
Catch YAML parsing errors

fixes #1046
presidentbeef committed May 15, 2017
1 parent 28d45a6 commit 9ee79d6fa0caefbf59a46e9285286072f0fe1a67
Showing with 11 additions and 1 deletion.
  1. +7 −1 lib/brakeman/checks/check_session_settings.rb
  2. +4 −0 test/apps/rails5/config/secrets.yml
@@ -115,7 +115,13 @@ def check_secrets_yaml
yaml = @app_tree.read secrets_file
require 'date' # https://github.com/dtao/safe_yaml/issues/80
require 'safe_yaml/load'
secrets = SafeYAML.load yaml
begin
secrets = SafeYAML.load yaml
rescue => e
Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"
return
end
if secrets["production"] and secret = secrets["production"]["secret_key_base"]
unless secret.include? "<%="
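Review bot: the `rescue => e` only protects the `SafeYAML.load` call; the `secrets["production"]` lookup on the line after `end` still runs unguarded, so a secrets.yml that parses but is empty or is not a mapping (for example a file that `SafeYAML.load` turns into `nil`, `false` or a string) would raise `NoMethodError` outside the `begin` block. Consider adding a type guard before the production check, e.g. `return unless secrets.is_a? Hash`, or moving the `if secrets["production"] ...` branch inside the `begin` so the same notice covers it. Also, the `[Notice]` only says the file could not be parsed; since the early `return` skips the hard-coded `secret_key_base` check entirely, it would help users to say so in the message (something like "skipping secret_key_base check") so a silently skipped check is not mistaken for a clean result.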
@@ -20,3 +20,7 @@ test:
# instead read values from the environment.
production:
secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
<% if Rails.root.join('config/ansible/secrets.yml').exist? %>
<%= Rails.root.join('config/ansible/secrets.yml').read %>
<% end %>
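Review bot: the new fixture lines are a top-level `<% if ... %>` / `<% end %>` ERB block sitting below the `production:` mapping, which is what makes the raw (un-rendered) file invalid YAML and exercises the new `rescue` path, but nothing in the file says so. Add a YAML comment above the block stating that it is intentionally unparseable as plain YAML and references #1046, so a later cleanup of the test app does not "fix" the fixture and silently lose the regression test.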
