https://github.com/presidentbeef/brakeman/issues/1841 #1842
Conversation
brakeman still references haml 4 - which is a bit long in the tooth (Haml::Filter::Coffee class vs. module) presidentbeef#1841
|
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note 🟢 Risk threshold not exceeded. Powered by DryRun Security |
|
Hmmm... I kind of think if Haml has these filters installed by default now, that the fake filters aren't needed? 🤔 And I think they were added in 6.0 when Hamlit became Haml? If I recall correctly, the fake filters were just to stub out the embedding of other languages and avoid raising errors. It wasn't to override the filters. |
I'm a little lost. What is the correct solution to #1841? |
|
Specifically, we would like to use brakeman-min (6.1.2 or so) with haml (6.3.0) and we can't because brakeman refers to these constants as modules and haml declares them as classes. I can't think of any solution to this other than the one I've proposed (short of forking brakeman - which seems ridiculous). Our version of brakeman-min is a little behind, but this is the most recent version of haml. |
|
I might have to look again, but I believe I was thinking instead of defining the classes In other words, for newer Haml Brakeman doesn't need to do anything, just skip defining the modules. |
I see! I can take a poke at that. |
DryRun Security SummaryThe provided code change is a maintenance update to the Brakeman project, a security scanner for Ruby on Rails applications, which involves handling the parsing of HAML files that contain embedded code, including the definition of "fake" filters for CoffeeScript, Markdown, and Sass code embedded within HAML templates. Expand for full summarySummary: The provided code change is related to the Brakeman project, a security scanner for Ruby on Rails applications. The change is made to the From an application security perspective, this change does not appear to introduce any significant security concerns. However, it's worth noting that the use of "fake" filters for handling embedded code could potentially introduce some complexity and maintainability issues if not properly managed. It's important to ensure that these filters are kept up-to-date and properly tested to avoid any potential security vulnerabilities that could arise from the handling of embedded code. Overall, this code change seems to be a maintenance update to the Brakeman project, and it does not appear to introduce any obvious security risks. Files Changed:
Code AnalysisWe ran Riskiness🟢 Risk threshold not exceeded. |
|
OK, the good news is that I think that will all work. The .. bad? new is that brakeman is locked to haml 5.1 so I'm having to do some other gymnastics to work around this issue anyway. Mostly it means no longer including brakeman in our gemfile (probably the right thing to do) and just run it from a container. So... victory? I guess merge this if you think it's the right thing. And thank you! |
|
Yes, looks like there are some breaking changes with Haml 6.x that need to be addressed. |
brakeman still references haml 4 - which is a bit long in the tooth (Haml::Filter::Coffee class vs. module) #1841