Testing External Security Check Integration in Brakeman

This test suite validates the external check integration in the Brakeman security scanner. It verifies that custom security checks located outside the main checks directory can be loaded and executed when supplied through the additional_checks_path option.

Test Coverage Overview

The test suite focuses on validating the external check loading mechanism in Brakeman. It covers:

  • Integration of custom security checks from external directories
  • Verification of optional check registration
  • Detection of potentially dangerous method calls
  • User input validation scenarios

Implementation Analysis

The test defines a custom security check class that inherits from BaseCheck. It uses Brakeman’s built-in call tracking to find calls to a specific method and inspects their first argument for immediate user input before reporting a warning.

The implementation leverages Brakeman’s warning system with custom warning types, codes, and confidence levels.

Technical Details

  • Inherits from Brakeman::BaseCheck for core functionality
  • Uses Brakeman::Checks.add_optional for registration
  • Implements tracker.find_call for method detection
  • Utilizes has_immediate_user_input? for input validation
  • Includes CWE ID integration for security tracking

Best Practices Demonstrated

The test shows how an external check is structured: it registers itself as an optional check, declares an explicit warning type and warning code, and only emits a warning when the call's first argument is immediate user input, so each warning carries the user input that triggered it.

  • Clear warning message construction
  • Structured security check organization
  • Proper confidence level assignment
  • Security tracking integration

presidentbeef/brakeman

test/apps/rails4/external_checks/check_external_check_test.rb

require 'brakeman/checks/base_check'

#Verify that checks external to the checks/ dir are added by the additional_checks_path options flag
class Brakeman::CheckExternalCheckTest < Brakeman::BaseCheck
  Brakeman::Checks.add_optional self

  @description = "An external check that does nothing, used for testing"

  def run_check
    tracker.find_call(target: nil, method: :call_shady_method).each do |result|
      if user_input = has_immediate_user_input?(result[:call].first_arg)
        warn result: result,
          warning_type: "Shady Call",
          warning_code: :custom_check,
          message: "Called something shady!",
          confidence: :high,
          user_input: user_input,
          :cwe_id => [-1]
      end
    end
  end
end