From 283fc9bddb0c4b8ca65e4a1026008cb2d2f24808 Mon Sep 17 00:00:00 2001
From: Jill Klang
Date: Fri, 8 Nov 2024 12:44:44 -0500
Subject: [PATCH] Bearer integration (#269)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is a POC for [bearer](https://docs.bearer.com/), which is a static scanner for security/privacy vulnerabilities. While [brakeman](https://brakemanscanner.org/) is Rails-specific, Bearer adds support for vulnerabilities on the language-level and supports the following languages:
1. JavaScript/TypeScript
2. Ruby
3. PHP
4. Java
5. Go
6. Python

This PR aims to prove out bearer's effectiveness in the power-tools repo.

Example failure:
![Screenshot 2024-11-06 at 9 56 43 AM](https://github.com/user-attachments/assets/6d99c673-26e9-4ce5-b03b-44ea3a5e3525)
---
 .github/workflows/reviewdog.yml           | 28 +++++++++++++++++++++++
 packages/consent/docs/CHANGELOG.md        |  2 ++
 packages/consent/lib/consent/dsl.rb       |  8 -------
 packages/consent/spec/consent/dsl_spec.rb | 16 -------------
 4 files changed, 30 insertions(+), 24 deletions(-)
 create mode 100644 .github/workflows/reviewdog.yml

diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
new file mode 100644
index 00000000..60e770e3
--- /dev/null
+++ b/.github/workflows/reviewdog.yml
@@ -0,0 +1,28 @@
+name: Automated Code Reviews
+on: [pull_request]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  bearer:
+    name: Bearer Security Analysis
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: reviewdog/action-setup@v1
+        with:
+          reviewdog_version: latest
+      - name: Bearer
+        uses: bearer/bearer-action@v2
+        with:
+          diff: true
+          format: rdjson
+          output: rd.json
+      - name: Run reviewdog
+        if: always()
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          touch rd.json && cat rd.json | reviewdog -f=rdjson -reporter=github-pr-check
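Review bot: Every third-party action in the new `steps:` list is referenced by a mutable tag (`actions/checkout@v4`, `reviewdog/action-setup@v1`, `bearer/bearer-action@v2`) and `reviewdog_version: latest` fetches whichever reviewdog release is newest at run time, so a job intended as a security gate, holding `GITHUB_TOKEN` with `pull-requests: write`, executes code that nobody in this repository has reviewed and that can change under it without a commit here; pin each `uses:` to a full commit SHA (tag kept in a trailing `# v4`-style comment) and set `reviewdog_version` to an explicit release. On the last line, `touch rd.json && cat rd.json | reviewdog …` is a redundant pipe; `touch rd.json && reviewdog -f=rdjson -reporter=github-pr-check < rd.json` reads the file directly and keeps the empty-file guard. Whether the `github-pr-check` reporter also needs `checks: write` beyond the two permissions declared at the top of the file depends on the reviewdog version in use — worth confirming against its documentation once the version is pinned, since a silent permission failure would make the gate report nothing.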
diff --git a/packages/consent/docs/CHANGELOG.md b/packages/consent/docs/CHANGELOG.md
index 774a1a1c..87b1057b 100644
--- a/packages/consent/docs/CHANGELOG.md
+++ b/packages/consent/docs/CHANGELOG.md
@@ -1,5 +1,7 @@
 ## [Unreleased]
 
+- removed eval_view as a legacy, unsafe concern
+
 ## [2.0.1] - 2023-01-08
 
 - Bugfixes, minor version bumps
diff --git a/packages/consent/lib/consent/dsl.rb b/packages/consent/lib/consent/dsl.rb
index ee06d8ac..c82136a4 100644
--- a/packages/consent/lib/consent/dsl.rb
+++ b/packages/consent/lib/consent/dsl.rb
@@ -14,14 +14,6 @@ def with_defaults(new_defaults, &block)
       DSL.build(@subject, @defaults.merge(new_defaults), &block)
     end
 
-    # rubocop:disable Lint/UnusedBlockArgument, Security/Eval
-    def eval_view(key, label, collection_conditions)
-      view key, label do |user|
-        eval(collection_conditions)
-      end
-    end
-    # rubocop:enable Lint/UnusedBlockArgument, Security/Eval
-
     def view(key, label, instance = nil, collection = nil, &block)
       collection ||= block
       @subject.views[key] = View.new(key, label, instance, collection)
diff --git a/packages/consent/spec/consent/dsl_spec.rb b/packages/consent/spec/consent/dsl_spec.rb
index 64ebf812..06fbf3a4 100644
--- a/packages/consent/spec/consent/dsl_spec.rb
+++ b/packages/consent/spec/consent/dsl_spec.rb
@@ -46,22 +46,6 @@
     end
   end
 
-  describe "#eval_view" do
-    it "accepts a conditions string for eval" do
-      dsl.eval_view :view_key, "View YEY", "{object: 1}"
-
-      expect(subject.views[:view_key].conditions(nil)).to eql(object: 1)
-    end
-
-    it "is a view that evaluate the condition as ruby with the user variable" do
-      user = double(id: 1)
-
-      dsl.eval_view :view_key, "View YEY", "{user: user.id}"
-
-      expect(subject.views[:view_key].conditions(user)).to eql(user: 1)
-    end
-  end
-
   describe "#action" do
     let(:view_all) { double }
     let(:view_no_access) { double }