Option to process additional/non-standard config files #1887

@joshuay03

Description

Is your feature request related to a problem? Please describe.

In an effort to standardize defaults loading when upgrading our Rails monolith, we ended up moving the code that calls load_defaults into a separate class and file that gets required and used in config/application.rb. It seems like Brakeman is unable to determine the defaults and overrides in this case e.g. we see cross-site forgery warnings despite config.action_controller.default_protect_from_forgery evaluating to true.

Describe the solution you'd like

An option to provide a list of additional config files to check alongside config/application.rb, config/environments/production.rb etc.:

# Process config/environment.rb and config/gems.rb
#
# Stores parsed information in tracker.config
def process_config
  # Sometimes folks like to put constants in environment.rb
  # so let's always process it even for newer Rails versions
  process_config_file "environment.rb"

  if options[:rails3] or options[:rails4] or options[:rails5] or options[:rails6]
    process_config_file "application.rb"
    process_config_file "environments/production.rb"
  else
    process_config_file "gems.rb"
  end

  if @app_tree.exists?("vendor/plugins/rails_xss") or
    options[:rails3] or options[:escape_html]

    tracker.config.escape_html = true
    Brakeman.notify "[Notice] Escaping HTML by default"
  end

  if @app_tree.exists? ".ruby-version"
    if version = @app_tree.file_path(".ruby-version").read[/(\d\.\d.\d+)/]
      tracker.config.set_ruby_version version, @app_tree.file_path(".ruby-version"), 1
    end
  end

  tracker.config.load_rails_defaults
end

Describe alternatives you've considered

No workaround as far as I can tell.

Additional context

Brakeman version: 6.2.1
Rails version: 7.0.8.4 loading 6.1 defaults
Ruby version: 3.3.6
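As an added illustration (not Brakeman's code and not part of the issue author's report), a toy resolver in Ruby that shows why a load_defaults call living in a separately required class goes unseen when only the standard config files are read. The file contents, the DefaultsLoader class and the 5.2 cut-off constant are constructed for this example.

```ruby
# Added example, not Brakeman's code: a minimal resolver that reads a list of
# config files and tries to settle default_protect_from_forgery from them.
CONFIG_FILES = {
  "config/application.rb" => <<~RUBY,
    require_relative "defaults_loader"
    class Application < Rails::Application
      DefaultsLoader.new(config).apply
    end
  RUBY
  "config/defaults_loader.rb" => <<~RUBY,
    class DefaultsLoader
      def initialize(config); @config = config; end
      def apply; @config.load_defaults 6.1; end
    end
  RUBY
  "config/environments/production.rb" => <<~RUBY,
    Rails.application.configure { config.eager_load = true }
  RUBY
}

# Constructed assumption: framework defaults from this version onwards enable the setting.
FORGERY_DEFAULT_ON_FROM = 5.2

# Returns true/false when the scanned files determine the value (an explicit
# assignment wins over load_defaults), or nil when none of them settles it.
# A scanner that gets nil here would fall back to warning about CSRF.
def resolve_forgery_default(paths, files = CONFIG_FILES)
  explicit = defaults_version = nil
  paths.each do |path|
    src = files.fetch(path)
    if (m = src.match(/default_protect_from_forgery\s*=\s*(true|false)/))
      explicit = (m[1] == "true")
    end
    if (m = src.match(/load_defaults\s+["']?(\d+\.\d+)/))
      defaults_version = m[1].to_f
    end
  end
  return explicit unless explicit.nil?
  return nil if defaults_version.nil?
  defaults_version >= FORGERY_DEFAULT_ON_FROM
end

STANDARD = ["config/application.rb", "config/environments/production.rb"]
# Only the standard files: load_defaults is never seen, so the result is nil.
# Adding config/defaults_loader.rb, as the issue requests, resolves it to true.
```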
