presidentbeef / brakeman

A static analysis security vulnerability scanner for Ruby on Rails applications
https://brakemanscanner.org/

Fix parsing issue of yields in ERB templates #1844

Closed presidentbeef closed 6 months ago

presidentbeef commented 6 months ago

A yield with no method/block context is now a syntax error at parse time, so ERB templates need to avoid that to be parsed correctly.

Ruby 3.2.1:

$ echo yield | ruby -c
Syntax OK

Ruby 3.3.0:

$ echo yield | ruby -c
-:1: Invalid yield
yield
-: compile error (SyntaxError)
dryrunsecurity[bot] commented 6 months ago

Hi there :wave:, @dryrunsecurity here, below is a summary of our analysis and findings.

DryRun Security                 Status               Findings
Configured Codepaths Analyzer   :white_check_mark:   0 findings
Secrets Analyzer                :white_check_mark:   0 findings
Sensitive Files Analyzer        :white_check_mark:   0 findings
Authn/Authz Analyzer            :white_check_mark:   0 findings
AppSec Analyzer                 :white_check_mark:   0 findings

Note: :green_circle: Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy :robot:. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

**Summary:** The provided code change is related to the Brakeman security scanner for Ruby on Rails applications. Brakeman is a static code analysis tool that helps identify security vulnerabilities in Rails applications. The changes are made to the `Brakeman::Rails3Erubis` class, which is a custom Erubis template handler used by Brakeman to parse and process Ruby on Rails templates. The changes focus on ensuring the correct syntax and handling of the generated code, which is an important aspect of a security scanner like Brakeman. From an application security perspective, these changes do not appear to introduce any security vulnerabilities and are likely aimed at improving the overall functionality and accuracy of the Brakeman tool.

**Files Changed:**

- `lib/brakeman/parsers/rails3_erubis.rb`: The changes in this file are related to the `Brakeman::Rails3Erubis` class, which is a custom Erubis template handler used by Brakeman. The `add_preamble` method has been updated to include a line that ensures the generated code is syntactically correct, particularly when dealing with `yield` statements in the templates. The `add_postamble` method has been updated to include the closing brace for the added block. These changes are focused on improving the handling of Rails templates, which is crucial for Brakeman to accurately analyze the application's code and identify potential security issues.

Powered by DryRun Security