Now I've had some time to think about it, I think this is hard to solve generally. If the user could specify the gems they'd like Brakeman to also analyse, then that could solve it for specific cases. Maybe something like --add-gems-lib-path?
Thinking on this: --add-libs-path does not appear to work outside of the application directory. So we either need to change that or add an explicit option to include code outside of the application 🤔
Background
Brakeman version: 5.2.1
Rails version: 6.1.4.4
Ruby version: 3.0.3
Link to Rails application code: it's private
False Positive
Full warning from Brakeman:
Warning: Render path contains parameter value
Relevant code:
Why might this be a false positive?
MySharedComponentFromGem is a class which inherits from ViewComponent::Base, and is distributed in a gem. The gem is shared across a couple of apps so they have a consistent appearance. Because the gem's code isn't scanned by Brakeman, it can't tell its ancestry and thus can't skip over the dynamic render check that knows about ViewComponent::Base.

For now I'm grabbing the file path to the gem with bundle info --path gem_name and adding it as an additional engine path.
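The workaround described in the report, as an added shell example (not code from the issue or from Brakeman): it resolves each gem's install directory with bundle info --path and passes the directories to Brakeman with --add-engines-path so the gem's classes, and their ViewComponent::Base ancestry, are included in the scan. The script name and the gem names given on the command line are assumptions; a path that does not exist is rejected rather than producing a silently empty scan.

```shell
#!/bin/sh
# Added example, not code from the issue or from Brakeman. Resolves where
# Bundler installed a gem (`bundle info --path`) and hands that directory to
# Brakeman via --add-engines-path, so Brakeman scans the gem and can see that
# a component inherits from ViewComponent::Base.
set -u

# Print the install directory of a gem in the current bundle.
# Exits non-zero if the gem is not in the Gemfile.lock.
gem_path() {
  bundle info --path "$1"
}

# Turn directories into Brakeman arguments: one --add-engines-path per path.
# A missing directory is an error instead of a scan that quietly covers nothing.
engine_args() {
  args=""
  for p in "$@"; do
    if [ ! -d "$p" ]; then
      echo "engine_args: not a directory: $p" >&2
      return 1
    fi
    args="$args --add-engines-path $p"
  done
  printf '%s\n' "${args# }"
}

# Usage (gem names are assumed): sh brakeman_with_gems.sh my_shared_components_gem other_gem
# Runs only when gem names are given, so the file can also be sourced for its functions.
if [ "$#" -gt 0 ]; then
  paths=""
  for gem in "$@"; do
    dir=$(gem_path "$gem") || exit 1
    paths="$paths $dir"
  done
  # shellcheck disable=SC2086
  # Word splitting is intentional: one argument per path (paths with spaces are not supported).
  extra=$(engine_args $paths) || exit 1
  exec brakeman $extra
fi
```

Running it from the application root keeps the normal scan of the app itself and only adds the gem directories; if Brakeman still reports the render warning after that, the gem path Bundler printed is worth checking against what was passed, since a wrong directory is rejected here but a right directory that does not contain the component class is not.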