0ead67f85b
* Bump the development-dependencies group across 1 directory with 3 updates Bumps the development-dependencies group with 3 updates in the / directory: [brakeman](https://github.com/presidentbeef/brakeman), [faker](https://github.com/faker-ruby/faker) and [selenium-webdriver](https://github.com/SeleniumHQ/selenium). Updates `brakeman` from 7.1.2 to 8.0.1 - [Release notes](https://github.com/presidentbeef/brakeman/releases) - [Changelog](https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md) - [Commits](https://github.com/presidentbeef/brakeman/compare/v7.1.2...v8.0.1) Updates `faker` from 3.5.3 to 3.6.0 - [Release notes](https://github.com/faker-ruby/faker/releases) - [Changelog](https://github.com/faker-ruby/faker/blob/main/CHANGELOG.md) - [Commits](https://github.com/faker-ruby/faker/compare/v3.5.3...v3.6.0) Updates `selenium-webdriver` from 4.39.0 to 4.40.0 - [Release notes](https://github.com/SeleniumHQ/selenium/releases) - [Changelog](https://github.com/SeleniumHQ/selenium/blob/trunk/rb/CHANGES) - [Commits](https://github.com/SeleniumHQ/selenium/compare/selenium-4.39.0...selenium-4.40.0) --- updated-dependencies: - dependency-name: brakeman dependency-version: 8.0.1 dependency-type: direct:development update-type: version-update:semver-major dependency-group: development-dependencies - dependency-name: faker dependency-version: 3.6.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: development-dependencies - dependency-name: selenium-webdriver dependency-version: 4.40.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: development-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> * Auto-sync Gemfile.saas.lock on Dependabot PRs Dependabot can't update custom-named Gemfiles, so Gemfile.saas.lock drifts whenever it bumps shared gems in Gemfile.lock. Add `bin/bundle-drift forward` to push oss lockfile changes into the saas lockfile (the reverse of `correct`), and a GitHub Actions workflow that runs it automatically on Dependabot bundler branches. * Update brakeman ignore fingerprint for 8.0.1 Brakeman 8.0.1 changed how it computes warning fingerprints, so the existing ignore entry for the safe_constantize warning in Notifier became obsolete. Update to the new fingerprint. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jeremy Daer <jeremy@37signals.com>
144 lines
5.7 KiB
Plaintext
144 lines
5.7 KiB
Plaintext
{
|
|
"ignored_warnings": [
|
|
{
|
|
"warning_type": "SQL Injection",
|
|
"warning_code": 0,
|
|
"fingerprint": "4ea2e6d704b817af1d896dcdf148a89da8b9e428b3327497631ef8d9ed587307",
|
|
"check_name": "SQL",
|
|
"message": "Possible SQL injection",
|
|
"file": "app/models/card/entropic.rb",
|
|
"line": 19,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
|
|
"code": "active.joins(:board => :account).left_outer_joins(:board => :entropy).joins(\"LEFT OUTER JOIN entropies AS account_entropies ON account_entropies.account_id = accounts.id AND account_entropies.container_type = 'Account' AND account_entropies.container_id = accounts.id\").where(\"last_active_at > #{connection.date_subtract(\"?\", \"COALESCE(entropies.auto_postpone_period, account_entropies.auto_postpone_period)\")}\", Time.now)",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "Card::Entropic",
|
|
"method": null
|
|
},
|
|
"user_input": "connection.date_subtract(\"?\", \"COALESCE(entropies.auto_postpone_period, account_entropies.auto_postpone_period)\")",
|
|
"confidence": "Weak",
|
|
"cwe_id": [
|
|
89
|
|
],
|
|
"note": "No user input allowed"
|
|
},
|
|
{
|
|
"warning_type": "Dangerous Send",
|
|
"warning_code": 23,
|
|
"fingerprint": "746ab8227e04231f0002e099e2f670bcc2b8927af85cdc69fab1440002d5c2a6",
|
|
"check_name": "Send",
|
|
"message": "User controlled method execution",
|
|
"file": "app/controllers/events/day_timeline/columns_controller.rb",
|
|
"line": 19,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/dangerous_send/",
|
|
"code": "Current.user.timeline_for(day, :filter => ((Current.user.filters.find(params[:filter_id]) or Current.user.filters.from_params(filter_params)))).public_send(\"#{params[:id]}_column\")",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "Events::DayTimeline::ColumnsController",
|
|
"method": "set_column"
|
|
},
|
|
"user_input": "params[:id]",
|
|
"confidence": "High",
|
|
"cwe_id": [
|
|
77
|
|
],
|
|
"note": ""
|
|
},
|
|
{
|
|
"warning_type": "SSL Verification Bypass",
|
|
"warning_code": 71,
|
|
"fingerprint": "8e566e1a52e48940c840541ea4e33f41a39dc0f2a97eb83c52e76f9582667a3c",
|
|
"check_name": "SSLVerify",
|
|
"message": "SSL certificate verification was bypassed",
|
|
"file": "app/models/zip_file/remote_io.rb",
|
|
"line": 41,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/ssl_verification_bypass/",
|
|
"code": "Net::HTTP.new(@uri.hostname, @uri.port).verify_mode = OpenSSL::SSL::VERIFY_NONE",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "ZipFile::RemoteIO",
|
|
"method": "with_http"
|
|
},
|
|
"user_input": null,
|
|
"confidence": "High",
|
|
"cwe_id": [
|
|
295
|
|
],
|
|
"note": "Required for internal PureStorage self-signed certificates. Only used for trusted internal storage URLs."
|
|
},
|
|
{
|
|
"warning_type": "Mass Assignment",
|
|
"warning_code": 70,
|
|
"fingerprint": "ac0fa1970dea215e2f47a5676ffd63d8728951e361da12a53dd424bf6dc46f2a",
|
|
"check_name": "MassAssignment",
|
|
"message": "Specify exact keys allowed for mass assignment instead of using `permit!` which allows any keys",
|
|
"file": "app/helpers/pagination_helper.rb",
|
|
"line": 14,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
|
|
"code": "params.permit!",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "PaginationHelper",
|
|
"method": "pagination_link"
|
|
},
|
|
"user_input": null,
|
|
"confidence": "Medium",
|
|
"cwe_id": [
|
|
915
|
|
],
|
|
"note": ""
|
|
},
|
|
{
|
|
"warning_type": "Remote Code Execution",
|
|
"warning_code": 24,
|
|
"fingerprint": "f13f9f972c3f026ab4509a66ac284b8b7c1ba6191a3c4c89d2e9fb4584478f6d",
|
|
"check_name": "UnsafeReflection",
|
|
"message": "Unsafe reflection method `safe_constantize` called on model attribute",
|
|
"file": "app/models/notifier.rb",
|
|
"line": 8,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
|
|
"code": "\"Notifier::#{Event.eventable.class}EventNotifier\".safe_constantize",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "Notifier",
|
|
"method": "s(:self).for"
|
|
},
|
|
"user_input": "Event.eventable.class",
|
|
"confidence": "Medium",
|
|
"cwe_id": [
|
|
470
|
|
],
|
|
"note": ""
|
|
},
|
|
{
|
|
"warning_type": "SQL Injection",
|
|
"warning_code": 0,
|
|
"fingerprint": "bbd8fe3cbbc6b393df770d3142d6fa46e2b9441b21f48a52175211acaae4efad",
|
|
"check_name": "SQL",
|
|
"message": "Possible SQL injection",
|
|
"file": "app/models/card/entropic.rb",
|
|
"line": 10,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
|
|
"code": "active.joins(:board => :account).left_outer_joins(:board => :entropy).joins(\"LEFT OUTER JOIN entropies AS account_entropies ON account_entropies.account_id = accounts.id AND account_entropies.container_type = 'Account' AND account_entropies.container_id = accounts.id\").where(\"last_active_at <= #{connection.date_subtract(\"?\", \"COALESCE(entropies.auto_postpone_period, account_entropies.auto_postpone_period)\")}\", Time.now)",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "Card::Entropic",
|
|
"method": null
|
|
},
|
|
"user_input": "connection.date_subtract(\"?\", \"COALESCE(entropies.auto_postpone_period, account_entropies.auto_postpone_period)\")",
|
|
"confidence": "Weak",
|
|
"cwe_id": [
|
|
89
|
|
],
|
|
"note": "No user input allowed"
|
|
}
|
|
],
|
|
"brakeman_version": "8.0.1"
|
|
}
|