class Brakeman::ErubiTemplateProcessor < Brakeman::TemplateProcessor
    method process_call (line 7) | def process_call exp
    method process_block (line 43) | def process_block exp
    method process_attrasgn (line 63) | def process_attrasgn exp
    method append_method? (line 85) | def append_method?(method)
    method safe_append_method? (line 89) | def safe_append_method?(method)

FILE: lib/brakeman/processors/gem_processor.rb
  class Brakeman::GemProcessor (line 4) | class Brakeman::GemProcessor < Brakeman::BasicProcessor
    method initialize (line 6) | def initialize *args
    method process_gems (line 12) | def process_gems gem_files
    method process_call (line 41) | def process_call exp
    method process_iter (line 73) | def process_iter exp
    method process_gem_lock (line 86) | def process_gem_lock
    method set_gem_version_and_file (line 96) | def set_gem_version_and_file line, file, line_num

FILE: lib/brakeman/processors/haml6_template_processor.rb
  class Brakeman::Haml6TemplateProcessor (line 3) | class Brakeman::Haml6TemplateProcessor < Brakeman::HamlTemplateProcessor
    method initialize (line 12) | def initialize(*)
    method buffer_append? (line 31) | def buffer_append? exp
    method process_lasgn (line 37) | def process_lasgn exp
    method process_lvar (line 46) | def process_lvar exp
    method is_escaped? (line 54) | def is_escaped? exp
    method javascript_escaped? (line 61) | def javascript_escaped? call
    method html_escaped? (line 68) | def html_escaped? call
    method output_buffer? (line 73) | def output_buffer? exp
    method normalize_output (line 78) | def normalize_output arg
    method embedded_filter? (line 89) | def embedded_filter? arg

FILE: lib/brakeman/processors/haml_template_processor.rb
  class Brakeman::HamlTemplateProcessor (line 4) | class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
    method initialize (line 13) | def initialize *args
    method process_call (line 19) | def process_call exp
    method buffer_append? (line 31) | def buffer_append? exp
    method find_and_preserve? (line 39) | def find_and_preserve? exp
    method process_block (line 46) | def process_block exp
    method build_output_from_push_text (line 64) | def build_output_from_push_text exp, default = :output
    method is_escaped? (line 87) | def is_escaped? exp
    method get_pushed_value (line 93) | def get_pushed_value exp, default = :output
    method haml_helpers? (line 153) | def haml_helpers? exp
    method hamlout_attributes? (line 160) | def hamlout_attributes? exp
    method haml_attribute_builder? (line 166) | def haml_attribute_builder? exp
    method escaped_builder_method? (line 172) | def escaped_builder_method? exp
    method fix_textareas? (line 181) | def fix_textareas? exp
    method raw? (line 187) | def raw? exp

FILE: lib/brakeman/processors/lib/basic_processor.rb
  class Brakeman::BasicProcessor (line 5) | class Brakeman::BasicProcessor < Brakeman::SexpProcessor
    method initialize (line 10) | def initialize tracker
    method process_default (line 16) | def process_default exp
    method process_if (line 20) | def process_if exp

FILE: lib/brakeman/processors/lib/call_conversion_helper.rb
  type Brakeman (line 1) | module Brakeman
    type CallConversionHelper (line 2) | module CallConversionHelper
      function join_arrays (line 4) | def join_arrays lhs, rhs, original_exp = nil
      function join_strings (line 19) | def join_strings lhs, rhs, original_exp = nil
      function math_op (line 44) | def math_op op, lhs, rhs, original_exp = nil
      function process_array_access (line 67) | def process_array_access array, args, original_exp = nil
      function process_hash_access (line 82) | def process_hash_access hash, index, original_exp = nil
      function hash_values_at (line 94) | def hash_values_at hash, keys

FILE: lib/brakeman/processors/lib/file_type_detector.rb
  type Brakeman (line 1) | module Brakeman
    class FileTypeDetector (line 2) | class FileTypeDetector < BaseProcessor
      method initialize (line 3) | def initialize
      method detect_type (line 8) | def detect_type(file)
      method process_class (line 24) | def process_class exp
      method guess_from_path (line 39) | def guess_from_path path
      method reset (line 62) | def reset

FILE: lib/brakeman/processors/lib/find_all_calls.rb
  class Brakeman::FindAllCalls (line 3) | class Brakeman::FindAllCalls < Brakeman::BasicProcessor
    method initialize (line 6) | def initialize tracker
    method process_source (line 17) | def process_source exp, opts
    method process_all_source (line 31) | def process_all_source exp, opts
    method process_defn (line 39) | def process_defn exp
    method process_rlist (line 59) | def process_rlist exp
    method process_call (line 63) | def process_call exp
    method process_iter (line 68) | def process_iter exp
    method process_render (line 92) | def process_render exp
    method process_dxstr (line 102) | def process_dxstr exp
    method process_dsym (line 111) | def process_dsym exp
    method process_dregx (line 120) | def process_dregx exp
    method process_attrasgn (line 129) | def process_attrasgn exp
    method add_simple_call (line 135) | def add_simple_call method_name, exp
    method get_target (line 147) | def get_target exp, include_calls = false
    method get_chain (line 185) | def get_chain call
    method make_location (line 195) | def make_location
    method create_call_hash (line 217) | def create_call_hash exp

FILE: lib/brakeman/processors/lib/find_call.rb
  class Brakeman::FindCall (line 34) | class Brakeman::FindCall < Brakeman::BasicProcessor
    method initialize (line 36) | def initialize targets, methods, tracker
    method matches (line 50) | def matches
    method process_source (line 58) | def process_source exp
    method process_defn (line 63) | def process_defn exp
    method process_call (line 70) | def process_call exp
    method process_attrasgn (line 84) | def process_attrasgn exp
    method get_target (line 92) | def get_target exp
    method match (line 108) | def match search_terms, item

FILE: lib/brakeman/processors/lib/find_return_value.rb
  class Brakeman::FindReturnValue (line 8) | class Brakeman::FindReturnValue
    method return_value (line 14) | def self.return_value exp, env = nil
    method initialize (line 18) | def initialize
    method uses_ivars? (line 23) | def uses_ivars?
    method get_return_value (line 28) | def get_return_value exp, env = nil
    method process_method (line 36) | def process_method exp, env = nil
    method find_explicit_return_values (line 59) | def find_explicit_return_values exp
    method last_value (line 76) | def last_value exp
    method make_or (line 142) | def make_or lhs, rhs
    method make_return_value (line 152) | def make_return_value

FILE: lib/brakeman/processors/lib/module_helper.rb
  type Brakeman::ModuleHelper (line 1) | module Brakeman::ModuleHelper
    function handle_module (line 2) | def handle_module exp, tracker_class, parent = nil
    function handle_class (line 33) | def handle_class exp, collection, tracker_class
    function process_defs (line 67) | def process_defs exp
    function process_defn (line 98) | def process_defn exp
    function process_sclass (line 122) | def process_sclass exp
    function make_defs (line 132) | def make_defs exp

FILE: lib/brakeman/processors/lib/processor_helper.rb
  type Brakeman::ProcessorHelper (line 2) | module Brakeman::ProcessorHelper
    function process_all (line 3) | def process_all exp
    function process_all! (line 10) | def process_all! exp
    function process_call_args (line 25) | def process_call_args exp
    function process_class (line 33) | def process_class exp
    function process_module (line 42) | def process_module exp
    function process_call_defn? (line 64) | def process_call_defn? exp
    function current_file (line 76) | def current_file

FILE: lib/brakeman/processors/lib/rails2_config_processor.rb
  class Brakeman::Rails2ConfigProcessor (line 17) | class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
    method initialize (line 25) | def initialize *args
    method process_config (line 30) | def process_config src, current_file
    method process_call (line 38) | def process_call exp
    method process_attrasgn (line 51) | def process_attrasgn exp
    method process_cdecl (line 76) | def process_cdecl exp
    method include_rails_config? (line 86) | def include_rails_config? exp
    method get_rails_config (line 108) | def get_rails_config exp
  class Brakeman::ConfigAliasProcessor (line 125) | class Brakeman::ConfigAliasProcessor < Brakeman::AliasProcessor
    method process_iter (line 136) | def process_iter exp

FILE: lib/brakeman/processors/lib/rails2_route_processor.rb
  class Brakeman::Rails2RoutesProcessor (line 7) | class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
    method initialize (line 12) | def initialize tracker
    method process_routes (line 26) | def process_routes exp
    method process_call (line 31) | def process_call exp
    method process_map (line 45) | def process_map exp
    method process_iter (line 64) | def process_iter exp
    method process_resources (line 87) | def process_resources exp
    method process_resource_options (line 105) | def process_resource_options exp
    method process_option_only (line 140) | def process_option_only exp
    method process_option_except (line 154) | def process_option_except exp
    method process_resource (line 164) | def process_resource exp
    method process_connect (line 182) | def process_connect exp
    method process_with_options (line 218) | def process_with_options exp
    method process_namespace (line 234) | def process_namespace exp
    method process_named_route (line 251) | def process_named_route exp
    method process_collection (line 257) | def process_collection exp
    method check_for_controller_name (line 272) | def check_for_controller_name args
  class Brakeman::RouteAliasProcessor (line 285) | class Brakeman::RouteAliasProcessor < Brakeman::AliasProcessor
    method process_call (line 291) | def process_call exp
    method get_keys (line 305) | def get_keys hash

FILE: lib/brakeman/processors/lib/rails3_config_processor.rb
  class Brakeman::Rails3ConfigProcessor (line 18) | class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
    method initialize (line 22) | def initialize *args
    method process_config (line 28) | def process_config src, current_file
    method process_iter (line 35) | def process_iter exp
    method process_class (line 51) | def process_class exp
    method application_class? (line 61) | def application_class? exp
    method process_call (line 73) | def process_call exp
    method process_attrasgn (line 84) | def process_attrasgn exp
    method include_rails_config? (line 105) | def include_rails_config? exp
    method get_rails_config (line 127) | def get_rails_config exp

FILE: lib/brakeman/processors/lib/rails3_route_processor.rb
  class Brakeman::Rails3RoutesProcessor (line 7) | class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
    method initialize (line 12) | def initialize tracker
    method process_routes (line 23) | def process_routes exp
    method process_call (line 27) | def process_call exp
    method process_iter (line 46) | def process_iter exp
    method process_namespace (line 63) | def process_namespace exp
    method process_root (line 80) | def process_root exp
    method process_match (line 92) | def process_match exp
    method add_route_from_string (line 145) | def add_route_from_string value
    method process_verb (line 157) | def process_verb exp
    method process_resources (line 204) | def process_resources exp
    method process_resource (line 225) | def process_resource exp
    method process_resources_block (line 241) | def process_resources_block exp
    method process_resource_block (line 251) | def process_resource_block exp
    method process_scope_block (line 261) | def process_scope_block exp
    method process_controller_block (line 267) | def process_controller_block exp
    method extract_action (line 281) | def extract_action str
    method in_controller_block? (line 285) | def in_controller_block?
    method in_controller_block (line 289) | def in_controller_block
    method action_route? (line 296) | def action_route? arg
    method loose_action (line 304) | def loose_action controller_name, verb = "any"

FILE: lib/brakeman/processors/lib/rails4_config_processor.rb
  class Brakeman::Rails4ConfigProcessor (line 3) | class Brakeman::Rails4ConfigProcessor < Brakeman::Rails3ConfigProcessor
    method process_iter (line 8) | def process_iter exp

FILE: lib/brakeman/processors/lib/render_helper.rb
  type Brakeman::RenderHelper (line 4) | module Brakeman::RenderHelper
    function process_render (line 7) | def process_render exp
    function process_layout (line 34) | def process_layout name = nil
    function process_partial (line 45) | def process_partial name, args, line
    function process_action (line 56) | def process_action name, args, line
    function process_model_action (line 67) | def process_model_action action, args
    function process_template (line 94) | def process_template name, args, called_from = nil, *_
    function template_name (line 195) | def template_name name
    function get_options (line 200) | def get_options args
    function get_class_target (line 213) | def get_class_target sexp

FILE: lib/brakeman/processors/lib/render_path.rb
  type Brakeman (line 1) | module Brakeman
    class RenderPath (line 2) | class RenderPath
      method initialize (line 5) | def initialize
      method add_controller_render (line 9) | def add_controller_render controller_name, method_name, line, file
      method add_template_render (line 22) | def add_template_render template_name, line, file
      method last_template= (line 32) | def last_template= template
      method include_template? (line 43) | def include_template? name
      method include_controller? (line 51) | def include_controller? klass
      method include_any_method? (line 59) | def include_any_method? method_names
      method rendered_from_controller? (line 67) | def rendered_from_controller?
      method each (line 73) | def each &block
      method join (line 77) | def join *args
      method length (line 81) | def length
      method map (line 85) | def map &block
      method to_a (line 89) | def to_a
      method last (line 100) | def last
      method to_s (line 104) | def to_s
      method to_sym (line 108) | def to_sym
      method to_json (line 112) | def to_json *args
      method with_relative_paths (line 117) | def with_relative_paths
      method initialize_copy (line 134) | def initialize_copy original

FILE: lib/brakeman/processors/lib/route_helper.rb
  type Brakeman::RouteHelper (line 1) | module Brakeman::RouteHelper
    function prefix (line 5) | def prefix
    function current_controller= (line 19) | def current_controller= name
    function add_route (line 27) | def add_route route, controller = nil
    function add_resources_routes (line 52) | def add_resources_routes
    function add_resource_routes (line 61) | def add_resource_routes

FILE: lib/brakeman/processors/lib/safe_call_helper.rb
  type Brakeman (line 1) | module Brakeman
    type SafeCallHelper (line 2) | module SafeCallHelper

FILE: lib/brakeman/processors/library_processor.rb
  class Brakeman::LibraryProcessor (line 7) | class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
    method initialize (line 10) | def initialize tracker
    method process_library (line 19) | def process_library src, current_file = @current_file
    method process_class (line 24) | def process_class exp
    method process_module (line 28) | def process_module exp
    method process_defn (line 32) | def process_defn exp
    method process_call (line 61) | def process_call exp
    method process_iter (line 78) | def process_iter exp

FILE: lib/brakeman/processors/model_processor.rb
  class Brakeman::ModelProcessor (line 6) | class Brakeman::ModelProcessor < Brakeman::BaseProcessor
    method initialize (line 9) | def initialize tracker
    method process_model (line 19) | def process_model src, current_file = @current_file
    method process_class (line 25) | def process_class exp
    method process_module (line 38) | def process_module exp
    method process_call (line 44) | def process_call exp
    method add_enum_method (line 93) | def add_enum_method call

FILE: lib/brakeman/processors/output_processor.rb
  class Brakeman::OutputProcessor (line 8) | class Brakeman::OutputProcessor < Ruby2Ruby
    method initialize (line 11) | def initialize *args
    method format (line 17) | def format exp, user_input = nil, &block
    method process (line 25) | def process exp
    method process_ignore (line 37) | def process_ignore exp
    method process_params (line 41) | def process_params exp
    method process_session (line 45) | def process_session exp
    method process_cookies (line 49) | def process_cookies exp
    method process_rlist (line 53) | def process_rlist exp
    method process_defn (line 66) | def process_defn exp
    method process_iter (line 89) | def process_iter exp
    method process_output (line 97) | def process_output exp
    method process_escaped_output (line 101) | def process_escaped_output exp
    method process_format (line 106) | def process_format exp
    method process_format_escaped (line 110) | def process_format_escaped exp
    method output_format (line 114) | def output_format exp, tag
    method process_const (line 130) | def process_const exp
    method process_render (line 139) | def process_render exp

FILE: lib/brakeman/processors/route_processor.rb
  class Brakeman::RoutesProcessor (line 9) | class Brakeman::RoutesProcessor
    method new (line 10) | def self.new tracker

FILE: lib/brakeman/processors/slim_template_processor.rb
  class Brakeman::SlimTemplateProcessor (line 4) | class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
    method process_call (line 13) | def process_call exp
    method normalize_output (line 48) | def normalize_output arg
    method embedded_filter? (line 59) | def embedded_filter? arg
    method process_inside_interp (line 65) | def process_inside_interp exp
    method process_interp_output (line 78) | def process_interp_output exp
    method add_escaped_output (line 97) | def add_escaped_output exp
    method is_escaped? (line 105) | def is_escaped? exp
    method internal_variable? (line 111) | def internal_variable? exp
    method render? (line 116) | def render? exp
    method process_render (line 122) | def process_render exp

FILE: lib/brakeman/processors/template_alias_processor.rb
  class Brakeman::TemplateAliasProcessor (line 9) | class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
    method initialize (line 14) | def initialize tracker, template, called_from = nil
    method process_template (line 22) | def process_template name, args, _, line = nil
    method process_lasgn (line 40) | def process_lasgn exp
    method haml_capture? (line 62) | def haml_capture? exp
    method template_name (line 69) | def template_name name
    method process_iter (line 80) | def process_iter exp
    method get_model_target (line 117) | def get_model_target exp
    method find_push_target (line 135) | def find_push_target exp

FILE: lib/brakeman/processors/template_processor.rb
  class Brakeman::TemplateProcessor (line 5) | class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
    method initialize (line 8) | def initialize tracker, template_name, called_from = nil, current_file...
    method process (line 23) | def process exp
    method process_lasgn (line 34) | def process_lasgn exp
    method process_output (line 46) | def process_output exp
    method process_escaped_output (line 52) | def process_escaped_output exp
    method normalize_output (line 57) | def normalize_output arg
    method add_escaped_output (line 75) | def add_escaped_output output
    method add_output (line 79) | def add_output output, type = :output

FILE: lib/brakeman/report.rb
  class Brakeman::Report (line 6) | class Brakeman::Report
    method initialize (line 11) | def initialize tracker
    method format (line 16) | def format format
    method method_missing (line 61) | def method_missing method, *args
    method require_report (line 69) | def require_report type
    method to_json (line 73) | def to_json
    method to_sonar (line 78) | def to_sonar
    method to_table (line 83) | def to_table
    method to_markdown (line 88) | def to_markdown
    method to_text (line 93) | def to_text
    method to_sarif (line 101) | def to_sarif
    method generate (line 106) | def generate reporter

FILE: lib/brakeman/report/ignore/config.rb
  type Brakeman (line 4) | module Brakeman
    class IgnoreConfig (line 5) | class IgnoreConfig
      method initialize (line 9) | def initialize file, new_warnings
      method filter_ignored (line 22) | def filter_ignored
      method unignore (line 39) | def unignore warning
      method ignored? (line 47) | def ignored? warning
      method ignore (line 52) | def ignore warning
      method add_note (line 58) | def add_note warning, note
      method note_for (line 65) | def note_for warning
      method obsolete_fingerprints (line 82) | def obsolete_fingerprints
      method prune_obsolete (line 86) | def prune_obsolete
      method already_ignored_entries_with_empty_notes (line 97) | def already_ignored_entries_with_empty_notes
      method read_from_file (line 102) | def read_from_file file = @file
      method save_to_file (line 121) | def save_to_file warnings, file = @file
      method save_with_old (line 142) | def save_with_old

FILE: lib/brakeman/report/ignore/interactive.rb
  type Brakeman (line 3) | module Brakeman
    class InteractiveIgnorer (line 4) | class InteractiveIgnorer
      method initialize (line 5) | def initialize file, warnings
      method start (line 15) | def start
      method file_menu (line 36) | def file_menu
      method initial_menu (line 57) | def initial_menu
      method warning_menu (line 82) | def warning_menu
      method pre_show_help (line 103) | def pre_show_help
      method show_help (line 109) | def show_help
      method penultimate_menu (line 122) | def penultimate_menu
      method prune_obsolete (line 144) | def prune_obsolete
      method final_menu (line 152) | def final_menu
      method save (line 170) | def save
      method start_over (line 182) | def start_over
      method reset_config (line 187) | def reset_config
      method process_warnings (line 191) | def process_warnings
      method ask_about (line 209) | def ask_about warning
      method warning_action (line 214) | def warning_action action, warning
      method ignore (line 237) | def ignore warning
      method ignore_and_note (line 241) | def ignore_and_note warning
      method unignore (line 247) | def unignore warning
      method skip_rest (line 251) | def skip_rest warning
      method ignore_rest (line 255) | def ignore_rest warning
      method quit (line 260) | def quit
      method pretty_display (line 267) | def pretty_display warning
      method already_ignored? (line 301) | def already_ignored? warning
      method skip_ignored? (line 305) | def skip_ignored? warning
      method summarize_changes (line 309) | def summarize_changes
      method label (line 316) | def label name
      method show_confidence (line 320) | def show_confidence warning
      method show_note (line 335) | def show_note warning
      method say (line 344) | def say text, color = nil
      method yes_or_no (line 354) | def yes_or_no message

FILE: lib/brakeman/report/pager.rb
  type Brakeman (line 1) | module Brakeman
    class Pager (line 2) | class Pager
      method initialize (line 3) | def initialize tracker, pager = :less, output = $stdout
      method page_report (line 10) | def page_report report, format
      method page_output (line 24) | def page_output text
      method no_pager (line 41) | def no_pager text
      method page_via_highline (line 45) | def page_via_highline text
      method page_via_less (line 52) | def page_via_less text
      method in_ci? (line 71) | def in_ci?
      method less_available? (line 77) | def less_available?
      method less_options (line 83) | def less_options
      method set_color (line 105) | def set_color

FILE: lib/brakeman/report/renderer.rb
  class Brakeman::Report (line 3) | class Brakeman::Report
    class Renderer (line 4) | class Renderer
      method initialize (line 5) | def initialize(template_file, hash = {})
      method render (line 20) | def render

FILE: lib/brakeman/report/report_base.rb
  class Brakeman::Report::Base (line 9) | class Brakeman::Report::Base
    method initialize (line 14) | def initialize tracker
    method warnings_summary (line 24) | def warnings_summary
    method controller_information (line 41) | def controller_information
    method all_warnings (line 78) | def all_warnings
    method filter_warnings (line 86) | def filter_warnings warnings
    method generic_warnings (line 96) | def generic_warnings
    method template_warnings (line 100) | def template_warnings
    method model_warnings (line 104) | def model_warnings
    method controller_warnings (line 108) | def controller_warnings
    method ignored_warnings (line 112) | def ignored_warnings
    method number_of_templates (line 120) | def number_of_templates tracker
    method absolute_paths? (line 124) | def absolute_paths?
    method warning_file (line 128) | def warning_file warning
    method context_for (line 140) | def context_for warning
    method rails_version (line 170) | def rails_version
    method github_url (line 183) | def github_url file, line=nil

FILE: lib/brakeman/report/report_codeclimate.rb
  class Brakeman::Report::CodeClimate (line 5) | class Brakeman::Report::CodeClimate < Brakeman::Report::Base
    method generate_report (line 10) | def generate_report
    method issue_json (line 16) | def issue_json(warning)
    method severity_level_for (line 40) | def severity_level_for(confidence)
    method remediation_points_for (line 48) | def remediation_points_for(warning_code)
    method name_for (line 53) | def name_for(warning_code)
    method content_for (line 58) | def content_for(warning_code, link)
    method local_content_for (line 65) | def local_content_for(link)
    method file_path (line 72) | def file_path(warning)

FILE: lib/brakeman/report/report_csv.rb
  class Brakeman::Report::CSV (line 3) | class Brakeman::Report::CSV < Brakeman::Report::Base
    method generate_report (line 4) | def generate_report
    method generate_row (line 31) | def generate_row headers, warning
    method warning_row (line 35) | def warning_row warning

FILE: lib/brakeman/report/report_github.rb
  class Brakeman::Report::Github (line 3) | class Brakeman::Report::Github < Brakeman::Report::Base
    method generate_report (line 4) | def generate_report
    method warnings (line 9) | def warnings
    method errors (line 14) | def errors
    method clean_message (line 28) | def clean_message(msg)

FILE: lib/brakeman/report/report_hash.rb
  class Brakeman::Report::Hash (line 2) | class Brakeman::Report::Hash < Brakeman::Report::Base
    method generate_report (line 3) | def generate_report

FILE: lib/brakeman/report/report_html.rb
  class Brakeman::Report::HTML (line 4) | class Brakeman::Report::HTML < Brakeman::Report::Table
    method initialize (line 9) | def initialize *args
    method generate_report (line 15) | def generate_report
    method generate_overview (line 34) | def generate_overview
    method generate_templates (line 47) | def generate_templates
    method render_array (line 63) | def render_array template, headings, value_array, locals
    method convert_warning (line 69) | def convert_warning warning, original
    method with_link (line 76) | def with_link warning, message
    method convert_template_warning (line 80) | def convert_template_warning warning, original
    method convert_ignored_warning (line 87) | def convert_ignored_warning warning, original
    method html_header (line 95) | def html_header
    method with_context (line 114) | def with_context warning, message
    method html_message (line 187) | def html_message warning, message

FILE: lib/brakeman/report/report_json.rb
  class Brakeman::Report::JSON (line 1) | class Brakeman::Report::JSON < Brakeman::Report::Base
    method generate_report (line 2) | def generate_report
    method convert_to_hashes (line 38) | def convert_to_hashes warnings

FILE: lib/brakeman/report/report_junit.rb
  class Brakeman::Report::JUnit (line 5) | class Brakeman::Report::JUnit < Brakeman::Report::Base
    method generate_report (line 6) | def generate_report

FILE: lib/brakeman/report/report_markdown.rb
  class Brakeman::Report::Markdown (line 3) | class Brakeman::Report::Markdown < Brakeman::Report::Table
    class MarkdownTable (line 5) | class MarkdownTable < Terminal::Table
      method initialize (line 7) | def initialize options = {}, &block
      method render (line 17) | def render
    method initialize (line 24) | def initialize *args
    method generate_report (line 29) | def generate_report
    method output_table (line 59) | def output_table title, result, output
    method generate_metadata (line 65) | def generate_metadata
    method generate_checks (line 80) | def generate_checks
    method convert_warning (line 86) | def convert_warning warning, original
    method markdown_message (line 93) | def markdown_message warning, message

FILE: lib/brakeman/report/report_sarif.rb
  class Brakeman::Report::SARIF (line 3) | class Brakeman::Report::SARIF < Brakeman::Report::Base
    method generate_report (line 4) | def generate_report
    method runs (line 13) | def runs
    method original_uri_base_ids (line 32) | def original_uri_base_ids
    method rules (line 141) | def rules
    method results (line 164) | def results
    method check_descriptions (line 211) | def check_descriptions
    method unique_warnings_by_warning_code (line 218) | def unique_warnings_by_warning_code
    method render_id (line 222) | def render_id warning
    method render_message (line 227) | def render_message message
    method infer_level (line 238) | def infer_level warning
    method file_uri (line 250) | def file_uri(path)

FILE: lib/brakeman/report/report_sonar.rb
  class Brakeman::Report::Sonar (line 1) | class Brakeman::Report::Sonar < Brakeman::Report::Base
    method generate_report (line 2) | def generate_report
    method issue_json (line 11) | def issue_json(warning)
    method severity_level_for (line 29) | def severity_level_for(confidence)

FILE: lib/brakeman/report/report_table.rb
  class Brakeman::Report::Table (line 3) | class Brakeman::Report::Table < Brakeman::Report::Base
    method initialize (line 4) | def initialize *args
    method generate_report (line 9) | def generate_report
    method output_table (line 46) | def output_table title, result, output
    method generate_overview (line 52) | def generate_overview
    method generate_warning_overview (line 66) | def generate_warning_overview
    method generate_controllers (line 76) | def generate_controllers
    method generate_errors (line 87) | def generate_errors
    method generate_obsolete (line 92) | def generate_obsolete
    method generate_warnings (line 97) | def generate_warnings
    method generate_template_warnings (line 106) | def generate_template_warnings
    method generate_model_warnings (line 116) | def generate_model_warnings
    method generate_controller_warnings (line 125) | def generate_controller_warnings
    method generate_ignored_warnings (line 133) | def generate_ignored_warnings
    method render_warnings (line 141) | def render_warnings warnings, type, template, cols, sort_col
    method generate_templates (line 156) | def generate_templates
    method convert_to_rows (line 185) | def convert_to_rows warnings, type = :warning
    method convert_ignored_warning (line 202) | def convert_ignored_warning warning, original
    method convert_template_warning (line 206) | def convert_template_warning warning, original
    method sort (line 210) | def sort rows, sort_col
    method render_array (line 219) | def render_array template, headings, value_array, locals
    method convert_warning (line 227) | def convert_warning warning, original
    method text_message (line 234) | def text_message warning, message
    method text_header (line 257) | def text_header
    method truncate_table (line 271) | def truncate_table str

FILE: lib/brakeman/report/report_tabs.rb
  class Brakeman::Report::Tabs (line 5) | class Brakeman::Report::Tabs < Brakeman::Report::Table
    method generate_report (line 6) | def generate_report

FILE: lib/brakeman/report/report_text.rb
  class Brakeman::Report::Text (line 3) | class Brakeman::Report::Text < Brakeman::Report::Base
    method generate_report (line 4) | def generate_report
    method add_chunk (line 29) | def add_chunk chunk, out = @output_string
    method generate_controllers (line 39) | def generate_controllers
    method generate_header (line 55) | def generate_header
    method generate_overview (line 67) | def generate_overview
    method generate_warning_overview (line 84) | def generate_warning_overview
    method generate_warnings (line 93) | def generate_warnings
    method generate_show_ignored_overview (line 107) | def generate_show_ignored_overview
    method generate_errors (line 111) | def generate_errors
    method generate_obsolete (line 131) | def generate_obsolete
    method generate_templates (line 137) | def generate_templates
    method output_warning (line 154) | def output_warning w
    method format_line (line 163) | def format_line w, option
    method double_space (line 198) | def double_space title, values
    method format_code (line 203) | def format_code w
    method confidence (line 213) | def confidence c
    method label (line 224) | def label l, value, color = :green
    method header (line 228) | def header text
    method render_array (line 233) | def render_array name, cols, values, locals

FILE: lib/brakeman/rescanner.rb
  class Brakeman::Rescanner (line 6) | class Brakeman::Rescanner < Brakeman::Scanner
    method initialize (line 11) | def initialize options, processor, changed_files
    method recheck (line 24) | def recheck
    method rescan (line 38) | def rescan
    method ignorable? (line 74) | def ignorable? path
  class Brakeman::RescanReport (line 80) | class Brakeman::RescanReport
    method initialize (line 84) | def initialize old_results, tracker
    method any_warnings? (line 92) | def any_warnings?
    method all_warnings (line 97) | def all_warnings
    method fixed_warnings (line 103) | def fixed_warnings
    method new_warnings (line 109) | def new_warnings
    method warnings_changed? (line 114) | def warnings_changed?
    method diff (line 119) | def diff
    method existing_warnings (line 124) | def existing_warnings
    method to_s (line 131) | def to_s

FILE: lib/brakeman/scanner.rb
  class Brakeman::Scanner (line 18) | class Brakeman::Scanner
    method initialize (line 22) | def initialize options, processor = nil
    method tracker (line 37) | def tracker
    method file_cache (line 41) | def file_cache
    method process_step (line 45) | def process_step(description, &)
    method process_step_file (line 49) | def process_step_file(description, &)
    method process (line 54) | def process(ruby_paths: nil, template_paths: nil)
    method parse_files (line 127) | def parse_files(ruby_paths:, template_paths:)
    method detect_file_types (line 145) | def detect_file_types(astfiles)
    method process_config (line 170) | def process_config
    method process_config_file (line 198) | def process_config_file file
    method process_gems (line 213) | def process_gems
    method guess_rails_version (line 253) | def guess_rails_version
    method process_initializers (line 274) | def process_initializers
    method process_initializer (line 283) | def process_initializer init
    method process_libs (line 290) | def process_libs
    method process_lib (line 301) | def process_lib lib
    method process_routes (line 308) | def process_routes
    method process_controllers (line 325) | def process_controllers
    method process_controller_data_flows (line 335) | def process_controller_data_flows
    method process_controller (line 350) | def process_controller astfile
    method process_templates (line 361) | def process_templates
    method process_template (line 371) | def process_template template
    method process_template_data_flows (line 375) | def process_template_data_flows
    method process_models (line 388) | def process_models
    method process_model (line 398) | def process_model astfile
    method track_progress (line 402) | def track_progress list, type = "files"
    method report_progress (line 412) | def report_progress(current, total)
    method index_call_sites (line 417) | def index_call_sites
    method parse_ruby_file (line 421) | def parse_ruby_file file
    method support_rescanning? (line 429) | def support_rescanning?
  type Haml (line 435) | module Haml; class Error < StandardError; end; end
    class Error (line 435) | class Error < StandardError; end

FILE: lib/brakeman/tracker.rb
  class Brakeman::Tracker (line 11) | class Brakeman::Tracker
    method initialize (line 25) | def initialize(app_tree, processor = nil, options = {})
    method reset_all (line 35) | def reset_all
    method save_file_cache! (line 62) | def save_file_cache!
    method error (line 68) | def error exception, backtrace = nil
    method add_errors (line 84) | def add_errors exceptions
    method run_checks (line 92) | def run_checks
    method app_path (line 100) | def app_path
    method each_method (line 105) | def each_method
    method each_template (line 118) | def each_template
    method each_class (line 133) | def each_class
    method find_call (line 164) | def find_call options
    method check_initializers (line 170) | def check_initializers target, method
    method report (line 181) | def report
    method warnings (line 185) | def warnings
    method filtered_warnings (line 189) | def filtered_warnings
    method unused_fingerprints (line 199) | def unused_fingerprints
    method add_constant (line 204) | def add_constant name, value, context = nil
    method constant_lookup (line 210) | def constant_lookup name
    method find_class (line 214) | def find_class name
    method find_method (line 224) | def find_method method_name, class_name, method_type = :instance
    method index_call_sites (line 252) | def index_call_sites
    method reindex_call_sites (line 280) | def reindex_call_sites locations
    method reset_templates (line 350) | def reset_templates options = { :only_rendered => false }
    method reset_template (line 364) | def reset_template name
    method reset_model (line 373) | def reset_model path
    method reset_lib (line 387) | def reset_lib path
    method reset_controller (line 400) | def reset_controller path
    method reset_routes (line 425) | def reset_routes
    method reset_initializer (line 429) | def reset_initializer path
    method marshallable (line 438) | def marshallable

FILE: lib/brakeman/tracker/collection.rb
  type Brakeman (line 4) | module Brakeman
    class Collection (line 5) | class Collection
      method initialize (line 10) | def initialize name, parent, file_name, src, tracker
      method ancestor? (line 25) | def ancestor? parent, seen={}
      method add_file (line 37) | def add_file file_name, src
      method add_include (line 42) | def add_include class_name
      method add_option (line 46) | def add_option name, exp
      method add_method (line 51) | def add_method visibility, name, src, file_name
      method method_definition_receiver (line 64) | def method_definition_receiver(receiver)
      method each_method (line 75) | def each_method
      method get_method (line 83) | def get_method name, type = :instance
      method get_instance_method (line 94) | def get_instance_method name
      method get_class_method (line 104) | def get_class_method name
      method file (line 108) | def file
      method top_line (line 112) | def top_line
      method methods_public (line 124) | def methods_public
      method get_simple_method_return_value (line 128) | def get_simple_method_return_value type, name
      method add_simple_method_maybe (line 134) | def add_simple_method_maybe meth_info
      method add_simple_method (line 140) | def add_simple_method meth_info

FILE: lib/brakeman/tracker/config.rb
  type Brakeman (line 3) | module Brakeman
    class Config (line 4) | class Config
      method initialize (line 10) | def initialize tracker
      method default_protect_from_forgery? (line 21) | def default_protect_from_forgery?
      method erubi? (line 31) | def erubi?
      method escape_html? (line 35) | def escape_html?
      method escape_html_entities_in_json? (line 39) | def escape_html_entities_in_json?
      method escape_filter_interpolations? (line 44) | def escape_filter_interpolations?
      method whitelist_attributes? (line 50) | def whitelist_attributes?
      method gem_version (line 54) | def gem_version name
      method add_gem (line 58) | def add_gem name, version, file, line
      method has_gem? (line 67) | def has_gem? name
      method get_gem (line 71) | def get_gem name
      method set_rails_version (line 75) | def set_rails_version version = nil
      method rails_version (line 132) | def rails_version
      method set_ruby_version (line 138) | def set_ruby_version version, file, line
      method extract_version (line 143) | def extract_version version
      method version_between? (line 152) | def version_between? low_version, high_version, current_version = nil
      method session_settings (line 163) | def session_settings
      method set_rails_config (line 176) | def set_rails_config value:, path:, overwrite: false
      method load_rails_defaults (line 199) | def load_rails_defaults
      method notify_version (line 288) | def notify_version version

FILE: lib/brakeman/tracker/constants.rb
  type Brakeman (line 4) | module Brakeman
    class Constant (line 5) | class Constant
      method initialize (line 10) | def initialize name, value, context = {}
      method line (line 24) | def line
      method set_name (line 30) | def set_name name, context
      method match? (line 35) | def match? name
    class Constants (line 51) | class Constants
      method initialize (line 54) | def initialize
      method size (line 58) | def size
      method [] (line 62) | def [] exp
      method find_constant (line 73) | def find_constant exp
      method find_all (line 98) | def find_all exp
      method add (line 103) | def add name, value, context = nil
      method get_simple_value (line 116) | def get_simple_value name
      method each (line 124) | def each
      method constant_as_array (line 132) | def self.constant_as_array exp, context = nil
      method get_constant_base_name (line 175) | def self.get_constant_base_name exp

FILE: lib/brakeman/tracker/controller.rb
  type Brakeman (line 3) | module Brakeman
    type ControllerMethods (line 4) | module ControllerMethods
      function initialize_controller (line 7) | def initialize_controller
      function protect_from_forgery? (line 15) | def protect_from_forgery?
      function add_before_filter (line 19) | def add_before_filter exp
      function prepend_before_filter (line 23) | def prepend_before_filter exp
      function before_filters (line 27) | def before_filters
      function skip_filter (line 31) | def skip_filter exp
      function skip_filters (line 35) | def skip_filters
      function before_filter_list (line 39) | def before_filter_list processor, method
      function get_skipped_filters (line 53) | def get_skipped_filters processor, method
      function remove_skipped_filters (line 73) | def remove_skipped_filters processor, filters, method
      function get_before_filters (line 86) | def get_before_filters processor, method
      function before_filter_to_hash (line 106) | def before_filter_to_hash processor, args
      function filter_includes_method? (line 147) | def filter_includes_method? filter_rule, method_name
    class Controller (line 156) | class Controller < Brakeman::Collection
      method initialize (line 159) | def initialize name, parent, file_name, src, tracker

FILE: lib/brakeman/tracker/file_cache.rb
  type Brakeman (line 1) | module Brakeman
    class FileCache (line 2) | class FileCache
      method initialize (line 3) | def initialize(file_list = nil)
      method controllers (line 13) | def controllers
      method initializers (line 17) | def initializers
      method libs (line 21) | def libs
      method models (line 25) | def models
      method templates (line 29) | def templates
      method add_file (line 33) | def add_file(astfile, type)
      method valid_type? (line 38) | def valid_type?(type)
      method cached? (line 42) | def cached? path
      method delete (line 48) | def delete path
      method diff (line 54) | def diff other
      method dup (line 68) | def dup

FILE: lib/brakeman/tracker/library.rb
  type Brakeman (line 5) | module Brakeman
    class Library (line 6) | class Library < Brakeman::Collection
      method initialize (line 10) | def initialize name, parent, file_name, src, tracker

FILE: lib/brakeman/tracker/method_info.rb
  type Brakeman (line 3) | module Brakeman
    class MethodInfo (line 4) | class MethodInfo
      method initialize (line 9) | def initialize name, src, owner, file
      method [] (line 27) | def [] attr
      method very_simple_method? (line 31) | def very_simple_method?
      method return_value (line 53) | def return_value env = nil
      method first_body (line 61) | def first_body

FILE: lib/brakeman/tracker/model.rb
  type Brakeman (line 3) | module Brakeman
    type ModelMethods (line 4) | module ModelMethods
      function initialize_model (line 7) | def initialize_model
      function association? (line 13) | def association? method_name
      function unprotected_model? (line 25) | def unprotected_model?
      function parent_classes_protected? (line 30) | def parent_classes_protected? seen={}
      function set_attr_accessible (line 42) | def set_attr_accessible exp = nil
      function set_attr_protected (line 61) | def set_attr_protected exp
      function attr_protected (line 65) | def attr_protected
    class Model (line 70) | class Model < Brakeman::Collection
      method initialize (line 75) | def initialize name, parent, file_name, src, tracker
      method add_option (line 81) | def add_option name, exp

FILE: lib/brakeman/tracker/template.rb
  type Brakeman (line 3) | module Brakeman
    class Template (line 4) | class Template < Brakeman::Collection
      method initialize (line 9) | def initialize name, called_from, file_name, tracker
      method add_output (line 15) | def add_output exp
      method each_output (line 19) | def each_output
      method rendered_from_controller? (line 25) | def rendered_from_controller?

FILE: lib/brakeman/util.rb
  type Brakeman::Util (line 5) | module Brakeman::Util
    function camelize (line 36) | def camelize lower_case_and_underscored_word
    function underscore (line 43) | def underscore camel_cased_word
    function pluralize (line 52) | def pluralize word
    function class_name (line 62) | def class_name exp
    function hash_iterate (line 100) | def hash_iterate hash
    function remove_kwsplat (line 108) | def remove_kwsplat exp
    function hash_insert (line 117) | def hash_insert hash, key, value
    function hash_access (line 135) | def hash_access hash, key
    function hash_values (line 147) | def hash_values hash
    function set_env_defaults (line 162) | def set_env_defaults
    function hash? (line 170) | def hash? exp
    function array? (line 178) | def array? exp
    function string? (line 183) | def string? exp
    function string_interp? (line 187) | def string_interp? exp
    function symbol? (line 192) | def symbol? exp
    function call? (line 197) | def call? exp
    function regexp? (line 203) | def regexp? exp
    function integer? (line 208) | def integer? exp
    function number? (line 213) | def number? exp
    function result? (line 218) | def result? exp
    function true? (line 223) | def true? exp
    function false? (line 230) | def false? exp
    function block? (line 236) | def block? exp
    function params? (line 242) | def params? exp
    function cookies? (line 246) | def cookies? exp
    function recurse_check? (line 250) | def recurse_check? exp, &check
    function request_headers? (line 267) | def request_headers? exp
    function request_value? (line 287) | def request_value? exp
    function constant? (line 293) | def constant? exp
    function kwsplat? (line 297) | def kwsplat? exp
    function sexp? (line 305) | def sexp? exp
    function node_type? (line 310) | def node_type? exp, *types
    function simple_literal? (line 316) | def simple_literal? exp
    function literal? (line 322) | def literal? exp
    function all_literals? (line 326) | def all_literals? exp, expected_type = :array
    function dir_glob? (line 335) | def dir_glob? exp
    function contains_class? (line 345) | def contains_class? exp
    function make_call (line 361) | def make_call target, method, *args
    function safe_literal (line 377) | def safe_literal line = nil
    function safe_literal? (line 381) | def safe_literal? exp
    function safe_literal_target? (line 385) | def safe_literal_target? exp
    function rails_version (line 393) | def rails_version
    function template_path_to_name (line 400) | def template_path_to_name path

FILE: lib/brakeman/version.rb
  type Brakeman (line 1) | module Brakeman

FILE: lib/brakeman/warning.rb
  class Brakeman::Warning (line 7) | class Brakeman::Warning
    method initialize (line 50) | def initialize options = {}
    method hash (line 132) | def hash
    method eql? (line 136) | def eql? other_warning
    method confidence= (line 140) | def confidence= conf
    method view_name (line 155) | def view_name(include_renderer = true)
    method format_code (line 165) | def format_code strip = true
    method format_user_input (line 171) | def format_user_input strip = true
    method format_with_user_input (line 175) | def format_with_user_input strip = true, &block
    method format_message (line 186) | def format_message
    method link (line 202) | def link
    method to_row (line 220) | def to_row type = :warning
    method to_s (line 241) | def to_s
    method fingerprint (line 250) | def fingerprint
    method location (line 259) | def location include_renderer = true
    method relative_path (line 276) | def relative_path
    method check_name (line 280) | def check_name
    method confidence_name (line 284) | def confidence_name
    method to_hash (line 288) | def to_hash absolute_paths: true
    method to_json (line 312) | def to_json
    method format_ruby (line 318) | def format_ruby code, strip

FILE: lib/brakeman/warning_codes.rb
  type Brakeman::WarningCodes (line 1) | module Brakeman::WarningCodes
    function code (line 138) | def self.code name

FILE: lib/ruby_parser/bm_sexp.rb
  class Sexp (line 4) | class Sexp
    method method_missing (line 10) | def method_missing name, *args
    method deep_clone (line 28) | def deep_clone line = nil
    method paren (line 51) | def paren
    method value (line 56) | def value
    method value= (line 61) | def value= exp
    method second (line 67) | def second
    method to_sym (line 71) | def to_sym
    method node_type= (line 75) | def node_type= type
    method combine (line 83) | def combine exp, line = nil
    method << (line 99) | def << arg
    method hash (line 105) | def hash
    method compact (line 113) | def compact
    method find_and_replace_all (line 118) | def find_and_replace_all *args
    method find_node (line 123) | def find_node *args
    method expect (line 130) | def expect *types
    method target (line 140) | def target
    method target= (line 146) | def target= exp
    method method (line 156) | def method
    method method= (line 169) | def method= name
    method num_args (line 176) | def num_args
    method arglist= (line 190) | def arglist= exp
    method set_args (line 204) | def set_args *exp
    method arglist (line 214) | def arglist
    method args (line 233) | def args
    method each_arg (line 252) | def each_arg replace = false
    method each_arg! (line 277) | def each_arg! &block
    method first_arg (line 283) | def first_arg
    method first_arg= (line 289) | def first_arg= exp
    method second_arg (line 296) | def second_arg
    method second_arg= (line 302) | def second_arg= exp
    method third_arg (line 308) | def third_arg
    method third_arg= (line 313) | def third_arg= exp
    method last_arg (line 319) | def last_arg
    method call_chain (line 329) | def call_chain
    method condition (line 350) | def condition
    method condition= (line 355) | def condition= exp
    method then_clause (line 367) | def then_clause
    method else_clause (line 379) | def else_clause
    method block_call (line 390) | def block_call
    method block (line 408) | def block delete = nil
    method block_args (line 432) | def block_args
    method first_param (line 441) | def first_param
    method lhs (line 450) | def lhs
    method lhs= (line 456) | def lhs= exp
    method rhs (line 466) | def rhs
    method rhs= (line 481) | def rhs= exp
    method method_name (line 493) | def method_name
    method formal_args (line 504) | def formal_args
    method body= (line 517) | def body= exp
    method body (line 545) | def body
    method body_list (line 560) | def body_list
    method method_length (line 567) | def method_length
    method render_type (line 578) | def render_type
    method class_name (line 583) | def class_name
    method parent_name (line 590) | def parent_name
    method call (line 596) | def call
    method module (line 603) | def module
    method result_class (line 610) | def result_class
    method inspect (line 617) | def inspect seen = Set.new
  class String (line 663) | class String
  class WrongSexpError (line 673) | class WrongSexpError < RuntimeError; end

FILE: lib/ruby_parser/bm_sexp_processor.rb
  class Brakeman::SexpProcessor (line 13) | class Brakeman::SexpProcessor
    method processors (line 34) | def self.processors
    method initialize (line 44) | def initialize
    method process (line 64) | def process(exp)
    method scope (line 106) | def scope &block
    method in_context (line 110) | def in_context type

FILE: test/apps/active_record_only/app/models/book.rb
  class Book (line 5) | class Book < ActiveRecord::Base

FILE: test/apps/rails2/app/controllers/application_controller.rb
  class ApplicationController (line 4) | class ApplicationController < ActionController::Base
    method funky_panda (line 12) | def funky_panda
    method awesome (line 15) | def awesome
    method decent (line 39) | def decent

FILE: test/apps/rails2/app/controllers/emails_controller.rb
  class EmailsController (line 1) | class EmailsController < ApplicationController
    method show (line 2) | def show
    method show_email_1 (line 6) | def show_email_1

FILE: test/apps/rails2/app/controllers/home_controller.rb
  class HomeController (line 1) | class HomeController < ApplicationController
    method index (line 5) | def index; end
    method test_params (line 7) | def test_params
    method test_model (line 12) | def test_model
    method test_cookie (line 16) | def test_cookie
    method test_filter (line 20) | def test_filter
    method test_file_access (line 23) | def test_file_access
    method test_sql (line 27) | def test_sql some_var = "hello"
    method test_command (line 33) | def test_command
    method test_eval (line 39) | def test_eval
    method test_redirect (line 43) | def test_redirect
    method test_render (line 48) | def test_render
    method test_mass_assignment (line 53) | def test_mass_assignment
    method test_dynamic_render (line 57) | def test_dynamic_render
    method test_load_params (line 62) | def test_load_params
    method test_redirect_with_url_for (line 67) | def test_redirect_with_url_for
    method test_sql_nested (line 72) | def test_sql_nested
    method test_another_dynamic_render (line 76) | def test_another_dynamic_render
    method test_send_first_param (line 81) | def test_send_first_param
    method test_send_target (line 87) | def test_send_target # not that safe
    method test_send_second_param (line 94) | def test_send_second_param
    method test_send_second_param (line 100) | def test_send_second_param
    method test_send_second_param (line 106) | def test_send_second_param
    method test_sanitized_param (line 111) | def test_sanitized_param
    method test_safe_find_by (line 115) | def test_safe_find_by
    method test_user_input_on_multiline (line 119) | def test_user_input_on_multiline
    method test_mass_assign_with_or_equals (line 126) | def test_mass_assign_with_or_equals
    method test_xss_with_or (line 130) | def test_xss_with_or
    method test_to_json (line 144) | def test_to_json
    method test_content_tag (line 150) | def test_content_tag
    method test_more_send_methods (line 154) | def test_more_send_methods
    method filter_it (line 165) | def filter_it
    method or_equals (line 169) | def or_equals
    method test_safe_model_redirect (line 173) | def test_safe_model_redirect
    method test_safe_mode_array_redirect (line 177) | def test_safe_mode_array_redirect
    method test_model_attributes_badness (line 181) | def test_model_attributes_badness

FILE: test/apps/rails2/app/controllers/other_controller.rb
  class OtherController (line 1) | class OtherController < ApplicationController
    method test_locals (line 2) | def test_locals
    method test_object (line 6) | def test_object
    method test_collection (line 10) | def test_collection
    method test_iteration (line 16) | def test_iteration
    method test_send_file (line 20) | def test_send_file
    method test_update_attribute (line 24) | def test_update_attribute
    method test_render_template (line 29) | def test_render_template
    method test_render_update (line 35) | def test_render_update
    method test_to_i (line 41) | def test_to_i
    method test_to_sym (line 46) | def test_to_sym
    method test_xss_duplicates1 (line 57) | def test_xss_duplicates1
    method test_xss_duplicates2 (line 63) | def test_xss_duplicates2
    method test_haml_stuff (line 69) | def test_haml_stuff
    method test_regex_dos (line 73) | def test_regex_dos
    method test_escaped_regex (line 77) | def test_escaped_regex
    method test_unescaped_regex (line 81) | def test_unescaped_regex
    method test_intern (line 85) | def test_intern

FILE: test/apps/rails2/app/helpers/application_helper.rb
  type ApplicationHelper (line 2) | module ApplicationHelper

FILE: test/apps/rails2/app/helpers/home_helper.rb
  type HomeHelper (line 1) | module HomeHelper

FILE: test/apps/rails2/app/helpers/other_helper.rb
  type OtherHelper (line 1) | module OtherHelper

FILE: test/apps/rails2/app/models/account.rb
  class Account (line 1) | class Account < ActiveRecord::Base

FILE: test/apps/rails2/app/models/email.rb
  class Email (line 1) | class Email < ActiveRecord::Base

FILE: test/apps/rails2/app/models/protected.rb
  class Protected (line 1) | class Protected < ActiveRecord::Base

FILE: test/apps/rails2/app/models/unprotected.rb
  class Unprotected (line 1) | class Unprotected < Protected

FILE: test/apps/rails2/app/models/user.rb
  class User (line 1) | class User < ActiveRecord::Base
    method get_something (line 14) | def get_something x
    method test_merge_conditions (line 18) | def test_merge_conditions
    method some_method (line 25) | def self.some_method(value)
    method test_sanitized_sql (line 34) | def self.test_sanitized_sql input
    method more_sanitized_sql (line 38) | def more_sanitized_sql

FILE: test/apps/rails2/config/boot.rb
  type Rails (line 6) | module Rails
    function boot! (line 8) | def boot!
    function booted? (line 15) | def booted?
    function pick_boot (line 19) | def pick_boot
    function vendor_rails? (line 23) | def vendor_rails?
    function preinitialize (line 27) | def preinitialize
    function preinitializer_path (line 31) | def preinitializer_path
    class Boot (line 36) | class Boot
      method run (line 37) | def run
    class VendorBoot (line 43) | class VendorBoot < Boot
      method load_initializer (line 44) | def load_initializer
    class GemBoot (line 51) | class GemBoot < Boot
      method load_initializer (line 52) | def load_initializer
      method load_rails_gem (line 58) | def load_rails_gem
      method rubygems_version (line 74) | def rubygems_version
      method gem_version (line 78) | def gem_version
      method load_rubygems (line 88) | def load_rubygems
      method parse_gem_version (line 101) | def parse_gem_version(text)
      method read_environment_rb (line 106) | def read_environment_rb

FILE: test/apps/rails2/db/migrate/20110520193611_create_users.rb
  class CreateUsers (line 1) | class CreateUsers < ActiveRecord::Migration
    method up (line 2) | def self.up
    method down (line 9) | def self.down

FILE: test/apps/rails2/db/migrate/20110523184125_create_accounts.rb
  class CreateAccounts (line 1) | class CreateAccounts < ActiveRecord::Migration
    method up (line 2) | def self.up
    method down (line 9) | def self.down

FILE: test/apps/rails2/lib/generators/test_generator/templates/model.rb
  class ActiveRecord::Base (line 1) | class <%= file_name.camelize %> < ActiveRecord::Base

FILE: test/apps/rails2/public/javascripts/controls.js
  function addText (line 561) | function addText(mode, condition) {
  function fallback (line 857) | function fallback(name, expr) {

FILE: test/apps/rails2/public/javascripts/effects.js
  function codeForEvent (line 231) | function codeForEvent(options,eventName){
  function dispatch (line 248) | function dispatch(effect, eventName) {
  function parseColor (line 952) | function parseColor(color){

FILE: test/apps/rails2/public/javascripts/prototype.js
  function klass (line 50) | function klass() {
  function $A (line 812) | function $A(iterable) {
  function $w (line 945) | function $w(string) {
  function $H (line 993) | function $H(object) {
  function toQueryPair (line 999) | function toQueryPair(key, value) {
  function $ (line 1513) | function $(element) {
  function stripAlpha (line 2289) | function stripAlpha(filter){
  function extend (line 2627) | function extend(tagName) {
  function copy (line 2634) | function copy(methods, destination, onlyIfAbsent) {
  function findDOMClass (line 2644) | function findDOMClass(tagName) {
  function $$ (line 3443) | function $$() {
  function getEventID (line 3935) | function getEventID(element) {
  function getDOMEventName (line 3941) | function getDOMEventName(eventName) {
  function getCacheForID (line 3946) | function getCacheForID(id) {
  function getWrappersForEventName (line 3950) | function getWrappersForEventName(id, eventName) {
  function createWrapper (line 3955) | function createWrapper(element, eventName, handler) {
  function findWrapper (line 3974) | function findWrapper(id, eventName, handler) {
  function destroyWrapper (line 3979) | function destroyWrapper(id, eventName, handler) {
  function destroyCache (line 3985) | function destroyCache() {
  function fireContentLoadedEvent (line 4102) | function fireContentLoadedEvent() {
  function iter (line 4251) | function iter(name) {

FILE: test/apps/rails2/test/functional/home_controller_test.rb
  class HomeControllerTest (line 3) | class HomeControllerTest < ActionController::TestCase

FILE: test/apps/rails2/test/functional/other_controller_test.rb
  class OtherControllerTest (line 3) | class OtherControllerTest < ActionController::TestCase

FILE: test/apps/rails2/test/performance/browsing_test.rb
  class BrowsingTest (line 5) | class BrowsingTest < ActionController::PerformanceTest
    method test_homepage (line 6) | def test_homepage

FILE: test/apps/rails2/test/test_helper.rb
  class ActiveSupport::TestCase (line 5) | class ActiveSupport::TestCase

FILE: test/apps/rails2/test/unit/account_test.rb
  class AccountTest (line 3) | class AccountTest < ActiveSupport::TestCase

FILE: test/apps/rails2/test/unit/helpers/home_helper_test.rb
  class HomeHelperTest (line 3) | class HomeHelperTest < ActionView::TestCase

FILE: test/apps/rails2/test/unit/helpers/other_helper_test.rb
  class OtherHelperTest (line 3) | class OtherHelperTest < ActionView::TestCase

FILE: test/apps/rails2/test/unit/user_test.rb
  class UserTest (line 3) | class UserTest < ActiveSupport::TestCase

FILE: test/apps/rails3.1/app/controllers/admin_controller.rb
  class AdminController (line 1) | class AdminController < ApplicationController
    method constantize_some_stuff (line 8) | def constantize_some_stuff
    method authenticate_user! (line 21) | def authenticate_user!
    method show_detailed_exceptions? (line 29) | def show_detailed_exceptions?
    method make_system_calls (line 33) | def make_system_calls
    method use_lambda_filter (line 52) | def use_lambda_filter
    method authenticate_token! (line 56) | def authenticate_token!
    method authenticate_token_or_basic (line 62) | def authenticate_token_or_basic(&block)

FILE: test/apps/rails3.1/app/controllers/application_controller.rb
  class ApplicationController (line 1) | class ApplicationController < ActionController::Base

FILE: test/apps/rails3.1/app/controllers/mixins/user_mixin.rb
  type UserMixin (line 1) | module UserMixin
    function mixin_action (line 3) | def mixin_action
    function mixin_default (line 9) | def mixin_default
    function assign_if (line 13) | def assign_if

FILE: test/apps/rails3.1/app/controllers/other_controller.rb
  class OtherController (line 1) | class OtherController < ApplicationController
    method a (line 2) | def a
    method b (line 6) | def b
    method c (line 10) | def c
    method d (line 14) | def d
    method e (line 18) | def e
    method f (line 22) | def f
    method g (line 26) | def g
    method test_partial1 (line 30) | def test_partial1
    method test_partial2 (line 35) | def test_partial2
    method test_string_interp (line 40) | def test_string_interp
    method test_arel_table_access (line 45) | def test_arel_table_access
    method test_draper_redirect (line 49) | def test_draper_redirect
    method test_model_redirect_in_or (line 53) | def test_model_redirect_in_or
    method test_sanitized_medium (line 63) | def test_sanitized_medium
    method test_deserialization (line 68) | def test_deserialization
    method test_model_in_haml (line 76) | def test_model_in_haml

FILE: test/apps/rails3.1/app/controllers/users_controller.rb
  class UsersController (line 1) | class UsersController < ApplicationController
    method index (line 8) | def index
    method show (line 19) | def show
    method new (line 30) | def new
    method edit (line 40) | def edit
    method create (line 46) | def create
    method update (line 62) | def update
    method destroy (line 78) | def destroy
    method circular_render (line 88) | def circular_render
    method redirect_to_new_user (line 93) | def redirect_to_new_user
    method redirect_to_user_url (line 97) | def redirect_to_user_url
    method redirect_to_user_find_by (line 101) | def redirect_to_user_find_by
    method test_file_access_params (line 105) | def test_file_access_params
    method redirect_to_user_as_param (line 112) | def redirect_to_user_as_param
    method redirect_to_association (line 116) | def redirect_to_association
    method redirect_to_safe_second_param (line 120) | def redirect_to_safe_second_param
    method test_simple_helper (line 124) | def test_simple_helper
    method test_less_simple_helpers (line 128) | def test_less_simple_helpers
    method test_assign_twice (line 134) | def test_assign_twice
    method update_all_users (line 138) | def update_all_users
    method test_assign_if (line 155) | def test_assign_if
    method simple_helper (line 160) | def simple_helper
    method less_simple_helper (line 164) | def less_simple_helper
    method simple_helper_with_args (line 168) | def simple_helper_with_args arg
    method assign_ivar (line 172) | def assign_ivar
    method pluck_something (line 176) | def pluck_something
    method redirect_merge (line 184) | def redirect_merge
    method drape (line 188) | def drape
    method mass_again (line 192) | def mass_again
    method dynamic_finders (line 196) | def dynamic_finders

FILE: test/apps/rails3.1/app/helpers/application_helper.rb
  type ApplicationHelper (line 1) | module ApplicationHelper

FILE: test/apps/rails3.1/app/helpers/users_helper.rb
  type UsersHelper (line 1) | module UsersHelper

FILE: test/apps/rails3.1/app/models/account.rb
  class Account (line 1) | class Account < ActiveRecord::Base

FILE: test/apps/rails3.1/app/models/product.rb
  class Product (line 1) | class Product < ActiveRecord::Base
    method test_find_order (line 2) | def test_find_order
    method test_find_group (line 8) | def test_find_group
    method test_find_having (line 14) | def test_find_having
    method test_find_joins (line 29) | def test_find_joins
    method test_find_select (line 43) | def test_find_select
    method test_find_from (line 53) | def test_find_from
    method test_find_lock (line 62) | def test_find_lock
    method test_where (line 71) | def test_where
    method test_constant_interpolation (line 86) | def test_constant_interpolation
    method test_local_interpolation (line 91) | def test_local_interpolation
    method test_conditional_args_in_sql (line 96) | def test_conditional_args_in_sql
    method test_params_in_args (line 104) | def test_params_in_args
    method test_params_to_i (line 109) | def test_params_to_i
    method test_more_if_statements (line 114) | def test_more_if_statements
    method test_calculations (line 137) | def test_calculations
    method test_select (line 147) | def test_select
    method test_conditional_in_options (line 155) | def test_conditional_in_options
    method test_or_interpolation (line 164) | def test_or_interpolation
    method test_params_to_f (line 169) | def test_params_to_f
    method test_interpolation_in_first_arg (line 174) | def test_interpolation_in_first_arg
    method test_to_sql_interpolation (line 178) | def test_to_sql_interpolation

FILE: test/apps/rails3.1/app/models/some_model.rb
  class SomeModel (line 1) | class SomeModel < @some_variable

FILE: test/apps/rails3.1/app/models/user.rb
  class User (line 1) | class User < ActiveRecord::Base
    method sql_stuff (line 31) | def self.sql_stuff parent_id
    method safe_sql_using_quoted_table_name (line 46) | def self.safe_sql_using_quoted_table_name
    method more_safe_stuff (line 50) | def self.more_safe_stuff

FILE: test/apps/rails3.1/config/application.rb
  type Rails31 (line 12) | module Rails31
    class Application (line 13) | class Application < Rails::Application

FILE: test/apps/rails3.1/db/migrate/20110908172338_create_users.rb
  class CreateUsers (line 1) | class CreateUsers < ActiveRecord::Migration
    method change (line 2) | def change

FILE: test/apps/rails3.1/lib/alib.rb
  class Alib (line 1) | class Alib < $SOME_CONSTANT

FILE: test/apps/rails3.1/lib/somelib.rb
  class MyLib (line 1) | class MyLib
    method test_negative_array_index (line 2) | def test_negative_array_index

FILE: test/apps/rails3.1/test/functional/users_controller_test.rb
  class UsersControllerTest (line 3) | class UsersControllerTest < ActionController::TestCase

FILE: test/apps/rails3.1/test/performance/browsing_test.rb
  class BrowsingTest (line 4) | class BrowsingTest < ActionDispatch::PerformanceTest
    method test_homepage (line 9) | def test_homepage

FILE: test/apps/rails3.1/test/test_helper.rb
  class ActiveSupport::TestCase (line 5) | class ActiveSupport::TestCase

FILE: test/apps/rails3.1/test/unit/helpers/users_helper_test.rb
  class UsersHelperTest (line 3) | class UsersHelperTest < ActionView::TestCase

FILE: test/apps/rails3.1/test/unit/user_test.rb
  class UserTest (line 3) | class UserTest < ActiveSupport::TestCase

FILE: test/apps/rails3.2/app/controllers/application_controller.rb
  class ApplicationController (line 1) | class ApplicationController < ActionController::Base

FILE: test/apps/rails3.2/app/controllers/exec_controller.rb
  class ExecController (line 1) | class ExecController < ApplicationController
    method outer_exec (line 4) | def outer_exec

FILE: test/apps/rails3.2/app/controllers/exec_controller/command_dependency.rb
  class ExecController (line 1) | class ExecController
    method inner_exec (line 2) | def inner_exec

FILE: test/apps/rails3.2/app/controllers/removal_controller.rb
  class RemovalController (line 1) | class RemovalController < ApplicationController
    method change_lines (line 2) | def change_lines
    method remove_this (line 13) | def remove_this
    method remove_this_too (line 17) | def remove_this_too
    method implicit_render (line 24) | def implicit_render

FILE: test/apps/rails3.2/app/controllers/users_controller.rb
  class UsersController (line 1) | class UsersController < ApplicationController
    method index (line 6) | def index
    method show (line 17) | def show
    method new (line 29) | def new
    method edit (line 39) | def edit
    method create (line 45) | def create
    method update (line 61) | def update
    method destroy (line 77) | def destroy
    method slimming (line 87) | def slimming
    method show_detailed_exceptions? (line 92) | def show_detailed_exceptions?
    method render_text (line 96) | def render_text
    method test_symbol_dos (line 100) | def test_symbol_dos

FILE: test/apps/rails3.2/app/helpers/application_helper.rb
  type ApplicationHelper (line 1) | module ApplicationHelper

FILE: test/apps/rails3.2/app/helpers/users_helper.rb
  type UsersHelper (line 1) | module UsersHelper

FILE: test/apps/rails3.2/app/models/account.rb
  class Account (line 1) | class Account < ActiveRecord::Base

FILE: test/apps/rails3.2/app/models/multi_model.rb
  type MultiModel (line 1) | module MultiModel
    class Model1 (line 2) | class Model1 < ActiveRecord::Base
      method model_exec (line 4) | def model_exec
    class Model2 (line 10) | class Model2 < ActiveRecord::Base
      method model_exec (line 12) | def model_exec

FILE: test/apps/rails3.2/app/models/no_protection.rb
  class NoProtection (line 1) | class NoProtection < ActiveRecord::Base

FILE: test/apps/rails3.2/app/models/user.rb
  class User (line 1) | class User < ActiveRecord::Base

FILE: test/apps/rails3.2/app/models/user/command_dependency.rb
  class User (line 1) | class User
    method inner_exec (line 2) | def inner_exec

FILE: test/apps/rails3.2/config/application.rb
  type Rails32 (line 12) | module Rails32
    class Application (line 13) | class Application < Rails::Application

FILE: test/apps/rails3.2/config/initializers/header_dos_protection.rb
  function get (line 7) | def get(details)

FILE: test/apps/rails3.2/lib/user_controller_mixin.rb
  type UserControllerMixin (line 1) | module UserControllerMixin
    function mixed_in (line 2) | def mixed_in
    function [] (line 6) | def [] index

FILE: test/apps/rails3/app/controllers/application_controller.rb
  class ApplicationController (line 1) | class ApplicationController < ActionController::Base

FILE: test/apps/rails3/app/controllers/base_thing.rb
  class BaseThing (line 1) | class BaseThing < ApplicationController
    method action_in_parent (line 2) | def action_in_parent

FILE: test/apps/rails3/app/controllers/before_controller.rb
  class BeforeController (line 1) | class BeforeController < ApplicationController
    method use_filters12 (line 8) | def use_filters12
    method use_filter123 (line 11) | def use_filter123
    method use_filter12345 (line 14) | def use_filter12345
    method filter1 (line 19) | def filter1
    method filter2 (line 23) | def filter2
    method filter3 (line 27) | def filter3
    method filter4 (line 31) | def filter4
    method filter5 (line 37) | def filter5

FILE: test/apps/rails3/app/controllers/child_controller.rb
  class ChildController (line 1) | class ChildController < BaseThing
    method action_in_child (line 2) | def action_in_child

FILE: test/apps/rails3/app/controllers/home_controller.rb
  class HomeController (line 1) | class HomeController < ApplicationController
    method index (line 4) | def index
    method test_params (line 7) | def test_params
    method test_model (line 12) | def test_model
    method test_cookie (line 16) | def test_cookie
    method test_filter (line 20) | def test_filter
    method test_file_access (line 23) | def test_file_access
    method test_sql (line 27) | def test_sql some_var = "hello"
    method test_command (line 33) | def test_command
    method test_eval (line 39) | def test_eval
    method test_redirect (line 43) | def test_redirect
    method test_render (line 48) | def test_render
    method test_mass_assignment (line 53) | def test_mass_assignment
    method test_mass_assignment_with_hash (line 57) | def test_mass_assignment_with_hash
    method test_dynamic_render (line 61) | def test_dynamic_render
    method test_load_params (line 66) | def test_load_params
    method test_model_build (line 71) | def test_model_build
    method test_only_path_wrong (line 76) | def test_only_path_wrong
    method test_url_for_only_path (line 80) | def test_url_for_only_path
    method test_render_a_method_call (line 86) | def test_render_a_method_call
    method test_number_alias (line 91) | def test_number_alias
    method test_only_path_correct (line 95) | def test_only_path_correct
    method test_content_tag (line 100) | def test_content_tag
    method test_yaml_file_access (line 104) | def test_yaml_file_access
    method test_more_mass_assignment_methods (line 112) | def test_more_mass_assignment_methods
    method test_yaml_load (line 122) | def test_yaml_load
    method test_more_yaml_methods (line 129) | def test_more_yaml_methods
    method parse_json (line 136) | def parse_json
    method mass_assign_slice_only (line 140) | def mass_assign_slice_only
    method test_more_ways_to_execute (line 145) | def test_more_ways_to_execute
    method test_only_path_also_correct (line 157) | def test_only_path_also_correct
    method test_more_uses_of_pipelines (line 161) | def test_more_uses_of_pipelines
    method filter_it (line 170) | def filter_it

FILE: test/apps/rails3/app/controllers/nested_controller.rb
  class Whatever (line 1) | class Whatever
    type Wherever (line 2) | module Wherever
      class NestedController (line 3) | class NestedController < ApplicationController
        method so_nested (line 4) | def so_nested

FILE: test/apps/rails3/app/controllers/other_controller.rb
  class OtherController (line 1) | class OtherController < ApplicationController
    method test_locals (line 2) | def test_locals
    method test_object (line 6) | def test_object
    method test_collection (line 10) | def test_collection
    method test_iteration (line 16) | def test_iteration
    method test_send_file (line 20) | def test_send_file
    method test_update_attribute (line 24) | def test_update_attribute
    method test_sql_with_non_active_record_model (line 29) | def test_sql_with_non_active_record_model
    method test_http_digest (line 33) | def test_http_digest
    method test_render_with_nonsymbol_key (line 39) | def test_render_with_nonsymbol_key
    method test_mail_to (line 43) | def test_mail_to
    method test_command_injection_locals (line 47) | def test_command_injection_locals
    method test_mass_assign_with_strong_params (line 52) | def test_mass_assign_with_strong_params
    method test_sql_deletes (line 56) | def test_sql_deletes
    method test_sql_to_s (line 61) | def test_sql_to_s status

FILE: test/apps/rails3/app/controllers/products_controller.rb
  class ProductsController (line 1) | class ProductsController < ApplicationController
    method index (line 4) | def index
    method show (line 15) | def show
    method new (line 26) | def new
    method edit (line 36) | def edit
    method create (line 42) | def create
    method update (line 58) | def update
    method destroy (line 74) | def destroy
    method render_some_text (line 84) | def render_some_text

FILE: test/apps/rails3/app/helpers/application_helper.rb
  type ApplicationHelper (line 1) | module ApplicationHelper

FILE: test/apps/rails3/app/helpers/home_helper.rb
  type HomeHelper (line 1) | module HomeHelper

FILE: test/apps/rails3/app/helpers/other_helper.rb
  type OtherHelper (line 1) | module OtherHelper

FILE: test/apps/rails3/app/helpers/products_helper.rb
  type ProductsHelper (line 1) | module ProductsHelper

FILE: test/apps/rails3/app/models/account.rb
  class Account (line 1) | class Account < ActiveRecord::Base
    method mass_assign_it (line 8) | def mass_assign_it
    method test_class_eval (line 12) | def test_class_eval

FILE: test/apps/rails3/app/models/bill.rb
  class Bill (line 1) | class Bill < ActiveRecord::Base

FILE: test/apps/rails3/app/models/noticia.rb
  class Noticia (line 1) | class Noticia

FILE: test/apps/rails3/app/models/notifier.rb
  class Notifier (line 1) | class Notifier < ActionMailer::Base
    method nsfree_deactivation_heroku (line 2) | def nsfree_deactivation_heroku(account, allowed, used)

FILE: test/apps/rails3/app/models/product.rb
  class Product (line 1) | class Product < ActiveRecord::Base

FILE: test/apps/rails3/app/models/purchase.rb
  class Purchase (line 1) | class Purchase < ActiveRecord::Base

FILE: test/apps/rails3/app/models/underline_model.rb
  class Underline_Model (line 1) | class Underline_Model
    method inject! (line 2) | def inject!(b)

FILE: test/apps/rails3/app/models/user.rb
  class User (line 1) | class User < ActiveRecord::Base
    method unused_sql (line 3) | def unused_sql
    method sql_in_if_branches (line 25) | def sql_in_if_branches
    method safe_sql (line 35) | def safe_sql
    method sanitized_profile (line 39) | def sanitized_profile

FILE: test/apps/rails3/config/application.rb
  type Rails3 (line 9) | module Rails3
    class Application (line 10) | class Application < Rails::Application

FILE: test/apps/rails3/lib/controller_filter.rb
  type ControllerFilter (line 1) | module ControllerFilter
    function included (line 3) | def self.included somewhere

FILE: test/apps/rails3/public/javascripts/controls.js
  function addText (line 563) | function addText(mode, condition) {
  function fallback (line 859) | function fallback(name, expr) {

FILE: test/apps/rails3/public/javascripts/effects.js
  function dispatch (line 243) | function dispatch(effect, eventName) {
  function parseColor (line 947) | function parseColor(color){

FILE: test/apps/rails3/public/javascripts/prototype.js
  function subclass (line 94) | function subclass() {}
  function create (line 95) | function create() {
  function addMethods (line 124) | function addMethods(source) {
  function Type (line 178) | function Type(o) {
  function extend (line 192) | function extend(destination, source) {
  function inspect (line 198) | function inspect(object) {
  function toJSON (line 209) | function toJSON(value) {
  function Str (line 213) | function Str(key, holder, stack) {
  function stringify (line 271) | function stringify(object) {
  function toQueryString (line 275) | function toQueryString(object) {
  function toHTML (line 279) | function toHTML(object) {
  function keys (line 283) | function keys(object) {
  function values (line 294) | function values(object) {
  function clone (line 301) | function clone(object) {
  function isElement (line 305) | function isElement(object) {
  function isArray (line 309) | function isArray(object) {
  function isHash (line 320) | function isHash(object) {
  function isFunction (line 324) | function isFunction(object) {
  function isString (line 328) | function isString(object) {
  function isNumber (line 332) | function isNumber(object) {
  function isUndefined (line 336) | function isUndefined(object) {
  function update (line 361) | function update(array, args) {
  function merge (line 367) | function merge(array, args) {
  function argumentNames (line 372) | function argumentNames() {
  function bind (line 379) | function bind(context) {
  function bindAsEventListener (line 388) | function bindAsEventListener(context) {
  function curry (line 396) | function curry() {
  function delay (line 405) | function delay(timeout) {
  function defer (line 413) | function defer() {
  function wrap (line 418) | function wrap(wrapper) {
  function methodize (line 426) | function methodize() {
  function toISOString (line 452) | function toISOString() {
  function toJSON (line 462) | function toJSON() {
  function prepareReplacement (line 532) | function prepareReplacement(replacement) {
  function gsub (line 538) | function gsub(pattern, replacement) {
  function sub (line 562) | function sub(pattern, replacement, count) {
  function scan (line 572) | function scan(pattern, iterator) {
  function truncate (line 577) | function truncate(length, truncation) {
  function strip (line 584) | function strip() {
  function stripTags (line 588) | function stripTags() {
  function stripScripts (line 592) | function stripScripts() {
  function extractScripts (line 596) | function extractScripts() {
  function evalScripts (line 604) | function evalScripts() {
  function escapeHTML (line 608) | function escapeHTML() {
  function unescapeHTML (line 612) | function unescapeHTML() {
  function toQueryParams (line 617) | function toQueryParams(separator) {
  function toArray (line 638) | function toArray() {
  function succ (line 642) | function succ() {
  function times (line 647) | function times(count) {
  function camelize (line 651) | function camelize() {
  function capitalize (line 657) | function capitalize() {
  function underscore (line 661) | function underscore() {
  function dasherize (line 669) | function dasherize() {
  function inspect (line 673) | function inspect(useDoubleQuotes) {
  function unfilterJSON (line 684) | function unfilterJSON(filter) {
  function isJSON (line 688) | function isJSON() {
  function evalJSON (line 697) | function evalJSON(sanitize) {
  function parseJSON (line 711) | function parseJSON() {
  function include (line 716) | function include(pattern) {
  function startsWith (line 720) | function startsWith(pattern) {
  function endsWith (line 724) | function endsWith(pattern) {
  function empty (line 729) | function empty() {
  function blank (line 733) | function blank() {
  function interpolate (line 737) | function interpolate(object, pattern) {
  function each (line 814) | function each(iterator, context) {
  function eachSlice (line 826) | function eachSlice(number, iterator, context) {
  function all (line 834) | function all(iterator, context) {
  function any (line 844) | function any(iterator, context) {
  function collect (line 854) | function collect(iterator, context) {
  function detect (line 863) | function detect(iterator, context) {
  function findAll (line 874) | function findAll(iterator, context) {
  function grep (line 883) | function grep(filter, iterator, context) {
  function include (line 897) | function include(object) {
  function inGroupsOf (line 911) | function inGroupsOf(number, fillWith) {
  function inject (line 919) | function inject(memo, iterator, context) {
  function invoke (line 926) | function invoke(method) {
  function max (line 933) | function max(iterator, context) {
  function min (line 944) | function min(iterator, context) {
  function partition (line 955) | function partition(iterator, context) {
  function pluck (line 965) | function pluck(property) {
  function reject (line 973) | function reject(iterator, context) {
  function sortBy (line 982) | function sortBy(iterator, context) {
  function toArray (line 994) | function toArray() {
  function zip (line 998) | function zip() {
  function size (line 1009) | function size() {
  function inspect (line 1013) | function inspect() {
  function $A (line 1059) | function $A(iterable) {
  function $w (line 1068) | function $w(string) {
  function each (line 1082) | function each(iterator) {
  function clear (line 1088) | function clear() {
  function first (line 1093) | function first() {
  function last (line 1097) | function last() {
  function compact (line 1101) | function compact() {
  function flatten (line 1107) | function flatten() {
  function without (line 1116) | function without() {
  function reverse (line 1123) | function reverse(inline) {
  function uniq (line 1127) | function uniq(sorted) {
  function intersect (line 1135) | function intersect(array) {
  function clone (line 1142) | function clone() {
  function size (line 1146) | function size() {
  function inspect (line 1150) | function inspect() {
  function indexOf (line 1154) | function indexOf(item, i) {
  function lastIndexOf (line 1163) | function lastIndexOf(item, i) {
  function concat (line 1169) | function concat() {
  function $H (line 1214) | function $H(object) {
  function initialize (line 1219) | function initialize(object) {
  function _each (line 1224) | function _each(iterator) {
  function set (line 1233) | function set(key, value) {
  function get (line 1237) | function get(key) {
  function unset (line 1242) | function unset(key) {
  function toObject (line 1248) | function toObject() {
  function keys (line 1254) | function keys() {
  function values (line 1258) | function values() {
  function index (line 1262) | function index(value) {
  function merge (line 1269) | function merge(object) {
  function update (line 1273) | function update(object) {
  function toQueryPair (line 1280) | function toQueryPair(key, value) {
  function toQueryString (line 1285) | function toQueryString() {
  function inspect (line 1297) | function inspect() {
  function clone (line 1303) | function clone() {
  function toColorPart (line 1329) | function toColorPart() {
  function succ (line 1333) | function succ() {
  function times (line 1337) | function times(iterator, context) {
  function toPaddedString (line 1342) | function toPaddedString(length, radix) {
  function abs (line 1347) | function abs() {
  function round (line 1351) | function round() {
  function ceil (line 1355) | function ceil() {
  function floor (line 1359) | function floor() {
  function $R (line 1375) | function $R(start, end, exclusive) {
  function initialize (line 1380) | function initialize(start, end, exclusive) {
  function _each (line 1386) | function _each(iterator) {
  function include (line 1394) | function include(value) {
  function $ (line 1806) | function $(element) {
  function purgeElement (line 1886) | function purgeElement(element) {
  function update (line 1965) | function update(element, content) {
  function stripAlpha (line 2658) | function stripAlpha(filter){
  function _descendants (line 2820) | function _descendants(element) {
  function checkDeficiency (line 2989) | function checkDeficiency(tagName) {
  function extendElementWith (line 3005) | function extendElementWith(element, methods) {
  function extend (line 3095) | function extend(tagName) {
  function copy (line 3102) | function copy(methods, destination, onlyIfAbsent) {
  function findDOMClass (line 3112) | function findDOMClass(tagName) {
  function getRootElement (line 3179) | function getRootElement() {
  function define (line 3189) | function define(D) {
  function toDecimal (line 3280) | function toDecimal(pctString) {
  function getPixelValue (line 3286) | function getPixelValue(value, property) {
  function toCSSPixels (line 3327) | function toCSSPixels(number) {
  function isDisplayed (line 3334) | function isDisplayed(element) {
  function cssNameFor (line 3356) | function cssNameFor(key) {
  function getLayout (line 3715) | function getLayout(element, preCompute) {
  function measure (line 3719) | function measure(element, property) {
  function getDimensions (line 3723) | function getDimensions(element) {
  function getOffsetParent (line 3731) | function getOffsetParent(element) {
  function cumulativeOffset (line 3748) | function cumulativeOffset(element) {
  function positionedOffset (line 3758) | function positionedOffset(element) {
  function cumulativeScrollOffset (line 3779) | function cumulativeScrollOffset(element) {
  function viewportOffset (line 3789) | function viewportOffset(forElement) {
  function absolutize (line 3810) | function absolutize(element) {
  function relativize (line 3842) | function relativize(element) {
  function isBody (line 3868) | function isBody(element) {
  function isDetached (line 3872) | function isDetached(element) {
  function select (line 3920) | function select() {
  function match (line 3924) | function match() {
  function find (line 3928) | function find(elements, expression, index) {
  function extendElements (line 3939) | function extendElements(elements) {
  function dirNodeCheck (line 4823) | function dirNodeCheck( dir, cur, doneName, checkSet, nodeCheck, isXML ) {
  function dirCheck (line 4859) | function dirCheck( dir, cur, doneName, checkSet, nodeCheck, isXML ) {
  function select (line 4939) | function select(selector, scope) {
  function match (line 4943) | function match(element, selector) {
  function isLeftClick (line 5347) | function isLeftClick(event)   { return _isButton(event, 0) }
  function isMiddleClick (line 5349) | function isMiddleClick(event) { return _isButton(event, 1) }
  function isRightClick (line 5351) | function isRightClick(event)  { return _isButton(event, 2) }
  function element (line 5353) | function element(event) {
  function findElement (line 5372) | function findElement(event, expression) {
  function pointer (line 5383) | function pointer(event) {
  function pointerX (line 5387) | function pointerX(event) {
  function pointerY (line 5396) | function pointerY(event) {
  function stop (line 5406) | function stop(event) {
  function _relatedTarget (line 5436) | function _relatedTarget(event) {
  function _createResponder (line 5474) | function _createResponder(element, eventName, handler) {
  function _destroyCache (line 5533) | function _destroyCache() {
  function observe (line 5558) | function observe(element, eventName, handler) {
  function stopObserving (line 5584) | function stopObserving(element, eventName, handler) {
  function fire (line 5631) | function fire(element, eventName, memo, bubble) {
  function on (line 5685) | function on(element, eventName, selector, callback) {
  function fireContentLoadedEvent (line 5735) | function fireContentLoadedEvent() {
  function checkReadyState (line 5742) | function checkReadyState() {
  function pollDoScroll (line 5749) | function pollDoScroll() {
  function iter (line 5879) | function iter(name) {

FILE: test/apps/rails3/public/javascripts/rails.js
  function isEventSupported (line 4) | function isEventSupported(eventName) {
  function isForm (line 16) | function isForm(element) {
  function isInput (line 20) | function isInput(element) {
  function handleRemote (line 74) | function handleRemote(element) {
  function handleMethod (line 103) | function handleMethod(element) {

FILE: test/apps/rails3/test/functional/home_controller_test.rb
  class HomeControllerTest (line 3) | class HomeControllerTest < ActionController::TestCase

FILE: test/apps/rails3/test/functional/other_controller_test.rb
  class OtherControllerTest (line 3) | class OtherControllerTest < ActionController::TestCase

FILE: test/apps/rails3/test/performance/browsing_test.rb
  class BrowsingTest (line 5) | class BrowsingTest < ActionDispatch::PerformanceTest
    method test_homepage (line 6) | def test_homepage

FILE: test/apps/rails3/test/test_helper.rb
  class ActiveSupport::TestCase (line 5) | class ActiveSupport::TestCase

FILE: test/apps/rails3/test/unit/helpers/home_helper_test.rb
  class HomeHelperTest (line 3) | class HomeHelperTest < ActionView::TestCase

FILE: test/apps/rails3/test/unit/helpers/other_helper_test.rb
  class OtherHelperTest (line 3) | class OtherHelperTest < ActionView::TestCase

FILE: test/apps/rails4/app/api/api.rb
  type API (line 1) | module API
    function insecure_command_execution (line 3) | def insecure_command_execution

FILE: test/apps/rails4/app/controllers/another_controller.rb
  class AnotherController (line 1) | class AnotherController < ApplicationController
    method overflow (line 2) | def overflow
    method use_bad_thing (line 12) | def use_bad_thing
    method also_use_bad_thing (line 17) | def also_use_bad_thing
    method render_stuff (line 21) | def render_stuff
    method use_params_in_regex (line 37) | def use_params_in_regex
    method building_strings_for_sql (line 41) | def building_strings_for_sql
    method safe_renders (line 59) | def safe_renders

FILE: test/apps/rails4/app/controllers/application_controller.rb
  class ApplicationController (line 1) | class ApplicationController < ActionController::API
    method show_detailed_exceptions? (line 6) | def show_detailed_exceptions?
    method redirect_to_created_model (line 10) | def redirect_to_created_model
    method bypass_ssl_check (line 22) | def bypass_ssl_check
    method set_bad_thing (line 29) | def set_bad_thing
    method wrong_redirect_only_path (line 33) | def wrong_redirect_only_path
    method redirect_only_path_with_unsafe_hash (line 37) | def redirect_only_path_with_unsafe_hash
    method redirect_only_path_with_unsafe_h (line 41) | def redirect_only_path_with_unsafe_h

FILE: test/apps/rails4/app/controllers/friendly_controller.rb
  class FriendlyController (line 1) | class FriendlyController
    method find (line 6) | def find
    method some_user_thing (line 11) | def some_user_thing
    method try_and_send (line 15) | def try_and_send
    method mass_assign_user (line 20) | def mass_assign_user
    method mass_assign_protected_model (line 26) | def mass_assign_protected_model
    method permit_without_usage (line 32) | def permit_without_usage
    method permit_after_usage (line 37) | def permit_after_usage
    method sql_with_exec (line 43) | def sql_with_exec
    method redirect_to_some_places (line 57) | def redirect_to_some_places
    method select_some_stuff (line 67) | def select_some_stuff
    method send_some_stuff (line 71) | def send_some_stuff
    method private_some_stuff (line 75) | def private_some_stuff
    method where_hashes (line 79) | def where_hashes
    method whitelistit (line 84) | def whitelistit

FILE: test/apps/rails4/app/controllers/mixed_controller.rb
  class MixedController (line 1) | class MixedController < ApplicationController

FILE: test/apps/rails4/app/controllers/mixed_in_proxy.rb
  type ProxyThing (line 1) | module ProxyThing
    class X (line 2) | class X; end
    type Proxied (line 4) | module Proxied
      function included (line 5) | def self.included(controller)

FILE: test/apps/rails4/app/controllers/users_controller.rb
  class UsersController (line 1) | class UsersController < ApplicationController
    method test_sql_sanitize (line 2) | def test_sql_sanitize
    method test_before_action (line 13) | def test_before_action
    method test_prepend_before_action (line 18) | def test_prepend_before_action
    method test_append_before_action (line 23) | def test_append_before_action
    method set_page (line 27) | def set_page
    method safe_set_page (line 31) | def safe_set_page
    method redirect_to_model (line 35) | def redirect_to_model
    method find_by_stuff (line 46) | def find_by_stuff
    method symbolize_safe_parameters (line 51) | def symbolize_safe_parameters
    method mass_assignment_bypass (line 56) | def mass_assignment_bypass
    method email_finds (line 65) | def email_finds
    method case_statement (line 69) | def case_statement
    method open_stuff (line 80) | def open_stuff
    method eval_it (line 87) | def eval_it
    method session_key (line 91) | def session_key
    method hash_some_things (line 96) | def hash_some_things
    method redirector (line 107) | def redirector
    method more_haml (line 111) | def more_haml
    method without (line 114) | def without
    method permit_in_sql (line 118) | def permit_in_sql
    method exists_with_to_s (line 124) | def exists_with_to_s
    method find_and_create_em (line 128) | def find_and_create_em
    method email_find_by (line 135) | def email_find_by
    method haml_test (line 140) | def haml_test; end

FILE: test/apps/rails4/app/helpers/application_helper.rb
  type ApplicationHelper (line 1) | module ApplicationHelper

FILE: test/apps/rails4/app/models/account.rb
  class Account (line 1) | class Account < ActiveRecord::Base
    method sql_it_up_yeah (line 4) | def sql_it_up_yeah
    method more_sql_connection (line 11) | def self.more_sql_connection
    method safe_sql_should_not_warn (line 15) | def safe_sql_should_not_warn
    method lots_of_string_building_sql (line 21) | def lots_of_string_building_sql
    method get_all_countries (line 37) | def self.get_all_countries(locale)

FILE: test/apps/rails4/app/models/email.rb
  class Email (line 1) | class Email < ActiveRecord::Base

FILE: test/apps/rails4/app/models/phone.rb
  class Phone (line 1) | class Phone < ActiveRecord::Base

FILE: test/apps/rails4/app/models/recursive/stack_level.rb
  class Exception (line 1) | class Exception < Exception
  class DescendentException (line 4) | class DescendentException < Exception
  class ExceptionA (line 7) | class ExceptionA < ExceptionB
  class ExceptionB (line 10) | class ExceptionB < ExceptionA

FILE: test/apps/rails4/app/models/user.rb
  class User (line 1) | class User < ActiveRecord::Base
    method test_sql_sanitize (line 2) | def test_sql_sanitize(x)
    method arel_exists (line 8) | def arel_exists
    method symbol_stuff (line 12) | def symbol_stuff
    method much_arel (line 27) | def much_arel # None of these should warn
    method encrypt_pass (line 41) | def self.encrypt_pass password
    method more_symbol_stuff (line 47) | def more_symbol_stuff stuff

FILE: test/apps/rails4/config/application.rb
  type Rails4 (line 8) | module Rails4
    class Application (line 9) | class Application < Rails::Application

FILE: test/apps/rails4/config/initializers/i18n.rb
  class HtmlSafeI18nExceptionHandler (line 4) | class HtmlSafeI18nExceptionHandler
    method initialize (line 7) | def initialize(original_exception_handler)
    method call (line 11) | def call(exception, locale, key, options)

FILE: test/apps/rails4/external_checks/check_external_check_test.rb
  class Brakeman::CheckExternalCheckTest (line 4) | class Brakeman::CheckExternalCheckTest < Brakeman::BaseCheck
    method run_check (line 9) | def run_check

FILE: test/apps/rails4/lib/sweet_lib.rb
  class SweetLib (line 1) | class SweetLib
    method do_some_cool_stuff (line 2) | def do_some_cool_stuff bad
    method test_command_injection_in_lib (line 6) | def test_command_injection_in_lib
    method test_net_http_start_ssl (line 11) | def test_net_http_start_ssl
    method external_check_test (line 15) | def external_check_test

FILE: test/apps/rails4/lib/tasks/some_task.rb
  class SomeTask (line 1) | class SomeTask
    method some_task (line 2) | def some_task

FILE: test/apps/rails4/test/test_helper.rb
  class ActiveSupport::TestCase (line 5) | class ActiveSupport::TestCase

FILE: test/apps/rails4_non_standard_structure/app/controllers/application_controller.rb
  class ApplicationController (line 1) | class ApplicationController < ActionController::Base

FILE: test/apps/rails4_non_standard_structure/app/helpers/application_helper.rb
  type ApplicationHelper (line 1) | module ApplicationHelper

FILE: test/apps/rails4_non_standard_structure/config/application.rb
  type Rails4NonStandardStructure (line 9) | module Rails4NonStandardStructure
    class Application (line 10) | class Application < Rails::Application

FILE: test/apps/rails4_non_standard_structure/test/test_helper.rb
  class ActiveSupport::TestCase (line 5) | class ActiveSupport::TestCase

FILE: test/apps/rails4_with_engines/alt_engines/admin_stuff/app/controllers/admin_controller.rb
  class AdminController (line 1) | class AdminController < ApplicationController
    method debug (line 2) | def debug

FILE: test/apps/rails4_with_engines/alt_engines/admin_stuff/app/helpers/application_helper.rb
  type ApplicationHelper (line 1) | module ApplicationHelper

FILE: test/apps/rails4_with_engines/app/controllers/application_controller.rb
  class ApplicationController (line 1) | class ApplicationController < ActionController::Base

FILE: test/apps/rails4_with_engines/app/helpers/application_helper.rb
  type ApplicationHelper (line 1) | module ApplicationHelper

FILE: test/apps/rails4_with_engines/config/application.rb
  type Rails4 (line 8) | module Rails4
    class Application (line 9) | class Application < Rails::Application

FILE: test/apps/rails4_with_engines/config/initializers/nested_attributes_bypass_fix.rb
  type ActiveRecord (line 1) | module ActiveRecord
    type NestedAttributes (line 2) | module NestedAttributes
      function reject_new_record? (line 5) | def reject_new_record?(association_name, attributes)
      function call_reject_if (line 9) | def call_reject_if(association_name, attributes)
      function will_be_destroyed? (line 20) | def will_be_destroyed?(association_name, attributes)
      function allow_destroy? (line 24) | def allow_destroy?(association_name)

FILE: test/apps/rails4_with_engines/engines/user_removal/app/controllers/base_controller.rb
  class BaseController (line 1) | class BaseController < ActionController::Base

FILE: test/apps/rails4_with_engines/engines/user_removal/app/controllers/removal_controller.rb
  class RemovalController (line 1) | class RemovalController < ApplicationController
    method change_lines (line 2) | def change_lines
    method remove_this (line 13) | def remove_this
    method remove_this_too (line 17) | def remove_this_too
    method implicit_render (line 24) | def implicit_render

FILE: test/apps/rails4_with_engines/engines/user_removal/app/controllers/users_controller.rb
  class UsersController (line 1) | class UsersController < ApplicationController
    method index (line 6) | def index
    method show (line 17) | def show
    method new (line 29) | def new
    method edit (line 39) | def edit
    method create (line 45) | def create
    method update (line 61) | def update
    method destroy (line 77) | def destroy
    method slimming (line 87) | def slimming

FILE: test/apps/rails4_with_engines/engines/user_removal/app/helpers/application_helper.rb
  type ApplicationHelper (line 1) | module ApplicationHelper

FILE: test/apps/rails4_with_engines/engines/user_removal/app/helpers/users_helper.rb
  type UsersHelper (line 1) | module UsersHelper

FILE: test/apps/rails4_with_engines/engines/user_removal/app/models/account.rb
  class Account (line 1) | class Account < ActiveRecord::Base

FILE: test/apps/rails4_with_engines/engines/user_removal/app/models/no_protection.rb
  class NoProtection (line 1) | class NoProtection < ActiveRecord::Base

FILE: test/apps/rails4_with_engines/engines/user_removal/app/models/user.rb
  class User (line 1) | class User < ActiveRecord::Base

FILE: test/apps/rails4_with_engines/engines/user_removal/lib/user_removal.rb
  type UserRemoval (line 1) | module UserRemoval
    class Engine (line 2) | class Engine < Rails::Engine

FILE: test/apps/rails4_with_engines/test/test_helper.rb
  class ActiveSupport::TestCase (line 5) | class ActiveSupport::TestCase

FILE: test/apps/rails5.2/app/channels/application_cable/channel.rb
  type ApplicationCable (line 1) | module ApplicationCable
    class Channel (line 2) | class Channel < ActionCable::Channel::Base

FILE: test/apps/rails5.2/app/channels/application_cable/connection.rb
  type ApplicationCable (line 1) | module ApplicationCable
    class Connection (line 2) | class Connection < ActionCable::Connection::Base

FILE: test/apps/rails5.2/app/controllers/application_controller.rb
  class ApplicationController (line 1) | class ApplicationController < ActionController::Base

FILE: test/apps/rails5.2/app/controllers/users_controller.rb
  class UsersController (line 1) | class UsersController < ApplicationController
    method index (line 2) | def index
    method show (line 7) | def show
    method delete (line 13) | def delete(foo)
    method safe_one (line 21) | def safe_one(foo)
    method better_user_input_reporting (line 27) | def better_user_input_reporting
    method splat_args (line 34) | def splat_args
    method splat_kwargs (line 38) | def splat_kwargs
    method one (line 42) | def one
    method two (line 46) | def two
    method some_api (line 50) | def some_api
    method not_not (line 57) | def not_not
    method test_empty_partial_name (line 62) | def test_empty_partial_name

FILE: test/apps/rails5.2/app/helpers/application_helper.rb
  type ApplicationHelper (line 1) | module ApplicationHelper

FILE: test/apps/rails5.2/app/helpers/users_helper.rb
  type UsersHelper (line 1) | module UsersHelper

FILE: test/apps/rails5.2/app/jobs/application_job.rb
  class ApplicationJob (line 1) | class ApplicationJob < ActiveJob::Base

FILE: test/apps/rails5.2/app/jobs/delete_stuff_job.rb
  class DeleteStuffJob (line 1) | class DeleteStuffJob < ApplicationJob
    method perform (line 2) | def perform file

FILE: test/apps/rails5.2/app/mailers/application_mailer.rb
  class ApplicationMailer (line 1) | class ApplicationMailer < ActionMailer::Base

FILE: test/apps/rails5.2/app/models/application_record.rb
  class ApplicationRecord (line 1) | class ApplicationRecord < ActiveRecord::Base

FILE: test/apps/rails5.2/app/models/user.rb
  class User (line 1) | class User < ActiveRecord::Base
    method not_something (line 2) | def not_something thing
    method inner_query (line 8) | def inner_query
    method singularize_safe_literal (line 14) | def singularize_safe_literal
    method foreign_key_thing (line 20) | def foreign_key_thing
    method polymorphic_name_joins (line 27) | def polymorphic_name_joins

FILE: test/apps/rails5.2/config/application.rb
  type Rails52 (line 9) | module Rails52
    class Application (line 10) | class Application < Rails::Application

FILE: test/apps/rails5.2/config/initializers/cookies_serializer.rb
  type Custom (line 7) | module Custom
    type Serializer (line 8) | module Serializer

FILE: test/apps/rails5.2/db/migrate/20171208205700_create_active_storage_tables.active_storage.rb
  class CreateActiveStorageTables (line 2) | class CreateActiveStorageTables < ActiveRecord::Migration[5.2]
    method change (line 3) | def change

FILE: test/apps/rails5.2/lib/initthing.rb
  class InitThing (line 1) | class InitThing
    method initialize (line 2) | def initialize
    method use_it (line 6) | def use_it

FILE: test/apps/rails5.2/lib/shell.rb
  class ShellStuff (line 1) | class ShellStuff
    method initialize (line 2) | def initialize(one, two)
    method run (line 7) | def run(ip)
    method backticks_target (line 17) | def backticks_target(path)
    method process_pid (line 21) | def process_pid
    method nested_system_interp (line 26) | def nested_system_interp
    method system_array_join (line 31) | def system_array_join
    method system_as_target (line 36) | def system_as_target
    method interpolated_conditional_safe (line 40) | def interpolated_conditional_safe
    method interpolated_ternary_safe (line 44) | def interpolated_ternary_safe
    method interpolated_conditional_dangerous (line 48) | def interpolated_conditional_dangerous
    method interpolated_ternary_dangerous (line 52) | def interpolated_ternary_dangerous
    method safe (line 59) | def safe(arg)
    method perform_commands (line 71) | def perform_commands
    method scopes (line 75) | def scopes(base_scope)
    method shell_escape_model (line 79) | def shell_escape_model
    method file_constant_use (line 88) | def file_constant_use
    method interpolated_in_percent_W (line 93) | def interpolated_in_percent_W
    method completely_external (line 98) | def completely_external
    method string_concatenation (line 102) | def string_concatenation
    method escaped_string_concatenation (line 106) | def escaped_string_concatenation
    method safe_string_concatenation (line 110) | def safe_string_concatenation
    method dash_c_dangerous_concatenation (line 114) | def dash_c_dangerous_concatenation
    method dash_c_safe_concatenation (line 118) | def dash_c_safe_concatenation
    method popen_dash_c (line 122) | def popen_dash_c
    method popen_concatenation (line 126) | def popen_concatenation
    method open3_capture_stdin_data (line 132) | def open3_capture_stdin_data
    method tempfile_create (line 140) | def tempfile_create

FILE: test/apps/rails5.2/vendor/vendored_thing.rb
  class Vendored (line 1) | class Vendored
    method vendor (line 2) | def vendor

FILE: test/apps/rails5/app/channels/application_cable/channel.rb
  type ApplicationCable (line 2) | module ApplicationCable
    class Channel (line 3) | class Channel < ActionCable::Channel::Base

FILE: test/apps/rails5/app/channels/application_cable/connection.rb
  type ApplicationCable (line 2) | module ApplicationCable
    class Connection (line 3) | class Connection < ActionCable::Connection::Base

FILE: test/apps/rails5/app/controllers/application_controller.rb
  class ApplicationController (line 1) | class ApplicationController < ActionController::Base

FILE: test/apps/rails5/app/controllers/concerns/concerning.rb
  type Concerning (line 1) | module Concerning

FILE: test/apps/rails5/app/controllers/concerns/forgery_protection.rb
  type ForgeryProtection (line 1) | module ForgeryProtection

FILE: test/apps/rails5/app/controllers/file_controller.rb
  class FileController (line 1) | class FileController < ApplicationController
    method download_tempfile_with_params (line 2) | def download_tempfile_with_params
    method download_sanitized_with_params (line 6) | def download_sanitized_with_params

FILE: test/apps/rails5/app/controllers/mixed_controller.rb
  class BaseController (line 1) | class BaseController < ActionController::Base
    method another_early_return (line 8) | def another_early_return
    method yet_another_early_return (line 19) | def yet_another_early_return
    method redirect_to_strong_params (line 25) | def redirect_to_strong_params

FILE: test/apps/rails5/app/controllers/users_controller.rb
  class UsersController (line 1) | class UsersController < ApplicationController
    method index (line 6) | def index
    method show (line 12) | def show
    method new (line 16) | def new
    method edit (line 21) | def edit
    method create (line 26) | def create
    method update (line 42) | def update
    method destroy (line 56) | def destroy
    method set_user (line 66) | def set_user
    method user_params (line 71) | def user_params
    method ruby_230 (line 75) | def ruby_230
    method symbol (line 82) | def symbol
    method slice_then_permit (line 86) | def slice_then_permit
    method nested_sql_interp (line 92) | def nested_sql_interp
    method arel_sql (line 96) | def arel_sql

FILE: test/apps/rails5/app/controllers/widget_controller.rb
  class WidgetController (line 1) | class WidgetController < ApplicationController
    method show (line 2) | def show
    method dynamic_constant (line 5) | def dynamic_constant
    method render_thing (line 10) | def render_thing
    method render_inline (line 14) | def render_inline
    method sql_with_case (line 18) | def sql_with_case
    method sql_with_another_case (line 35) | def sql_with_another_case
    method render_with_case (line 63) | def render_with_case
    method no_html (line 73) | def no_html
    method guard_with_return (line 77) | def guard_with_return
    method render_cookies (line 85) | def render_cookies
    method dangerous_permits (line 89) | def dangerous_permits
    method redirect_to_path (line 94) | def redirect_to_path
    method render_safely (line 106) | def render_safely
    method attributes (line 111) | def attributes
    method haml_test (line 114) | def haml_test

FILE: test/apps/rails5/app/helpers/application_helper.rb
  type ApplicationHelper (line 1) | module ApplicationHelper

FILE: test/apps/rails5/app/helpers/users_helper.rb
  type UsersHelper (line 1) | module UsersHelper
    function bad_helper (line 2) | def bad_helper

FILE: test/apps/rails5/app/jobs/application_job.rb
  class ApplicationJob (line 1) | class ApplicationJob < ActiveJob::Base

FILE: test/apps/rails5/app/mailers/application_mailer.rb
  class ApplicationMailer (line 1) | class ApplicationMailer < ActionMailer::Base

FILE: test/apps/rails5/app/models/application_record.rb
  class ApplicationRecord (line 1) | class ApplicationRecord < ActiveRecord::Base

FILE: test/apps/rails5/app/models/thing.rb
  class Thing (line 1) | class Thing < ApplicationRecord
    method self_and_descendants_for (line 2) | def self.self_and_descendants_for(id)

FILE: test/apps/rails5/app/models/user.rb
  class User (line 1) | class User < ApplicationRecord
    method render_user_input (line 2) | def self.render_user_input
    method evaluate_user_input (line 6) | def self.evaluate_user_input
    method evaluate_user_input (line 10) | def evaluate_user_input
    method test_stuff (line 14) | def test_stuff
    method all_that_jazz (line 23) | def self.all_that_jazz(user)

FILE: test/apps/rails5/config/application.rb
  type Rails5 (line 9) | module Rails5
    class Application (line 10) | class Application < Rails::Application

FILE: test/apps/rails5/db/migrate/20160127223106_create_users.rb
  class CreateUsers (line 1) | class CreateUsers < ActiveRecord::Migration[5.0]
    method change (line 2) | def change

FILE: test/apps/rails5/external_checks/check_external_check_test.rb
  class Brakeman::CheckExternalCheckConfigTest (line 3) | class Brakeman::CheckExternalCheckConfigTest < Brakeman::BaseCheck
    method run_check (line 8) | def run_check

FILE: test/apps/rails5/lib/a_lib.rb
  class JustAClass (line 1) | class JustAClass
    method do_sql_stuff (line 2) | def do_sql_stuff
    method divide_by_zero (line 7) | def divide_by_zero
    method tempfile (line 17) | def tempfile

FILE: test/apps/rails5/lib/lib.rb
  class A (line 1) | class A
    method b (line 2) | def b

FILE: test/apps/rails5/test/controllers/users_controller_test.rb
  class UsersControllerTest (line 3) | class UsersControllerTest < ActionDispatch::IntegrationTest

FILE: test/apps/rails5/test/models/user_test.rb
  class UserTest (line 3) | class UserTest < ActiveSupport::TestCase

FILE: test/apps/rails5/test/test_helper.rb
  class ActiveSupport::TestCase (line 5) | class ActiveSupport::TestCase

FILE: test/apps/rails6/another_lib_dir/some_lib.rb
  class A (line 1) | class A
    method something (line 2) | def something(thing)

FILE: test/apps/rails6/app/channels/application_cable/channel.rb
  type ApplicationCable (line 1) | module ApplicationCable
    class Channel (line 2) | class Channel < ActionCable::Channel::Base

FILE: test/apps/rails6/app/channels/application_cable/connection.rb
  type ApplicationCable (line 1) | module ApplicationCable
    class Connection (line 2) | class Connection < ActionCable::Connection::Base

FILE: test/apps/rails6/app/components/base_component.rb
  class BaseComponent (line 1) | class BaseComponent
    method render_in (line 2) | def render_in

FILE: test/apps/rails6/app/components/test_component.rb
  class TestComponent (line 1) | class TestComponent < BaseComponent
    method initialize (line 2) | def initialize(prop)

FILE: test/apps/rails6/app/components/test_view_component.rb
  class TestViewComponent (line 1) | class TestViewComponent < ViewComponent::Base
    method initialize (line 2) | def initialize(prop)

FILE: test/apps/rails6/app/components/test_view_component_contrib.rb
  class TestViewComponentContrib (line 1) | class TestViewComponentContrib < ViewComponentContrib::Base
    method initialize (line 2) | def initialize(prop)

FILE: test/apps/rails6/app/components/test_view_component_fully_qualified_ancestor.rb
  class TestViewComponentFullyQualifiedAncestor (line 1) | class TestViewComponentFullyQualifiedAncestor < ::ViewComponent::Base
    method initialize (line 2) | def initialize(prop)

FILE: test/apps/rails6/app/components/text_phlex_component.rb
  class TestPhlexComponent (line 1) | class TestPhlexComponent < Phlex::HTML
    method initialize (line 2) | def initialize(prop)

FILE: test/apps/rails6/app/controllers/accounts_controller.rb
  class AccountsController (line 1) | class AccountsController < ApplicationController
    method login (line 2) | def login
    method auth_something (line 11) | def auth_something
    method eval_something (line 26) | def eval_something
    method index (line 30) | def index
    method tr_sql (line 34) | def tr_sql

FILE: test/apps/rails6/app/controllers/application_controller.rb
  class ApplicationController (line 1) | class ApplicationController < ActionController::Base

FILE: test/apps/rails6/app/controllers/groups_controller.rb
  class GroupsController (line 1) | class GroupsController < ApplicationController
    method new_group (line 2) | def new_group
    method render_commands (line 9) | def render_commands
    method squish_sql (line 18) | def squish_sql
    method show (line 23) | def show
    method permit_bang_path (line 32) | def permit_bang_path
    method permit_bang_slice (line 36) | def permit_bang_slice
    method safeish_yaml_load (line 40) | def safeish_yaml_load
    method dynamic_method_invocations (line 46) | def dynamic_method_invocations
    method only_for_dev (line 53) | def only_for_dev
    method scope_with_custom_sanitization (line 59) | def scope_with_custom_sanitization
    method sanitize_s (line 63) | def sanitize_s(input)
    method test_rails6_sqli (line 67) | def test_rails6_sqli
    method enum_include_check (line 76) | def enum_include_check
    method render_phlex_component (line 86) | def render_phlex_component
    method render_view_component_contrib (line 90) | def render_view_component_contrib
    method render_view_component_with_content (line 95) | def render_view_component_with_content

FILE: test/apps/rails6/app/controllers/users_controller.rb
  class UsersController (line 1) | class UsersController < ApplicationController
    method index (line 6) | def index
    method show (line 12) | def show
    method new (line 16) | def new
    method edit (line 20) | def edit
    method create (line 26) | def create
    method update (line 42) | def update
    method destroy (line 56) | def destroy
    method destroy_them_all (line 64) | def destroy_them_all
    method dangerous_system_call (line 69) | def dangerous_system_call
    method dangerous_exec_call (line 73) | def dangerous_exec_call
    method safe_system_call (line 79) | def safe_system_call
    method safe_system_call_without_shell_dash_c (line 83) | def safe_system_call_without_shell_dash_c
    method example_redirect_to_request_params (line 87) | def example_redirect_to_request_params
    method permit_bang (line 91) | def permit_bang
    method set_user (line 99) | def set_user
    method user_params (line 104) | def user_params

FILE: test/apps/rails6/app/helpers/application_helper.rb
  type ApplicationHelper (line 1) | module ApplicationHelper

FILE: test/apps/rails6/app/helpers/users_helper.rb
  type UsersHelper (line 1) | module UsersHelper

FILE: test/apps/rails6/app/jobs/application_job.rb
  class ApplicationJob (line 1) | class ApplicationJob < ActiveJob::Base

FILE: test/apps/rails6/app/mailers/application_mailer.rb
  class ApplicationMailer (line 1) | class ApplicationMailer < ActionMailer::Base

FILE: test/apps/rails6/app/models/application_record.rb
  class ApplicationRecord (line 1) | class ApplicationRecord < ActiveRecord::Base

FILE: test/apps/rails6/app/models/group.rb
  class Group (line 1) | class Group < ApplicationRecord
    method uuid_in_sql (line 2) | def uuid_in_sql
    method date_in_sql (line 6) | def date_in_sql
    method ar_sanitize_sql_like (line 11) | def ar_sanitize_sql_like(query)
    method fetch_constant_hash_value (line 16) | def fetch_constant_hash_value(role_name)
    method use_simple_method (line 22) | def use_simple_method
    method simple_method (line 27) | def self.simple_method
    method use_enum (line 33) | def use_enum

FILE: test/apps/rails6/app/models/user.rb
  class User (line 1) | class User < ApplicationRecord
    method scope_with_strip_heredoc (line 6) | def self.scope_with_strip_heredoc(name)
    method render_user_input (line 14) | def self.render_user_input
    method more_heredocs (line 18) | def self.more_heredocs
    method recent_stuff (line 24) | def recent_stuff
    method check_enum (line 30) | def check_enum
    method locale (line 36) | def locale

FILE: test/apps/rails6/app/widgets/widget.rb
  class Widget (line 1) | class Widget < ApplicationRecord
    method spin (line 2) | def spin(direction)

FILE: test/apps/rails6/config/application.rb
  type Rails6 (line 9) | module Rails6
    class Application (line 10) | class Application < Rails::Application

FILE: test/apps/rails6/lib/run_stuff.rb
  class RunStuff (line 1) | class RunStuff
    method run (line 2) | def run

FILE: test/apps/rails6/lib/view_component/base.rb
  type ViewComponent (line 1) | module ViewComponent
    class Base (line 2) | class Base

FILE: test/apps/rails7/app/channels/application_cable/channel.rb
  type ApplicationCable (line 1) | module ApplicationCable
    class Channel (line 2) | class Channel < ActionCable::Channel::Base

FILE: test/apps/rails7/app/channels/application_cable/connection.rb
  type ApplicationCable (line 1) | module ApplicationCable
    class Connection (line 2) | class Connection < ActionCable::Connection::Base

FILE: test/apps/rails7/app/controllers/admin_controller.rb
  class AdminController (line 1) | class AdminController < ApplicationController
    method search_users (line 2) | def search_users

FILE: test/apps/rails7/app/controllers/application_controller.rb
  class ApplicationController (line 1) | class ApplicationController < ActionController::Base
    method anonymouns_arguments (line 2) | def anonymouns_arguments(*, **, &)
    method hash_value_omission (line 6) | def hash_value_omission
    method endless_method_definition (line 13) | def endless_method_definition(msg) = puts "#{Time.now}: #{msg}"
    method pattern_matching_parenthesis_ommission (line 15) | def pattern_matching_parenthesis_ommission
    method pattern_matching_non_local_variable_pin (line 22) | def pattern_matching_non_local_variable_pin
    method pathname_stuff (line 26) | def pathname_stuff

FILE: test/apps/rails7/app/controllers/users_controller.rb
  class UsersController (line 1) | class UsersController < ApplicationController
    method redirect_to_last! (line 2) | def redirect_to_last!
    method presence (line 6) | def presence
    method redirect_param_with_fallback (line 12) | def redirect_param_with_fallback
    method redirect_url_from_param_with_fallback (line 16) | def redirect_url_from_param_with_fallback
    method redirect_with_allow_host (line 20) | def redirect_with_allow_host
    method redirect_with_explicit_not_allow (line 24) | def redirect_with_explicit_not_allow
    method redirect_back_with_fallback (line 28) | def redirect_back_with_fallback
    method redirect_back_or_to_with_fallback (line 32) | def redirect_back_or_to_with_fallback
    method redirect_back_or_to_with_fallback_disallow_host (line 36) | def redirect_back_or_to_with_fallback_disallow_host
    method search (line 40) | def search
    method search_books (line 44) | def search_books
    method just_here_for_test_coverage_thanks (line 53) | def just_here_for_test_coverage_thanks

FILE: test/apps/rails7/app/helpers/application_helper.rb
  type ApplicationHelper (line 1) | module ApplicationHelper

FILE
[
  {
    "path": ".circleci/config.yml",
    "chars": 1625,
    "preview": "version: 2.1\norbs:\n  qlty: qltysh/qlty-orb@0.1\njobs:\n  default: &default\n    docker:\n      - image: cimg/ruby:4.0\n    st"
  },
  {
    "path": ".dockerignore",
    "chars": 45,
    "preview": "# ignore .git and .cache folders\n.git\n.cache\n"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/bug-report.md",
    "chars": 315,
    "preview": "---\nname: Bug Report\nabout: Create a report to help us improve\n\n---\n\n### Background\n\nBrakeman version: ?\nRails version: "
  },
  {
    "path": ".github/ISSUE_TEMPLATE/feature-request.md",
    "chars": 560,
    "preview": "---\nname: Feature Request\nabout: Suggest an idea for this project\n\n---\n\n**Is your feature request related to a problem? "
  },
  {
    "path": ".github/ISSUE_TEMPLATE/hanging-or-slow-scans.md",
    "chars": 394,
    "preview": "---\nname: Hanging or Slow Scans\nabout: Let us know if Brakeman is too slow\n\n---\n\n### Background\n\nBrakeman version: ?\nRai"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/parsing-error.md",
    "chars": 401,
    "preview": "---\nname: Parsing Error\nabout: Report a parse error\n\n---\n\n### Background\n\nBrakeman version: ?\nRails version: ?\nRuby vers"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/report-a-false-positive.md",
    "chars": 344,
    "preview": "---\nname: Report a False Positive\nabout: When Brakeman warns about something that may not be a vulnerability\n\n---\n\n### B"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/something-else.md",
    "chars": 87,
    "preview": "---\nname: Something Else\nabout: Something not covered by an existing issue type\n\n---\n\n\n"
  },
  {
    "path": ".github/workflows/docker-hub-push.yml",
    "chars": 833,
    "preview": "name: docker-hub-push\non:\n  push:\n    tags:\n      - '*'\njobs:\n  docker:\n    runs-on: ubuntu-latest\n    steps:\n      - na"
  },
  {
    "path": ".gitignore",
    "chars": 59,
    "preview": "Gemfile.lock\ncoverage/\ntest/coverage/\n.bundle\nbundle\n*.gem\n"
  },
  {
    "path": "CHANGES.md",
    "chars": 54973,
    "preview": "# 8.0.4 - 2026-02-26\n\n* Load 'date' library for `--ensure-latest`\n\n# 8.0.3 - 2026-02-26\n\n* Fix `polymorphic_name` SQLi f"
  },
  {
    "path": "CODE_OF_CONDUCT.md",
    "chars": 3217,
    "preview": "# Contributor Covenant Code of Conduct\n\n## Our Pledge\n\nIn the interest of fostering an open and welcoming environment, w"
  },
  {
    "path": "CONTRIBUTING.md",
    "chars": 3534,
    "preview": "## Copyright Assignment\n\nBy opening a pull request to https://github.com/presidentbeef/brakeman,\nyou agree to assign all"
  },
  {
    "path": "COPYING.md",
    "chars": 609,
    "preview": "Code committed on or after June 15, 2018 is licensed under the [Brakeman Public Use License](https://github.com/presiden"
  },
  {
    "path": "Dockerfile",
    "chars": 627,
    "preview": "FROM ruby:3.3-alpine\nLABEL maintainer=\"Justin Collins <gem@brakeman.org>\"\n\nWORKDIR /usr/src/app\n\nRUN apk --update add bu"
  },
  {
    "path": "Dockerfile.codeclimate",
    "chars": 729,
    "preview": "FROM ruby:3.0-alpine\nLABEL maintainer=\"Justin Collins\"\n\nWORKDIR /usr/src/app\n\n# Create user named app with uid=9000, giv"
  },
  {
    "path": "FEATURES",
    "chars": 877,
    "preview": "Can detect:\n-Possibly unescaped model attributes or parameters in views (Cross-Site Scripting)\n-Bad string interpolation"
  },
  {
    "path": "Gemfile",
    "chars": 156,
    "preview": "source \"https://rubygems.org\"\n\ngemspec :name => \"brakeman\"\n\nunless ENV['BM_PACKAGE']\n  group :test do\n    gem 'rake'\n   "
  },
  {
    "path": "LICENSE.md",
    "chars": 8929,
    "preview": "**LICENSE**\n\n# Brakeman Public Use License\n\nSynopsys, Inc. is willing to authorize use of the Software pursuant to the t"
  },
  {
    "path": "MIT-LICENSE",
    "chars": 1121,
    "preview": "The MIT License\n\nCopyright (c) 2010-2012, YELLOWPAGES.COM, LLC\nCopyright (c) 2012, Twitter, Inc.\n\nPermission is hereby g"
  },
  {
    "path": "OPTIONS.md",
    "chars": 9299,
    "preview": "This file may or may not be up-to-date. For best results but less information, run `brakeman --help`.\n\n## Scanning Optio"
  },
  {
    "path": "README.md",
    "chars": 6833,
    "preview": "[![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)\n\n[![Build Status](htt"
  },
  {
    "path": "Rakefile",
    "chars": 132,
    "preview": "require 'bundler/setup'\nrequire 'rake/testtask'\n\nRake::TestTask.new do |t|\n  t.pattern = 'test/tests/*.rb'\nend\n\ntask def"
  },
  {
    "path": "SECURITY.md",
    "chars": 458,
    "preview": "# Security Policy\n\n## Supported Versions\n\nThe following versions are supported for security updates.\n\n| Version | Suppor"
  },
  {
    "path": "bin/brakeman",
    "chars": 258,
    "preview": "#!/usr/bin/env ruby\n#Adjust path in case called directly and not through gem\n$:.unshift \"#{File.expand_path(File.dirname"
  },
  {
    "path": "bin/codeclimate-brakeman",
    "chars": 370,
    "preview": "#!/usr/bin/env ruby\n$:.unshift \"#{File.expand_path(File.dirname(__FILE__))}/../lib\"\n\nrequire \"brakeman\"\nrequire \"json\"\nr"
  },
  {
    "path": "brakeman-lib.gemspec",
    "chars": 1378,
    "preview": "require './lib/brakeman/version'\nrequire './gem_common'\n\nGem::Specification.new do |s|\n  s.name = %q{brakeman-lib}\n  s.v"
  },
  {
    "path": "brakeman-min.gemspec",
    "chars": 1377,
    "preview": "require './lib/brakeman/version'\nrequire './gem_common'\n\nGem::Specification.new do |s|\n  s.name = %q{brakeman-min}\n  s.v"
  },
  {
    "path": "brakeman-public_cert.pem",
    "chars": 1289,
    "preview": "-----BEGIN CERTIFICATE-----\nMIIDijCCAnKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQ8wDQYDVQQDDAZqdXN0\naW4xHTAbBgoJkiaJk/IsZAEZFg1"
  },
  {
    "path": "brakeman.gemspec",
    "chars": 1851,
    "preview": "require './lib/brakeman/version'\nrequire './gem_common'\n\nGem::Specification.new do |s|\n  s.name = %q{brakeman}\n  s.versi"
  },
  {
    "path": "build.rb",
    "chars": 742,
    "preview": "#!/usr/bin/env ruby\nrequire 'fileutils'\nbundle_exclude = %w[io-console prism racc strscan thor]\n\nputs 'Packaging Brakema"
  },
  {
    "path": "docs/warning_types/CVE-2010-3933/index.markdown",
    "chars": 331,
    "preview": "Rails 2.3.9 and 3.0.0 are vulnerable to an attack on nested attributes wherein a malicious user could alter data in any "
  },
  {
    "path": "docs/warning_types/CVE-2011-0446/index.markdown",
    "chars": 333,
    "preview": "Certain versions of Rails were vulnerable to a cross-site scripting vulnerability mail\\_to.\n\nVersions of Rails after 2.3"
  },
  {
    "path": "docs/warning_types/CVE-2011-3186/index.markdown",
    "chars": 623,
    "preview": "Response splitting is a simple attack that can be used as part or a larger exploit chain. A malicious user sends data th"
  },
  {
    "path": "docs/warning_types/attribute_restriction/index.markdown",
    "chars": 608,
    "preview": "This warning comes up if a model does not limit what attributes can be set through mass assignment.\n\nIn particular, this"
  },
  {
    "path": "docs/warning_types/authentication/index.markdown",
    "chars": 839,
    "preview": "\"Authentication\" is the act of verifying that a user or client is who they say they are.\n\nRight now, the only Brakeman w"
  },
  {
    "path": "docs/warning_types/authentication_whitelist/index.markdown",
    "chars": 213,
    "preview": "When skipping `before_filter`s with security implications, a \"whitelist\" approach using `only` should be used instead of"
  },
  {
    "path": "docs/warning_types/basic_auth/index.markdown",
    "chars": 508,
    "preview": "In Rails 3.1, a new feature was added to simplify basic authentication.\n\nThe example provided in the official [Rails Gui"
  },
  {
    "path": "docs/warning_types/command_injection/index.markdown",
    "chars": 704,
    "preview": "Injection is #1 on the 2010 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A1) web security risks. Command "
  },
  {
    "path": "docs/warning_types/content_tag/index.markdown",
    "chars": 1277,
    "preview": "Cross-site scripting (or XSS) is #2 on the 2010 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A2) web secu"
  },
  {
    "path": "docs/warning_types/cross-site_request_forgery/index.markdown",
    "chars": 728,
    "preview": "Cross-site request forgery is #5 on the [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A5). CSRF allows an "
  },
  {
    "path": "docs/warning_types/cross_site_scripting/index.markdown",
    "chars": 2340,
    "preview": "Cross-site scripting (or XSS) is #3 on the 2013 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Sit"
  },
  {
    "path": "docs/warning_types/cross_site_scripting_to_json/index.markdown",
    "chars": 2093,
    "preview": "Cross-site scripting (or XSS) is #2 on the 2010 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A2) web secu"
  },
  {
    "path": "docs/warning_types/dangerous_eval/index.markdown",
    "chars": 176,
    "preview": "User input in an `eval` statement is VERY dangerous, so this will always raise a warning. Brakeman looks for calls to `e"
  },
  {
    "path": "docs/warning_types/dangerous_send/index.markdown",
    "chars": 793,
    "preview": "Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous.\n\nIt is much safer to whiteli"
  },
  {
    "path": "docs/warning_types/default_routes/index.markdown",
    "chars": 525,
    "preview": "The general default routes warning means there is a call to\n\n    #Rails 2.x\n    map.connect \":controller/:action/:id\"\n\no"
  },
  {
    "path": "docs/warning_types/denial_of_service/index.markdown",
    "chars": 1326,
    "preview": "Denial of Service (DoS) is any attack which causes a service to become unavailable for legitimate clients.\n\nFor issues t"
  },
  {
    "path": "docs/warning_types/dynamic_render_path/index.markdown",
    "chars": 634,
    "preview": "When a call to `render` uses a dynamically generated path, template name, file name, or action, there is the possibility"
  },
  {
    "path": "docs/warning_types/file_access/index.markdown",
    "chars": 608,
    "preview": "Using user input when accessing files (local or remote) will raise a warning in Brakeman.\n\nFor example\n\n    File.open(\"/"
  },
  {
    "path": "docs/warning_types/format_validation/index.markdown",
    "chars": 413,
    "preview": "Calls to `validates_format_of ..., :with => //` which do not use `\\A` and `\\z` as anchors will cause this warning. Using"
  },
  {
    "path": "docs/warning_types/information_disclosure/index.markdown",
    "chars": 706,
    "preview": "Also known as [information leakage](https://www.owasp.org/index.php/Information_Leakage) or [information exposure](http:"
  },
  {
    "path": "docs/warning_types/link_to/index.markdown",
    "chars": 257,
    "preview": "In the 2.x versions of Rails, `link_to` would not escape the body of the HREF.\n\nFor example, this will popup an alert bo"
  },
  {
    "path": "docs/warning_types/link_to_href/index.markdown",
    "chars": 449,
    "preview": "Even though Rails will escape the link provided to `link_to`, values starting with `javascript:` or `data:` are unescape"
  },
  {
    "path": "docs/warning_types/mass_assignment/index.markdown",
    "chars": 1227,
    "preview": "Mass assignment is a feature of Rails which allows an application to create a record from the values of a hash.\n\nExample"
  },
  {
    "path": "docs/warning_types/redirect/index.markdown",
    "chars": 1385,
    "preview": "Unvalidated redirects and forwards are #10 on the [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010-A10).\n\nRed"
  },
  {
    "path": "docs/warning_types/remote_code_execution/index.markdown",
    "chars": 389,
    "preview": "Brakeman reports on several cases of remote code execution, in which a user is able to control and execute code in ways "
  },
  {
    "path": "docs/warning_types/remote_code_execution_yaml_load/index.markdown",
    "chars": 628,
    "preview": "As seen in [CVE-2013-0156](https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion), calling `YAML"
  },
  {
    "path": "docs/warning_types/session_manipulation/index.markdown",
    "chars": 719,
    "preview": "Session manipulation can occur when an application allows user-input in session keys.\nSince sessions are typically consi"
  },
  {
    "path": "docs/warning_types/session_setting/index.markdown",
    "chars": 555,
    "preview": "Brakeman warns about several different session-related issues.\n\n### HTTP Only\n\nIt is recommended that session cookies be"
  },
  {
    "path": "docs/warning_types/sql_injection/index.markdown",
    "chars": 1493,
    "preview": "Injection is #1 on the 2013 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2013-A1-Injection) web security risks"
  },
  {
    "path": "docs/warning_types/ssl_verification_bypass/index.markdown",
    "chars": 1555,
    "preview": "Simply using SSL isn't enough to ensure the data you are sending is secure. Man in the middle (MITM) attacks are well kn"
  },
  {
    "path": "docs/warning_types/template_injection/index.markdown",
    "chars": 194,
    "preview": "User input passed into ruby templates that are evaluated is VERY dangerous, so this will always raise a warning. Brakema"
  },
  {
    "path": "docs/warning_types/unsafe_deserialization/index.markdown",
    "chars": 696,
    "preview": "Objects in Ruby may be serialized to strings. The main method for doing so is the built-in `Marshal` class. The `YAML`, "
  },
  {
    "path": "docs/warning_types/unscoped_find/index.markdown",
    "chars": 615,
    "preview": "Unscoped `find` (and related methods) are a form of [Direct Object Reference](https://www.owasp.org/index.php/Top_10_201"
  },
  {
    "path": "gem_common.rb",
    "chars": 1036,
    "preview": "module Brakeman\n  module GemDependencies\n    def self.dev_dependencies spec\n      spec.add_development_dependency \"minit"
  },
  {
    "path": "lib/brakeman/app_tree.rb",
    "chars": 10188,
    "preview": "require 'pathname'\nrequire 'brakeman/file_path'\n\nmodule Brakeman\n  class AppTree\n    VIEW_EXTENSIONS = %w[html.erb html."
  },
  {
    "path": "lib/brakeman/call_index.rb",
    "chars": 6251,
    "preview": "require 'set'\n\n#Stores call sites to look up later.\nclass Brakeman::CallIndex\n\n  #Initialize index with calls from FindA"
  },
  {
    "path": "lib/brakeman/checks/base_check.rb",
    "chars": 14342,
    "preview": "require 'brakeman/processors/output_processor'\nrequire 'brakeman/processors/lib/processor_helper'\nrequire 'brakeman/warn"
  },
  {
    "path": "lib/brakeman/checks/check_basic_auth.rb",
    "chars": 2530,
    "preview": "require 'brakeman/checks/base_check'\n\n#Checks if password is stored in controller\n#when using http_basic_authenticate_wi"
  },
  {
    "path": "lib/brakeman/checks/check_basic_auth_timing_attack.rb",
    "chars": 1146,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck\n  Brakeman::Check"
  },
  {
    "path": "lib/brakeman/checks/check_content_tag.rb",
    "chars": 6877,
    "preview": "require 'brakeman/checks/check_cross_site_scripting'\n\n#Checks for unescaped values in `content_tag`\n#\n#    content_tag :"
  },
  {
    "path": "lib/brakeman/checks/check_cookie_serialization.rb",
    "chars": 884,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckCookieSerialization < Brakeman::BaseCheck\n  Brakeman::Checks."
  },
  {
    "path": "lib/brakeman/checks/check_create_with.rb",
    "chars": 1974,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckCreateWith < Brakeman::BaseCheck\n  Brakeman::Checks.add self\n"
  },
  {
    "path": "lib/brakeman/checks/check_cross_site_scripting.rb",
    "chars": 10149,
    "preview": "require 'brakeman/checks/base_check'\nrequire 'brakeman/processors/lib/find_call'\nrequire 'brakeman/processors/lib/proces"
  },
  {
    "path": "lib/brakeman/checks/check_csrf_token_forgery_cve.rb",
    "chars": 912,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckCSRFTokenForgeryCVE < Brakeman::BaseCheck\n  Brakeman::Checks."
  },
  {
    "path": "lib/brakeman/checks/check_default_routes.rb",
    "chars": 2989,
    "preview": "require 'brakeman/checks/base_check'\n\n#Checks if default routes are allowed in routes.rb\nclass Brakeman::CheckDefaultRou"
  },
  {
    "path": "lib/brakeman/checks/check_deserialize.rb",
    "chars": 3158,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckDeserialize < Brakeman::BaseCheck\n  Brakeman::Checks.add self"
  },
  {
    "path": "lib/brakeman/checks/check_detailed_exceptions.rb",
    "chars": 1729,
    "preview": "require 'brakeman/checks/base_check'\n\n# Check for detailed exceptions enabled for production\nclass Brakeman::CheckDetail"
  },
  {
    "path": "lib/brakeman/checks/check_digest_dos.rb",
    "chars": 1174,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckDigestDoS < Brakeman::BaseCheck\n  Brakeman::Checks.add self\n\n"
  },
  {
    "path": "lib/brakeman/checks/check_divide_by_zero.rb",
    "chars": 1020,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckDivideByZero < Brakeman::BaseCheck\n  Brakeman::Checks.add_opt"
  },
  {
    "path": "lib/brakeman/checks/check_dynamic_finders.rb",
    "chars": 1293,
    "preview": "require 'brakeman/checks/base_check'\n\n#This check looks for regexes that include user input.\nclass Brakeman::CheckDynami"
  },
  {
    "path": "lib/brakeman/checks/check_eol_rails.rb",
    "chars": 986,
    "preview": "require_relative 'eol_check'\n\nclass Brakeman::CheckEOLRails < Brakeman::EOLCheck\n  Brakeman::Checks.add self\n\n  @descrip"
  },
  {
    "path": "lib/brakeman/checks/check_eol_ruby.rb",
    "chars": 1011,
    "preview": "require_relative 'eol_check'\n\nclass Brakeman::CheckEOLRuby < Brakeman::EOLCheck\n  Brakeman::Checks.add self\n\n  @descript"
  },
  {
    "path": "lib/brakeman/checks/check_escape_function.rb",
    "chars": 932,
    "preview": "require 'brakeman/checks/base_check'\n\n#Check for versions with vulnerable html escape method\n#http://groups.google.com/g"
  },
  {
    "path": "lib/brakeman/checks/check_evaluation.rb",
    "chars": 1810,
    "preview": "require 'brakeman/checks/base_check'\n\n#This check looks for calls to +eval+, +instance_eval+, etc. which include\n#user i"
  },
  {
    "path": "lib/brakeman/checks/check_execute.rb",
    "chars": 9541,
    "preview": "require 'brakeman/checks/base_check'\n\n#Checks for string interpolation and parameters in calls to\n#Kernel#system, Kernel"
  },
  {
    "path": "lib/brakeman/checks/check_file_access.rb",
    "chars": 2971,
    "preview": "require 'brakeman/checks/base_check'\nrequire 'brakeman/processors/lib/processor_helper'\n\n#Checks for user input in metho"
  },
  {
    "path": "lib/brakeman/checks/check_file_disclosure.rb",
    "chars": 1153,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckFileDisclosure < Brakeman::BaseCheck\n  Brakeman::Checks.add s"
  },
  {
    "path": "lib/brakeman/checks/check_filter_skipping.rb",
    "chars": 1053,
    "preview": "require 'brakeman/checks/base_check'\n\n#Check for filter skipping vulnerability\n#http://groups.google.com/group/rubyonrai"
  },
  {
    "path": "lib/brakeman/checks/check_force_ssl.rb",
    "chars": 889,
    "preview": "class Brakeman::CheckForceSSL < Brakeman::BaseCheck\n  Brakeman::Checks.add_optional self\n\n  @description = \"Check that f"
  },
  {
    "path": "lib/brakeman/checks/check_forgery_setting.rb",
    "chars": 2969,
    "preview": "require 'brakeman/checks/base_check'\n\n#Checks that +protect_from_forgery+ is set in the ApplicationController.\n#\n#Also w"
  },
  {
    "path": "lib/brakeman/checks/check_header_dos.rb",
    "chars": 1121,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckHeaderDoS < Brakeman::BaseCheck\n  Brakeman::Checks.add self\n\n"
  },
  {
    "path": "lib/brakeman/checks/check_i18n_xss.rb",
    "chars": 1633,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckI18nXSS < Brakeman::BaseCheck\n  Brakeman::Checks.add self\n\n  "
  },
  {
    "path": "lib/brakeman/checks/check_jruby_xml.rb",
    "chars": 1165,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckJRubyXML < Brakeman::BaseCheck\n  Brakeman::Checks.add self\n\n "
  },
  {
    "path": "lib/brakeman/checks/check_json_encoding.rb",
    "chars": 1542,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckJSONEncoding < Brakeman::BaseCheck\n  Brakeman::Checks.add sel"
  },
  {
    "path": "lib/brakeman/checks/check_json_entity_escape.rb",
    "chars": 1301,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckJSONEntityEscape < Brakeman::BaseCheck\n  Brakeman::Checks.add"
  },
  {
    "path": "lib/brakeman/checks/check_json_parsing.rb",
    "chars": 3444,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckJSONParsing < Brakeman::BaseCheck\n  Brakeman::Checks.add self"
  },
  {
    "path": "lib/brakeman/checks/check_link_to.rb",
    "chars": 4284,
    "preview": "require 'brakeman/checks/check_cross_site_scripting'\n\n#Checks for calls to link_to in versions of Ruby where link_to did"
  },
  {
    "path": "lib/brakeman/checks/check_link_to_href.rb",
    "chars": 4588,
    "preview": "require 'brakeman/checks/check_cross_site_scripting'\n\n#Checks for calls to link_to which pass in potentially hazardous d"
  },
  {
    "path": "lib/brakeman/checks/check_mail_to.rb",
    "chars": 1741,
    "preview": "require 'brakeman/checks/base_check'\n\n#Check for cross-site scripting vulnerability in mail_to :encode => :javascript\n#w"
  },
  {
    "path": "lib/brakeman/checks/check_mass_assignment.rb",
    "chars": 5723,
    "preview": "require 'brakeman/checks/base_check'\nrequire 'set'\n\n#Checks for mass assignments to models.\n#\n#See http://guides.rubyonr"
  },
  {
    "path": "lib/brakeman/checks/check_mime_type_dos.rb",
    "chars": 1268,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckMimeTypeDoS < Brakeman::BaseCheck\n  Brakeman::Checks.add self"
  },
  {
    "path": "lib/brakeman/checks/check_model_attr_accessible.rb",
    "chars": 1758,
    "preview": "require 'brakeman/checks/base_check'\n\n# Author: Paul Deardorff (themetric)\n# Checks models to see if important foreign k"
  },
  {
    "path": "lib/brakeman/checks/check_model_attributes.rb",
    "chars": 2913,
    "preview": "require 'brakeman/checks/base_check'\n\n#Check if mass assignment is used with models\n#which inherit from ActiveRecord::Ba"
  },
  {
    "path": "lib/brakeman/checks/check_model_serialize.rb",
    "chars": 2056,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckModelSerialize < Brakeman::BaseCheck\n  Brakeman::Checks.add s"
  },
  {
    "path": "lib/brakeman/checks/check_nested_attributes.rb",
    "chars": 1244,
    "preview": "require 'brakeman/checks/base_check'\n\n#Check for vulnerability in nested attributes in Rails 2.3.9 and 3.0.0\n#http://gro"
  },
  {
    "path": "lib/brakeman/checks/check_nested_attributes_bypass.rb",
    "chars": 1726,
    "preview": "require 'brakeman/checks/base_check'\n\n#https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ\ncla"
  },
  {
    "path": "lib/brakeman/checks/check_number_to_currency.rb",
    "chars": 2298,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck\n  Brakeman::Checks.add"
  },
  {
    "path": "lib/brakeman/checks/check_page_caching_cve.rb",
    "chars": 1193,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckPageCachingCVE < Brakeman::BaseCheck\n  Brakeman::Checks.add s"
  },
  {
    "path": "lib/brakeman/checks/check_pathname.rb",
    "chars": 1234,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckPathname < Brakeman::BaseCheck\n  Brakeman::Checks.add self\n\n "
  },
  {
    "path": "lib/brakeman/checks/check_permit_attributes.rb",
    "chars": 1057,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckPermitAttributes < Brakeman::BaseCheck\n  Brakeman::Checks.add"
  },
  {
    "path": "lib/brakeman/checks/check_quote_table_name.rb",
    "chars": 1461,
    "preview": "require 'brakeman/checks/base_check'\n\n#Check for uses of quote_table_name in Rails versions before 2.3.13 and 3.0.10\n#ht"
  },
  {
    "path": "lib/brakeman/checks/check_ransack.rb",
    "chars": 1897,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckRansack < Brakeman::BaseCheck\n  Brakeman::Checks.add self\n\n  "
  },
  {
    "path": "lib/brakeman/checks/check_redirect.rb",
    "chars": 7771,
    "preview": "require 'brakeman/checks/base_check'\n\n#Reports any calls to +redirect_to+ which include parameters in the arguments.\n#\n#"
  },
  {
    "path": "lib/brakeman/checks/check_regex_dos.rb",
    "chars": 1626,
    "preview": "require 'brakeman/checks/base_check'\n\n#This check looks for regexes that include user input.\nclass Brakeman::CheckRegexD"
  },
  {
    "path": "lib/brakeman/checks/check_render.rb",
    "chars": 2430,
    "preview": "require 'brakeman/checks/base_check'\n\n#Check calls to +render()+ for dangerous values\nclass Brakeman::CheckRender < Brak"
  },
  {
    "path": "lib/brakeman/checks/check_render_dos.rb",
    "chars": 1162,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckRenderDoS < Brakeman::BaseCheck\n  Brakeman::Checks.add self\n\n"
  },
  {
    "path": "lib/brakeman/checks/check_render_inline.rb",
    "chars": 1665,
    "preview": "class Brakeman::CheckRenderInline < Brakeman::CheckCrossSiteScripting\n  Brakeman::Checks.add self\n\n  @description = \"Che"
  },
  {
    "path": "lib/brakeman/checks/check_render_rce.rb",
    "chars": 1312,
    "preview": "require 'brakeman/checks/check_render'\n\nclass Brakeman::CheckRenderRCE < Brakeman::CheckRender\n  Brakeman::Checks.add se"
  },
  {
    "path": "lib/brakeman/checks/check_response_splitting.rb",
    "chars": 882,
    "preview": "require 'brakeman/checks/base_check'\n\n#Warn about response splitting in Rails versions before 2.3.13\n#http://groups.goog"
  },
  {
    "path": "lib/brakeman/checks/check_reverse_tabnabbing.rb",
    "chars": 2068,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckReverseTabnabbing < Brakeman::BaseCheck\n  Brakeman::Checks.ad"
  },
  {
    "path": "lib/brakeman/checks/check_route_dos.rb",
    "chars": 1355,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckRouteDoS < Brakeman::BaseCheck\n  Brakeman::Checks.add self\n\n "
  },
  {
    "path": "lib/brakeman/checks/check_safe_buffer_manipulation.rb",
    "chars": 1057,
    "preview": "require 'brakeman/checks/base_check'\n\n#Check for unsafe manipulation of strings\n#Right now this is just a version check "
  },
  {
    "path": "lib/brakeman/checks/check_sanitize_config_cve.rb",
    "chars": 3223,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckSanitizeConfigCve < Brakeman::BaseCheck\n  Brakeman::Checks.ad"
  },
  {
    "path": "lib/brakeman/checks/check_sanitize_methods.rb",
    "chars": 3880,
    "preview": "require 'brakeman/checks/base_check'\n\n#sanitize and sanitize_css are vulnerable:\n#CVE-2013-1855 and CVE-2013-1857\nclass "
  },
  {
    "path": "lib/brakeman/checks/check_secrets.rb",
    "chars": 1083,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckSecrets < Brakeman::BaseCheck\n  Brakeman::Checks.add_optional"
  },
  {
    "path": "lib/brakeman/checks/check_select_tag.rb",
    "chars": 1994,
    "preview": "require 'brakeman/checks/base_check'\n\n#Checks for CVE-2012-3463, unescaped input in :prompt option of select_tag:\n#https"
  },
  {
    "path": "lib/brakeman/checks/check_select_vulnerability.rb",
    "chars": 1781,
    "preview": "require 'brakeman/checks/base_check'\n\n#Checks for select() helper vulnerability in some versions of Rails 3\n#http://grou"
  },
  {
    "path": "lib/brakeman/checks/check_send.rb",
    "chars": 1192,
    "preview": "require 'brakeman/checks/base_check'\n\n#Checks if user supplied data is passed to send\nclass Brakeman::CheckSend < Brakem"
  },
  {
    "path": "lib/brakeman/checks/check_send_file.rb",
    "chars": 498,
    "preview": "require 'brakeman/checks/check_file_access'\nrequire 'brakeman/processors/lib/processor_helper'\n\n#Checks for user input i"
  },
  {
    "path": "lib/brakeman/checks/check_session_manipulation.rb",
    "chars": 963,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckSessionManipulation < Brakeman::BaseCheck\n  Brakeman::Checks."
  },
  {
    "path": "lib/brakeman/checks/check_session_settings.rb",
    "chars": 5167,
    "preview": "require 'brakeman/checks/base_check'\n\n#Checks for session key length and http_only settings\nclass Brakeman::CheckSession"
  },
  {
    "path": "lib/brakeman/checks/check_simple_format.rb",
    "chars": 1904,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting\n  Brakeman::"
  },
  {
    "path": "lib/brakeman/checks/check_single_quotes.rb",
    "chars": 2616,
    "preview": "require 'brakeman/checks/base_check'\n\n#Checks for versions which do not escape single quotes.\n#https://groups.google.com"
  },
  {
    "path": "lib/brakeman/checks/check_skip_before_filter.rb",
    "chars": 1971,
    "preview": "require 'brakeman/checks/base_check'\n\n#At the moment, this looks for\n#\n#  skip_before_filter :verify_authenticity_token,"
  },
  {
    "path": "lib/brakeman/checks/check_sprockets_path_traversal.rb",
    "chars": 1362,
    "preview": "class Brakeman::CheckSprocketsPathTraversal < Brakeman::BaseCheck\n  Brakeman::Checks.add self\n\n  @description = \"Checks "
  },
  {
    "path": "lib/brakeman/checks/check_sql.rb",
    "chars": 22606,
    "preview": "require 'brakeman/checks/base_check'\n\n#This check tests for find calls which do not use Rails' auto SQL escaping\n#\n#For "
  },
  {
    "path": "lib/brakeman/checks/check_sql_cves.rb",
    "chars": 4052,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckSQLCVEs < Brakeman::BaseCheck\n  Brakeman::Checks.add self\n\n  "
  },
  {
    "path": "lib/brakeman/checks/check_ssl_verify.rb",
    "chars": 1377,
    "preview": "require 'brakeman/checks/base_check'\n\n# Checks if verify_mode= is called with OpenSSL::SSL::VERIFY_NONE\n\nclass Brakeman:"
  },
  {
    "path": "lib/brakeman/checks/check_strip_tags.rb",
    "chars": 3401,
    "preview": "require 'brakeman/checks/base_check'\n\n#Check for uses of strip_tags in Rails versions before 3.0.17, 3.1.8, 3.2.8 (inclu"
  },
  {
    "path": "lib/brakeman/checks/check_symbol_dos.rb",
    "chars": 1929,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckSymbolDoS < Brakeman::BaseCheck\n  Brakeman::Checks.add_option"
  },
  {
    "path": "lib/brakeman/checks/check_symbol_dos_cve.rb",
    "chars": 1004,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckSymbolDoSCVE < Brakeman::BaseCheck\n  Brakeman::Checks.add sel"
  },
  {
    "path": "lib/brakeman/checks/check_template_injection.rb",
    "chars": 1017,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckTemplateInjection < Brakeman::BaseCheck\n  Brakeman::Checks.ad"
  },
  {
    "path": "lib/brakeman/checks/check_translate_bug.rb",
    "chars": 1631,
    "preview": "require 'brakeman/checks/base_check'\n\n#Check for vulnerability in translate() helper that allows cross-site scripting\ncl"
  },
  {
    "path": "lib/brakeman/checks/check_unsafe_reflection.rb",
    "chars": 1661,
    "preview": "require 'brakeman/checks/base_check'\n\n# Checks for string interpolation and parameters in calls to\n# String#constantize,"
  },
  {
    "path": "lib/brakeman/checks/check_unsafe_reflection_methods.rb",
    "chars": 1722,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckUnsafeReflectionMethods < Brakeman::BaseCheck\n  Brakeman::Che"
  },
  {
    "path": "lib/brakeman/checks/check_unscoped_find.rb",
    "chars": 1871,
    "preview": "require 'brakeman/checks/base_check'\n\n# Checks for unscoped calls to models' #find and #find_by_id methods.\nclass Brakem"
  },
  {
    "path": "lib/brakeman/checks/check_validation_regex.rb",
    "chars": 2716,
    "preview": "require 'brakeman/checks/base_check'\n\n#Reports any calls to +validates_format_of+ which do not use +\\A+ and +\\z+\n#as anc"
  },
  {
    "path": "lib/brakeman/checks/check_verb_confusion.rb",
    "chars": 1861,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckVerbConfusion < Brakeman::BaseCheck\n  Brakeman::Checks.add se"
  },
  {
    "path": "lib/brakeman/checks/check_weak_hash.rb",
    "chars": 3251,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckWeakHash < Brakeman::BaseCheck\n  Brakeman::Checks.add_optiona"
  },
  {
    "path": "lib/brakeman/checks/check_weak_rsa_key.rb",
    "chars": 3995,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckWeakRSAKey < Brakeman::BaseCheck\n  Brakeman::Checks.add self\n"
  },
  {
    "path": "lib/brakeman/checks/check_without_protection.rb",
    "chars": 2018,
    "preview": "require 'brakeman/checks/base_check'\n\n#Check for bypassing mass assignment protection\n#with without_protection => true\n#"
  },
  {
    "path": "lib/brakeman/checks/check_xml_dos.rb",
    "chars": 1463,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckXMLDoS < Brakeman::BaseCheck\n  Brakeman::Checks.add self\n\n  @"
  },
  {
    "path": "lib/brakeman/checks/check_yaml_parsing.rb",
    "chars": 3734,
    "preview": "require 'brakeman/checks/base_check'\n\nclass Brakeman::CheckYAMLParsing < Brakeman::BaseCheck\n  Brakeman::Checks.add self"
  },
  {
    "path": "lib/brakeman/checks/eol_check.rb",
    "chars": 1768,
    "preview": "require 'date'\nrequire 'brakeman/checks/base_check'\n\n# Not used directly - base check for EOLRails and EOLRuby\nclass Bra"
  },
  {
    "path": "lib/brakeman/checks.rb",
    "chars": 5687,
    "preview": "require 'thread'\nrequire 'brakeman/differ'\n\n#Collects up results from running different checks.\n#\n#Checks can be added w"
  },
  {
    "path": "lib/brakeman/codeclimate/engine_configuration.rb",
    "chars": 2718,
    "preview": "require 'pathname'\n\nmodule Brakeman\n  module Codeclimate\n    class EngineConfiguration\n\n      def initialize(engine_conf"
  },
  {
    "path": "lib/brakeman/commandline.rb",
    "chars": 6564,
    "preview": "require 'brakeman/options'\n\nmodule Brakeman\n\n  # Implements handling of running Brakeman from the command line.\n  class "
  },
  {
    "path": "lib/brakeman/differ.rb",
    "chars": 1449,
    "preview": "# extracting the diff logic to it's own class for consistency. Currently handles\n# an array of Brakeman::Warnings or pla"
  },
  {
    "path": "lib/brakeman/file_parser.rb",
    "chars": 3184,
    "preview": "require 'parallel'\n\nmodule Brakeman\n  ASTFile = Struct.new(:path, :ast)\n\n  # This class handles reading and parsing file"
  },
  {
    "path": "lib/brakeman/file_path.rb",
    "chars": 2312,
    "preview": "require 'pathname'\n\nmodule Brakeman\n  # Class to represent file paths within Brakeman.\n  # FilePath objects track both t"
  },
  {
    "path": "lib/brakeman/format/style.css",
    "chars": 1903,
    "preview": "/* CSS style used for HTML reports */\n\nbody {\n  font-family: sans-serif;\n  color: #161616;\n}\n\na {\n  color: #161616;\n}\n\np"
  },
  {
    "path": "lib/brakeman/logger.rb",
    "chars": 6117,
    "preview": "module Brakeman\n  module Logger\n    def self.get_logger options, dest = $stderr\n      case\n      when options[:debug]\n  "
  },
  {
    "path": "lib/brakeman/messages.rb",
    "chars": 3901,
    "preview": "module Brakeman\n  module Messages\n    # Create a new message from a list of messages.\n    # Strings are converted to Bra"
  },
  {
    "path": "lib/brakeman/options.rb",
    "chars": 15160,
    "preview": "require 'optparse'\nrequire 'set'\n\n#Parses command line arguments for Brakeman\nmodule Brakeman::Options\n\n  class << self\n"
  },
  {
    "path": "lib/brakeman/parsers/haml6_embedded.rb",
    "chars": 664,
    "preview": "[:Coffee, :CoffeeScript, :Markdown, :Sass].each do |name|\n  klass = Module.const_get(\"Haml::Filters::#{name}\")\n\n  klass."
  },
  {
    "path": "lib/brakeman/parsers/haml_embedded.rb",
    "chars": 1326,
    "preview": "module Brakeman\n  module FakeHamlFilter\n    # Copied from Haml 4 - force delayed compilation\n    def compile(compiler, t"
  },
  {
    "path": "lib/brakeman/parsers/rails_erubi.rb",
    "chars": 2081,
    "preview": "# frozen_string_literal: true\n# Copied almost verbatim from Rails\n# https://github.com/rails/rails/blob/5359cf8a5b093b04"
  },
  {
    "path": "lib/brakeman/parsers/slim_embedded.rb",
    "chars": 1471,
    "preview": "# Fake filters for Slim\nmodule Slim\n  class Embedded\n    class TiltEngine\n      alias_method :on_slim_embedded, :on_slim"
  },
  {
    "path": "lib/brakeman/parsers/template_parser.rb",
    "chars": 4418,
    "preview": "module Brakeman\n  class TemplateParser\n    include Brakeman::Util\n    attr_reader :tracker\n    KNOWN_TEMPLATE_EXTENSIONS"
  },
  {
    "path": "lib/brakeman/processor.rb",
    "chars": 3452,
    "preview": "#Load all files in processors/\nDir.glob(\"#{File.expand_path(File.dirname(__FILE__))}/processors/*.rb\").each { |f| requir"
  },
  {
    "path": "lib/brakeman/processors/alias_processor.rb",
    "chars": 38045,
    "preview": "require 'brakeman/util'\nrequire 'ruby_parser/bm_sexp_processor'\nrequire 'brakeman/processors/lib/processor_helper'\nrequi"
  },
  {
    "path": "lib/brakeman/processors/base_processor.rb",
    "chars": 6881,
    "preview": "require 'brakeman/processors/lib/processor_helper'\nrequire 'brakeman/processors/lib/safe_call_helper'\nrequire 'brakeman/"
  },
  {
    "path": "lib/brakeman/processors/config_processor.rb",
    "chars": 574,
    "preview": "require 'brakeman/processors/base_processor'\nrequire 'brakeman/processors/alias_processor'\nrequire 'brakeman/processors/"
  },
  {
    "path": "lib/brakeman/processors/controller_alias_processor.rb",
    "chars": 6815,
    "preview": "require 'brakeman/processors/alias_processor'\nrequire 'brakeman/processors/lib/render_helper'\nrequire 'brakeman/processo"
  },
  {
    "path": "lib/brakeman/processors/controller_processor.rb",
    "chars": 7243,
    "preview": "require 'brakeman/processors/base_processor'\nrequire 'brakeman/processors/lib/module_helper'\nrequire 'brakeman/tracker/c"
  },
  {
    "path": "lib/brakeman/processors/erb_template_processor.rb",
    "chars": 1862,
    "preview": "require 'brakeman/processors/template_processor'\n\n#Processes ERB templates\n#(those ending in .html.erb or .rthml).\nclass"
  },
  {
    "path": "lib/brakeman/processors/erubi_template_procesor.rb",
    "chars": 2321,
    "preview": "require 'brakeman/processors/template_processor'\n\n#Processes ERB templates using Erubi instead of erb.\nclass Brakeman::E"
  },
  {
    "path": "lib/brakeman/processors/gem_processor.rb",
    "chars": 2821,
    "preview": "require 'brakeman/processors/lib/basic_processor'\n\n#Processes Gemfile and Gemfile.lock\nclass Brakeman::GemProcessor < Br"
  },
  {
    "path": "lib/brakeman/processors/haml6_template_processor.rb",
    "chars": 2459,
    "preview": "require 'brakeman/processors/haml_template_processor'\n\nclass Brakeman::Haml6TemplateProcessor < Brakeman::HamlTemplatePr"
  },
  {
    "path": "lib/brakeman/processors/haml_template_processor.rb",
    "chars": 4941,
    "preview": "require 'brakeman/processors/template_processor'\n\n#Processes HAML templates.\nclass Brakeman::HamlTemplateProcessor < Bra"
  },
  {
    "path": "lib/brakeman/processors/lib/basic_processor.rb",
    "chars": 791,
    "preview": "require 'brakeman/processors/lib/processor_helper'\nrequire 'brakeman/processors/lib/safe_call_helper'\nrequire 'brakeman/"
  },
  {
    "path": "lib/brakeman/processors/lib/call_conversion_helper.rb",
    "chars": 3099,
    "preview": "module Brakeman\n  module CallConversionHelper\n    # Join two array literals into one.\n    def join_arrays lhs, rhs, orig"
  },
  {
    "path": "lib/brakeman/processors/lib/file_type_detector.rb",
    "chars": 1338,
    "preview": "module Brakeman\n  class FileTypeDetector < BaseProcessor\n    def initialize\n      super(nil)\n      reset\n    end\n\n    de"
  },
  {
    "path": "lib/brakeman/processors/lib/find_all_calls.rb",
    "chars": 6086,
    "preview": "require 'brakeman/processors/lib/basic_processor'\n\nclass Brakeman::FindAllCalls < Brakeman::BasicProcessor\n  attr_reader"
  },
  {
    "path": "lib/brakeman/processors/lib/find_call.rb",
    "chars": 2863,
    "preview": "require 'brakeman/processors/lib/basic_processor'\n\n#Finds method calls matching the given target(s).\n#   #-- This should"
  },
  {
    "path": "lib/brakeman/processors/lib/find_return_value.rb",
    "chars": 3803,
    "preview": "require 'brakeman/processors/alias_processor'\n\n#Attempts to determine the return value of a method.\n#\n#Preferred usage:\n"
  },
  {
    "path": "lib/brakeman/processors/lib/module_helper.rb",
    "chars": 3375,
    "preview": "module Brakeman::ModuleHelper\n  def handle_module exp, tracker_class, parent = nil\n    name = class_name(exp.module_name"
  },
  {
    "path": "lib/brakeman/processors/lib/processor_helper.rb",
    "chars": 1752,
    "preview": "#Contains a couple shared methods for Processors.\nmodule Brakeman::ProcessorHelper\n  def process_all exp\n    exp.each_se"
  },
  {
    "path": "lib/brakeman/processors/lib/rails2_config_processor.rb",
    "chars": 3705,
    "preview": "require 'brakeman/processors/lib/basic_processor'\n\n#Processes configuration. Results are put in tracker.config.\n#\n#Confi"
  },
  {
    "path": "lib/brakeman/processors/lib/rails2_route_processor.rb",
    "chars": 8137,
    "preview": "require 'brakeman/processors/lib/basic_processor'\n\n#Processes the Sexp from routes.rb. Stores results in tracker.routes."
  },
  {
    "path": "lib/brakeman/processors/lib/rails3_config_processor.rb",
    "chars": 3539,
    "preview": "\nrequire 'brakeman/processors/lib/basic_processor'\n\n#Processes configuration. Results are put in tracker.config.\n#\n#Conf"
  },
  {
    "path": "lib/brakeman/processors/lib/rails3_route_processor.rb",
    "chars": 7265,
    "preview": "require 'brakeman/processors/lib/basic_processor'\n\n#Processes the Sexp from routes.rb. Stores results in tracker.routes."
  },
  {
    "path": "lib/brakeman/processors/lib/rails4_config_processor.rb",
    "chars": 622,
    "preview": "require 'brakeman/processors/lib/rails3_config_processor'\n\nclass Brakeman::Rails4ConfigProcessor < Brakeman::Rails3Confi"
  },
  {
    "path": "lib/brakeman/processors/lib/render_helper.rb",
    "chars": 6579,
    "preview": "require 'digest/sha1'\n\n#Processes a call to render() in a controller or template\nmodule Brakeman::RenderHelper\n\n  #Proce"
  },
  {
    "path": "lib/brakeman/processors/lib/render_path.rb",
    "chars": 2635,
    "preview": "module Brakeman\n  class RenderPath\n    attr_reader :path\n\n    def initialize\n      @path = []\n    end\n\n    def add_contr"
  },
  {
    "path": "lib/brakeman/processors/lib/route_helper.rb",
    "chars": 1956,
    "preview": "module Brakeman::RouteHelper\n  #Manage Controller prefixes\n  #@prefix is an Array, but this method returns a string\n  #s"
  },
  {
    "path": "lib/brakeman/processors/lib/safe_call_helper.rb",
    "chars": 462,
    "preview": "module Brakeman\n  module SafeCallHelper\n    [[:process_safe_call, :process_call],\n     [:process_safe_attrasgn, :process"
  },
  {
    "path": "lib/brakeman/processors/library_processor.rb",
    "chars": 2347,
    "preview": "require 'brakeman/processors/base_processor'\nrequire 'brakeman/processors/alias_processor'\nrequire 'brakeman/processors/"
  },
  {
    "path": "lib/brakeman/processors/model_processor.rb",
    "chars": 3218,
    "preview": "require 'brakeman/processors/base_processor'\nrequire 'brakeman/processors/lib/module_helper'\nrequire 'brakeman/tracker/m"
  }
]

// ... and 1164 more files (download for full content)

About this extraction

This page contains the full source code of the presidentbeef/brakeman GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 1364 files (2.5 MB), approximately 745.4k tokens, and a symbol index with 4611 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.

Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.
