diff options
author | Thibaut Girka <thib@sitedethib.com> | 2020-06-09 10:39:20 +0200 |
---|---|---|
committer | Thibaut Girka <thib@sitedethib.com> | 2020-06-09 10:39:20 +0200 |
commit | 12c8ac9e1443d352eca3538ed1558de8ccdd9434 (patch) | |
tree | ed480d77b29f0d571ad219190288bde3b0c09b32 /config/brakeman.ignore | |
parent | f328f2faa3fbdb182921366c6a20e745c069b840 (diff) | |
parent | 89f40b6c3ec525b09d02f21e9b45276084167d8d (diff) |
Merge branch 'master' into glitch-soc/merge-upstream
Conflicts: - `app/controllers/activitypub/collections_controller.rb`: Conflict due to glitch-soc having to take care of local-only pinned toots in that controller. Took upstream's changes and restored the local-only special handling. - `app/controllers/auth/sessions_controller.rb`: Minor conflicts due to the theming system, applied upstream changes, adapted the following two files for glitch-soc's theming system: - `app/controllers/concerns/sign_in_token_authentication_concern.rb` - `app/controllers/concerns/two_factor_authentication_concern.rb` - `app/services/backup_service.rb`: Minor conflict due to glitch-soc having to handle local-only toots specially. Applied upstream changes and restored the local-only special handling. - `app/views/admin/custom_emojis/index.html.haml`: Minor conflict due to the theming system. - `package.json`: Upstream dependency updated, too close to a glitch-soc-only dependency in the file. - `yarn.lock`: Upstream dependency updated, too close to a glitch-soc-only dependency in the file.
Diffstat (limited to 'config/brakeman.ignore')
-rw-r--r-- | config/brakeman.ignore | 228 |
1 files changed, 113 insertions, 115 deletions
diff --git a/config/brakeman.ignore b/config/brakeman.ignore index 7e3828f7e..baa993c78 100644 --- a/config/brakeman.ignore +++ b/config/brakeman.ignore @@ -1,33 +1,13 @@ { "ignored_warnings": [ { - "warning_type": "Mass Assignment", - "warning_code": 105, - "fingerprint": "0117d2be5947ea4e4fbed9c15f23c6615b12c6892973411820c83d079808819d", - "check_name": "PermitAttributes", - "message": "Potentially dangerous key allowed for mass assignment", - "file": "app/controllers/api/v1/search_controller.rb", - "line": 30, - "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", - "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)", - "render_path": null, - "location": { - "type": "method", - "class": "Api::V1::SearchController", - "method": "search_params" - }, - "user_input": ":account_id", - "confidence": "High", - "note": "" - }, - { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "04dbbc249b989db2e0119bbb0f59c9818e12889d2b97c529cdc0b1526002ba4b", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/report.rb", - "line": 90, + "line": 112, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "Admin::ActionLog.from(\"(#{[Admin::ActionLog.where(:target_type => \"Report\", :target_id => id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Account\", :target_id => target_account_id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Status\", :target_id => status_ids, :created_at => ((created_at..updated_at))).unscope(:order)].map do\n \"(#{query.to_sql})\"\n end.join(\" UNION ALL \")}) AS admin_action_logs\")", "render_path": null, @@ -47,7 +27,7 @@ "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/status.rb", - "line": 87, + "line": 100, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "result.joins(\"INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")", "render_path": null, @@ -61,39 +41,62 @@ "note": "" }, { - "warning_type": "Mass Assignment", - "warning_code": 105, - "fingerprint": "28d81cc22580ef76e912b077b245f353499aa27b3826476667224c00227af2a9", - "check_name": "PermitAttributes", - "message": "Potentially dangerous key allowed for mass assignment", - "file": "app/controllers/admin/reports_controller.rb", - "line": 56, - "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", - "code": "params.permit(:account_id, :resolved, :target_account_id)", - "render_path": null, + "warning_type": "Dynamic Render Path", + "warning_code": 15, + "fingerprint": "20a660939f2bbf8c665e69f2844031c0564524689a9570a0091ed94846212020", + "check_name": "Render", + "message": "Render path contains parameter value", + "file": "app/views/admin/action_logs/index.html.haml", + "line": 26, + "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", + "code": "render(action => Admin::ActionLogFilter.new(filter_params).results.page(params[:page]), {})", + "render_path": [ + { + "type": "controller", + "class": "Admin::ActionLogsController", + "method": "index", + "line": 8, + "file": "app/controllers/admin/action_logs_controller.rb", + "rendered": { + "name": "admin/action_logs/index", + "file": "app/views/admin/action_logs/index.html.haml" + } + } + ], "location": { - "type": "method", - "class": "Admin::ReportsController", - "method": "filter_params" + "type": "template", + "template": "admin/action_logs/index" }, - "user_input": ":account_id", - "confidence": "High", + "user_input": "params[:page]", + "confidence": "Weak", "note": "" }, { "warning_type": "Dynamic Render Path", "warning_code": 15, - "fingerprint": "4b6a895e2805578d03ceedbe1d469cc75a0c759eba093722523edb4b8683c873", + "fingerprint": "371fe16dc4c9d6ab08a20437d65be4825776107a67c38f6d4780a9c703cd44a5", "check_name": "Render", "message": "Render path contains parameter value", - "file": "app/views/admin/action_logs/index.html.haml", - "line": 4, + "file": "app/views/admin/email_domain_blocks/index.html.haml", + "line": 17, "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", - "code": "render(action => Admin::ActionLog.page(params[:page]), {})", - "render_path": [{"type":"controller","class":"Admin::ActionLogsController","method":"index","line":7,"file":"app/controllers/admin/action_logs_controller.rb","rendered":{"name":"admin/action_logs/index","file":"/home/eugr/Projects/mastodon/app/views/admin/action_logs/index.html.haml"}}], + "code": "render(action => EmailDomainBlock.where(:parent_id => nil).includes(:children).order(:id => :desc).page(params[:page]), {})", + "render_path": [ + { + "type": "controller", + "class": "Admin::EmailDomainBlocksController", + "method": "index", + "line": 10, + "file": "app/controllers/admin/email_domain_blocks_controller.rb", + "rendered": { + "name": "admin/email_domain_blocks/index", + "file": "app/views/admin/email_domain_blocks/index.html.haml" + } + } + ], "location": { "type": "template", - "template": "admin/action_logs/index" + "template": "admin/email_domain_blocks/index" }, "user_input": "params[:page]", "confidence": "Weak", @@ -106,7 +109,7 @@ "check_name": "Redirect", "message": "Possible unprotected redirect", "file": "app/controllers/remote_interaction_controller.rb", - "line": 21, + "line": 24, "link": "https://brakemanscanner.org/docs/warning_types/redirect/", "code": "redirect_to(RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id])))", "render_path": null, @@ -120,32 +123,13 @@ "note": "" }, { - "warning_type": "Dynamic Render Path", - "warning_code": 15, - "fingerprint": "67afc0d5f7775fa5bd91d1912e1b5505aeedef61876347546fa20f92fd6915e6", - "check_name": "Render", - "message": "Render path contains parameter value", - "file": "app/views/stream_entries/embed.html.haml", - "line": 3, - "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", - "code": "render(action => \"stream_entries/#{Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase}\", { Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase.to_sym => Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity, :centered => true, :autoplay => ActiveModel::Type::Boolean.new.cast(params[:autoplay]) })", - "render_path": [{"type":"controller","class":"StatusesController","method":"embed","line":63,"file":"app/controllers/statuses_controller.rb","rendered":{"name":"stream_entries/embed","file":"/home/eugr/Projects/mastodon/app/views/stream_entries/embed.html.haml"}}], - "location": { - "type": "template", - "template": "stream_entries/embed" - }, - "user_input": "params[:id]", - "confidence": "Weak", - "note": "" - }, - { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "6f075c1484908e3ec9bed21ab7cf3c7866be8da3881485d1c82e13093aefcbd7", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/status.rb", - "line": 92, + "line": 105, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "result.joins(\"LEFT OUTER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")", "render_path": null, @@ -159,22 +143,43 @@ "note": "" }, { - "warning_type": "Dynamic Render Path", - "warning_code": 15, - "fingerprint": "8d843713d99e8403f7992f3e72251b633817cf9076ffcbbad5613859d2bbc127", - "check_name": "Render", - "message": "Render path contains parameter value", - "file": "app/views/admin/custom_emojis/index.html.haml", - "line": 45, - "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", - "code": "render(action => filtered_custom_emojis.eager_load(:local_counterpart).page(params[:page]), {})", - "render_path": [{"type":"controller","class":"Admin::CustomEmojisController","method":"index","line":11,"file":"app/controllers/admin/custom_emojis_controller.rb","rendered":{"name":"admin/custom_emojis/index","file":"/home/eugr/Projects/mastodon/app/views/admin/custom_emojis/index.html.haml"}}], + "warning_type": "Mass Assignment", + "warning_code": 105, + "fingerprint": "7631e93d0099506e7c3e5c91ba8d88523b00a41a0834ae30031a5a4e8bb3020a", + "check_name": "PermitAttributes", + "message": "Potentially dangerous key allowed for mass assignment", + "file": "app/controllers/api/v2/search_controller.rb", + "line": 28, + "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", + "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)", + "render_path": null, "location": { - "type": "template", - "template": "admin/custom_emojis/index" + "type": "method", + "class": "Api::V2::SearchController", + "method": "search_params" }, - "user_input": "params[:page]", - "confidence": "Weak", + "user_input": ":account_id", + "confidence": "High", + "note": "" + }, + { + "warning_type": "Mass Assignment", + "warning_code": 105, + "fingerprint": "8f63dec68951d9bcf7eddb15af9392b2e1333003089c41fb76688dfd3579f394", + "check_name": "PermitAttributes", + "message": "Potentially dangerous key allowed for mass assignment", + "file": "app/controllers/api/v1/crypto/deliveries_controller.rb", + "line": 23, + "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", + "code": "params.require(:device).permit(:account_id, :device_id, :type, :body, :hmac)", + "render_path": null, + "location": { + "type": "method", + "class": "Api::V1::Crypto::DeliveriesController", + "method": "resource_params" + }, + "user_input": ":account_id", + "confidence": "High", "note": "" }, { @@ -204,10 +209,22 @@ "check_name": "Render", "message": "Render path contains parameter value", "file": "app/views/admin/accounts/index.html.haml", - "line": 47, + "line": 54, "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", "code": "render(action => filtered_accounts.page(params[:page]), {})", - "render_path": [{"type":"controller","class":"Admin::AccountsController","method":"index","line":12,"file":"app/controllers/admin/accounts_controller.rb","rendered":{"name":"admin/accounts/index","file":"/home/eugr/Projects/mastodon/app/views/admin/accounts/index.html.haml"}}], + "render_path": [ + { + "type": "controller", + "class": "Admin::AccountsController", + "method": "index", + "line": 12, + "file": "app/controllers/admin/accounts_controller.rb", + "rendered": { + "name": "admin/accounts/index", + "file": "app/views/admin/accounts/index.html.haml" + } + } + ], "location": { "type": "template", "template": "admin/accounts/index" @@ -219,40 +236,40 @@ { "warning_type": "Redirect", "warning_code": 18, - "fingerprint": "ba699ddcc6552c422c4ecd50d2cd217f616a2446659e185a50b05a0f2dad8d33", + "fingerprint": "ba568ac09683f98740f663f3d850c31785900215992e8c090497d359a2563d50", "check_name": "Redirect", "message": "Possible unprotected redirect", - "file": "app/controllers/media_controller.rb", - "line": 14, + "file": "app/controllers/remote_follow_controller.rb", + "line": 21, "link": "https://brakemanscanner.org/docs/warning_types/redirect/", - "code": "redirect_to(MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original))", + "code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(@account))", "render_path": null, "location": { "type": "method", - "class": "MediaController", - "method": "show" + "class": "RemoteFollowController", + "method": "create" }, - "user_input": "MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original)", + "user_input": "RemoteFollow.new(resource_params).subscribe_address_for(@account)", "confidence": "High", "note": "" }, { "warning_type": "Redirect", "warning_code": 18, - "fingerprint": "bb7e94e60af41decb811bb32171f1b27e9bf3f4d01e9e511127362e22510eb11", + "fingerprint": "ba699ddcc6552c422c4ecd50d2cd217f616a2446659e185a50b05a0f2dad8d33", "check_name": "Redirect", "message": "Possible unprotected redirect", - "file": "app/controllers/remote_follow_controller.rb", - "line": 19, + "file": "app/controllers/media_controller.rb", + "line": 20, "link": "https://brakemanscanner.org/docs/warning_types/redirect/", - "code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(Account.find_local!(params[:account_username])))", + "code": "redirect_to(MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original))", "render_path": null, "location": { "type": "method", - "class": "RemoteFollowController", - "method": "create" + "class": "MediaController", + "method": "show" }, - "user_input": "RemoteFollow.new(resource_params).subscribe_address_for(Account.find_local!(params[:account_username]))", + "user_input": "MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original)", "confidence": "High", "note": "" }, @@ -275,27 +292,8 @@ "user_input": ":account_id", "confidence": "High", "note": "" - }, - { - "warning_type": "Dynamic Render Path", - "warning_code": 15, - "fingerprint": "fbd0fc59adb5c6d44b60e02debb31d3af11719f534c9881e21435bbff87404d6", - "check_name": "Render", - "message": "Render path contains parameter value", - "file": "app/views/stream_entries/show.html.haml", - "line": 23, - "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", - "code": "render(partial => \"stream_entries/#{Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase}\", { :locals => ({ Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase.to_sym => Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity, :include_threads => true }) })", - "render_path": [{"type":"controller","class":"StatusesController","method":"show","line":34,"file":"app/controllers/statuses_controller.rb","rendered":{"name":"stream_entries/show","file":"/home/eugr/Projects/mastodon/app/views/stream_entries/show.html.haml"}}], - "location": { - "type": "template", - "template": "stream_entries/show" - }, - "user_input": "params[:id]", - "confidence": "Weak", - "note": "" } ], - "updated": "2019-02-21 02:30:29 +0100", - "brakeman_version": "4.4.0" + "updated": "2020-06-01 18:18:02 +0200", + "brakeman_version": "4.8.0" } |