Description
Steps to reproduce
Hi! I’m seeing an issue specifically when working with view_components and brakeman. Basically, the way we’re using view_components is to create reusable components (like buttons for example) so that we can plug and play these onto a page easily.
However, we’re encountering an issue if we want to send in a record to the component. I believe this has to do with how view_component is monkey patching the render method. Essentially, any time we try to send in something to do with params or with a record that’s found with params, we’re seeing a dynamic render path error. I’ve pasted an example below, where we have a button to component that accepts a path as a param.
class Owlery::ButtonToComponent < ApplicationComponent
def initialize(name = nil, options = nil, html_options = {})
@name = name
@options = options
@html_options = html_options
end
<%= render Owlery::ButtonToComponent.new(a_store_path(@store), nil, {is_color: 'dark', is_outlined: true, method: :delete}) do %>
A button
<% end %>
{
"warning_type": "Dynamic Render Path",
"warning_code": 15,
"check_name": "Render",
"message": "Render path contains parameter value",
"file": "<our_file>",
"line": 14,
"link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
"code": "render(action => Owlery::ButtonToComponent.new(a_store_path(Store.find(params[:id]), nil, :is_color => \"primary\", :method => :delete), {})",
Normally, render can tell if you’re grabbing a record and doesn’t throw an error. But because we’re rendering a component with fairly complex logic that ALSO sends in a record found via params, brakeman can’t parse what’s happening, and thus throws this dynamic render path error.
This can easily be fixed if we add an exception to our brakeman list any time this happens. The brakeman error that this produces is a weak confidence error, so it’s less worrying. But the issue I have with that is that it’s not a sustainable solution. As our usage of components grows we’re going to need to send them records that were found via params. Having a growing list of brakeman exceptions defeats the purpose of fixing brakeman issues - especially if the habit becomes ‘oh that’s known, just create an exception and move on’.
Expected behavior
You should be able to send in a record found in the controller via params to the view component without brakeman throwing a dynamic render path warning.
Actual behavior
Brakeman throws a warning when you send in a record you found into your view component
System configuration
Rails version: 5.2.4.4
Ruby version: 2.6.5
Gem version: 2.24.0