

Merge pull request #1821 from vividmuimui/view_component_contrib_base
fix: avoid flagging renders of 'ViewComponentContrib::Base' subclasses as dynamic render paths
presidentbeef authored Jan 29, 2024
2 parents 5291a41 + 26d4180 commit fe9e0a3
Showing 4 changed files with 27 additions and 1 deletion.
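--- a/lib/brakeman/checks/check_render.rb
+++ b/lib/brakeman/checks/check_render.rb
@@ -108,6 +108,11 @@ def renderable? exp
 def known_renderable_class? class_name
 klass = tracker.find_class(class_name)
 return false if klass.nil?
-klass.ancestor?(:"ViewComponent::Base") || klass.ancestor?(:"Phlex::HTML")
+knowns = [
+:"ViewComponent::Base",
+:"ViewComponentContrib::Base",
+:"Phlex::HTML"
+]
+knowns.any? { |k| klass.ancestor? k }
 end
 end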
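Review bot: The new `knowns` list in known_renderable_class? carries no comment saying why ViewComponentContrib::Base needs its own entry, and the reason is not visible in the code: ancestor? can only follow inheritance Brakeman has parsed, so a gem-provided base that itself subclasses ViewComponent::Base stays invisible unless it is named here (that is my reading of the fix; confirm against the gem). I would put `# Gem base classes are opaque to ancestor?; list every base an app component may subclass directly` above the array so the next addition follows the same rule. The array is also rebuilt on every call; hoisting it to `KNOWN_RENDERABLE_BASES = [:"ViewComponent::Base", :"ViewComponentContrib::Base", :"Phlex::HTML"].freeze` and returning `KNOWN_RENDERABLE_BASES.any? { |k| klass.ancestor? k }` keeps the data and its explanation together. Worth stating in that comment as well that a match silences warning 15 for the whole render call, including the params flowing into the component constructor, because the render target is a constant class rather than a user-controlled path.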
@@ -0,0 +1,5 @@
class TestViewComponentContrib < ViewComponentContrib::Base
def initialize(prop)
@prop = prop
end
end
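--- a/test/apps/rails6/app/controllers/groups_controller.rb
+++ b/test/apps/rails6/app/controllers/groups_controller.rb
@@ -84,4 +84,8 @@ def enum_include_check
 def render_phlex_component
 render(TestPhlexComponent.new(params.require('name')))
 end
+
+def render_view_component_contrib
+render(TestViewComponentContrib.new(params.require('name')))
+end
 end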
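--- a/test/tests/rails6.rb
+++ b/test/tests/rails6.rb
@@ -643,6 +643,18 @@ def test_dynamic_render_path_phlex_component
 :user_input => s(:call, s(:params), :require, s(:str, "name"))
 end
 
+def test_dynamic_render_view_component_contrib
+assert_no_warning :type => :warning,
+:warning_code => 15,
+:warning_type => "Dynamic Render Path",
+:line => 88,
+:message => /^Render\ path\ contains\ parameter\ value/,
+:confidence => 2,
+:relative_path => "app/controllers/groups_controller.rb",
+:code => s(:render, :action, s(:call, s(:const, :TestViewComponentContrib), :new, s(:call, s(:params), :require, s(:str, "name"))), s(:hash)),
+:user_input => s(:call, s(:params), :require, s(:str, "name"))
+end
+
 def test_dynamic_render_path_dir_glob_filter
 assert_no_warning :type => :warning,
 :warning_code => 15,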
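Review bot: `assert_no_warning` in test_dynamic_render_view_component_contrib only proves something if its attributes match the warning the old code emitted; any mismatch makes it pass vacuously, and `:line => 88` looks off — by the groups_controller hunk header (+84,8) line 88 is `def render_view_component_contrib` while the render call sits on line 89. Whether Brakeman reports the def line or the call line I cannot tell from this page, so I would run the test once with the ViewComponentContrib::Base entry removed from check_render.rb and confirm it fails; if it still passes, correct `:line` (and any other attribute) until it does. The preceding phlex test, whose start lies outside the hunk, is the reference for which line the warning carries.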
