False Positive: Dynamic render path is not taking into account allow-listed values #1569
Comments
Whoops, I screwed up when simplifying the test case, I've updated the relevant code!
Agree, and I think this is totally fixable. Thank you for reporting!
That's great @presidentbeef! I'm afraid I might be in over my head with trying to write a PR for this, but if you have any tips, I can give it a whirl.
We are also regularly seeing false positives here.
presidentbeef added a commit that referenced this issue on Dec 3, 2022.
Repository owner locked and limited conversation to collaborators on May 9, 2024.
Hi Brakeman folks! Love the library, but ran into a situation where Brakeman is reporting a warning that I think might be a false positive.
Background
Brakeman version: 5.0.0
Rails version: 6.0.3.5
Ruby version: 2.7.2
Link to Rails application code: Closed source, but reproduced below
False Positive
Full warning from Brakeman:
Relevant code:
Why might this be a false positive?
Since we're allow-listing the fields coming in from query parameters via Object#presence_in, I don't believe this should trigger a warning.
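The pattern the reporter describes, written out as an added example that is not the reporter's code and not part of Brakeman or Rails. It runs on plain Ruby: the `presence_in` helper mirrors ActiveSupport's Object#presence_in semantics (return the receiver when it is in the collection, otherwise nil), and the template names, the `view` parameter and the `reports/` prefix are constructed for illustration. The unsafe variant is the shape Brakeman's dynamic render path check exists to flag; the allow-listed variant is what the issue argues should not be flagged, because only a known template name can ever reach the render target.

```ruby
# Added example: allow-listing a user-controlled render target.
# Not code from the issue, Brakeman, or Rails; runs on stdlib Ruby only.

# Templates the hypothetical controller is permitted to render (constructed).
ALLOWED_TEMPLATES = %w[summary detail export].freeze

# Stand-in for ActiveSupport's Object#presence_in so the example runs
# without Rails: the value itself when the collection includes it, else nil.
def presence_in(value, collection)
  collection.include?(value) ? value : nil
end

# Unsafe shape: the render target is built straight from request input.
# Anything the caller sends ends up in the path; this is what a
# "Dynamic Render Path" warning is about.
def unsafe_render_target(params)
  "reports/#{params[:view]}"
end

# Allow-listed shape: only a name on the list survives presence_in.
# nil, empty strings, traversal sequences and unknown names all collapse
# to nil and fall back to the default template.
def safe_render_target(params)
  view = presence_in(params[:view].to_s, ALLOWED_TEMPLATES) || 'summary'
  "reports/#{view}"
end

# Constructed request inputs, including ones an allow-list must reject.
SAMPLE_PARAMS = [
  { view: 'detail' },       # legitimate, on the list
  { view: 'export' },       # legitimate, on the list
  { view: '../secret' },    # traversal attempt; rejected, falls back
  { view: 'admin' },        # plausible-looking but not on the list
  { view: '' },             # empty string; rejected
  {}                        # parameter absent; rejected
].freeze

# Resolve every sample input with both variants so the difference is visible.
def compare_targets
  SAMPLE_PARAMS.map do |p|
    { input: p[:view], unsafe: unsafe_render_target(p), safe: safe_render_target(p) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_targets.each do |row|
    puts format('%-12s unsafe=%-20s safe=%s', row[:input].inspect, row[:unsafe], row[:safe])
  end
end
```

The static-analysis point is that the allow-list is enforced at runtime by `presence_in`, so a scanner that only sees `params[:view]` flowing into `render` cannot tell the constrained call from the unconstrained one unless it recognises `presence_in` as a sanitiser. Every value `safe_render_target` can produce is one of the four fixed strings, regardless of input.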