Rake task aborted with "stack level too deep"

[arkadyan]

Running version 2.1.0 as a rake task throws a "stack level too deep" error.

Running with something like this:

bundle exec rake --trace brakeman:run[brakeman.html]

Results in the following output:

** Invoke brakeman:run (first_time)
** Execute brakeman:run
rake aborted!
stack level too deep
/Users/shanley/.rbenv/versions/1.9.3-p448/lib/ruby/gems/1.9.1/gems/rake-10.0.4/lib/rake/task.rb:188
Tasks: TOP => brakeman:run

This same rake task works fine in 2.0.0 and 1.9.x.

[arkadyan]

Contents of my brakeman:run rake task:

namespace :brakeman do
  desc "Run Brakeman"
  task :run, :output_files do |t, args|
    require 'brakeman'

    files = args[:output_files].split(' ') if args[:output_files]
    Brakeman.run :app_path => ".", :output_files => files, :print_report => true
  end
end

[presidentbeef]

Hi Matthew,

Thanks for reporting this issue! Does the same thing happen if you run Brakeman normally?

[arkadyan]

No, running the "brakeman" binary from the command line works just fine for me.

[presidentbeef]

What if you run it from IRB, like

require "brakeman"
Brakeman.run :app_path => ".", :output_files => ["brakeman.html"], :print_report => true

(Need to verify it's not a conflict with another gem)

[arkadyan]

That also produces an error: "SystemStackError: stack level too deep"

[presidentbeef]

Okay :(

I don't suppose the source code for this application is available? Haven't been able to reproduce so far. Any chance of a stack trace?

[arkadyan]

Unfortunately the source isn't available. Output the backtrace for the exception while running in the console only produces this:

/Users/shanley/.rbenv/versions/1.9.3-p448/lib/ruby/gems/1.9.1/gems/brakeman-2.1.0/lib/brakeman.rb:379

I'll try to make a project that reproduces.

[arkadyan]

I produced a stock rails project with the minimum Gemfile that would reproduce the exception: https://github.com/arkadyan/brakeman_exception_demo

Looks like the acts_as_list gem (https://github.com/chaffeqa/acts_as_list) produces the conflict.

Hopefully that allows you to see the exception, but let me know if I can debug further.

[presidentbeef]

Wow, thanks for the test case.

I see what is going on now. It's because Rails overrides require and calls load_dependency...which happens to be a new method on Brakeman which also calls require which calls load_dependency and here we are again. You can see the root cause of the mess here.

In general, I don't think it's a good idea to run Brakeman inside the context of the application since it is needlessly mixing up code. Why is there a rake task, then? Because I thought it would be helpful :(

[oreoshake]

No you can blame this one on me 👌 #26

[presidentbeef]

I think the only way to solve this is to rename the load_dependency method.

[arkadyan]

Made a pull request: I was thinking the same thing about a name change. Obviously I agree about the use of a rake task for CI, ease of running, etc.

[exalted]

Is this released yet please? I am having the same issue...

[presidentbeef]

It has not been released yet, as there have been almost no changes since 2.1.0.

It's very easy to build your own gem, though:

git clone https://github.com/presidentbeef/brakeman.git
cd brakeman
gem build brakeman.gemspec
gem install brakeman-*.gem

[unindented]

Can't you release a minor version with this fix? It's biting me too, even without acts_as_list. I can't install gems manually on production...

[presidentbeef]

Yes, there will be a bugfix release early next week.

[unindented]

👍

[mccabe615]

We're having the same issue with the rails_best_practices gem on a Rails 3.2.13 app, FYI.

[presidentbeef]

Thanks Mike. It doesn't really matter what the other gems are, Rails has its own require which calls load_dependency which I had the misfortune of naming a method in Brakeman 😿