Brakeman version: 4.10.0
Rails version: 6.0.3.4
Ruby version: 2.5.7p206
Link to Rails application code: private, sorry
Minimal example that does not parse. This is a view.
```erb
<% "#{__FILE__}" %>
```
I could not get ruby_parser to crash on this.
Here is what I get:
```
$ brakeman --only app/views/commandes/foo.html.erb --debug
Loading scanner...
Processing application in /home/solutions/reference_dev/reference_dev
Processing gems...
Parsing /home/solutions/reference_dev/reference_dev/Gemfile
[Notice] Detected Rails 6 application
Processing configuration...
Parsing /home/solutions/reference_dev/reference_dev/config/environment.rb
Parsing /home/solutions/reference_dev/reference_dev/config/application.rb
Parsing /home/solutions/reference_dev/reference_dev/config/environments/production.rb
[Notice] Escaping HTML by default
Parsing files...
Parsing /home/solutions/reference_dev/reference_dev/app/views/commandes/foo.html.erb
Parsing /home/solutions/reference_dev/reference_dev/app/views/commandes/foo.html.erb
undefined method `force_encoding' for #<Brakeman::FilePath:0x000055f83b8096f0>
While processing /home/solutions/reference_dev/reference_dev/app/views/commandes/foo.html.erb
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser_extras.rb:604:in `literal_concat'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby27_parser.rb:6399:in `_reduce_502'
/opt/ruby-2.5.7/lib/ruby/2.5.0/racc/parser.rb:259:in `_racc_do_parse_c'
/opt/ruby-2.5.7/lib/ruby/2.5.0/racc/parser.rb:259:in `do_parse'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser_extras.rb:1329:in `block in process'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:93:in `block in timeout'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:33:in `block in catch'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:33:in `catch'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:33:in `catch'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:108:in `timeout'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser_extras.rb:1317:in `process'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser.rb:36:in `block in process'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser.rb:33:in `each'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser.rb:33:in `process'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/file_parser.rb:39:in `parse_ruby'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/parsers/template_parser.rb:35:in `parse_template'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/scanner.rb:87:in `block in parse_files'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/file_parser.rb:29:in `block in read_files'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/file_parser.rb:26:in `each'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/file_parser.rb:26:in `read_files'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/scanner.rb:86:in `parse_files'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/scanner.rb:45:in `process'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman.rb:373:in `scan'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman.rb:84:in `run'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:157:in `run_brakeman'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:125:in `regular_report'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:166:in `run_report'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:35:in `run'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:20:in `start'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bin/brakeman:10:in `<top (required)>'
/opt/ruby/bin/brakeman:23:in `load'
/opt/ruby/bin/brakeman:23:in `<main>'
Processing initializers...
Processing libs...
Processing routes...
Parsing /home/solutions/reference_dev/reference_dev/config/routes.rb
Processing templates...
Processing data flow in templates...
Processing models...
Processing controllers...
Processing data flow in controllers...
Indexing call sites...
Running checks in parallel...
 - CheckBasicAuth
 - CheckBasicAuthTimingAttack
 - CheckCrossSiteScripting
 - CheckContentTag
 - CheckCookieSerialization
 - CheckCreateWith
 - CheckCSRFTokenForgeryCVE
Checking for XSS in content_tag
Automatic to_json escaping is enabled.
 - CheckDefaultRoutes
 - CheckDeserialize
 - CheckDetailedExceptions
 - CheckDigestDoS
 - CheckDynamicFinders
 - CheckEscapeFunction
 - CheckEvaluation
 - CheckExecute
 - CheckFileAccess
 - CheckFileDisclosure
 - CheckFilterSkipping
 - CheckForgerySetting
 - CheckHeaderDoS
Finding system calls using ``
Finding other system calls
Processing system calls
Finding eval-like calls
Processing eval-like calls
 - CheckI18nXSS
 - CheckJRubyXML
Finding possible file access
Finding calls to load()
Finding calls using FileUtils
Processing found calls
 - CheckJSONEncoding
 - CheckJSONEntityEscape
 - CheckJSONParsing
 - CheckLinkTo
 - CheckLinkToHref
 - CheckMailTo
 - CheckMassAssignment
 - CheckMimeTypeDoS
 - CheckModelAttrAccessible
 - CheckModelAttributes
 - CheckModelSerialize
 - CheckNestedAttributes
 - CheckNestedAttributesBypass
 - CheckNumberToCurrency
 - CheckPageCachingCVE
 - CheckPermitAttributes
 - CheckQuoteTableName
 - CheckRedirect
 - CheckRegexDoS
Finding calls to redirect_to()
 - CheckRender
 - CheckRenderDoS
 - CheckRenderInline
 - CheckResponseSplitting
Automatic to_json escaping is enabled.
 - CheckRouteDoS
 - CheckSafeBufferManipulation
 - CheckSanitizeMethods
 - CheckSelectTag
 - CheckSelectVulnerability
 - CheckSend
 - CheckSendFile
 - CheckSessionManipulation
 - CheckSessionSettings
Finding dynamic regexes
Processing dynamic regexes
Finding instances of #send
Finding all calls to send_file()
 - CheckSimpleFormat
 - CheckSingleQuotes
 - CheckSkipBeforeFilter
 - CheckSprocketsPathTraversal
 - CheckSQL
 - CheckSQLCVEs
 - CheckSSLVerify
 - CheckStripTags
Finding possible SQL calls on models
Finding possible SQL calls with no target
Finding possible SQL calls using constantized()
Finding calls to named_scope or scope
Processing possible SQL calls
 - CheckSymbolDoSCVE
 - CheckTemplateInjection
Finding calls to strip_tags()
 - CheckTranslateBug
 - CheckUnsafeReflection
Finding ERB.new calls
Processing ERB.new calls
 - CheckValidationRegex
 - CheckWithoutProtection
 - CheckXMLDoS
 - CheckYAMLParsing
Checks finished, collecting results...
Generating report...
== Brakeman Report ==

Application Path: /home/solutions/reference_dev/reference_dev
Rails Version: 6.0.3.4
Brakeman Version: 4.10.0
Scan Date: 2021-01-07 13:23:33 +0100
Duration: 0.969251921 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoSCVE, TemplateInjection, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, XMLDoS, YAMLParsing

== Overview ==

Controllers: 0
Models: 0
Templates: 0
Errors: 1
Security Warnings: 1

== Warning Types ==

Default Routes: 1

== Controller Overview ==

== Template Output ==

== Errors ==

Error: undefined method `force_encoding' for #<Brakeman::FilePath:0x000055f83b8096f0>
While processing /home/solutions/reference_dev/reference_dev/app/views/commandes/foo.html.erb
Location: /opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser_extras.rb:604:in `literal_concat'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby27_parser.rb:6399:in `_reduce_502'
/opt/ruby-2.5.7/lib/ruby/2.5.0/racc/parser.rb:259:in `_racc_do_parse_c'
/opt/ruby-2.5.7/lib/ruby/2.5.0/racc/parser.rb:259:in `do_parse'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser_extras.rb:1329:in `block in process'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:93:in `block in timeout'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:33:in `block in catch'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:33:in `catch'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:33:in `catch'
/opt/ruby-2.5.7/lib/ruby/2.5.0/timeout.rb:108:in `timeout'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser_extras.rb:1317:in `process'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser.rb:36:in `block in process'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser.rb:33:in `each'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby_parser.rb:33:in `process'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/file_parser.rb:39:in `parse_ruby'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/parsers/template_parser.rb:35:in `parse_template'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/scanner.rb:87:in `block in parse_files'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/file_parser.rb:29:in `block in read_files'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/file_parser.rb:26:in `each'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/file_parser.rb:26:in `read_files'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/scanner.rb:86:in `parse_files'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/scanner.rb:45:in `process'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman.rb:373:in `scan'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman.rb:84:in `run'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:157:in `run_brakeman'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:125:in `regular_report'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:166:in `run_report'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:35:in `run'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/lib/brakeman/commandline.rb:20:in `start'
/opt/ruby-2.5.7/lib/ruby/gems/2.5.0/gems/brakeman-4.10.0/bin/brakeman:10:in `<top (required)>'
/opt/ruby/bin/brakeman:23:in `load'
/opt/ruby/bin/brakeman:23:in `<main>'

== Warnings ==

Confidence: High
Category: Default Routes
Check: DefaultRoutes
Message: All public methods in controllers are available as actions in `routes.rb`
File: config/routes.rb
Line: 60
```
Cheers!
This was fixed in 4.10.1. Please try it out!
#1534
Oops, sorry, I thought I was up to date. Thanks!