Allow Brakeman to determine the Rails configuration by querying `Rails.application.config`

Open gstokkink opened this issue 10 months ago • 2 comments

Is your feature request related to a problem? Please describe.

We have a bunch of Rails applications in a single repository (i.e., a monorepo). These Rails applications share a lot of the same configuration. We want to manage this shared configuration in a single place, thus we include shared modules in various configuration files (for instance, application.rb). Because Brakeman currently parses the configuration files directly, it misses the configuration that's set by the included modules. For instance, if we were to set config.action_controller.default_protect_from_forgery = true in a shared configuration module rather than setting it directly in application.rb (or environment.rb), Brakeman would not detect this, and will start complaining about controllers missing forgery protection. If Brakeman were to query Rails.application.config.action_controller.default_protect_from_forgery instead, however, it would see that it's set.

Describe the solution you'd like

Brakeman to determine the Rails configuration by querying Rails.application.config instead of parsing the configuration files.

Describe alternatives you've considered

Including the shared configuration modules in the files that Brakeman scans. This requires hacking the Brakeman internals, however. Perhaps an option to define additional places where configuration is defined?

Additional context

Add any other context or screenshots about the feature request here.

gstokkink avatar Jun 10 '25 07:06 gstokkink

This would require Brakeman to load and execute code from the application (not to mention to be compatible with doing so), which is against Brakeman's design principles (and a little dangerous).

What do the shared modules and their use look like?

presidentbeef avatar Jul 04 '25 19:07 presidentbeef

@presidentbeef thanks for your reply. It looks something like this:

In the application:

require 'concerns/shared_application_config'

module SomeApplication
  class Application < Rails::Application
    include SharedApplicationConfig
    
    ...
  end
end

In the shared application config:

module SharedApplicationConfig
  extend ActiveSupport::Concern

  included do
    config.load_defaults('8.0')
    config.time_zone = 'Amsterdam'
    
    ...
  end
end

This works fine, except for Brakeman not supporting it 😄

gstokkink avatar Jul 07 '25 09:07 gstokkink
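The thread turns on two points: Brakeman reads configuration by parsing the files statically rather than loading the application (so it cannot see settings that an included concern applies at boot), and the reporter's alternative of telling the scanner about additional places where configuration lives. The following Ruby script is an added example, not Brakeman's code and not from the reporter's repository. It uses only the standard-library `Ripper` parser, and it shows how `config.x.y = value` assignments and `include SomeModule` statements can be recovered from an `application.rb`-style file and from a shared `ActiveSupport::Concern` module purely by walking the syntax tree, without ever evaluating the application. The `module_sources` lookup stands in for a hypothetical "extra configuration locations" option; both source strings are constructed to mirror the shape shown in the thread.

```ruby
require 'ripper'

# Constructed sample sources mirroring the issue's shape (not the reporter's real files).
APPLICATION_RB = <<~RUBY
  require 'concerns/shared_application_config'

  module SomeApplication
    class Application < Rails::Application
      include SharedApplicationConfig
      config.active_record.belongs_to_required_by_default = false
    end
  end
RUBY

SHARED_CONFIG_RB = <<~RUBY
  module SharedApplicationConfig
    extend ActiveSupport::Concern

    included do
      config.load_defaults('8.0')
      config.time_zone = 'Amsterdam'
      config.action_controller.default_protect_from_forgery = true
    end
  end
RUBY

# Turns a receiver chain such as `config.action_controller` into ["config", "action_controller"].
def dotted_name(node)
  case node[0]
  when :vcall, :var_ref
    ident = node[1]
    %i[@ident @const].include?(ident[0]) ? [ident[1]] : nil
  when :call
    receiver = dotted_name(node[1])
    name = node[3]
    receiver && name.is_a?(Array) && name[0] == :@ident ? receiver + [name[1]] : nil
  end
end

# Renders simple literal values; anything else is reported as non-literal rather than evaluated.
def literal_value(node)
  case node[0]
  when :var_ref then node[1][1]                        # true / false / nil / a constant name
  when :@int, :@float then node[1]
  when :string_literal
    content = node[1]
    if content[0] == :string_content && content[1] && content[1][0] == :@tstring_content
      content[1][1]
    else
      '<interpolated string>'
    end
  when :symbol_literal then ":#{node[1][1][1]}"
  else '<non-literal>'
  end
end

# Recursively walks a Ripper S-expression, collecting `config.* = ...` assignments and `include X`.
def walk(node, settings, includes)
  return unless node.is_a?(Array)
  case node[0]
  when :assign
    target, value = node[1], node[2]
    if target[0] == :field
      path = dotted_name(target[1])
      if path && path.first == 'config' && target[3].is_a?(Array) && target[3][0] == :@ident
        settings[(path.drop(1) + [target[3][1]]).join('.')] = literal_value(value)
      end
    end
  when :command
    if node[1].is_a?(Array) && node[1][0] == :@ident && node[1][1] == 'include'
      args = node[2]
      args = args[1] if args.is_a?(Array) && args[0] == :args_add_block
      if args.is_a?(Array)
        args.each { |a| includes << a[1][1] if a.is_a?(Array) && a[0] == :var_ref && a[1][0] == :@const }
      end
    end
  end
  node.each { |child| walk(child, settings, includes) }
end

# Returns [settings hash, included module names] for one source string, without running it.
def extract_config(source)
  settings, includes = {}, []
  walk(Ripper.sexp(source), settings, includes)
  [settings, includes]
end

# Follows `include` statically through a name => source lookup (the hypothetical
# "additional configuration locations" option). Assumes assignments made directly in the
# application file take precedence over those applied by a shared concern.
def resolve_config(entry_source, module_sources)
  settings, includes = extract_config(entry_source)
  includes.each do |name|
    next unless (src = module_sources[name])
    shared, _ = extract_config(src)
    settings = shared.merge(settings)
  end
  settings
end

if __FILE__ == $PROGRAM_NAME
  resolve_config(APPLICATION_RB, 'SharedApplicationConfig' => SHARED_CONFIG_RB)
    .each { |key, value| puts "config.#{key} = #{value}" }
end
```

Run on the constructed sources, `resolve_config` reports `action_controller.default_protect_from_forgery = true` even though that line lives only in the concern, which is exactly the setting the reporter says gets missed; with an empty lookup it reports only what `application.rb` itself assigns. Values are read as literals and anything computed is labelled `<non-literal>`, so the scanner keeps the property the maintainer cares about: no application code is loaded or executed.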