
Do not treat private methods as routable #1876

Open. presidentbeef wants to merge 2 commits into main.

Conversation

presidentbeef (Owner)

When processing controllers, don't try to run before actions and look for templates to render from private methods.

This saves significant time on some applications.


dryrunsecurity bot commented Oct 21, 2024

DryRun Security Summary

Summary:

The provided code changes are related to the Brakeman application security tool, which is a static code analysis tool for scanning Ruby on Rails applications for security vulnerabilities. The changes focus on improving the functionality and accuracy of the Brakeman tool, particularly in the area of identifying and analyzing routes and methods within the application.

The first change introduces a new private? method in the Brakeman::Collection class, which checks if a given method name is private in the collection. This change is not directly related to security vulnerabilities, but it could be part of a larger effort to enhance the tool's capabilities.

The second change modifies the route? method in the Brakeman::ControllerAliasProcessor class. The updated method checks if the given method name is a private method of the current controller class, in addition to the existing checks for the @tracker.routes[:allow_all_actions] and @tracker.options[:assume_all_routes] flags. This change can help Brakeman to focus its analysis on publicly accessible routes, which are more likely to be the entry points for potential security vulnerabilities, and reduce the number of false positives.

Files Changed:

  1. lib/brakeman/tracker/collection.rb:

    • Added a new private? method that checks if a given method name is private in the collection.
    • The private? method checks if the method name exists in the @methods[:private] hash.
  2. lib/brakeman/processors/controller_alias_processor.rb:

    • Modified the route? method to check if the given method name is a private method of the current controller class, in addition to the existing checks for the @tracker.routes[:allow_all_actions] and @tracker.options[:assume_all_routes] flags.
    • This change can help Brakeman to focus its analysis on publicly accessible routes and reduce the number of false positives.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

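As an added illustration (not Brakeman's own code; `ControllerMethods`, `Tracker`, `route?` and the sample helpers are hypothetical stand-ins for the classes the bot summary names), a minimal Ruby model of the check this PR describes: a method recorded as private is never treated as a routable action, even when the allow-all-actions or assume-all-routes flag is set, because Rails dispatches only public instance methods as actions.

```ruby
# Added illustration (not Brakeman's code): a minimal model of the PR's
# private-method check. Rails dispatches only public instance methods as actions.
# Hypothetical stand-in for Brakeman::Collection: records a controller's
# methods grouped by visibility, as a scan of the class body would record them.
class ControllerMethods
  attr_reader :name

  def initialize(name)
    @name = name
    @methods = { public: {}, protected: {}, private: {} }
  end

  def add(method_name, visibility)
    @methods.fetch(visibility)[method_name] = true
  end

  # Mirrors the PR's private? helper: true when the name was recorded as private.
  def private?(method_name)
    @methods[:private].key?(method_name)
  end
end

# Hypothetical stand-in for the tracker state that route? consults.
Tracker = Struct.new(:routes, :options)

# Decide whether a controller method should be analyzed as a routable action.
# Private methods are excluded before the flag checks, because Rails never
# dispatches to them no matter how permissive the route assumptions are.
def route?(tracker, controller, method_name)
  return false if controller.private?(method_name)
  return true if tracker.routes[:allow_all_actions] || tracker.options[:assume_all_routes]

  tracker.routes.fetch(controller.name, []).include?(method_name)
end

# Constructed sample controller, as if parsed from:
#   def index; end        # public action
#   private
#   def load_user; end    # private helper, not an action
def sample_controller
  c = ControllerMethods.new(:UsersController)
  c.add(:index, :public)
  c.add(:load_user, :private)
  c
end

def sample_tracker(assume_all: false)
  Tracker.new({ UsersController: [:index], allow_all_actions: false }, { assume_all_routes: assume_all })
end
```

With the sample above, `route?` accepts `:index`, rejects `:load_user` under both the explicit route table and the assume-all setting, and only admits an unrouted public name such as `:show` when assume-all is on.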
