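--- a/integration/flags/.snapshots/TestInitCommand
+++ b/integration/flags/.snapshots/TestInitCommand
@@ -688,7 +688,7 @@
  match_violation: true
  - pattern: |
  class $ANYTHING < ApplicationRecord
- device password_length: $MIN_LENGTH..$MAX_LENGTH
+ devise password_length: $MIN_LENGTH..$MAX_LENGTH
  end
  filters:
  - variable: MAX_LENGTH
@@ -702,7 +702,17 @@
  maximum: null
  match_violation: true
  - pattern: |
- Device.setup do |config|
+ Devise.setup do |config|
+ config.password_length = $MIN_LENGTH..$MAX_LENGTH
+ end
+ filters:
+ - variable: MIN_LENGTH
+ values: []
+ minimum: 8
+ maximum: null
+ match_violation: true
+ - pattern: |
+ Devise.setup do |config|
  config.password_length = $LENGTH
  end
  filters: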
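--- a/pkg/commands/process/settings/custom_detector.yml
+++ b/pkg/commands/process/settings/custom_detector.yml
@@ -13,7 +13,7 @@
  match_violation: true
  - pattern: |
  class $ANYTHING < ApplicationRecord
- device password_length: $MIN_LENGTH..$MAX_LENGTH
+ devise password_length: $MIN_LENGTH..$MAX_LENGTH
  end
  filters:
  - variable: MAX_LENGTH
@@ -23,7 +23,15 @@
  minimum: 8
  match_violation: true
  - pattern: |
- Device.setup do |config|
+ Devise.setup do |config|
+ config.password_length = $MIN_LENGTH..$MAX_LENGTH
+ end
+ filters:
+ - variable: MIN_LENGTH
+ minimum: 8
+ match_violation: true
+ - pattern: |
+ Devise.setup do |config|
  config.password_length = $LENGTH
  end
  filters: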
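Review bot: The new `Devise.setup` range pattern in custom_detector.yml (second hunk) carries only a `MIN_LENGTH` filter with `minimum: 8` and no `MAX_LENGTH` filter, so an initializer that caps passwords too low (for example `config.password_length = 8..12`, a constructed case) would not be reported, whereas the sibling `class $ANYTHING < ApplicationRecord` range pattern does filter `MAX_LENGTH`. The test configuration added in pkg/detectors/custom/testdata/config/ruby_password_length.yml gives the same pattern a `- variable: MAX_LENGTH` / `minimum: 35` filter, so the shipped default appears to have diverged from what the detector tests exercise; the TestInitCommand snapshot shows the same omission. The `filters:` list for the class pattern continues outside the first hunk, so the threshold it uses for `MAX_LENGTH` is not visible here. Consider adding the matching `MAX_LENGTH` filter to this pattern and regenerating the snapshot.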
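--- a/pkg/detectors/custom/.snapshots/TestRubyPasswordLengthClassMinMax
+++ b/pkg/detectors/custom/.snapshots/TestRubyPasswordLengthClassMinMax
@@ -6,13 +6,29 @@
  "filename": "users.rb",
  "language": "Ruby",
  "language_type": "programming",
+ "line_number": 7,
+ "column_number": 1,
+ "text": "class $ANYTHING \u003c ApplicationRecord\n validates :password, length: { minimum: $LENGTH }\nend\n"
+ },
+ "value": {
+ "line_number": 7,
+ "content": "class Employee \u003c ApplicationRecord\n\tvalidates :password, length: { minimum: 6 }\nend"
+ }
+ },
+ {
+ "type": "custom_risk",
+ "detector_type": "ruby_password_length",
+ "source": {
+ "filename": "users.rb",
+ "language": "Ruby",
+ "language_type": "programming",
  "line_number": 2,
  "column_number": 1,
- "text": "class $ANYTHING \u003c ApplicationRecord\n device password_length: $MIN_LENGTH..$MAX_LENGTH\nend\n"
+ "text": "class $ANYTHING \u003c ApplicationRecord\n devise password_length: $MIN_LENGTH..$MAX_LENGTH\nend\n"
  },
  "value": {
  "line_number": 2,
- "content": "class User \u003c ApplicationRecord\n\tdevice password_length: 11..32\nend"
+ "content": "class User \u003c ApplicationRecord\n\tdevise password_length: 11..32\nend"
  }
  },
  {
@@ -22,13 +38,13 @@
  "filename": "users.rb",
  "language": "Ruby",
  "language_type": "programming",
- "line_number": 8,
+ "line_number": 12,
  "column_number": 1,
- "text": "class $ANYTHING \u003c ApplicationRecord\n device password_length: $MIN_LENGTH..$MAX_LENGTH\nend\n"
+ "text": "class $ANYTHING \u003c ApplicationRecord\n devise password_length: $MIN_LENGTH..$MAX_LENGTH\nend\n"
  },
  "value": {
- "line_number": 8,
- "content": "class Student \u003c ApplicationRecord\n\tdevice password_length: 6..36\nend"
+ "line_number": 12,
+ "content": "class Student \u003c ApplicationRecord\n\tdevise password_length: 6..36\nend"
  }
  }
 ]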
    pkg/detectors/custom/.snapshots/TestRubyPasswordLengthIteration
    skipped 2 lines
    3 3   "type": "custom_risk",
    4 4   "detector_type": "ruby_password_length",
    5 5   "source": {
     6 + "filename": "devise.rb",
     7 + "language": "Ruby",
     8 + "language_type": "programming",
     9 + "line_number": 11,
     10 + "column_number": 1,
     11 + "text": "Devise.setup do |config|\n config.password_length = $MIN_LENGTH..$MAX_LENGTH\nend\n"
     12 + },
     13 + "value": {
     14 + "line_number": 11,
     15 + "content": "Devise.setup do |config|\n # The secret key used by Devise. Devise uses this key to generate\n # random tokens. Changing this key will render invalid all existing\n # confirmation, reset password and unlock tokens in the database.\n # Devise will use the `secret_key_base` as its `secret_key`\n # by default. You can change it below and use your own secret key.\n # config.secret_key = '\u003c%= SecureRandom.hex(64) %\u003e'\n\n # ==\u003e Controller configuration\n # Configure the parent class to the devise controllers.\n # config.parent_controller = 'DeviseController'\n\n # ==\u003e Mailer Configuration\n # Configure the e-mail address which will be shown in Devise::Mailer,\n # note that it will be overwritten if you use your own mailer class\n # with default \"from\" parameter.\n config.mailer_sender = '[email protected]'\n\n # Configure the class responsible to send e-mails.\n # config.mailer = 'Devise::Mailer'\n\n # Configure the parent class responsible to send e-mails.\n # config.parent_mailer = 'ActionMailer::Base'\n\n # ==\u003e ORM configuration\n # Load and configure the ORM. Supports :active_record (default) and\n # :mongoid (bson_ext recommended) by default. Other ORMs may be\n # available as additional gems.\n require 'devise/orm/\u003c%= options[:orm] %\u003e'\n\n # ==\u003e Configuration for any authentication mechanism\n # Configure which keys are used when authenticating a user. The default is\n # just :email. You can configure it to use [:username, :subdomain], so for\n # authenticating a user, both parameters are required. Remember that those\n # parameters are used only when authenticating and not when retrieving from\n # session. 
If you need permissions, you should implement that in a before filter.\n # You can also supply a hash where the value is a boolean determining whether\n # or not authentication should be aborted when the value is not present.\n # config.authentication_keys = [:email]\n\n # Configure parameters from the request object used for authentication. Each entry\n # given should be a request method and it will automatically be passed to the\n # find_for_authentication method and considered in your model lookup. For instance,\n # if you set :request_keys to [:subdomain], :subdomain will be used on authentication.\n # The same considerations mentioned for authentication_keys also apply to request_keys.\n # config.request_keys = []\n\n # Configure which authentication keys should be case-insensitive.\n # These keys will be downcased upon creating or modifying a user and when used\n # to authenticate or find a user. Default is :email.\n config.case_insensitive_keys = [:email]\n\n # Configure which authentication keys should have whitespace stripped.\n # These keys will have whitespace before and after removed upon creating or\n # modifying a user and when used to authenticate or find a user. Default is :email.\n config.strip_whitespace_keys = [:email]\n\n # Tell if authentication through request.params is enabled. True by default.\n # It can be set to an array that will enable params authentication only for the\n # given strategies, for example, `config.params_authenticatable = [:database]` will\n # enable it only for database (email + password) authentication.\n # config.params_authenticatable = true\n\n # Tell if authentication through HTTP Auth is enabled. 
False by default.\n # It can be set to an array that will enable http authentication only for the\n # given strategies, for example, `config.http_authenticatable = [:database]` will\n # enable it only for database authentication.\n # For API-only applications to support authentication \"out-of-the-box\", you will likely want to\n # enable this with :database unless you are using a custom strategy.\n # The supported strategies are:\n # :database = Support basic authentication with authentication key + password\n # config.http_authenticatable = false\n\n # If 401 status code should be returned for AJAX requests. True by default.\n # config.http_authenticatable_on_xhr = true\n\n # The realm used in Http Basic Authentication. 'Application' by default.\n # config.http_authentication_realm = 'Application'\n\n # It will change confirmation, password recovery and other workflows\n # to behave the same regardless if the e-mail provided was right or wrong.\n # Does not affect registerable.\n # config.paranoid = true\n\n # By default Devise will store the user in session. You can skip storage for\n # particular strategies by setting this option.\n # Notice that if you are skipping storage for all authentication paths, you\n # may want to disable generating routes to Devise's sessions controller by\n # passing skip: :sessions to `devise_for` in your config/routes.rb\n config.skip_session_storage = [:http_auth]\n\n # By default, Devise cleans up the CSRF token on authentication to\n # avoid CSRF token fixation attacks. This means that, when using AJAX\n # requests for sign in and sign up, you need to get a new CSRF token\n # from the server. 
You can disable this option at your own risk.\n # config.clean_up_csrf_token_on_authentication = true\n\n # When false, Devise will not attempt to reload routes on eager load.\n # This can reduce the time taken to boot the app but if your application\n # requires the Devise mappings to be loaded during boot time the application\n # won't boot properly.\n # config.reload_routes = true\n\n # ==\u003e Configuration for :database_authenticatable\n # For bcrypt, this is the cost for hashing the password and defaults to 12. If\n # using other algorithms, it sets how many times you want the password to be hashed.\n # The number of stretches used for generating the hashed password are stored\n # with the hashed password. This allows you to change the stretches without\n # invalidating existing passwords.\n #\n # Limiting the stretches to just one in testing will increase the performance of\n # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use\n # a value less than 10 in other environments. Note that, for bcrypt (the default\n # algorithm), the cost increases exponentially with the number of stretches (e.g.\n # a value of 20 is already extremely slow: approx. 60 seconds for 1 calculation).\n config.stretches = Rails.env.test? ? 1 : 12\n\n # Set up a pepper to generate the hashed password.\n # config.pepper = '\u003c%= SecureRandom.hex(64) %\u003e'\n\n # Send a notification to the original email when the user's email is changed.\n # config.send_email_changed_notification = false\n\n # Send a notification email when the user's password is changed.\n # config.send_password_change_notification = false\n\n # ==\u003e Configuration for :confirmable\n # A period that the user is allowed to access the website even without\n # confirming their account. 
For instance, if set to 2.days, the user will be\n # able to access the website for two days without confirming their account,\n # access will be blocked just in the third day.\n # You can also set it to nil, which will allow the user to access the website\n # without confirming their account.\n # Default is 0.days, meaning the user cannot access the website without\n # confirming their account.\n # config.allow_unconfirmed_access_for = 2.days\n\n # A period that the user is allowed to confirm their account before their\n # token becomes invalid. For example, if set to 3.days, the user can confirm\n # their account within 3 days after the mail was sent, but on the fourth day\n # their account can't be confirmed with the token any more.\n # Default is nil, meaning there is no restriction on how long a user can take\n # before confirming their account.\n # config.confirm_within = 3.days\n\n # If true, requires any email changes to be confirmed (exactly the same way as\n # initial account confirmation) to be applied. Requires additional unconfirmed_email\n # db field (see migrations). Until confirmed, new email is stored in\n # unconfirmed_email column, and copied to email column on successful confirmation.\n config.reconfirmable = true\n\n # Defines which key will be used when confirming an account\n # config.confirmation_keys = [:email]\n\n # ==\u003e Configuration for :rememberable\n # The time the user will be remembered without asking for credentials again.\n # config.remember_for = 2.weeks\n\n # Invalidates all the remember me tokens when the user signs out.\n config.expire_all_remember_me_on_sign_out = true\n\n # If true, extends the user's remember period when remembered via cookie.\n # config.extend_remember_period = false\n\n # Options to be passed to the created cookie. 
For instance, you can set\n # secure: true in order to force SSL only cookies.\n # config.rememberable_options = {}\n\n # ==\u003e Configuration for :validatable\n # Range for password length.\n config.password_length = 6..128\n\n # Email regex used to validate email formats. It simply asserts that\n # one (and only one) @ exists in the given string. This is mainly\n # to give user feedback and not to assert the e-mail validity.\n config.email_regexp = /\\A[^@\\s]+@[^@\\s]+\\z/\n\n # ==\u003e Configuration for :timeoutable\n # The time you want to timeout the user session without activity. After this\n # time the user will be asked for credentials again. Default is 30 minutes.\n # config.timeout_in = 30.minutes\n\n # ==\u003e Configuration for :lockable\n # Defines which strategy will be used to lock an account.\n # :failed_attempts = Locks an account after a number of failed attempts to sign in.\n # :none = No lock strategy. You should handle locking by yourself.\n # config.lock_strategy = :failed_attempts\n\n # Defines which key will be used when locking and unlocking an account\n # config.unlock_keys = [:email]\n\n # Defines which strategy will be used to unlock an account.\n # :email = Sends an unlock link to the user email\n # :time = Re-enables login after a certain amount of time (see :unlock_in below)\n # :both = Enables both strategies\n # :none = No unlock strategy. 
You should handle unlocking by yourself.\n # config.unlock_strategy = :both\n\n # Number of authentication tries before locking an account if lock_strategy\n # is failed attempts.\n # config.maximum_attempts = 20\n\n # Time interval to unlock the account if :time is enabled as unlock_strategy.\n # config.unlock_in = 1.hour\n\n # Warn on the last attempt before the account is locked.\n # config.last_attempt_warning = true\n\n # ==\u003e Configuration for :recoverable\n #\n # Defines which key will be used when recovering the password for an account\n # config.reset_password_keys = [:email]\n\n # Time interval you can reset your password with a reset password key.\n # Don't put a too small interval or your users won't have the time to\n # change their passwords.\n config.reset_password_within = 6.hours\n\n # When set to false, does not sign a user in automatically after their password is\n # reset. Defaults to true, so a user is signed in automatically after a reset.\n # config.sign_in_after_reset_password = true\n\n # ==\u003e Configuration for :encryptable\n # Allow you to use another hashing or encryption algorithm besides bcrypt (default).\n # You can use :sha1, :sha512 or algorithms from others authentication tools as\n # :clearance_sha1, :authlogic_sha512 (then you should set stretches above to 20\n # for default behavior) and :restful_authentication_sha1 (then you should set\n # stretches to 10, and copy REST_AUTH_SITE_KEY to pepper).\n #\n # Require the `devise-encryptable` gem when using anything other than bcrypt\n # config.encryptor = :sha512\n\n # ==\u003e Scopes configuration\n # Turn scoped views on. Before rendering \"sessions/new\", it will first check for\n # \"users/sessions/new\". It's turned off by default because it's slower if you\n # are using only default views.\n # config.scoped_views = false\n\n # Configure the default scope given to Warden. 
By default it's the first\n # devise role declared in your routes (usually :user).\n # config.default_scope = :user\n\n # Set this configuration to false if you want /users/sign_out to sign out\n # only the current scope. By default, Devise signs out all scopes.\n # config.sign_out_all_scopes = true\n\n # ==\u003e Navigation configuration\n # Lists the formats that should be treated as navigational. Formats like\n # :html, should redirect to the sign in page when the user does not have\n # access, but formats like :xml or :json, should return 401.\n #\n # If you have any extra navigational formats, like :iphone or :mobile, you\n # should add them to the navigational formats lists.\n #\n # The \"*/*\" below is required to match Internet Explorer requests.\n # config.navigational_formats = ['*/*', :html]\n\n # The default HTTP method used to sign out a resource. Default is :delete.\n config.sign_out_via = :delete\n\n # ==\u003e OmniAuth\n # Add a new OmniAuth provider. Check the wiki for more information on setting\n # up on your models and hooks.\n # config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'\n\n # ==\u003e Warden configuration\n # If you want to use other strategies, that are not supported by Devise, or\n # change the failure app, you can configure them inside the config.warden block.\n #\n # config.warden do |manager|\n # manager.intercept_401 = false\n # manager.default_strategies(scope: :user).unshift :some_external_strategy\n # end\n\n # ==\u003e Mountable engine configurations\n # When using Devise inside an engine, let's call it `MyEngine`, and this engine\n # is mountable, there are some extra configurations to be taken into account.\n # The following options are available, assuming the engine is mounted as:\n #\n # mount MyEngine, at: '/my_engine'\n #\n # The router that invoked `devise_for`, in the example above, would be:\n # config.router_name = :my_engine\n #\n # When using OmniAuth, Devise cannot automatically set 
OmniAuth path,\n # so you need to do it manually. For the users scope, it would be:\n # config.omniauth_path_prefix = '/my_engine/users/auth'\n\n # ==\u003e Turbolinks configuration\n # If your app is using Turbolinks, Turbolinks::Controller needs to be included to make redirection work correctly:\n #\n # ActiveSupport.on_load(:devise_failure_app) do\n # include Turbolinks::Controller\n # end\n\n # ==\u003e Configuration for :registerable\n\n # When set to false, does not sign a user in automatically after their password is\n # changed. Defaults to true, so a user is signed in automatically after changing a password.\n # config.sign_in_after_change_password = true\nend"
     16 + }
     17 + },
     18 + {
     19 + "type": "custom_risk",
     20 + "detector_type": "ruby_password_length",
     21 + "source": {
    6 22   "filename": "users.rb",
    7 23   "language": "Ruby",
    8 24   "language_type": "programming",
    9 25   "line_number": 1,
    10 26   "column_number": 1,
    11  - "text": "Device.setup do |config|\n config.password_length = $LENGTH\nend\n"
     27 + "text": "Devise.setup do |config|\n config.password_length = $LENGTH\nend\n"
    12 28   },
    13 29   "value": {
    14 30   "line_number": 1,
    15  - "content": "Device.setup do |config|\n\tconfig.password_length = 6\nend"
     31 + "content": "Devise.setup do |config|\n\tconfig.password_length = 6\nend"
    16 32   }
    17 33   }
    18 34  ]
    skipped 1 lines
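--- a/pkg/detectors/custom/testdata/config/ruby_password_length.yml
+++ b/pkg/detectors/custom/testdata/config/ruby_password_length.yml
@@ -9,26 +9,37 @@
  end
  filters:
  - variable: LENGTH
- minimum: 10
+ minimum: 8
  match_violation: true
  - pattern: |
  class $ANYTHING < ApplicationRecord
- device password_length: $MIN_LENGTH..$MAX_LENGTH
+ devise password_length: $MIN_LENGTH..$MAX_LENGTH
  end
  filters:
  - variable: MAX_LENGTH
  minimum: 35
  match_violation: true
  - variable: MIN_LENGTH
- minimum: 10
+ minimum: 8
+ match_violation: true
+ - pattern: |
+ Devise.setup do |config|
+ config.password_length = $MIN_LENGTH..$MAX_LENGTH
+ end
+ filters:
+ - variable: MIN_LENGTH
+ minimum: 8
+ match_violation: true
+ - variable: MAX_LENGTH
+ minimum: 35
  match_violation: true
  - pattern: |
- Device.setup do |config|
+ Devise.setup do |config|
  config.password_length = $LENGTH
  end
  filters:
  - variable: LENGTH
- minimum: 10
+ minimum: 8
  match_violation: true
  detect_presence: true
 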
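--- a/pkg/detectors/custom/testdata/ruby/password_length/class_min_max/users.rb
+++ b/pkg/detectors/custom/testdata/ruby/password_length/class_min_max/users.rb
@@ -1,15 +1,19 @@
 # it should match since max is lower than required
 class User < ApplicationRecord
- device password_length: 11..32
+ devise password_length: 11..32
 end
 
+# it should match since minimum is lower than required
+class Employee < ApplicationRecord
+ validates :password, length: { minimum: 6 }
+end
 
 # it should match since min is lower than required
 class Student < ApplicationRecord
- device password_length: 6..36
+ devise password_length: 6..36
 end
 
 # it shouldn't match since max and min are withing boundaries
 class Admin < ApplicationRecord
- device password_length: 11..36
+ devise password_length: 11..36
 end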
    pkg/detectors/custom/testdata/ruby/password_length/iteration/devise.rb
     1 +# frozen_string_literal: true
     2 + 
     3 +# Assuming you have not yet modified this file, each configuration option below
     4 +# is set to its default value. Note that some are commented out while others
     5 +# are not: uncommented lines are intended to protect your configuration from
     6 +# breaking changes in upgrades (i.e., in the event that future versions of
     7 +# Devise change the default values for those options).
     8 +#
     9 +# Use this hook to configure devise mailer, warden hooks and so forth.
     10 +# Many of these configuration options can be set straight in your model.
     11 +Devise.setup do |config|
     12 + # The secret key used by Devise. Devise uses this key to generate
     13 + # random tokens. Changing this key will render invalid all existing
     14 + # confirmation, reset password and unlock tokens in the database.
     15 + # Devise will use the `secret_key_base` as its `secret_key`
     16 + # by default. You can change it below and use your own secret key.
     17 + # config.secret_key = '<%= SecureRandom.hex(64) %>'
     18 + 
     19 + # ==> Controller configuration
     20 + # Configure the parent class to the devise controllers.
     21 + # config.parent_controller = 'DeviseController'
     22 + 
     23 + # ==> Mailer Configuration
     24 + # Configure the e-mail address which will be shown in Devise::Mailer,
     25 + # note that it will be overwritten if you use your own mailer class
     26 + # with default "from" parameter.
     27 + config.mailer_sender = '[email protected]'
     28 + 
     29 + # Configure the class responsible to send e-mails.
     30 + # config.mailer = 'Devise::Mailer'
     31 + 
     32 + # Configure the parent class responsible to send e-mails.
     33 + # config.parent_mailer = 'ActionMailer::Base'
     34 + 
     35 + # ==> ORM configuration
     36 + # Load and configure the ORM. Supports :active_record (default) and
     37 + # :mongoid (bson_ext recommended) by default. Other ORMs may be
     38 + # available as additional gems.
     39 + require 'devise/orm/<%= options[:orm] %>'
     40 + 
     41 + # ==> Configuration for any authentication mechanism
     42 + # Configure which keys are used when authenticating a user. The default is
     43 + # just :email. You can configure it to use [:username, :subdomain], so for
     44 + # authenticating a user, both parameters are required. Remember that those
     45 + # parameters are used only when authenticating and not when retrieving from
     46 + # session. If you need permissions, you should implement that in a before filter.
     47 + # You can also supply a hash where the value is a boolean determining whether
     48 + # or not authentication should be aborted when the value is not present.
     49 + # config.authentication_keys = [:email]
     50 + 
     51 + # Configure parameters from the request object used for authentication. Each entry
     52 + # given should be a request method and it will automatically be passed to the
     53 + # find_for_authentication method and considered in your model lookup. For instance,
     54 + # if you set :request_keys to [:subdomain], :subdomain will be used on authentication.
     55 + # The same considerations mentioned for authentication_keys also apply to request_keys.
     56 + # config.request_keys = []
     57 + 
     58 + # Configure which authentication keys should be case-insensitive.
     59 + # These keys will be downcased upon creating or modifying a user and when used
     60 + # to authenticate or find a user. Default is :email.
     61 + config.case_insensitive_keys = [:email]
     62 + 
     63 + # Configure which authentication keys should have whitespace stripped.
     64 + # These keys will have whitespace before and after removed upon creating or
     65 + # modifying a user and when used to authenticate or find a user. Default is :email.
     66 + config.strip_whitespace_keys = [:email]
     67 + 
     68 + # Tell if authentication through request.params is enabled. True by default.
     69 + # It can be set to an array that will enable params authentication only for the
     70 + # given strategies, for example, `config.params_authenticatable = [:database]` will
     71 + # enable it only for database (email + password) authentication.
     72 + # config.params_authenticatable = true
     73 + 
     74 + # Tell if authentication through HTTP Auth is enabled. False by default.
     75 + # It can be set to an array that will enable http authentication only for the
     76 + # given strategies, for example, `config.http_authenticatable = [:database]` will
     77 + # enable it only for database authentication.
     78 + # For API-only applications to support authentication "out-of-the-box", you will likely want to
     79 + # enable this with :database unless you are using a custom strategy.
     80 + # The supported strategies are:
     81 + # :database = Support basic authentication with authentication key + password
     82 + # config.http_authenticatable = false
     83 + 
     84 + # If 401 status code should be returned for AJAX requests. True by default.
     85 + # config.http_authenticatable_on_xhr = true
     86 + 
     87 + # The realm used in Http Basic Authentication. 'Application' by default.
     88 + # config.http_authentication_realm = 'Application'
     89 + 
     90 + # It will change confirmation, password recovery and other workflows
     91 + # to behave the same regardless if the e-mail provided was right or wrong.
     92 + # Does not affect registerable.
     93 + # config.paranoid = true
     94 + 
     95 + # By default Devise will store the user in session. You can skip storage for
     96 + # particular strategies by setting this option.
     97 + # Notice that if you are skipping storage for all authentication paths, you
     98 + # may want to disable generating routes to Devise's sessions controller by
     99 + # passing skip: :sessions to `devise_for` in your config/routes.rb
     100 + config.skip_session_storage = [:http_auth]
     101 + 
     102 + # By default, Devise cleans up the CSRF token on authentication to
     103 + # avoid CSRF token fixation attacks. This means that, when using AJAX
     104 + # requests for sign in and sign up, you need to get a new CSRF token
     105 + # from the server. You can disable this option at your own risk.
     106 + # config.clean_up_csrf_token_on_authentication = true
     107 + 
     108 + # When false, Devise will not attempt to reload routes on eager load.
     109 + # This can reduce the time taken to boot the app but if your application
     110 + # requires the Devise mappings to be loaded during boot time the application
     111 + # won't boot properly.
     112 + # config.reload_routes = true
     113 + 
     114 + # ==> Configuration for :database_authenticatable
     115 + # For bcrypt, this is the cost for hashing the password and defaults to 12. If
     116 + # using other algorithms, it sets how many times you want the password to be hashed.
     117 + # The number of stretches used for generating the hashed password are stored
     118 + # with the hashed password. This allows you to change the stretches without
     119 + # invalidating existing passwords.
     120 + #
     121 + # Limiting the stretches to just one in testing will increase the performance of
     122 + # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use
     123 + # a value less than 10 in other environments. Note that, for bcrypt (the default
     124 + # algorithm), the cost increases exponentially with the number of stretches (e.g.
     125 + # a value of 20 is already extremely slow: approx. 60 seconds for 1 calculation).
     126 + config.stretches = Rails.env.test? ? 1 : 12
     127 + 
     128 + # Set up a pepper to generate the hashed password.
     129 + # config.pepper = '<%= SecureRandom.hex(64) %>'
     130 + 
     131 + # Send a notification to the original email when the user's email is changed.
     132 + # config.send_email_changed_notification = false
     133 + 
     134 + # Send a notification email when the user's password is changed.
     135 + # config.send_password_change_notification = false
     136 + 
     137 + # ==> Configuration for :confirmable
     138 + # A period that the user is allowed to access the website even without
     139 + # confirming their account. For instance, if set to 2.days, the user will be
     140 + # able to access the website for two days without confirming their account,
     141 + # access will be blocked just in the third day.
     142 + # You can also set it to nil, which will allow the user to access the website
     143 + # without confirming their account.
     144 + # Default is 0.days, meaning the user cannot access the website without
     145 + # confirming their account.
     146 + # config.allow_unconfirmed_access_for = 2.days
     147 + 
     148 + # A period that the user is allowed to confirm their account before their
     149 + # token becomes invalid. For example, if set to 3.days, the user can confirm
     150 + # their account within 3 days after the mail was sent, but on the fourth day
     151 + # their account can't be confirmed with the token any more.
     152 + # Default is nil, meaning there is no restriction on how long a user can take
     153 + # before confirming their account.
     154 + # config.confirm_within = 3.days
     155 + 
     156 + # If true, requires any email changes to be confirmed (exactly the same way as
     157 + # initial account confirmation) to be applied. Requires additional unconfirmed_email
     158 + # db field (see migrations). Until confirmed, new email is stored in
     159 + # unconfirmed_email column, and copied to email column on successful confirmation.
     160 + config.reconfirmable = true
     161 + 
     162 + # Defines which key will be used when confirming an account
     163 + # config.confirmation_keys = [:email]
     164 + 
     165 + # ==> Configuration for :rememberable
     166 + # The time the user will be remembered without asking for credentials again.
     167 + # config.remember_for = 2.weeks
     168 + 
     169 + # Invalidates all the remember me tokens when the user signs out.
     170 + config.expire_all_remember_me_on_sign_out = true
     171 + 
     172 + # If true, extends the user's remember period when remembered via cookie.
     173 + # config.extend_remember_period = false
     174 + 
     175 + # Options to be passed to the created cookie. For instance, you can set
     176 + # secure: true in order to force SSL only cookies.
     177 + # config.rememberable_options = {}
     178 + 
     179 + # ==> Configuration for :validatable
     180 + # Range for password length.
     181 + config.password_length = 6..128
     182 + 
     183 + # Email regex used to validate email formats. It simply asserts that
     184 + # one (and only one) @ exists in the given string. This is mainly
     185 + # to give user feedback and not to assert the e-mail validity.
     186 + config.email_regexp = /\A[^@\s]+@[^@\s]+\z/
     187 + 
     188 + # ==> Configuration for :timeoutable
     189 + # The time you want to timeout the user session without activity. After this
     190 + # time the user will be asked for credentials again. Default is 30 minutes.
     191 + # config.timeout_in = 30.minutes
     192 + 
     193 + # ==> Configuration for :lockable
     194 + # Defines which strategy will be used to lock an account.
     195 + # :failed_attempts = Locks an account after a number of failed attempts to sign in.
     196 + # :none = No lock strategy. You should handle locking by yourself.
     197 + # config.lock_strategy = :failed_attempts
     198 + 
     199 + # Defines which key will be used when locking and unlocking an account
     200 + # config.unlock_keys = [:email]
     201 + 
     202 + # Defines which strategy will be used to unlock an account.
     203 + # :email = Sends an unlock link to the user email
     204 + # :time = Re-enables login after a certain amount of time (see :unlock_in below)
     205 + # :both = Enables both strategies
     206 + # :none = No unlock strategy. You should handle unlocking by yourself.
     207 + # config.unlock_strategy = :both
     208 + 
     209 + # Number of authentication tries before locking an account if lock_strategy
     210 + # is failed attempts.
     211 + # config.maximum_attempts = 20
     212 + 
     213 + # Time interval to unlock the account if :time is enabled as unlock_strategy.
     214 + # config.unlock_in = 1.hour
     215 + 
     216 + # Warn on the last attempt before the account is locked.
     217 + # config.last_attempt_warning = true
     218 + 
     219 + # ==> Configuration for :recoverable
     220 + #
     221 + # Defines which key will be used when recovering the password for an account
     222 + # config.reset_password_keys = [:email]
     223 + 
     224 + # Time interval you can reset your password with a reset password key.
     225 + # Don't put a too small interval or your users won't have the time to
     226 + # change their passwords.
     227 + config.reset_password_within = 6.hours
     228 + 
     229 + # When set to false, does not sign a user in automatically after their password is
     230 + # reset. Defaults to true, so a user is signed in automatically after a reset.
     231 + # config.sign_in_after_reset_password = true
     232 + 
     233 + # ==> Configuration for :encryptable
     234 + # Allow you to use another hashing or encryption algorithm besides bcrypt (default).
     235 + # You can use :sha1, :sha512 or algorithms from others authentication tools as
     236 + # :clearance_sha1, :authlogic_sha512 (then you should set stretches above to 20
     237 + # for default behavior) and :restful_authentication_sha1 (then you should set
     238 + # stretches to 10, and copy REST_AUTH_SITE_KEY to pepper).
     239 + #
     240 + # Require the `devise-encryptable` gem when using anything other than bcrypt
     241 + # config.encryptor = :sha512
     242 + 
     243 + # ==> Scopes configuration
     244 + # Turn scoped views on. Before rendering "sessions/new", it will first check for
     245 + # "users/sessions/new". It's turned off by default because it's slower if you
     246 + # are using only default views.
     247 + # config.scoped_views = false
     248 + 
     249 + # Configure the default scope given to Warden. By default it's the first
     250 + # devise role declared in your routes (usually :user).
     251 + # config.default_scope = :user
     252 + 
     253 + # Set this configuration to false if you want /users/sign_out to sign out
     254 + # only the current scope. By default, Devise signs out all scopes.
     255 + # config.sign_out_all_scopes = true
     256 + 
     257 + # ==> Navigation configuration
     258 + # Lists the formats that should be treated as navigational. Formats like
     259 + # :html, should redirect to the sign in page when the user does not have
     260 + # access, but formats like :xml or :json, should return 401.
     261 + #
     262 + # If you have any extra navigational formats, like :iphone or :mobile, you
     263 + # should add them to the navigational formats lists.
     264 + #
     265 + # The "*/*" below is required to match Internet Explorer requests.
     266 + # config.navigational_formats = ['*/*', :html]
     267 + 
     268 + # The default HTTP method used to sign out a resource. Default is :delete.
     269 + config.sign_out_via = :delete
     270 + 
     271 + # ==> OmniAuth
     272 + # Add a new OmniAuth provider. Check the wiki for more information on setting
     273 + # up on your models and hooks.
     274 + # config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'
     275 + 
     276 + # ==> Warden configuration
     277 + # If you want to use other strategies, that are not supported by Devise, or
     278 + # change the failure app, you can configure them inside the config.warden block.
     279 + #
     280 + # config.warden do |manager|
     281 + # manager.intercept_401 = false
     282 + # manager.default_strategies(scope: :user).unshift :some_external_strategy
     283 + # end
     284 + 
     285 + # ==> Mountable engine configurations
     286 + # When using Devise inside an engine, let's call it `MyEngine`, and this engine
     287 + # is mountable, there are some extra configurations to be taken into account.
     288 + # The following options are available, assuming the engine is mounted as:
     289 + #
     290 + # mount MyEngine, at: '/my_engine'
     291 + #
     292 + # The router that invoked `devise_for`, in the example above, would be:
     293 + # config.router_name = :my_engine
     294 + #
     295 + # When using OmniAuth, Devise cannot automatically set OmniAuth path,
     296 + # so you need to do it manually. For the users scope, it would be:
     297 + # config.omniauth_path_prefix = '/my_engine/users/auth'
     298 + 
     299 + # ==> Turbolinks configuration
     300 + # If your app is using Turbolinks, Turbolinks::Controller needs to be included to make redirection work correctly:
     301 + #
     302 + # ActiveSupport.on_load(:devise_failure_app) do
     303 + # include Turbolinks::Controller
     304 + # end
     305 + 
     306 + # ==> Configuration for :registerable
     307 + 
     308 + # When set to false, does not sign a user in automatically after their password is
     309 + # changed. Defaults to true, so a user is signed in automatically after changing a password.
     310 + # config.sign_in_after_change_password = true
     311 +end
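--- a/pkg/detectors/custom/testdata/ruby/password_length/iteration/users.rb
+++ b/pkg/detectors/custom/testdata/ruby/password_length/iteration/users.rb
@@ -1,8 +1,8 @@
-Device.setup do |config|
+Devise.setup do |config|
   config.password_length = 6
 end
 
 # it should ignore this one as value is above minimum
-Device.setup do |config|
+Devise.setup do |config|
   config.password_length = 11
 end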
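Review bot: Both blocks in this fixture set `config.password_length` to a bare integer, so the range form that the devise.rb fixture added in this same commit uses (`config.password_length = 6..128`) has no positive case in this file. A third `Devise.setup do |config| ... end` block assigning `6..128`, expected to be reported because its lower bound is below the minimum, would pin that path. The comment on the second block only says the value is "above minimum"; a case at exactly the minimum the rule enforces would also fix the off-by-one direction of the comparison, which is otherwise untested here. Whether this file is consumed by the same detector as the range pattern is inferred from the directory name rather than visible in the hunk.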