.haml view files ignored, requires .html.haml extension #790

Closed
DMA57361 opened this Issue Dec 17, 2015 · 1 comment


@DMA57361

Brakeman does not report any issues within files that use a single .haml extension, only those that use a .html.haml extension chain. I'm assuming this is because Brakeman::AppTree.VIEW_EXTENSIONS doesn't happen to have the single haml as an entry.

Our projects seem to have a mix of view files with some using a single .haml extension and some using a .html.haml extension chain (depends on when the file was created, we've been favouring the short version recently - ditto for .coffee vs .js.coffee and .sass vs .css.sass, for what it's worth). Today I just happened to notice a line that I was fairly sure should be a warning in Brakeman that had not been raised, and after some playing determined it was a Brakeman warning, but the file extension was causing its file to not be checked.

I could rename all our files to use the double extension chain or patch the brakeman gem to allow the single extension (which is what I'm going to do for now, to scan everything for missed warnings), but I wonder if Brakeman could just include the single .haml extension in its selection of acceptable view extensions?

@presidentbeef
Owner

Hi Daniel,

That seems reasonable, but it is slightly more complicated than just adding haml to Brakeman::AppTree.VIEW_EXTENSIONS. Currently Brakeman is only set up to handle HTML files. But you can template any language you would like - CSS, JavaScript, etc. Safely interpolating values into CSS or JavaScript is different than HTML, and plain text files should probably be ignored.

Anyhow, I'll look into this some more, because you are not the only one using just .haml (I found 22 new warnings in my test suite).

@presidentbeef presidentbeef added the 4.0 label May 31, 2016
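The following is an added example, not Brakeman's own code and not from either participant. It shows the two points raised in the thread: a whitelist of `.html.<engine>` chains silently skips `<name>.<engine>` views, and once single-extension views are admitted the scanner still has to decide per format what to do, because HTML, JavaScript/CSS and plain-text templates need different treatment. `STRICT_VIEW_EXTENSIONS`, `TEMPLATE_ENGINES`, `SAMPLE_VIEWS` and the policy symbols are all constructed for this example; the real `Brakeman::AppTree::VIEW_EXTENSIONS` may differ, and treating a missing format segment as HTML is an assumption that mirrors how the issue's project uses those files.

```ruby
# Added example (not Brakeman's code): why matching views on a
# ".html.<engine>" whitelist misses "<name>.<engine>" files, and how a
# format-aware classifier would handle the single-extension case.

# Constructed whitelist modeled on the ".html.haml"-style matching the
# issue describes. Assumption: the real Brakeman::AppTree::VIEW_EXTENSIONS
# may contain different entries.
STRICT_VIEW_EXTENSIONS = %w[html.erb html.haml html.slim].freeze

# Constructed list of template engines we recognise by final extension.
TEMPLATE_ENGINES = %w[erb haml slim].freeze

# The behaviour the issue reports: only the double-extension chain matches.
def strict_view?(path)
  STRICT_VIEW_EXTENSIONS.any? { |ext| path.end_with?(".#{ext}") }
end

# Split a view filename into [name, format, engine].
#   show.html.haml -> ["show", "html", "haml"]
#   index.haml     -> ["index", "html", "haml"]  (no format segment; assumed HTML)
#   update.js.haml -> ["update", "js", "haml"]
# Returns nil when the final extension is not a known template engine.
def classify_view(path)
  parts = File.basename(path).split(".")
  return nil if parts.size < 2

  engine = parts.pop
  return nil unless TEMPLATE_ENGINES.include?(engine)

  # With only "<name>.<engine>" left there is no format segment; assume HTML,
  # which is how the issue's project uses its single-extension views.
  format = parts.size >= 2 ? parts.pop : "html"
  [parts.join("."), format, engine]
end

# Per-format decision, following the owner's reply: HTML views are scanned,
# JS/CSS templates need different interpolation rules and are not scanned as
# HTML here, plain-text templates are ignored, anything else is not a view.
def scan_policy(path)
  info = classify_view(path)
  return :not_a_view if info.nil?

  case info[1]
  when "html"       then :scan_html
  when "js", "css"  then :skip_non_html
  when "text"       then :ignore_text
  else                   :skip_non_html
  end
end

# Constructed sample tree mixing both naming conventions from the issue.
SAMPLE_VIEWS = %w[
  app/views/users/show.html.haml
  app/views/users/index.haml
  app/views/users/update.js.haml
  app/views/layouts/application.html.erb
  app/views/mailers/notice.text.erb
  app/assets/javascripts/app.coffee
].freeze

# Side-by-side comparison: [path, matched by strict whitelist?, policy].
def compare(paths = SAMPLE_VIEWS)
  paths.map { |p| [p, strict_view?(p), scan_policy(p)] }
end

# Views the strict whitelist would never open but that should be scanned as HTML.
def missed_html_views(paths = SAMPLE_VIEWS)
  paths.select { |p| !strict_view?(p) && scan_policy(p) == :scan_html }
end

if $PROGRAM_NAME == __FILE__
  compare.each { |path, strict, policy| puts format("%-45s strict=%-5s %s", path, strict, policy) }
  puts "missed by strict matching: #{missed_html_views.inspect}"
end
```

Running the script lists `app/views/users/index.haml` as the one HTML view the strict whitelist never opens, which is exactly the file class the reporter had to rename or patch around; the `.js.haml` template is admitted by the classifier but deliberately routed to a different policy, which is the "slightly more complicated" part of the reply.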