url_safe_methods #22
Comments
|
I'm pretty sure this is not possible right now. There was talk a long time ago about revamping the configuration to better align with the command line options of Brakeman, but now it's limited to the "supported" flags and it does a janky translation. I would be glad to help point you in the right direction if you're interested in fixing this, even if only a short term fix. |
|
Don't the options get passed through to Brakeman? |
|
Yeah via Maybe it's just a matter of exposing it in the guard config |
|
If you point me in the right direction, I would be interested in fixing Chris On Thu, Jul 24, 2014 at 4:39 AM, Neil Matatall notifications@github.com
|
|
The set_options code is https://github.com/presidentbeef/brakeman/blob/fdfdd8065e0d9cbf0c6d29f8685b3e03590ef14c/lib/brakeman.rb#L63 And it looks like guard accepts arbitrary values as settings So I think the two just need to be hooked up. Although, I only see a reference to |
|
That's missing documentation in lib/brakeman.rb. The setting is |
|
I have this working now using my one of my rails projects as the test bed. In regard to a test case for it, is it sufficient to use exactly the same test as "with the exclude option" (line 45 of brakman_spec.rb), which just appears to test if guard still runs after the option is set? Chris |
|
I'm not sure, that test is garbage to begin with. Can you post what you have? |
|
OK, hope to do this tonight, Sydney time. On Tue, Jul 29, 2014 at 8:00 AM, Neil Matatall notifications@github.com
|
|
I have pushed the changes to https://github.com/obromios/guard-brakeman/blob/safe_methods/lib/guard/brakeman.rb. This processes an option of the form url_safe_methods: ["func1","func2",...]. The key change is convert the function names to symbols. This is because https://github.com/presidentbeef/brakeman/blob/fdfdd8065e0d9cbf0c6d29f8685b3e03590ef14c/lib/brakeman/checks/check_link_to_href.rb adds function names in the form of symbols to @ignore_methods. In theory, you do not have to change the code, and could just input the option in the form url_safe_methods: [:func1,:func2,...]. Apart from inconsistency with other option formats, the problem with this is that if someone mistakenly enters a function in the form of url_safe_methods: "func1", there appears to be a problem in the brakeman code that allows all functions to be considered url-safe-methods. The code that I have proposed stops this problem from being evidenced. If you are happy with my approach, I can easily implement the safe_methods option using the same technique. Chris |
|
I'm very happy with this. Looking forward to the pull request.
@presidentbeef is this an issue worth making changes to brakeman? |
|
From what I can tell, setting that option to a string causes an exception. The exception may cause the check to not run, which would explain the behavior. I think raising an exception is acceptable behavior for an invalid option. I could be persuaded otherwise. |
|
I have updated the documentation and done a pull request. At this stage I I think the code for the safe_methods is likely to be almost identical. If there are any other brakeman options that can be implemented with a Chris On Wed, Jul 30, 2014 at 6:45 AM, Justin notifications@github.com wrote:
|
This is very useful thank you.
When running brakeman from the command line, I can specify which url methods are safe using the url_safe_methods parameter. Can I do this with guard-brakeman?
Chris
The text was updated successfully, but these errors were encountered: