Magic comment stopped working #1280

Closed
cfabianski opened this issue Sep 18, 2023 · 1 comment · Fixed by #1284
Labels: bug (Something isn't working), customer-feedback

Comments

cfabianski commented Sep 18, 2023

Description & Reproduction

Block of code in app/services/reports/other/users/csv_generator.rb:

# bearer:disable ruby_lang_file_generation
report["data"].each do |data|
  csv << [data["id"], data["customer_name"], data["contact_name"], data["email"],
          data["company_role"], data[mapper['field']]]
end

> bearer scan app/services/reports/other/users/csv_generator.rb --config-file=bearer.yml --force
Loading rules
Scanning target app/services/reports/other/users/csv_generator.rb
 └ 100% [===============] (1/1, 8 files/min) [7s]
Running Detectors
Generating dataflow
Evaluating rules
 └ 100% [===============] (142/142, 145 rules/s) [0s]    


Security Report

=====================================

Rules: 
https://docs.bearer.com/reference/rules [v0.18.4]

Language  Default Rules  Custom Rules  Files  
Ruby      71             0             1      


HIGH: Sensitive data detected as part of a dynamic file generation. [CWE-532, CWE-313]
https://docs.bearer.com/reference/rules/ruby_lang_file_generation
To ignore this finding, run: bearer ignore add fce21edf0734b5bb814a9395c2b09559_0

File: app/services/reports/other/users/csv_generator.rb:16

 16               csv << [data["id"], data["customer_name"], data["contact_name"], data["email"],
 17                       data["company_role"], data[mapper['field']]]
=====================================

71 checks, 1 findings

CRITICAL: 0
HIGH: 1 (CWE-313, CWE-532)
MEDIUM: 0
LOW: 0
WARNING: 0

Link: https://discord.com/channels/1042147477765242973/1153448426114125834

@cfabianski cfabianski added the bug Something isn't working label Sep 18, 2023

cfabianski commented Sep 18, 2023

// Comment nodes: look for the bearer:disable marker and take what follows it as rule IDs
if node.Type() == "comment" {
    nextDisabledRules := disabledRules
    nodeContent := builder.ContentFor(node)
    if strings.Contains(nodeContent, "bearer:disable") {
        rawRuleIDs := strings.Split(nodeContent, "bearer:disable")[1]
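An added example, not Bearer's code, of how a bearer:disable comment can be parsed into rule IDs and carried to the statement that follows it, modelled on the comment-above-a-block layout from this report. The Node type, the line numbers and the assumption that nodes nested inside the next statement inherit the disable are all constructed here.

```go
package main
import "strings"

// Node is a minimal stand-in for a syntax-tree node (constructed here; not Bearer's type).
type Node struct {
	Type, Content string
	Line          int
	Children      []*Node
}

// ParseDisableComment returns the rule IDs following "bearer:disable" in a comment
// (whitespace- or comma-separated), or nil when the marker is absent.
func ParseDisableComment(comment string) []string {
	idx := strings.Index(comment, "bearer:disable")
	if idx < 0 {
		return nil
	}
	sep := func(r rune) bool { return r == ' ' || r == ',' || r == '\t' }
	return strings.FieldsFunc(comment[idx+len("bearer:disable"):], sep)
}

// DisabledLines walks siblings in order. IDs from a disable comment apply to the next
// non-comment sibling and (the assumption made in this example) to every node nested
// inside it. out maps a line number to the rules disabled on that line.
func DisabledLines(nodes []*Node, inherited []string, out map[int][]string) {
	var pending []string
	for _, n := range nodes {
		if n.Type == "comment" {
			pending = append(pending, ParseDisableComment(n.Content)...)
			continue
		}
		active := append(append([]string{}, inherited...), pending...)
		if len(active) > 0 {
			out[n.Line] = active
		}
		DisabledLines(n.Children, active, out)
		pending = nil // a disable comment covers only the statement right after it
	}
}

// ExampleTree mirrors the report: the comment (line 14), the each block (15) holding the
// flagged csv << call (16), then an unrelated statement (18); line numbers are constructed.
func ExampleTree() []*Node {
	return []*Node{
		{Type: "comment", Content: "# bearer:disable ruby_lang_file_generation", Line: 14},
		{Type: "call", Content: `report["data"].each`, Line: 15,
			Children: []*Node{{Type: "call", Content: "csv << [...]", Line: 16}}},
		{Type: "call", Content: "other_call", Line: 18},
	}
}
```

Running DisabledLines over ExampleTree marks lines 15 and 16 as having ruby_lang_file_generation disabled and leaves line 18 untouched, which is the outcome the reporter expected for the flagged line 16.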
