presidentbeef / brakeman

A static analysis security vulnerability scanner for Ruby on Rails applications
https://brakemanscanner.org/

Issue with adding autoload_paths for views dir #1834

Closed SethHorsley closed 4 months ago

SethHorsley commented 8 months ago

Background

Brakeman version: 6.1.0
Rails version: 7.1.0
Ruby version: 3.2.2

Link to Rails application code: ?

Issue

After installing phlex in our main app, brakeman started throwing warnings about:

Confidence: High
Category: Redirect
Check: Redirect
Message: Possible unprotected redirect
Code: redirect_to((params[:redir] or root_path))
File: app/controllers/accounts_controller.rb
Line: 77

Check: ForgerySetting
Message: `protect_from_forgery` should be called in `Users::SudoController`
File: app/controllers/users/sudo_controller.rb
Line: 1

Confidence: High
Category: Cross-Site Request Forgery
Check: ForgerySetting
Message: `protect_from_forgery` should be called in `Turbo::Native::NavigationController`
File: node_modules/@hotwired/turbo-rails/app/controllers/turbo/native/navigation_controller.rb
Line: 1

This issue only comes up after I add the autoload paths for the phlex views:

    config.autoload_paths << "#{root}/app/views"
    config.autoload_paths << "#{root}/app/views/layouts"
    config.autoload_paths << "#{root}/app/views/components"

Other Error

Nothing else weird that the brakeman log from above doesn't have.

Stack trace:

I can add it, but we have a big app so this would be huge.
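The first warning in the report above flags `redirect_to((params[:redir] or root_path))`: the request parameter is used as a redirect target without a check that it points back into the same site. The following is an added example, not code from the Brakeman project or from the reporter's application, showing the kind of guard that resolves that finding. The function name `local_redirect_target`, the `ROOT_PATH` constant (standing in for Rails' `root_path` helper) and all inputs are constructed for illustration.

```ruby
require "uri"

# Stand-in for the Rails root_path helper (assumption for this example).
ROOT_PATH = "/"

# Returns +candidate+ only when it is a same-site, absolute path; otherwise
# returns +fallback+. This is the check Brakeman's Redirect warning asks for:
# the attacker-controlled value must never be handed to redirect_to unchecked.
def local_redirect_target(candidate, fallback = ROOT_PATH)
  return fallback if candidate.nil? || candidate.strip.empty?

  uri = begin
    URI.parse(candidate)
  rescue URI::InvalidURIError
    # Anything URI cannot parse (e.g. a backslash) is treated as unsafe.
    return fallback
  end

  # Reject any target carrying a scheme, host or credentials:
  # "https://evil.example/", "//evil.example", "javascript:..." all fall here.
  return fallback if uri.scheme || uri.host || uri.userinfo

  path = uri.path.to_s
  # Require a path rooted at "/" that is not protocol-relative ("//...") and
  # contains no backslash, which some browsers normalise to a forward slash.
  return fallback unless path.start_with?("/") && !path.start_with?("//")
  return fallback if candidate.include?("\\")

  candidate
end

# Usage inside a controller action would then read (hypothetical):
#   redirect_to local_redirect_target(params[:redir], root_path)
```

On Rails 7.0 and later, which the reporter is running, ActionController also provides `url_from(params[:redir])`, which returns `nil` for targets outside the application's host, and `redirect_to` accepts `allow_other_host: false` to raise on cross-host targets; either of those applies the same policy without a hand-written helper.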

presidentbeef commented 7 months ago

Hm, that doesn't really make sense. Brakeman doesn't do anything with autoload_paths. Are you sure there are no other changes?