From abdebd0c117c487f9b6b018d98761be9a8abf16e Mon Sep 17 00:00:00 2001
From: Thomas Leese
Date: Thu, 2 Aug 2018 15:21:17 +0100
Subject: [PATCH 1/2] Add a warning about dynamic template path

We manually validate this path https://github.com/alphagov/static/blob/67887c238ca848b61936836c1e2958b802542b9d/app/controllers/root_controller.rb#L26 to check that it doesn't contain slashes or underscores.

---
 config/brakeman.ignore | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 config/brakeman.ignore

diff --git a/config/brakeman.ignore b/config/brakeman.ignore
new file mode 100644
index 000000000..4cdd8a483
--- /dev/null
+++ b/config/brakeman.ignore
@@ -0,0 +1,26 @@
+{
+ "ignored_warnings": [
+ {
+ "warning_type": "Dynamic Render Path",
+ "warning_code": 15,
+ "fingerprint": "0a4ebe31686d3a336e8746a0562a643ef742503fdf160807cf8ee2109f539609",
+ "check_name": "Render",
+ "message": "Render path contains parameter value",
+ "file": "app/controllers/root_controller.rb",
+ "line": 20,
+ "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
+ "code": "render(action => params[:template], { :layout => \"govuk_template\" })",
+ "render_path": null,
+ "location": {
+ "type": "method",
+ "class": "RootController",
+ "method": "template"
+ },
+ "user_input": "params[:template]",
+ "confidence": "High",
+ "note": "We validate the parameter in validate_template_param to check it contains no slashes or underscores."
+ }
+ ],
+ "updated": "2018-08-02 15:21:08 +0100",
+ "brakeman_version": "4.3.1"
+}

From c71b9a83bd3a6a1482f1a5bed77116f7efef50ef Mon Sep 17 00:00:00 2001
From: Thomas Leese
Date: Thu, 2 Aug 2018 15:22:16 +0100
Subject: [PATCH 2/2] Enable Brakeman

This allows us to find any security vulnerabilities.

---
 Jenkinsfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Jenkinsfile b/Jenkinsfile
index 033d6b4c8..1347edcae
--- a/Jenkinsfile
+++ b/Jenkinsfile
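Review bot: The suppression in this ignore entry rests on a deny-list — the `note` says `validate_template_param` only rejects slashes and underscores — which, as far as this hunk shows, still lets a caller pick any non-partial template under the controller's view prefixes, and the filter itself is not visible here so neither its ordering (a halting `before_action`) nor whether it rejects rather than sanitises can be confirmed. An allow-list of the template names `RootController#template` is meant to serve is the check a reviewer would expect before accepting a High-confidence Dynamic Render Path warning, since it turns the argument from "nothing dangerous is allowed" into "only known templates are allowed". At minimum the `note` should record the assumptions the ignore depends on so it can be re-assessed, e.g. `"note": "params[:template] is rejected by validate_template_param (before_action) if it contains '/' or '_', so only non-partial templates under the controller's own view prefixes are reachable; prefer an explicit allow-list of template names."`. Because the fingerprint is tied to the render expression, any change to that line will resurface the warning instead of silently extending this ignore, which is the behaviour you want.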
@@ -16,5 +16,6 @@ node {
 }
 },
 publishingE2ETests: true,
+ brakeman: true,
 )
 }
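Review bot: `brakeman: true` switches the scan on, but nothing in this hunk shows whether the shared pipeline step fails the build on an un-ignored warning or only publishes a report; if it is advisory, the `config/brakeman.ignore` baseline committed alongside is the only reviewed state and new findings could land unnoticed. The enclosing `node { ... }` call and the library that interprets these options start before this hunk, so this needs confirming against the pipeline library rather than this file. If the step does gate, a short comment on the new line would document the contract for the next reader, e.g. `brakeman: true, // fails the build on warnings not listed in config/brakeman.ignore`. The commit message's "find any security vulnerabilities" overstates a static analyser: Brakeman covers Rails-specific code patterns and complements, rather than replaces, dependency auditing and runtime testing.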