Omar A.

Results: 5 issues by Omar A.

`Model.new({something: params.fetch(:something_id)})` isn't flagged by the authz cop in some contexts due to `fetch` not being tracked in the same way `permit` is. Adding `fetch` catches it but introduces false...

invalid

Hi folks, it's me deleting another rule. This time it's a rule that basically flags specific parameter names as a high severity finding. I get what it's going for but...

Hi folks, this PR removes some ruby/rails rules we feel are no longer relevant. We maintain a fork of semgrep-rules internally that allowed us to remove these without waiting for...

```ruby
# Lookup scoped through an association chain off `some_user`
def test
  some_user.other_model.active.find_by_token(token)
end

# Token value comes straight from the request params
def token
  params[:token]
end
```

This raises an offense, even though we're operating in a trusted context (off of `some_user`). Interestingly, using `find_by(token:)` and `find(token)`...

good first issue

UnscopedFind has made the assumption that if you're doing a `find` off of an object (e.g. `current_user`), your query will be scoped to whatever belongs to that object. However, it...

good first issue
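To make concrete the scoping assumption that both UnscopedFind issues above are about, here is an added example that is not part of the semgrep-rules project or of these issues. It is a minimal in-memory stand-in for ActiveRecord (the `Relation`, `Token`, `User` and `RecordNotFound` names, the `TOKENS` rows and the dynamic `find_by_*` finder are all assumptions made for illustration), contrasting a class-level `Token.find(params[:id])`, which any caller can point at any row, with the same lookups made through `current_user.tokens`, where the association already restricts which rows a `find`, `find_by` or `find_by_token` can return:

```ruby
# Added example, not code from semgrep-rules: a toy ActiveRecord-like layer
# (all names below are assumptions) showing why UnscopedFind treats a lookup
# made off an association as scoped and a class-level lookup as unscoped.
class RecordNotFound < StandardError; end

# A set of rows; every finder defined here only sees the rows it was built with.
class Relation
  include Enumerable

  def initialize(rows)
    @rows = rows
  end

  def each(&block)
    @rows.each(&block)
  end

  # Scoped find: a row outside this relation is simply not found.
  def find(id)
    @rows.find { |r| r[:id] == id } or raise RecordNotFound, "id=#{id}"
  end

  def find_by(attrs)
    @rows.find { |r| attrs.all? { |k, v| r[k] == v } }
  end

  # Emulates dynamic finders such as find_by_token(value).
  def method_missing(name, *args)
    if name.to_s.start_with?("find_by_")
      find_by(name.to_s.delete_prefix("find_by_").to_sym => args.first)
    else
      super
    end
  end

  def respond_to_missing?(name, include_private = false)
    name.to_s.start_with?("find_by_") || super
  end
end

# Constructed sample data: one token per user.
TOKENS = [
  { id: 1, user_id: 1, token: "alice-token" },
  { id: 2, user_id: 2, token: "bob-token" }
].freeze

class Token
  def self.all
    Relation.new(TOKENS)
  end

  def self.find(id)
    all.find(id)
  end

  def self.find_by(attrs)
    all.find_by(attrs)
  end
end

class User
  attr_reader :id

  def initialize(id)
    @id = id
  end

  # Association: only this user's rows.
  def tokens
    Relation.new(TOKENS.select { |t| t[:user_id] == id })
  end
end

# Unscoped: the shape UnscopedFind flags. Any caller can fetch any row by id.
def unscoped_lookup(params)
  Token.find(params[:id])
end

# Scoped via the association: rows of other users are not reachable.
def scoped_lookup(current_user, params)
  current_user.tokens.find(params[:id])
end

# Same scoping applies to a dynamic finder, as in the find_by_token report above.
def scoped_dynamic_finder(current_user, params)
  current_user.tokens.find_by_token(params[:token])
end
```

Run as a script, `unscoped_lookup(id: 2)` hands Bob's token to whoever asks, while `scoped_lookup(User.new(1), id: 2)` raises `RecordNotFound` and `scoped_dynamic_finder(User.new(1), token: "bob-token")` returns `nil`; that difference in reachability, not the method name, is what the rule's heuristic is trying to approximate syntactically.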