Comments (11)
Yes, this happens sometimes.
Imagine you have code like this:
x = User.where("name = '#{params[:name]}'")
y = x.location
z = find_real_location(y)
do_something_with z
Brakeman will see this like
x = User.where("name = '#{params[:name]}'")
y = User.where("name = '#{params[:name]}'").location
z = find_real_location(User.where("name = '#{params[:name]}'").location)
do_something_with find_real_location(User.where("name = '#{params[:name]}'").location)
Now reporting ALL of those would be silly, so Brakeman has to attempt to determine where the "real" instance of the vulnerability came from and suppress the duplicates. Unfortunately, sometimes this means only one vulnerability is reported when there might be more than one.
from brakeman.
In this case, they were in separate files. I would expect what you
describe, but not what I described. I think adding the full paths would
help solve this issue too?
Neil
It sounds like the files must have been (nearly) identical? The duplicate detection checks location (which is either class+method or template) and line number.
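As an added illustration of the two points made above (the propagation that turns one tainted call into several copies, and duplicate detection keyed on location plus line number), here is a small toy model written for this page. It is not Brakeman's code: the sample view, the "users/show" location string given to both copies, the regex used as the "tainted SQL" check and the collapse/dedup logic are all constructed here, and the alias processing is a crude stand-in for what Brakeman actually does.

```ruby
# Added example: a toy model of the two behaviours discussed in this thread.
# It is NOT Brakeman's code. The sample view, the "users/show" location string
# and the scan/dedup logic are constructed here to illustrate the discussion.

Finding = Struct.new(:file, :location, :line, :code)

# Constructed sample (the snippet from the thread). <<~'RUBY' is a
# non-interpolating heredoc, so #{params[:name]} stays literal.
SOURCE = <<~'RUBY'
  x = User.where("name = '#{params[:name]}'")
  y = x.location
  z = find_real_location(y)
  do_something_with z
RUBY

# Crude stand-in for Brakeman's alias processing: substitute each earlier
# assignment into later statements, so every statement is seen in terms of
# its ultimate source (this is what turns one tainted call into four).
def propagate(source)
  env = {}
  source.lines.map(&:chomp).map do |line|
    expanded = line.dup
    env.each { |var, value| expanded.gsub!(/\b#{Regexp.escape(var)}\b/) { value } }
    env[$1] = $2 if expanded =~ /\A(\w+) = (.+)\z/
    expanded
  end
end

# A string-interpolated params value inside User.where(...) is the SQL
# injection pattern the thread's snippet contains.
TAINTED_SQL = /User\.where\("[^"]*#\{params\[[^\]]*\]\}[^"]*"\)/

# One finding per propagated statement that still contains the tainted call.
def scan_source(file, location, source)
  propagate(source).each_with_index.filter_map do |stmt, i|
    next unless (m = stmt.match(TAINTED_SQL))
    Finding.new(file, location, i + 1, m[0])
  end
end

# Collapse the propagated copies of one tainted expression onto the statement
# it first appeared in. (Simplification: Brakeman's own "real instance" logic
# is not reproduced here.)
def collapse_propagated(findings)
  findings.group_by { |f| [f.file, f.location, f.code] }
          .values.map { |group| group.min_by(&:line) }
end

# Duplicate detection keyed on the chosen attributes. [:location, :line] is
# the key described in the thread; [:file, :location, :line] is the fix the
# thread suggests (including the file path).
def dedup(findings, key)
  findings.uniq { |f| key.map { |attr| f.public_send(attr) } }
end

# Two copy/pasted files with identical content. Assumption for this example:
# both end up with the same location string, which is the precondition for
# the over-suppression the thread describes.
FILES = {
  "app/views/users/show.html.erb" => SOURCE,
  "app/views/legacy/show.html.erb" => SOURCE,
}

if __FILE__ == $0
  raw = FILES.flat_map { |file, src| scan_source(file, "users/show", src) }
  collapsed = collapse_propagated(raw)
  puts "raw findings (4 propagated copies x 2 files): #{raw.size}"       # 8
  puts "after collapsing propagation:                 #{collapsed.size}" # 2
  puts "dedup by location+line (loses one file):      #{dedup(collapsed, [:location, :line]).size}"       # 1
  puts "dedup by file+location+line:                  #{dedup(collapsed, [:file, :location, :line]).size}" # 2
end
```

Run it with `ruby dedup_example.rb`. The first collapse is the legitimate one (four copies of the same tainted call inside one file are one finding); the second collapse is the failure mode from this issue: with the file path left out of the key, two identical files whose findings land on the same line and location string are reported once.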
Yup, it was a copy/pasted file (not that Brakeman should encourage copy/pasting code), but it should be smart enough.
Neil
This is a pretty edge case, so I'm going to be (in my mind) making detection of identical code at identical lines low priority. As I've mentioned before, Brakeman doesn't associate files with contents. This could change, but right now it's a lot of work for a pretty minimal advantage. (This is a separate issue from paths in reports.)
agreed on the priority
Still thinking about this...what kind of file was this? I can't figure out how this could happen.
It was a view with an XSS warning.
I haven't been able to reproduce this problem (maybe it went away?)
Pretty sure it's been fixed.
Neil Matatall
Okay, I'll close this out, then.