fix: avoid detecting 'ViewComponentContrib::Base' as dynamic render paths
vividmuimui committed Jan 26, 2024
1 parent 7c34984 commit 26d4180
Showing 4 changed files with 27 additions and 1 deletion.
7 changes: 6 additions & 1 deletion lib/brakeman/checks/check_render.rb
Expand Up @@ -108,6 +108,11 @@ def renderable? exp
def known_renderable_class? class_name
klass = tracker.find_class(class_name)
return false if klass.nil?
klass.ancestor?(:"ViewComponent::Base") || klass.ancestor?(:"Phlex::HTML")
knowns = [
:"ViewComponent::Base",
:"ViewComponentContrib::Base",
:"Phlex::HTML"
]
knowns.any? { |k| klass.ancestor? k }

DryRunSecurity / AI-powered Sensitive Function Check (warning on line 116 in lib/brakeman/checks/check_render.rb): Possible Sensitive Function.
Our AI-Powered Sensitive Function checker believes it has discovered a sensitive function being modified in this PR. The name of the function is `known_renderable_class?`. Extra care must be taken when modifying a function that is potentially security-sensitive. The following reason was provided for why this function was flagged as sensitive: This function checks if a class is a known renderable class which may be used for authorization purposes.
end
end
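Review bot: The allowlist built in `knowns` would be clearer as a frozen constant (for example `KNOWN_RENDERABLE_BASES = [...].freeze`) with a comment saying that any class inheriting from one of these bases is treated as a component and is therefore never reported as a Dynamic Render Path; since `known_renderable_class?` suppresses a warning, the trust assumption behind each entry should be spelled out where the next entry will be added. None of the four changed files carries a changelog note for this behavior change.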
@@ -0,0 +1,5 @@
class TestViewComponentContrib < ViewComponentContrib::Base
def initialize(prop)
@prop = prop
end
end
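Review bot: A one-line comment that `TestViewComponentContrib` exists only so the tracker can resolve an app-defined class whose ancestor is `ViewComponentContrib::Base` would help future readers; `@prop` is assigned but never read and there is no template or `call` method, which is fine for a static-analysis fixture but otherwise reads as dead code.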
4 changes: 4 additions & 0 deletions test/apps/rails6/app/controllers/groups_controller.rb
Expand Up @@ -84,4 +84,8 @@ def enum_include_check
def render_phlex_component
render(TestPhlexComponent.new(params.require('name')))
end

def render_view_component_contrib
render(TestViewComponentContrib.new(params.require('name')))
end
end
12 changes: 12 additions & 0 deletions test/tests/rails6.rb
Expand Up @@ -643,6 +643,18 @@ def test_dynamic_render_path_phlex_component
:user_input => s(:call, s(:params), :require, s(:str, "name"))
end

def test_dynamic_render_view_component_contrib
assert_no_warning :type => :warning,
:warning_code => 15,
:warning_type => "Dynamic Render Path",
:line => 88,
:message => /^Render\ path\ contains\ parameter\ value/,
:confidence => 2,
:relative_path => "app/controllers/groups_controller.rb",
:code => s(:render, :action, s(:call, s(:const, :TestViewComponentContrib), :new, s(:call, s(:params), :require, s(:str, "name"))), s(:hash)),
:user_input => s(:call, s(:params), :require, s(:str, "name"))
end

def test_dynamic_render_path_dir_glob_filter
assert_no_warning :type => :warning,
:warning_code => 15,
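Review bot: The `:line => 88` in `test_dynamic_render_view_component_contrib` does not seem to match the controller hunk: with `@@ -84,4 +84,8 @@` the new `render(TestViewComponentContrib.new(params.require('name')))` call lands on line 89, while line 88 is the `def`. If `assert_no_warning` requires every listed attribute to match, a wrong line lets the test pass even with `known_renderable_class?` reverted, so it is worth confirming the test fails without the fix, or dropping `:line` so the assertion rests on `:code` and `:relative_path`.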