Possible results clobbering? about brakeman HOT 11 CLOSED

Yes, this happens sometimes.

Imagine you have code like this:

x = User.where("name = '#{params[:name]}'")

y = x.location

z = find_real_location(y)

do_something_with z

Brakeman will see this like

x = User.where("name = '#{params[:name]}'")

y = User.where("name = '#{params[:name]}'").location

z = find_real_location(User.where("name = '#{params[:name]}'").location)

do_something_with find_real_location(User.where("name = '#{params[:name]}'").location)

Now reporting ALL of those would be silly, so Brakeman has to attempt to determine where the "real" instance of the vulnerability came from and suppress the duplicates. Unfortunately, sometimes this means only one vulnerability is reported when there might be more than one.

from brakeman.

In this case, they were in separate files. I would expect what you
describe, but not what I described. I think adding the full paths would
help solve this issue too?

On Tue, Jan 31, 2012 at 1:32 PM, Justin <
[email protected]

wrote:

Yes, this happens sometimes.

Imagine you have code like this:

x = User.where("name = '#{params[:name]}'")

y = x.location

z = find_real_location(y)

do_something_with z

Brakeman will see this like

x = User.where("name = '#{params[:name]}'")

y = User.where("name = '#{params[:name]}'").location

z = find_real_location(User.where("name = '#{params[:name]}'").location)

do_something_with find_real_location(User.where("name =
'#{params[:name]}'").location)

Now reporting ALL of those would be silly, so Brakeman has to attempt to
determine where the "real" instance of the vulnerability came from and
suppress the duplicates. Unfortunately, sometimes this means only one
vulnerability is reported when there might be more than one.

---

Reply to this email directly or view it on GitHub:
#40 (comment)

Neil

from brakeman.

It sounds like the files must have been (nearly) identical? The duplicate detection checks location (which is either class+method or template) and line number.

from brakeman.

Yup, it was a copy/pasted file (not that brakeman should encourage
copy/pasting code) but it should be smart enough

On Tue, Jan 31, 2012 at 5:24 PM, Justin <
[email protected]

wrote:

It sounds like the files must have been (nearly) identical? The duplicate
detection checks location (which is either class+method or template) and
line number.

---

Reply to this email directly or view it on GitHub:
#40 (comment)

Neil

from brakeman.

This is a pretty edge case, so I'm going to be (in my mind) making detection of identical code at identical lines low priority. As I've mentioned before, Brakeman doesn't associate files with contents. This could change, but right now it's a lot of work for a pretty minimal advantage. (This is a separate issue from paths in reports.)

from brakeman.

agreed on the priority

from brakeman.

Still thinking about this...what kind of file was this? I can't figure out how this could happen.

from brakeman.

It was a view with an xss warning
On Feb 1, 2012 2:03 PM, "Justin" <
[email protected]>
wrote:

Still thinking about this...what kind of file was this? I can't figure out
how this could happen.

---

Reply to this email directly or view it on GitHub:
#40 (comment)

from brakeman.

I haven't been able to reproduce this problem (maybe it went away?)

from brakeman.

Pretty sure it's been fixed

Neil Matatall
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)

On Thursday, April 26, 2012 at 3:03 PM, Justin wrote:

I haven't been able to reproduce this problem (maybe it went away?)

---

Reply to this email directly or view it on GitHub:
#40 (comment)

from brakeman.

Okay, I'll close this out, then.

from brakeman.