From 78c5b69a17fbe55e1f425de7df81829e74282cfc Mon Sep 17 00:00:00 2001 
From: Noah Berman <15199622+bermannoah@users.noreply.github.com> Date: Thu, 9 Dec 2021 12:16:14 +0000 Subject: [PATCH] scan .erb files + add run_all_checks config Co-authored-by: Gavin Morrice --- README.md | 11 ++++ lib/pronto/brakeman.rb | 35 +++++++++--- lib/pronto/brakeman/version.rb | 2 +- .../app/views/layouts/application.html.erb | 6 ++- spec/fixtures/test.git/git/COMMIT_EDITMSG | 1 + spec/fixtures/test.git/git/index | Bin 6136 -> 6136 bytes spec/fixtures/test.git/git/logs/HEAD | 2 + .../test.git/git/logs/refs/heads/master | 2 + .../01/7afdbc86e35b2aeacb2c67673c66de76b2ef6f | Bin 0 -> 200 bytes .../1a/434a7ca370b8a4e7dbe269824b462c735b1106 | Bin 0 -> 65 bytes .../33/2406c5ad51ed6976ac26bf363994aa9085989d | Bin 0 -> 49 bytes .../70/8b611a518b602dafee3fc62eb0e1e97e32a794 | Bin 0 -> 433 bytes .../73/7a2ccda4d398b65fd784dd34940c1abffa67f4 | Bin 0 -> 374 bytes .../83/8853977ce26e7891807974dafaea83c9547587 | Bin 0 -> 433 bytes .../b0/9de21aa02cbb43386e3a1d7e7e0a628df7ca66 | 3 ++ .../c1/35cd22d47f5639e61723a47debd5a6d0fe3af0 | Bin 0 -> 50 bytes .../dc/0e362153d2e76f0a7ea457d665b3eb9f4aaf83 | Bin 0 -> 244 bytes .../eb/593c37df1cf6c6904adb9fa5f27f1757939802 | Bin 0 -> 242 bytes .../ec/0e22e42de60b4180b3762557e605a3062c1d40 | Bin 0 -> 200 bytes .../fc/ce070251b258ea92c18cae48bacafb8179a140 | Bin 0 -> 65 bytes spec/fixtures/test.git/git/refs/heads/master | 2 +- spec/pronto/brakeman_spec.rb | 50 ++++++++++++++++++ spec/spec_helper.rb | 4 +- 23 files changed, 105 insertions(+), 13 deletions(-) create mode 100644 spec/fixtures/test.git/git/COMMIT_EDITMSG create mode 100644 spec/fixtures/test.git/git/objects/01/7afdbc86e35b2aeacb2c67673c66de76b2ef6f create mode 100644 spec/fixtures/test.git/git/objects/1a/434a7ca370b8a4e7dbe269824b462c735b1106 create mode 100644 spec/fixtures/test.git/git/objects/33/2406c5ad51ed6976ac26bf363994aa9085989d create mode 100644 spec/fixtures/test.git/git/objects/70/8b611a518b602dafee3fc62eb0e1e97e32a794 create mode 100644 
spec/fixtures/test.git/git/objects/73/7a2ccda4d398b65fd784dd34940c1abffa67f4 create mode 100644 spec/fixtures/test.git/git/objects/83/8853977ce26e7891807974dafaea83c9547587 create mode 100644 spec/fixtures/test.git/git/objects/b0/9de21aa02cbb43386e3a1d7e7e0a628df7ca66 create mode 100644 spec/fixtures/test.git/git/objects/c1/35cd22d47f5639e61723a47debd5a6d0fe3af0 create mode 100644 spec/fixtures/test.git/git/objects/dc/0e362153d2e76f0a7ea457d665b3eb9f4aaf83 create mode 100644 spec/fixtures/test.git/git/objects/eb/593c37df1cf6c6904adb9fa5f27f1757939802 create mode 100644 spec/fixtures/test.git/git/objects/ec/0e22e42de60b4180b3762557e605a3062c1d40 create mode 100644 spec/fixtures/test.git/git/objects/fc/ce070251b258ea92c18cae48bacafb8179a140 diff --git a/README.md b/README.md index b5249cd..2186bc2 100644 --- a/README.md +++ b/README.md @@ -11,3 +11,14 @@ Pronto runner for [Brakeman](https://github.com/presidentbeef/brakeman), securit Brakeman [Confidence](https://github.com/presidentbeef/brakeman#confidence-levels) is mapped to severity levels on the messages generated by Pronto. High confidence maps to fatal, medium confidence maps to warning, and low confidence maps to info. + +## Run all checks + +Brakeman also includes some optional checks and by setting the following in your `.pronto.yml` you can run every check included in the gem: + +```yaml +brakeman: + run_all_checks: true +``` + +(This is the equivalent of running `brakeman -A` on the command line.) diff --git a/lib/pronto/brakeman.rb b/lib/pronto/brakeman.rb index 1234bec..f31c004 100644 --- a/lib/pronto/brakeman.rb +++ b/lib/pronto/brakeman.rb 
@@ -4,23 +4,25 @@ module Pronto
 class Brakeman < Runner
 def run
- files = ruby_patches.map do |patch|
+ patches = ruby_patches | erb_patches
+ files = patches.map do |patch|
 patch.new_file_full_path.relative_path_from(repo_path).to_s
- end
+ end.sort
 return [] unless files.any?
 output = ::Brakeman.run(app_path: repo_path, output_formats: [:to_s],
- only_files: files)
- messages_for(ruby_patches, output).compact
+ only_files: files,
+ run_all_checks: run_all_checks?)
+ messages_for(patches, output).compact
 rescue ::Brakeman::NoApplication
 []
 end
- def messages_for(ruby_patches, output)
+ def messages_for(code_patches, output)
 output.filtered_warnings.map do |warning|
- patch = patch_for_warning(ruby_patches, warning)
+ patch = patch_for_warning(code_patches, warning)
 next unless patch
 line = patch.added_lines.find do |added_line|
@@ -49,10 +51,27 @@ def severity_for_confidence(confidence_level)
 end
 end
- def patch_for_warning(ruby_patches, warning)
- ruby_patches.find do |patch|
+ def patch_for_warning(code_patches, warning)
+ code_patches.find do |patch|
 patch.new_file_full_path.to_s == warning.file.absolute
 end
 end
+
+ def run_all_checks?
+ pronto_brakeman_config['run_all_checks']
+ end
+
+ def pronto_brakeman_config
+ pronto_brakeman_config ||= Pronto::ConfigFile.new.to_h['brakeman'] || {}
+ end
+
+ def erb_patches
+ @erb_patches ||= Array(@patches).select { |patch| patch.additions > 0 }
+ .select { |patch| erb_file?(patch.new_file_full_path) }
+ end
+
+ def erb_file?(path)
+ File.extname(path) == '.erb'
+ end
 end
 end
diff --git a/lib/pronto/brakeman/version.rb b/lib/pronto/brakeman/version.rb
index 09a9e2c..bcc5d8a 100644
--- a/lib/pronto/brakeman/version.rb
+++ b/lib/pronto/brakeman/version.rb
@@ -1,5 +1,5 @@
 module Pronto
 module BrakemanVersion
- VERSION = '0.11.0'.freeze
+ VERSION = '0.11.1'.freeze
 end
 end
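Review bot: In the second hunk of lib/pronto/brakeman.rb, `pronto_brakeman_config ||= Pronto::ConfigFile.new.to_h['brakeman'] || {}` assigns a method-local variable that shadows the method itself, so nothing is memoized and `.pronto.yml` is re-read and parsed on every call to `run_all_checks?`; it should be `@pronto_brakeman_config ||= Pronto::ConfigFile.new.to_h['brakeman'] || {}`, matching the `@erb_patches` memo a few lines below. `run_all_checks?` is named as a predicate but returns the raw hash value (nil when the key is absent, or whatever non-boolean a user happens to put in the YAML), and that value is handed straight to `::Brakeman.run` in the first hunk; `pronto_brakeman_config['run_all_checks'] == true` would keep the option boolean and make the spec's `eq nil` expectation unnecessary. Both `run` and `messages_for` continue outside the first hunk.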
diff --git a/spec/fixtures/test.git/app/views/layouts/application.html.erb b/spec/fixtures/test.git/app/views/layouts/application.html.erb index 863127e..dc0e362 100644 --- a/spec/fixtures/test.git/app/views/layouts/application.html.erb +++ b/spec/fixtures/test.git/app/views/layouts/application.html.erb @@ -8,7 +8,11 @@ -<%= yield %> + <%= link_to some_url, target: "_blank" do -%> + Uh oh + <% end %> + + <%= yield %> diff --git a/spec/fixtures/test.git/git/COMMIT_EDITMSG b/spec/fixtures/test.git/git/COMMIT_EDITMSG new file mode 100644 index 0000000..c6bbe62 --- /dev/null +++ b/spec/fixtures/test.git/git/COMMIT_EDITMSG @@ -0,0 +1 @@ +Fix typo 
diff --git a/spec/fixtures/test.git/git/index b/spec/fixtures/test.git/git/index index 45a976267674f90985f865b5a6c2a6d38e587aa8..2fe53b5c3ad23ffd056d458cde06dbf790d8c51d 100644 GIT binary patch delta 2263 zcmYM#e@xVM9LMqR9dhV#!U1Qj>m(Q_Q9FLdh&$A5Iutk!VT+2hypo8ru&KkMDp!k^TN7DoO)W5MuBb)peedt<`}Pm^{No;be?EM_ z?}NpX#S+)1+QyBFq8RC?%74szz3QB2QLjN!tjf``2NdO{aYZrwHR>wO<i@&4>!LLy*r1 z(FWM)Er({)D)X9VE_ay2FIju9?$y3pMpU4npm81LZZ2U&1?m(uucQ27UNturC?u%DggX^{(ae*m zKzj-CUaJuk?o>2Az=#UeCFqPv+ckH|(H2Hjpl(6V6dYGJmCc9>)FUXEf=LylK}J-d zUO{JcR28_whzb-IrNbGL3QW#cPbHK(7jlt<)xYIyyg0phPuv@ODA7I(lyFlZ>c9 zd4gPNm=q|SVMGPW7u1_p$S>Fv8o9`b3baPhX?;>x**Zp4paMa*bR5@x{&z-HpgRQZ z(oxT(%7_Y7D9DnLqt2w;wR?pf-!Y^D-gy&Rab*9IdPY);h6G=I0d1j_I?ZDiZJdFx?kHB4-xZ7yxJR>SlwV-&W_U-Ygk2Eo&0<9C| z$l7Mx6ZPA-M|T!YUc2}6;&(1w4VNDqQ^Q%#Mnm^feDG4sUB7(gYHM5j#9ZjT-#S9= zt$PDXS#Fv6Zl~$9x3({|hb9U>sdSGW9~n4wc(=c+qcfQJywq&pSl9c;o)5+^pS#%J mUti-2v}Bm3Ze(3gvNhRb#+vH>pFiH5Su~w<#M3vKz3P8BAt~_y delta 2263 zcmZ|OT}V@L7zXfjHr?ht&V8Abb2D1CVt8D+SR~jNR4~jmSJ9*-M_<+`O|6zGE$w0; za)RonZq`M#i=gjV5F$i1iax-Ll0dsOD6=$-XolzU>bW@lFV2tWeb4`W&$K)(dpB>Z z+aw5rCi?_J8=m~mo`QOcf{-I_EUyuSo}?g%KL@-OW$HWioHN^DVjgB{VTNeV4%H}j zkp?vYg~b4?whQQdx7E{H3E%m*0XZ^fPz|znt)PTdQS&{{%{ll3g!f= z)QPF*+~f|aC_8w2cFN_wzU5;hKPDVjz9_gabTXiq1AGCI0zCxP60TCNqSO;3~BfHEAl z1Gx=!Yde4v2D)pVK;s;p0Se~Pq_aS&yjr#@F(8MLHhvB$Zlpud2mG}Dr9ps<Z6#3H zyhQ1<6tOffV4A0u1EsW1WtG*+(qzD9EA4GHP}<7=9@!7%u+`XQ+w=SFqt40Ddsiem z8mY{D>@8BdZ04>1GY-H0{Ma~nbxZey z`r$l7ba3LsFIP*`>FBAp+4mJj`Jq|#cfK6E8N61#|DZJ)eX;h@-AUUwt$oIG{dU!e RG~wUrnF!`*I=rEQ^gnT^L%{$5 diff --git a/spec/fixtures/test.git/git/logs/HEAD b/spec/fixtures/test.git/git/logs/HEAD index 9be2d72..3c473f4 100644 --- a/spec/fixtures/test.git/git/logs/HEAD +++ b/spec/fixtures/test.git/git/logs/HEAD 
@@ -1,2 +1,4 @@ 0000000000000000000000000000000000000000 da701274f54ae0fde7878e9834e5fb2e1148d48b Mindaugas Mozūras 1429988205 +0300 commit (initial): Initial commit da701274f54ae0fde7878e9834e5fb2e1148d48b 225af1ab522457873a5994c150d7ad571ff260c0 Mindaugas Mozūras 1429988422 +0300 commit: Add unsafe redirect_to with params +225af1ab522457873a5994c150d7ad571ff260c0 b09de21aa02cbb43386e3a1d7e7e0a628df7ca66 Noah Berman 1638890290 +0000 commit: Add a link that is vulnerable to reverse tabnabbing +b09de21aa02cbb43386e3a1d7e7e0a628df7ca66 737a2ccda4d398b65fd784dd34940c1abffa67f4 Noah Berman 1639049703 +0000 commit: Fix typo diff --git a/spec/fixtures/test.git/git/logs/refs/heads/master b/spec/fixtures/test.git/git/logs/refs/heads/master index 9be2d72..3c473f4 100644 --- a/spec/fixtures/test.git/git/logs/refs/heads/master +++ b/spec/fixtures/test.git/git/logs/refs/heads/master @@ -1,2 +1,4 @@ 0000000000000000000000000000000000000000 da701274f54ae0fde7878e9834e5fb2e1148d48b Mindaugas Mozūras 1429988205 +0300 commit (initial): Initial commit da701274f54ae0fde7878e9834e5fb2e1148d48b 225af1ab522457873a5994c150d7ad571ff260c0 Mindaugas Mozūras 1429988422 +0300 commit: Add unsafe redirect_to with params +225af1ab522457873a5994c150d7ad571ff260c0 b09de21aa02cbb43386e3a1d7e7e0a628df7ca66 Noah Berman 1638890290 +0000 commit: Add a link that is vulnerable to reverse tabnabbing +b09de21aa02cbb43386e3a1d7e7e0a628df7ca66 737a2ccda4d398b65fd784dd34940c1abffa67f4 Noah Berman 1639049703 +0000 commit: Fix typo 
diff --git a/spec/fixtures/test.git/git/objects/01/7afdbc86e35b2aeacb2c67673c66de76b2ef6f b/spec/fixtures/test.git/git/objects/01/7afdbc86e35b2aeacb2c67673c66de76b2ef6f new file mode 100644 index 0000000000000000000000000000000000000000..e85c0a0cbe46d90bd72bac89f1c32ae38f1bd423 GIT binary patch literal 200 zcmV;(05|`50V^p=O;s>5Fkvt;00M=?;^NejVg?-%<|{vWY-}!@+*$LHzo>gbqvQdI zg5>aoYbOX2KM8RH%(2S*l6j&Y1Mz*kZ;ZQk_8Y|8L2r1AQhpPbEdKG-}K+# zel2%h?(R_U<7Jy6DsmGu!DeVKQ93v&aNW9{?Ba2=jU-p@yLL9VK6ZO0)?E!%KXxjVg@N^ubRaLJC;1Z{V21^+fAo9T96F@ HDzFbA&e{`l literal 0 HcmV?d00001 diff --git a/spec/fixtures/test.git/git/objects/70/8b611a518b602dafee3fc62eb0e1e97e32a794 b/spec/fixtures/test.git/git/objects/70/8b611a518b602dafee3fc62eb0e1e97e32a794 new file mode 100644 index 0000000000000000000000000000000000000000..1b0b7cb5f5239d6dc77b7f0747a706d4c1584608 GIT binary patch literal 433 zcmV;i0Z#sS0V^p=O;s>4Ghr|^FfcPQQP4}zEXhpI%P&f0VC9)R_4uPV&M&nkpB2v9 zs`RyC(F&+4_tf09%$!t)MVk`RnF6mTr<}Lc*&kOm>F~DgKcGs2Tpe9}UG<7m@{<|v z`b~eNCps%4TH%p^#?O?d+NfWCFlC9^sbHgaWf$9CGVN{cXK;zzJMoanhp(5Oniv3q zLSjJy17p?SJ#CMpwO*apNl&*)yH~d9eLh4sDKn2ja_6-Zi|5##nKvWaWPQhK#d+-a zOQGf`=jWwmrt1}zGVE>M6e460Kl$&56_eJ!HFzrCF>@Eh2#6YnQ2zPKj~o56IsQ%j z8z(wx=Mk1`4mqC6TPj8n$(+n22KF0sx$6QZ&3(mt zzOFdLv`5f*UmH|5Kb=8yiPFJIf$P@oWEYQ{Z6vvJ-?d|65ZQv#q@2uT2Ia-dnJi3P z(+;grZ;!KM3lc7=xdl;Bl3HBC!2G-AP0vxY*0N&PzeZQBzD`d%rUa2LOU+BkFJfqD bdGWwEkmpdd;%BaDZtgWld6Z)S*LS-QjxgBa literal 0 HcmV?d00001 diff --git a/spec/fixtures/test.git/git/objects/73/7a2ccda4d398b65fd784dd34940c1abffa67f4 b/spec/fixtures/test.git/git/objects/73/7a2ccda4d398b65fd784dd34940c1abffa67f4 new file mode 100644 index 0000000000000000000000000000000000000000..834b06b63d6a9d3ba55d27b3587cea74c653d797 GIT binary patch literal 374 zcmV-+0g3*20iBP*a+@#!M0@5dboZo|1PC*ec8V~jI1>WFIFOqpWPv?cm|$c3>r0bs zPuF(Q-J1ERc`w$30m?Vq zE3tcFCavFnd(ScSe04}Sb()LWNhevgFTB80tL)!ZCAM(1J9_DGgUH||9 literal 0 HcmV?d00001 
diff --git a/spec/fixtures/test.git/git/objects/83/8853977ce26e7891807974dafaea83c9547587 b/spec/fixtures/test.git/git/objects/83/8853977ce26e7891807974dafaea83c9547587 new file mode 100644 index 0000000000000000000000000000000000000000..bc37d106803dcecc9f72604d70e0f8357f7cec19 GIT binary patch literal 433 zcmV;i0Z#sS0V^p=O;s>4Ghr|^FfcPQQP4}zEXhpI%P&f0VC9)R_4uPV&M&nkpB2v9 zs`RyC(F&+4_tf09%$!t)MVk`RnF6mTr<}Lc*&kOm>F~DgKcGs2Tpe9}UG<7m@{<|v z`b~eNCps%4TH%p^#?O?d+NfWCFlC9^sbHgaWf$9CGVN{cXK;zzJMoanhp(5Oniv3q zLSjJy!y7)OC%VtL9UC^6sfIseUCgE<>j05W%FJVs+Lf*aUT2q zQmFaK`FUxX>3T(_411e5g$NnMPyV}M#iX@w4W5d3%-jVr0-}Z?lz+bR<3_)1j(-#X z#)(ead4%QKLx_TuB!(j1#pMf&Io@?z(_Ub6@eE zuPY8Q?GZHI*9Mi%PiN3vqI7Ul;JS4?*~Q~#8%eI*ckP%MM7E$bDJL_TL3y!qCJPhS zv_mV@+vDumf`m(IZb1~3q!yPjF#m3O({t3UwXE3nuhCVjuhWx`DM6&mQu9*six?VO bUOey(RBh#$J)ѠiG䂭;`„3fs!R8M\X#s]޴6g +kR)uӔL?P) +ڃn?3]][x~0 a`3 Bw[>]/0 ݾ$ZZċ峷\3Ǩďp7f#/S¨;hG;=63-OS>ț\S.4sgtn7񣽆{uĂ,}V.Kw-?_Ks[?+qE]Bc smZLZ0Ԙ$E[# \ No newline at end of file diff --git a/spec/fixtures/test.git/git/objects/c1/35cd22d47f5639e61723a47debd5a6d0fe3af0 b/spec/fixtures/test.git/git/objects/c1/35cd22d47f5639e61723a47debd5a6d0fe3af0 new file mode 100644 index 0000000000000000000000000000000000000000..b8b76cbf79acab9fa8e16e3dfa9547378d84253c GIT binary patch literal 50 zcmV-20L}k+0V^p=O;s>9VK6ZO0)?E!%KXxjVunBG*qH)1MZB7HuxFjeu2a7oD;GKd I06QcRr11$8pa1{> literal 0 HcmV?d00001 diff --git a/spec/fixtures/test.git/git/objects/dc/0e362153d2e76f0a7ea457d665b3eb9f4aaf83 b/spec/fixtures/test.git/git/objects/dc/0e362153d2e76f0a7ea457d665b3eb9f4aaf83 new file mode 100644 index 0000000000000000000000000000000000000000..75063bc8d6a38bf934f3e4c0c8720db0ad1d0bde GIT binary patch literal 244 zcmV6FXB#|*NgQuT>vO?!lciX+@j zL6Vs%bwpy=`Q8X#VTlsQkzI@8f-es+kac)my39*eS`@5gicMH|QY8`FzJ!woi4(y- zOE2(G{KC{mH;Qq-<;ha!|AGG-*QR(e0|~B_w92Tu%T84j?5v9)Pn(edDGX$$$OjON uSCS*_OvC8=9oPU>J`>=*gV5zoAa7S{kv}s#;;mHmhF{e3m%jm3vUeU6IClsD literal 0 HcmV?d00001 
diff --git a/spec/fixtures/test.git/git/objects/eb/593c37df1cf6c6904adb9fa5f27f1757939802 b/spec/fixtures/test.git/git/objects/eb/593c37df1cf6c6904adb9fa5f27f1757939802 new file mode 100644 index 0000000000000000000000000000000000000000..24296838de9e15539d42ebfb8dee286f17706621 GIT binary patch literal 242 zcmVP{@$!1Ue!RUvCj-}o`fY@!E&!BRVXChb!go$9A ztrPqczc9AJj-st=c`}swf8hVdwK3fEK!OV;E;g#_a#GcJGuOpWrZtF%=m*kM;2j8t sJIN6?x?yzv28>^S3Gm*5@A4v$GmBc}!_1a=9aXi`lUY9UH{h6d@U#GRwg3PC literal 0 HcmV?d00001 diff --git a/spec/fixtures/test.git/git/objects/ec/0e22e42de60b4180b3762557e605a3062c1d40 b/spec/fixtures/test.git/git/objects/ec/0e22e42de60b4180b3762557e605a3062c1d40 new file mode 100644 index 0000000000000000000000000000000000000000..de5051eeda81b28c2675a63fea06c62405475520 GIT binary patch literal 200 zcmV;(05|`50V^p=O;s>5Fkvt;00M=?;^NejVg?-%<|{vWY-}!@+*$LHzo>gbqvQdI zg5>aoYbOX2KM8RH%(2S*l6j&Y1Mz*kZ;ZQk_8Y|8L2r1AQhpPbEdKG-}K+# zel2%h?(R_U<7Jy6DsmGu!DeVKQ93v&aNW9{?Ba2=jU-p@yLLH`3lq*T)S CoMS=& literal 0 HcmV?d00001 diff --git a/spec/fixtures/test.git/git/objects/fc/ce070251b258ea92c18cae48bacafb8179a140 b/spec/fixtures/test.git/git/objects/fc/ce070251b258ea92c18cae48bacafb8179a140 new file mode 100644 index 0000000000000000000000000000000000000000..999dcb9cb212fc4d11fd07bf28a9ec5e0d35fe52 GIT binary patch literal 65 zcmV-H0KWft0V^p=O;s?lU@$Z=Ff%bxNGvGG$xKcx$;{8w%P7gs(Mv5#Vt5^CV}4)e X+p!5=x92bYR4*Prc?J^zAWaqBHw_uh literal 0 HcmV?d00001 diff --git a/spec/fixtures/test.git/git/refs/heads/master b/spec/fixtures/test.git/git/refs/heads/master index 4de84ba..d963748 100644 --- a/spec/fixtures/test.git/git/refs/heads/master +++ b/spec/fixtures/test.git/git/refs/heads/master @@ -1 +1 @@ -225af1ab522457873a5994c150d7ad571ff260c0 +737a2ccda4d398b65fd784dd34940c1abffa67f4 diff --git a/spec/pronto/brakeman_spec.rb b/spec/pronto/brakeman_spec.rb index 3924c30..75979d2 100644 --- a/spec/pronto/brakeman_spec.rb +++ b/spec/pronto/brakeman_spec.rb 
@@ -3,6 +3,14 @@ module Pronto
 describe Brakeman do
 let(:brakeman) { Brakeman.new(patches) }
+ let(:pronto_config) do
+ instance_double Pronto::ConfigFile, to_h: config_hash
+ end
+ let(:config_hash) { {} }
+
+ before do
+ allow(Pronto::ConfigFile).to receive(:new) { pronto_config }
+ end
 describe '#run' do
 subject { brakeman.run }
@@ -33,6 +41,48 @@ module Pronto
 'Possible security vulnerability: [Possible unprotected redirect](https://brakemanscanner.org/docs/warning_types/redirect/)'
 end
 end
+
+ context 'with a change to an erb file' do
+ context 'with brakeman not included in pronto config' do
+ let(:config_hash) { { 'foo' => {} } }
+ include_context 'test repo'
+ let(:patches) { repo.diff('b09de21aa02cbb43386e3a1d7e7e0a628df7ca66') }
+
+ it 'should disable all checks' do
+ expect(brakeman.run_all_checks?).to eq nil
+ end
+
+ its(:count) { should == 0 }
+ end
+
+ context 'with brakeman included in pronto config' do
+ context 'with run all checks disabled' do
+ let(:config_hash) { { 'brakeman' => { 'run_all_checks' => false } } }
+ include_context 'test repo'
+ let(:patches) { repo.diff('b09de21aa02cbb43386e3a1d7e7e0a628df7ca66') }
+
+ it 'should disable all checks' do
+ expect(brakeman.run_all_checks?).to eq false
+ end
+
+ its(:count) { should == 0 }
+ end
+
+ context 'with run all checks enabled' do
+ let(:config_hash) { { 'brakeman' => { 'run_all_checks' => true } } }
+ include_context 'test repo'
+ let(:patches) { repo.diff('b09de21aa02cbb43386e3a1d7e7e0a628df7ca66') }
+
+ it 'should enable all checks' do
+ expect(brakeman.run_all_checks?).to eq true
+ end
+ its(:count) { should == 1 }
+ it "should report a tabnabbing vulnerability" do
+ expect(subject.first.msg).to include("Possible security vulnerability: [When opening a link in a new tab without setting `rel:")
+ end
+ end
+ end
+ end
 end
 describe "#severity_for_confidence" do
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 76444f5..c9a66f3 100644
--- a/spec/spec_helper.rb
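Review bot: The three leaf contexts under `context 'with a change to an erb file' do` each repeat `include_context 'test repo'` and `let(:patches) { repo.diff('b09de21aa02cbb43386e3a1d7e7e0a628df7ca66') }`; both can move up to that enclosing context once, leaving each leaf with only its own `config_hash`. The example named 'should disable all checks' in the not-configured context pins `run_all_checks?` to `nil` rather than `false`, which locks in the non-boolean return instead of describing the intended behaviour; if the predicate is made to return a boolean, `expect(brakeman.run_all_checks?).to eq false` serves both "disabled" contexts. The last example uses double-quoted strings where the rest of the file uses single quotes. The enclosing `describe '#run'` block starts before this hunk.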
+++ b/spec/spec_helper.rb
@@ -13,6 +13,6 @@ end
 RSpec.configure do |config|
- config.expect_with(:rspec) { |c| c.syntax = :should }
- config.mock_with(:rspec) { |c| c.syntax = :should }
+ config.expect_with(:rspec) { |c| c.syntax = [:should, :expect] }
+ config.mock_with(:rspec) { |c| c.syntax = [:should, :expect] }
 end