{ "ignored_warnings": [ { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "4ea2e6d704b817af1d896dcdf148a89da8b9e428b3327497631ef8d9ed587307", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/card/entropic.rb", "line": 19, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "active.joins(:board => :account).left_outer_joins(:board => :entropy).joins(\"LEFT OUTER JOIN entropies AS account_entropies ON account_entropies.account_id = accounts.id AND account_entropies.container_type = 'Account' AND account_entropies.container_id = accounts.id\").where(\"last_active_at > #{connection.date_subtract(\"?\", \"COALESCE(entropies.auto_postpone_period, account_entropies.auto_postpone_period)\")}\", Time.now)", "render_path": null, "location": { "type": "method", "class": "Card::Entropic", "method": null }, "user_input": "connection.date_subtract(\"?\", \"COALESCE(entropies.auto_postpone_period, account_entropies.auto_postpone_period)\")", "confidence": "Weak", "cwe_id": [ 89 ], "note": "No user input allowed" }, { "warning_type": "Dangerous Send", "warning_code": 23, "fingerprint": "746ab8227e04231f0002e099e2f670bcc2b8927af85cdc69fab1440002d5c2a6", "check_name": "Send", "message": "User controlled method execution", "file": "app/controllers/events/day_timeline/columns_controller.rb", "line": 19, "link": "https://brakemanscanner.org/docs/warning_types/dangerous_send/", "code": "Current.user.timeline_for(day, :filter => ((Current.user.filters.find(params[:filter_id]) or Current.user.filters.from_params(filter_params)))).public_send(\"#{params[:id]}_column\")", "render_path": null, "location": { "type": "method", "class": "Events::DayTimeline::ColumnsController", "method": "set_column" }, "user_input": "params[:id]", "confidence": "High", "cwe_id": [ 77 ], "note": "" }, { "warning_type": "SSL Verification Bypass", "warning_code": 71, "fingerprint": "8e566e1a52e48940c840541ea4e33f41a39dc0f2a97eb83c52e76f9582667a3c", "check_name": "SSLVerify", "message": "SSL certificate verification was bypassed", "file": "app/models/zip_file/remote_io.rb", "line": 41, "link": "https://brakemanscanner.org/docs/warning_types/ssl_verification_bypass/", "code": "Net::HTTP.new(@uri.hostname, @uri.port).verify_mode = OpenSSL::SSL::VERIFY_NONE", "render_path": null, "location": { "type": "method", "class": "ZipFile::RemoteIO", "method": "with_http" }, "user_input": null, "confidence": "High", "cwe_id": [ 295 ], "note": "Required for internal PureStorage self-signed certificates. Only used for trusted internal storage URLs." }, { "warning_type": "Mass Assignment", "warning_code": 70, "fingerprint": "ac0fa1970dea215e2f47a5676ffd63d8728951e361da12a53dd424bf6dc46f2a", "check_name": "MassAssignment", "message": "Specify exact keys allowed for mass assignment instead of using `permit!` which allows any keys", "file": "app/helpers/pagination_helper.rb", "line": 14, "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", "code": "params.permit!", "render_path": null, "location": { "type": "method", "class": "PaginationHelper", "method": "pagination_link" }, "user_input": null, "confidence": "Medium", "cwe_id": [ 915 ], "note": "" }, { "warning_type": "Remote Code Execution", "warning_code": 24, "fingerprint": "f13f9f972c3f026ab4509a66ac284b8b7c1ba6191a3c4c89d2e9fb4584478f6d", "check_name": "UnsafeReflection", "message": "Unsafe reflection method `safe_constantize` called on model attribute", "file": "app/models/notifier.rb", "line": 8, "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/", "code": "\"Notifier::#{Event.eventable.class}EventNotifier\".safe_constantize", "render_path": null, "location": { "type": "method", "class": "Notifier", "method": "s(:self).for" }, "user_input": "Event.eventable.class", "confidence": "Medium", "cwe_id": [ 470 ], "note": "" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "bbd8fe3cbbc6b393df770d3142d6fa46e2b9441b21f48a52175211acaae4efad", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/card/entropic.rb", "line": 10, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "active.joins(:board => :account).left_outer_joins(:board => :entropy).joins(\"LEFT OUTER JOIN entropies AS account_entropies ON account_entropies.account_id = accounts.id AND account_entropies.container_type = 'Account' AND account_entropies.container_id = accounts.id\").where(\"last_active_at <= #{connection.date_subtract(\"?\", \"COALESCE(entropies.auto_postpone_period, account_entropies.auto_postpone_period)\")}\", Time.now)", "render_path": null, "location": { "type": "method", "class": "Card::Entropic", "method": null }, "user_input": "connection.date_subtract(\"?\", \"COALESCE(entropies.auto_postpone_period, account_entropies.auto_postpone_period)\")", "confidence": "Weak", "cwe_id": [ 89 ], "note": "No user input allowed" } ], "brakeman_version": "8.0.1" }