run brakeman

thedumbtechguy · thedumbtechguy · commit 2c463c0f4112 · 2024-02-18T00:38:19.000Z
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -94,6 +94,8 @@ GEM
     ast (2.4.2)
     base64 (0.2.0)
     bigdecimal (3.1.5)
+    brakeman (6.1.2)
+      racc
     builder (3.2.4)
     concurrent-ruby (1.2.2)
     connection_pool (2.4.1)
@@ -273,6 +275,7 @@ PLATFORMS
   x86_64-darwin-21
 
 DEPENDENCIES
+  brakeman
   plutonium!
   rake (~> 13.0)
   rspec (~> 3.0)
diff --git a/brakeman.ignore b/brakeman.ignore
@@ -0,0 +1,51 @@
+{
+  "ignored_warnings": [
+    {
+      "warning_type": "Cross-Site Request Forgery",
+      "warning_code": 7,
+      "fingerprint": "1cb8570b8c91f38317cdf909e01e7016359846174f427e86011633c344d30fc3",
+      "check_name": "ForgerySetting",
+      "message": "`protect_from_forgery` should be called in `Plutonium::Reactor::ResourceController`",
+      "file": "lib/plutonium/reactor/resource_controller.rb",
+      "line": 10,
+      "link": "https://brakemanscanner.org/docs/warning_types/cross-site_request_forgery/",
+      "code": null,
+      "render_path": null,
+      "location": {
+        "type": "controller",
+        "controller": "Plutonium::Reactor::ResourceController"
+      },
+      "user_input": null,
+      "confidence": "High",
+      "cwe_id": [
+        352
+      ],
+      "note": "this is tested and confirmed to be a false flag"
+    },
+    {
+      "warning_type": "Mass Assignment",
+      "warning_code": 70,
+      "fingerprint": "873ee0d868e06a32e8ff387a38ddb8c6183a419813d5c20122fa9c3a887f4e54",
+      "check_name": "MassAssignment",
+      "message": "Specify exact keys allowed for mass assignment instead of using `permit!` which allows any keys",
+      "file": "lib/plutonium/reactor/resource_controller.rb",
+      "line": 58,
+      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
+      "code": "params.require(resource_param_key).permit!",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Plutonium::Reactor::ResourceController",
+        "method": "resource_params"
+      },
+      "user_input": null,
+      "confidence": "Medium",
+      "cwe_id": [
+        915
+      ],
+      "note": "we manually filter params"
+    }
+  ],
+  "updated": "2024-02-18 00:37:39 +0000",
+  "brakeman_version": "6.1.2"
+}
diff --git a/lib/plutonium/reactor/resource_controller.rb b/lib/plutonium/reactor/resource_controller.rb
@@ -53,6 +53,8 @@ def resource_record
       helper_method :resource_record
 
       def resource_params
+        # Example of documenting an ignore in the source code
+        # NOTE: Brakeman warning ignored for MassAssignment because inputs are filtered manually
         input_params = params.require(resource_param_key).permit!.nilify.to_h
 
         # Override any entity scoping params
diff --git a/plutonium.gemspec b/plutonium.gemspec
@@ -39,6 +39,8 @@ Gem::Specification.new do |spec|
   spec.add_dependency "simple_form", "~> 5.3"
   spec.add_dependency "rabl", "~> 0.16.1"
 
+  spec.add_development_dependency "brakeman"
+
   # For more information and examples about making a new gem, check out our
   # guide at: https://bundler.io/guides/creating_gem.html
 end
