From: Tom Hughes Date: Wed, 22 Jul 2020 14:02:51 +0000 (+0100) Subject: Merge remote-tracking branch 'upstream/pull/2723' X-Git-Tag: live~2175 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/c47ae999428a0135d2febf470a0b1422c8774eb5?hp=bc3a5adc794765ce3646cc308834b9947c8b0aaf Merge remote-tracking branch 'upstream/pull/2723' --- diff --git a/.travis.yml b/.travis.yml index ce0a625ec..6acf89e48 100644 --- a/.travis.yml +++ b/.travis.yml @@ -31,6 +31,7 @@ script: - bundle exec rubocop -f fuubar - bundle exec rake eslint - bundle exec erblint . + - bundle exec brakeman -q - bundle exec rake db:structure:dump - sed -e "/idle_in_transaction_session_timeout/d" -e 's/ IMMUTABLE / /' -e "/^--/d" db/structure.sql > db/structure.actual - diff -uw db/structure.expected db/structure.actual diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 439e2e95f..568566c17 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -41,6 +41,14 @@ You can view test coverage statistics by browsing the `coverage` directory. The tests are automatically run on Pull Requests and other commits with the results shown on [Travis CI](https://travis-ci.org/openstreetmap/openstreetmap-website). +## Static Analysis + +We also perform static analysis of our code. You can run the analysis yourself with: + +``` +bundle exec brakeman -q +``` + ## Comments Sometimes it's not apparent from the code itself what it does, or, diff --git a/Gemfile b/Gemfile index 1cd0edca7..540f61634 100644 --- a/Gemfile +++ b/Gemfile @@ -138,6 +138,7 @@ end # Gems needed for running tests group :test do + gem "brakeman" gem "capybara", ">= 2.15" gem "coveralls", :require => false gem "erb_lint", :require => false diff --git a/Gemfile.lock b/Gemfile.lock index 299d62f62..0843b96a0 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -110,6 +110,7 @@ GEM autoprefixer-rails (>= 9.1.0) popper_js (>= 1.14.3, < 2) sassc-rails (>= 2.0.0) + brakeman (4.8.2) browser (4.2.0) builder (3.2.4) bzip2-ffi (1.0.0) 
@@ -484,6 +485,7 @@ DEPENDENCIES binding_of_caller bootsnap (>= 1.4.2) bootstrap (~> 4.5.0) + brakeman browser bzip2-ffi cancancan diff --git a/config/brakeman.yml b/config/brakeman.yml new file mode 100644 index 000000000..f8fab871e --- /dev/null +++ b/config/brakeman.yml @@ -0,0 +1,9 @@ +:skip_checks: +# These checks are skipped, but should be considered TODO +- CheckCrossSiteScripting +- CheckExecute +- CheckFileAccess +- CheckRedirect +- CheckRender +- CheckSendFile +- CheckSQL
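Review bot: In the `.travis.yml` hunk, the new `- bundle exec brakeman -q` step relies on Brakeman's default of exiting non-zero when warnings are found, which is what makes this a build gate rather than a report; it would be clearer to state that intent explicitly with `--exit-on-warn`, and also to add `--exit-on-error` so that a file Brakeman cannot parse fails the build instead of being silently skipped. Note that `-q` only suppresses informational output, so the warning table still appears in the Travis log when the step fails.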
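Review bot: The new "Static Analysis" section in `CONTRIBUTING.md` does not mention that the scan is configured by `config/brakeman.yml`, which in this same change skips the SQL injection, cross-site scripting, command execution, file access, redirect, render and send_file checks. A contributor reading "You can run the analysis yourself with: bundle exec brakeman -q" will reasonably take a clean run as covering those classes. Suggest one sentence pointing at the config file and stating that several checks are currently disabled pending cleanup, so a clean local run is not read as a full audit.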
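Review bot: In the `Gemfile` hunk, `gem "brakeman"` is added to the `:test` group without `:require => false`, unlike the neighbouring `gem "coveralls", :require => false` and `gem "erb_lint", :require => false`. Brakeman is only ever invoked as a command through `bundle exec`, so there is no reason for `Bundler.require` to load it into the test process; marking it `:require => false` keeps it consistent with the other lint tooling in this group and avoids loading an unneeded library into the test runtime.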
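Review bot: `Gemfile.lock` pins `brakeman (4.8.2)`, which is correct for reproducible CI but means new checks shipped in later Brakeman releases will not run until someone bumps the lock. Worth a note in the PR or in `CONTRIBUTING.md` that the scanner version is intentionally pinned and should be updated alongside other test dependencies, since a stale scanner quietly narrows what CI is actually checking for.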
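Review bot: In `config/brakeman.yml`, the `:skip_checks:` list disables exactly the checks that cover the highest-impact finding classes (`CheckSQL`, `CheckCrossSiteScripting`, `CheckExecute`, `CheckFileAccess`, `CheckRedirect`, `CheckRender`, `CheckSendFile`), so the CI gate will not catch a newly introduced SQL injection or XSS pattern even though the comment marks these as TODO. Rather than turning whole checks off, consider keeping them enabled and suppressing only the existing findings by fingerprint through a `config/brakeman.ignore` file (Brakeman's `-I` interactive mode can generate it); that way the current warnings stop failing the build while any new finding in these categories still does. If the skip list is kept for now, an issue reference next to the "should be considered TODO" comment would make the debt trackable.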