presidentbeef/brakeman

safe-methods: pass "pointed" methods?

Open

#1738 opened on Nov 9, 2022

View on GitHub
 (1 comment) (1 reaction) (0 assignees)Ruby (7,232 stars) (767 forks)batch import
help wanted

Description

Hi,

I'm using Sanitize.fragment(str) to sanitize, but --safe-methods=Sanitize.fragment does not work, I have to decay this into --safe-methods=fragment. But I feel less secure this way. It would be nice to have richer means to specify the safe methods.

Cheers!

Contributor guide

Tech stack
ruby
Domain
security
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
half day
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Basic RubyUnderstanding of Brakeman's option parsing
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
35
Research direction
Review the implementation of the safe methods option in Brakeman's codebase, likely in lib/brakeman/options.rb or similar. Examine how methods are currently specified and stored. Consider extending the parsing to support class.method syntax (e.g., 'Sanitize.fragment') while maintaining backward compatibility. Check the single comment in the issue for any maintainer feedback or suggestions.