Improve brakeman config and fix some warnings.

gregschmit · gregschmit · commit dde30274f98c · 2025-05-08T17:52:37.000-05:00
diff --git a/bin/reloader b/bin/reloader
@@ -25,8 +25,13 @@ def reload(skip_seed: false)
   # Run the test suite (generates coverage report).
   system("#{"SKIP_SEED=1" if skip_seed} SIMPLECOV_INLINE_ASSETS=1 bin/rails test".strip)
 
-  # Generate brakeman report.
+  # Generate lib brakeman report.
   system("bin/brakeman")
+
+  # Generage app brakeman report.
+  Dir.chdir(File.join(PROJECT_ROOT, "test")) do
+    system("bin/brakeman")
+  end
 end
 
 # Load to generate initial reports.
diff --git a/config/brakeman.yml b/config/brakeman.yml
@@ -1,4 +1,4 @@
 ---
 :output_files:
-  - test/public/reports/brakeman.html
+  - test/public/reports/brakeman-lib.html
 :combine_locations: false
diff --git a/test/app/controllers/application_controller.rb b/test/app/controllers/application_controller.rb
@@ -1,3 +1,5 @@
 class ApplicationController < ActionController::Base
   include ActiveStorage::SetCurrent
+
+  protect_from_forgery
 end
diff --git a/test/app/controllers/home_controller.rb b/test/app/controllers/home_controller.rb
@@ -25,6 +25,10 @@ def send_guide_asset
 
   protected
 
+  def sanitize_path(path)
+    return path&.gsub(/[^a-zA-Z0-9-_\/]+/, "")&.gsub(/^\/+/, "")&.gsub(/\/+$/, "")
+  end
+
   def render_content(path)
     file_content = File.read(path)
 
@@ -42,7 +46,7 @@ def render_content(path)
   def lookup_section(section, asset: nil)
     if path = self.get_sections.dig(section, :path)
       if asset
-        f = File.join(path, "assets/#{asset}")
+        f = File.join(path, "assets/#{sanitize_path(asset)}")
         return f if File.exist?(f)
       else
         return File.join(path, "index.md")
diff --git a/test/bin/brakeman b/test/bin/brakeman
@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("brakeman", "brakeman")
diff --git a/test/config/brakeman.yml b/test/config/brakeman.yml
@@ -0,0 +1,4 @@
+---
+:output_files:
+  - public/reports/brakeman-app.html
+:combine_locations: false
diff --git a/test/public/reports/index.html b/test/public/reports/index.html
@@ -5,7 +5,8 @@
   </head>
   <body>
     <h1>Reports:</h1>
-    <p><a href="/reports/coverage/">SimpleCov Coverage Report</a></p>
-    <p><a href="/reports/brakeman.html">Brakeman Vulnerability Report</a></p>
+    <p><a target="_blank" href="/reports/coverage/">SimpleCov Coverage Report</a></p>
+    <p><a target="_blank" href="/reports/brakeman-lib.html">Brakeman Vulnerability Report - Lib</a></p>
+    <p><a target="_blank" href="/reports/brakeman-app.html">Brakeman Vulnerability Report - App</a></p>
   </body>
 </html>
