diff --git a/lib/brakeman.rb b/lib/brakeman.rb
index 86d750ab096df3987272dca6f562199cf72d3f93..8a92d4bfa8ef3587d1292fa3ce91db874328bef6 100644
--- a/lib/brakeman.rb
+++ b/lib/brakeman.rb
@@ -23,6 +23,7 @@ module Brakeman
 # * :config_file - configuration file
 # * :escape_html - escape HTML by default (automatic)
 # * :exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)
+ # * :highlight_user_input - highlight user input in reported warnings (default: true)
 # * :html_style - path to CSS file
 # * :ignore_model_output - consider models safe (default: false)
 # * :message_limit - limit length of messages
@@ -113,6 +114,7 @@ module Brakeman
 :min_confidence => 2,
 :combine_locations => true,
 :collapse_mass_assignment => true,
+ :highlight_user_input => true,
 :ignore_redirect_to_model => true,
 :ignore_model_output => false,
 :message_limit => 100,
diff --git a/lib/brakeman/options.rb b/lib/brakeman/options.rb
index 0e2898663e408967d93d1aa652d30e2693c407d8..96058548acea03bc1b46fd15e4fb2ac11e5f0024 100644
--- a/lib/brakeman/options.rb
+++ b/lib/brakeman/options.rb
@@ -144,6 +144,10 @@ module Brakeman::Options
 options[:combine_locations] = combine
 end
 
+ opts.on "--[no-]highlights", "Highlight user input in report" do |highlight|
+ options[:highlight_user_input] = highlight
+ end
+
 opts.on "-m", "--routes", "Report controller information" do
 options[:report_routes] = true
 end
diff --git a/lib/brakeman/report.rb b/lib/brakeman/report.rb
index 6ccd524656d94a7de509b4878cb2af2c3c501588..8bb25eabb9edc7cee9908ec4f2c72cf3563d0690 100644
--- a/lib/brakeman/report.rb
+++ b/lib/brakeman/report.rb
@@ -34,6 +34,7 @@ class Brakeman::Report
 @checks = tracker.checks
 @element_id = 0 #Used for HTML ids
 @warnings_summary = nil
+ @highlight_user_input = tracker.options[:highlight_user_input]
 end
 
 #Generate summary table of what was parsed
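Review bot: The new constructor line in lib/brakeman/report.rb reads the option with `tracker.options[:highlight_user_input]`, so a missing key silently disables highlighting even though the documented default (added in lib/brakeman.rb) is true. If a Report can ever be built from an options hash that was not merged with those defaults (I cannot see the merge from this hunk), `@highlight_user_input = tracker.options.fetch(:highlight_user_input, true)` would keep the documented behaviour. The enclosing `initialize` starts and ends outside the hunk. As a smaller point on the options.rb hunk, the flag is named `--[no-]highlights` while the option key is `:highlight_user_input`; a name like `--[no-]highlight-user-input` (or a help string mentioning the key) would make the two easier to connect when reading the docs in lib/brakeman.rb.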
@@ -491,7 +492,7 @@ class Brakeman::Report
 
 #Escape warning message and highlight user input in text output
 def text_message warning, message
- if warning.user_input
+ if @highlight_user_input and warning.user_input
 user_input = Brakeman::OutputProcessor.new.format(warning.user_input)
 message.gsub(user_input, "+#{user_input}+")
 else
@@ -502,7 +503,8 @@ class Brakeman::Report
 
 #Escape warning message and highlight user input in HTML output
 def html_message warning, message
 message = CGI.escapeHTML(message)
- if warning.user_input
+
+ if @highlight_user_input and warning.user_input
 user_input = CGI.escapeHTML(Brakeman::OutputProcessor.new.format(warning.user_input))
 message.gsub!(user_input, "#{user_input}")
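Review bot: Both new conditions use the keyword `and`, which binds looser than `=` and `!` and is the form the Ruby style guide reserves for control flow; `if @highlight_user_input && warning.user_input` is the conventional spelling, in `text_message` here and in the `html_message` hunk below. A second, pre-existing issue that the highlighting guard now makes easier to reason about: both `gsub` calls pass the formatted user input as a string replacement, where `gsub` interprets backslash sequences such as `\\` and `\0`, so a code fragment containing a backslash (a regex or escaped string in the scanned app) can be rewritten incorrectly; the block form `message.gsub(user_input) { "+#{user_input}+" }` inserts it literally. Both methods continue past the end of their hunks.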