.haml view files ignored, requires .html.haml extension #790

Closed
DMA57361 opened this Issue Dec 17, 2015 · 1 comment

DMA57361 commented Dec 17, 2015

Brakeman does not report any issues within files that use a single .haml extension, only those that use a .html.haml extension chain. I'm assuming this is because Brakeman::AppTree.VIEW_EXTENSIONS doesn't happen to have the single haml as an entry.

Our projects seem to have a mix of view files with some using a single .haml extension and some using a .html.haml extension chain (depends on when the file was created, we've been favouring the short version recently - ditto for .coffee vs .js.coffee and .sass vs .css.sass, for what it's worth). Today I just happened to notice a line that I was fairly sure should be a warning in Brakeman that had not been raised, and after some playing determined it was a Brakeman warning, but the file extension was causing its file to not be checked.

I could rename all our files to use the double extension chain or patch the brakeman gem to allow the single extension (which is what I'm going to do for now, to scan everything for missed warnings), but I wonder if Brakeman could just include the single .haml extension in its selection of acceptable view extensions?


Owner

presidentbeef commented Dec 17, 2015

Hi Daniel,

That seems reasonable, but it is slightly more complicated than just adding haml to Brakeman::AppTree.VIEW_EXTENSIONS. Currently Brakeman is only set up to handle HTML files. But you can template any language you would like - CSS, JavaScript, etc. Safely interpolating values into CSS or JavaScript is different than HTML, and plain text files should probably be ignored.

Anyhow, I'll look into this some more, because you are not the only one using just .haml (I found 22 new warnings in my test suite).
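The two points in this thread, that a strict `.html.<engine>` match silently skips single-extension `.haml` views, and that the format segment of the extension chain decides how interpolated values must be treated, can be shown side by side. The following is an added example written for this page, not Brakeman's own code: the engine list, the format table and the sample file list are constructed assumptions, and the choice to treat a bare `.haml` as HTML output (because HAML produces markup) is an assumption as well.

```ruby
# Added example, not Brakeman's code. Classify Rails view files by their
# extension chain and compare a strict ".html.<engine>" matcher (the behaviour
# described in the issue) with one that also accepts a bare ".haml".
# Engine list, format table and sample paths are constructed for this example.

TEMPLATE_ENGINES = %w[erb haml slim].freeze                        # assumed
FORMATS = { 'html' => :html, 'js' => :javascript,
            'css' => :css,   'text' => :text }.freeze              # assumed

# Strict matcher: only files ending in .html.<engine> count as views.
def strict_view?(path)
  !!(path =~ /\.html\.(#{TEMPLATE_ENGINES.join('|')})\z/)
end

# Returns [output_format, engine], or nil when the file is not a template.
# A bare ".haml" is inferred as HTML because HAML only emits markup (assumption);
# a bare ".erb" could render any format, so its output format stays :unknown.
def classify_view(path)
  parts = File.basename(path).split('.')
  return nil if parts.size < 2
  engine = parts.last
  return nil unless TEMPLATE_ENGINES.include?(engine)

  format_ext = parts.size >= 3 ? parts[-2] : nil
  format = if format_ext.nil?
             %w[haml slim].include?(engine) ? :html : :unknown
           else
             FORMATS.fetch(format_ext, :unknown)
           end
  [format, engine]
end

# True only for templates whose output is HTML; CSS/JS/text templates need
# different escaping rules and are deliberately not lumped in here.
def html_view?(path)
  info = classify_view(path)
  !info.nil? && info[0] == :html
end

# Constructed sample tree mixing both extension styles from the issue.
SAMPLE_FILES = %w[
  app/views/users/show.html.haml
  app/views/users/index.haml
  app/views/users/edit.html.erb
  app/views/users/show.js.erb
  app/assets/stylesheets/app.css.sass
  app/views/users/notes.text.haml
  app/views/users/_form.erb
].freeze

# HTML views that the strict matcher would never hand to the scanner.
def missed_by_strict(files = SAMPLE_FILES)
  files.select { |f| html_view?(f) && !strict_view?(f) }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_FILES.each do |f|
    puts format('%-40s strict=%-5s classified=%s', f, strict_view?(f), classify_view(f).inspect)
  end
  puts "Missed by strict matcher: #{missed_by_strict.inspect}"
end
```

Running the script lists each sample path with both verdicts; `index.haml` is the one HTML view the strict matcher drops, while `show.js.erb` and `notes.text.haml` are recognised as templates but kept out of the HTML set, which is the distinction the reply above is drawing.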

@presidentbeef presidentbeef added the 4.0 label May 31, 2016

Repository owner locked and limited conversation to collaborators May 16, 2017
