Closed kgilpin closed 2 years ago
Well, I don't want to leave those labels in because I'm not 100% sure that they are correct - but I don't want to lose track of the fact that I dug into this code to find them either.
Having these methods in the gem hooks will ensure that they are recorded. That way, if there's a finding (https://github.com/applandinc/scanner/pull/88), this method will be there for context.
Eventually we should either commit these labels, or remove the method hook.
On Mon, Jan 24, 2022 at 1:56 PM Alan Potter wrote:
Alan Potter commented on this pull request.
In lib/appmap/gem_hooks/activerecord.yml (https://github.com/applandinc/appmap-ruby/pull/214#discussion_r791060090):
@@ -1,2 +1,4 @@
- method: ActiveRecord::Relation#records label: dao.materialize +- method: ActiveRecord::FixtureSet::File#raw_rows +# label: deserialize.safe
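Review bot: the `+# label: deserialize.safe` line adds the `ActiveRecord::FixtureSet::File#raw_rows` hook with no effective label, so the method gets recorded but the Rule that keys on `deserialize.safe` / `deserialize.unsafe` (described in this PR) cannot classify it either way. If the label is deliberately held back until it is verified, say so in a YAML comment beside it and point at the scanner change (https://github.com/applandinc/scanner/pull/88), for example `# label: deserialize.safe  (provisional, pending verification)`, so the reason survives in the file rather than only in this thread.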
Why are these labels commented out?
View the review on GitHub: https://github.com/applandinc/appmap-ruby/pull/214#pullrequestreview-861390804
:tada: This PR is included in version 0.72.1 :tada:
The release is available on:
v0.72.1
Your semantic-release bot :package::rocket:
Deserialization comes in two flavors:
deserialize.safe
can deserialize untrusted data safely, because it only builds basic types and doesn't have any other weaknesses such as accessing the network or file system.
deserialize.unsafe
can only deserialize trusted data, because it can be configured/tricked into performing unsafe behaviors.
These labels will be used in a Rule that checks for deserialization of untrusted data.
Related: https://github.com/applandinc/scanner/pull/88
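To make the two labels concrete, here is an added Ruby example (not code from appmap-ruby or the scanner) that runs Psych's restricted and unrestricted loaders over a constructed YAML document; the `Point` class and both documents are constructed for the demo.

```ruby
require 'yaml'

# Constructed class for the demo; a document may name it via a !ruby/object tag.
class Point
  attr_accessor :x, :y
end

# Constructed document that asks the loader to instantiate a Ruby class.
TAGGED_DOC = "--- !ruby/object:Point\nx: 1\ny: 2\n".freeze

# Constructed document containing only basic types.
PLAIN_DOC = "---\nname: fixture\nrows:\n- 1\n- 2\n".freeze

# deserialize.safe behaviour: the restricted loader builds only basic types
# (Hash, Array, String, numbers) and refuses any tagged class.
def load_safely(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass => e
  { error: e.class.name }
end

# deserialize.unsafe behaviour: the unrestricted loader instantiates whatever
# class the document names, so it is only fit for trusted input.
# Psych 4 (Ruby 3.1+) exposes unsafe_load; older Psych has the same behaviour in load.
def load_unsafely(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# The "configured" middle ground: safe_load with an explicit allow-list still
# instantiates the named class, so the label depends on how the loader is called.
def load_with_allowlist(doc, classes)
  YAML.safe_load(doc, permitted_classes: classes)
end

if $PROGRAM_NAME == __FILE__
  p load_safely(PLAIN_DOC)
  p load_safely(TAGGED_DOC)
  p load_unsafely(TAGGED_DOC)
  p load_with_allowlist(TAGGED_DOC, [Point])
end
```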