demarches-normaliennes/config/brakeman.ignore

{
  "ignored_warnings": [
    {
      "warning_type": "Command Injection",
      "warning_code": 14,
      "fingerprint": "02c4a46707ac4d1cb33b17847aad8fd9f2e1d4201ec9a93b27111d6a3ac1bd29",
      "check_name": "Execute",
      "message": "Possible command injection",
      "file": "app/services/procedure_archive_service.rb",
      "line": 131,
      "link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
      "code": "`cd #{tmp_dir} && zip -r #{File.join(ARCHIVE_CREATION_DIR, \"#{zip_root_folder}.zip\")} #{zip_root_folder}`",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "ProcedureArchiveService",
        "method": "download_and_zip"
      },
      "user_input": "tmp_dir",
      "confidence": "Medium",
      "note": ""
    },
    {
      "warning_type": "Cross-Site Scripting",
      "warning_code": 2,
      "fingerprint": "42099f4550a8377f455e830e8ab645cecd5806248481c5c646b4e17548c3cb07",
      "check_name": "CrossSiteScripting",
      "message": "Unescaped model attribute",
      "file": "app/views/france_connect/particulier/merge.html.haml",
      "line": 6,
      "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
      "code": "t(\".subtitle\", :email => sanitize(FranceConnectInformation.find_by(:merge_token => merge_token_params).email_france_connect), :application_name => (APPLICATION_NAME))",
      "render_path": [
        {
          "type": "controller",
          "class": "FranceConnect::ParticulierController",
          "method": "merge",
          "line": 48,
          "file": "app/controllers/france_connect/particulier_controller.rb",
          "rendered": {
            "name": "france_connect/particulier/merge",
            "file": "app/views/france_connect/particulier/merge.html.haml"
          }
        }
      ],
      "location": {
        "type": "template",
        "template": "france_connect/particulier/merge"
      },
      "user_input": "FranceConnectInformation.find_by(:merge_token => merge_token_params).email_france_connect",
      "confidence": "Weak",
      "note": "explicitely sanitized even if we are using html_safe"
    },
    {
      "warning_type": "Cross-Site Scripting",
      "warning_code": 2,
      "fingerprint": "483ae8c038244eb3ed709e89846335e2c8ff6579260348ec31d3d03d1c94ad64",
      "check_name": "CrossSiteScripting",
      "message": "Unescaped model attribute",
      "file": "app/views/users/dossiers/merci.html.haml",
      "line": 28,
      "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
      "code": "current_user.dossiers.includes(:procedure).find(params[:id]).procedure.monavis_embed",
      "render_path": [
        {
          "type": "controller",
          "class": "Users::DossiersController",
          "method": "merci",
          "line": 195,
          "file": "app/controllers/users/dossiers_controller.rb",
          "rendered": {
            "name": "users/dossiers/merci",
            "file": "app/views/users/dossiers/merci.html.haml"
          }
        }
      ],
      "location": {
        "type": "template",
        "template": "users/dossiers/merci"
      },
      "user_input": "current_user.dossiers.includes(:procedure)",
      "confidence": "Weak",
      "note": ""
    },
    {
      "warning_type": "SQL Injection",
      "warning_code": 0,
      "fingerprint": "6c98e520dd368104bb0c81334875010711cd523afc28057ef86a10930f95c4b7",
      "check_name": "SQL",
      "message": "Possible SQL injection",
      "file": "app/models/stat.rb",
      "line": 83,
      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
      "code": "association.where(date_attribute => ((3.months.ago.beginning_of_month.to_date..max_date))).group(\"DATE_TRUNC('month', #{date_attribute})\")",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "Stat",
        "method": "last_four_months_hash"
      },
      "user_input": "date_attribute",
      "confidence": "Weak",
      "note": "no user input, fixed value"
    },
    {
      "warning_type": "SQL Injection",
      "warning_code": 0,
      "fingerprint": "bd1df30f95135357b646e21a03d95498874faffa32e3804fc643e9b6b957ee14",
      "check_name": "SQL",
      "message": "Possible SQL injection",
      "file": "app/models/concerns/dossier_filtering_concern.rb",
      "line": 18,
      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
      "code": "where(\"#{values.count} OR #{\"(#{ProcedurePresentation.sanitized_column(table, column)} ILIKE ?)\"}\", *values.map do\n \"%#{value}%\"\n end)",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "DossierFilteringConcern",
        "method": null
      },
      "user_input": "values.count",
      "confidence": "Medium",
      "note": "The table and column are escaped, which should make this safe"
    },
    {
      "warning_type": "Redirect",
      "warning_code": 18,
      "fingerprint": "c46b5c9cd6474ffae789f39a2280ba6b5a5a74d3ffa8a38cf8a409f9a027ed0e",
      "check_name": "Redirect",
      "message": "Possible unprotected redirect",
      "file": "app/controllers/instructeurs/procedures_controller.rb",
      "line": 195,
      "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
      "code": "redirect_to(Export.find_or_create_export(params[:export_format], (params[:time_span_type] or \"everything\"), current_instructeur.groupe_instructeurs.where(:procedure => procedure)).file.service_url)",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "Instructeurs::ProceduresController",
        "method": "download_export"
      },
      "user_input": "Export.find_or_create_export(params[:export_format], (params[:time_span_type] or \"everything\"), current_instructeur.groupe_instructeurs.where(:procedure => procedure)).file.service_url",
      "confidence": "High",
      "note": ""
    },
    {
      "warning_type": "SQL Injection",
      "warning_code": 0,
      "fingerprint": "dc6d873aff3dc5e51e3349b17e1f35039b23d0bddbf04224b0f1bca3e4608c1e",
      "check_name": "SQL",
      "message": "Possible SQL injection",
      "file": "app/models/stat.rb",
      "line": 97,
      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
      "code": "association.where(\"#{date_attribute} < ?\", max_date).group(\"DATE_TRUNC('month', #{date_attribute})\")",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "Stat",
        "method": "cumulative_hash"
      },
      "user_input": "date_attribute",
      "confidence": "Weak",
      "note": "no user input, fixed value"
    }
  ],
  "updated": "2021-12-10 16:34:44 +0100",
  "brakeman_version": "5.1.1"
}
Brakeman: make it happy 2018-01-11 15:54:39 +01:00			`{`
			`"ignored_warnings": [`
fix(brakeman): no code injection here 2021-12-10 16:23:34 +01:00			`{`
			`"warning_type": "Command Injection",`
			`"warning_code": 14,`
			`"fingerprint": "02c4a46707ac4d1cb33b17847aad8fd9f2e1d4201ec9a93b27111d6a3ac1bd29",`
			`"check_name": "Execute",`
			`"message": "Possible command injection",`
			`"file": "app/services/procedure_archive_service.rb",`
			`"line": 131,`
			`"link": "https://brakemanscanner.org/docs/warning_types/command_injection/",`
			"code": "`cd #{tmp_dir} && zip -r #{File.join(ARCHIVE_CREATION_DIR, \"#{zip_root_folder}.zip\")} #{zip_root_folder}`",
			`"render_path": null,`
			`"location": {`
			`"type": "method",`
			`"class": "ProcedureArchiveService",`
			`"method": "download_and_zip"`
			`},`
			`"user_input": "tmp_dir",`
			`"confidence": "Medium",`
			`"note": ""`
			`},`
fix(i18n): wrap text under i18n.t i18n(france_connect/*): replace wording with i18n fix(lint): i18n key issue secu(views/france_connect/particulier/merge.html.haml): sanitize france_connect_email just in case fix(brakeman): sanitize FCI.email_france_connect when used with html_safe via an I18n.t, also add exception to brakeman 2021-11-23 13:30:07 +01:00			`{`
			`"warning_type": "Cross-Site Scripting",`
			`"warning_code": 2,`
			`"fingerprint": "42099f4550a8377f455e830e8ab645cecd5806248481c5c646b4e17548c3cb07",`
			`"check_name": "CrossSiteScripting",`
			`"message": "Unescaped model attribute",`
			`"file": "app/views/france_connect/particulier/merge.html.haml",`
			`"line": 6,`
			`"link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",`
			`"code": "t(\".subtitle\", :email => sanitize(FranceConnectInformation.find_by(:merge_token => merge_token_params).email_france_connect), :application_name => (APPLICATION_NAME))",`
			`"render_path": [`
			`{`
			`"type": "controller",`
			`"class": "FranceConnect::ParticulierController",`
			`"method": "merge",`
			`"line": 48,`
			`"file": "app/controllers/france_connect/particulier_controller.rb",`
			`"rendered": {`
			`"name": "france_connect/particulier/merge",`
			`"file": "app/views/france_connect/particulier/merge.html.haml"`
			`}`
			`}`
			`],`
			`"location": {`
			`"type": "template",`
			`"template": "france_connect/particulier/merge"`
			`},`
			`"user_input": "FranceConnectInformation.find_by(:merge_token => merge_token_params).email_france_connect",`
			`"confidence": "Weak",`
			`"note": "explicitely sanitized even if we are using html_safe"`
			`},`
update brakeman configuration 2019-07-17 16:04:05 +02:00			`{`
			`"warning_type": "Cross-Site Scripting",`
			`"warning_code": 2,`
			`"fingerprint": "483ae8c038244eb3ed709e89846335e2c8ff6579260348ec31d3d03d1c94ad64",`
			`"check_name": "CrossSiteScripting",`
			`"message": "Unescaped model attribute",`
			`"file": "app/views/users/dossiers/merci.html.haml",`
instructeurs: fix ProcedurePresentation to use instructeur.user.email The `joins` are declared explicitely in order to associate a predictable name to the joined table. Otherwise, when the query is joined with `:users`, ActiveRecord will alias the join automatically to solve the conflict. Unfortunately, the automatic resolution means that the table name becomes unpredictable, and thus unsuitable to perform queries on. 2019-10-16 13:02:42 +02:00			`"line": 28,`
update brakeman configuration 2019-07-17 16:04:05 +02:00			`"link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",`
			`"code": "current_user.dossiers.includes(:procedure).find(params[:id]).procedure.monavis_embed",`
update brakeman 2020-10-30 15:07:58 +01:00			`"render_path": [`
			`{`
			`"type": "controller",`
			`"class": "Users::DossiersController",`
			`"method": "merci",`
feat(stats#index): update Stat model to also query DossierDeleted in stats computation tech(question): discard_and_keep_track! ; are we really keeping track with default_scope { kept } ? feat(stats): add DeletedDossier in Stat computations Revert "tech(question): discard_and_keep_track! ; are we really keeping track with default_scope { kept } ?" This reverts commit d1155b7eeaaf1a9f80189e59667e109541fcb089. feat(stats): support deleted_dossiers for last_four_months_hash and cumulative_hash. extract sanitize query & merge hashes in methdos clean(rubocop): lint with rubocop Update db/migrate/20211126080118_add_index_to_deleted_at_to_deleted_dossiers.rb Co-authored-by: LeSim <mail@simon.lehericey.net> fix(rubocop): avoid uneeded allocation fix(migration): add concurrent index with expected synthax fix(brakeman): add ignore message since group date_trunc evaluation is used by only ourself 2021-11-25 09:11:05 +01:00			`"line": 195,`
update brakeman 2020-10-30 15:07:58 +01:00			`"file": "app/controllers/users/dossiers_controller.rb",`
			`"rendered": {`
			`"name": "users/dossiers/merci",`
			`"file": "app/views/users/dossiers/merci.html.haml"`
			`}`
			`}`
			`],`
update brakeman configuration 2019-07-17 16:04:05 +02:00			`"location": {`
			`"type": "template",`
			`"template": "users/dossiers/merci"`
			`},`
			`"user_input": "current_user.dossiers.includes(:procedure)",`
			`"confidence": "Weak",`
			`"note": ""`
			`},`
feat(stats#index): update Stat model to also query DossierDeleted in stats computation tech(question): discard_and_keep_track! ; are we really keeping track with default_scope { kept } ? feat(stats): add DeletedDossier in Stat computations Revert "tech(question): discard_and_keep_track! ; are we really keeping track with default_scope { kept } ?" This reverts commit d1155b7eeaaf1a9f80189e59667e109541fcb089. feat(stats): support deleted_dossiers for last_four_months_hash and cumulative_hash. extract sanitize query & merge hashes in methdos clean(rubocop): lint with rubocop Update db/migrate/20211126080118_add_index_to_deleted_at_to_deleted_dossiers.rb Co-authored-by: LeSim <mail@simon.lehericey.net> fix(rubocop): avoid uneeded allocation fix(migration): add concurrent index with expected synthax fix(brakeman): add ignore message since group date_trunc evaluation is used by only ourself 2021-11-25 09:11:05 +01:00			`{`
			`"warning_type": "SQL Injection",`
			`"warning_code": 0,`
			`"fingerprint": "6c98e520dd368104bb0c81334875010711cd523afc28057ef86a10930f95c4b7",`
			`"check_name": "SQL",`
			`"message": "Possible SQL injection",`
			`"file": "app/models/stat.rb",`
			`"line": 83,`
			`"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",`
			`"code": "association.where(date_attribute => ((3.months.ago.beginning_of_month.to_date..max_date))).group(\"DATE_TRUNC('month', #{date_attribute})\")",`
			`"render_path": null,`
			`"location": {`
			`"type": "method",`
			`"class": "Stat",`
			`"method": "last_four_months_hash"`
			`},`
			`"user_input": "date_attribute",`
			`"confidence": "Weak",`
			`"note": "no user input, fixed value"`
			`},`
[#2750] SQL injection false positives 2018-10-05 16:15:19 +02:00			`{`
			`"warning_type": "SQL Injection",`
			`"warning_code": 0,`
[#3477] Update brakeman config 2019-02-14 19:02:34 +01:00			`"fingerprint": "bd1df30f95135357b646e21a03d95498874faffa32e3804fc643e9b6b957ee14",`
[#2750] SQL injection false positives 2018-10-05 16:15:19 +02:00			`"check_name": "SQL",`
			`"message": "Possible SQL injection",`
[#3477] Update brakeman config 2019-02-14 19:02:34 +01:00			`"file": "app/models/concerns/dossier_filtering_concern.rb",`
			`"line": 18,`
[#2750] SQL injection false positives 2018-10-05 16:15:19 +02:00			`"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",`
[#3477] Update brakeman config 2019-02-14 19:02:34 +01:00			`"code": "where(\"#{values.count} OR #{\"(#{ProcedurePresentation.sanitized_column(table, column)} ILIKE ?)\"}\", *values.map do\n \"%#{value}%\"\n end)",`
[#2750] SQL injection false positives 2018-10-05 16:15:19 +02:00			`"render_path": null,`
			`"location": {`
			`"type": "method",`
[#3477] Update brakeman config 2019-02-14 19:02:34 +01:00			`"class": "DossierFilteringConcern",`
			`"method": null`
[#2750] SQL injection false positives 2018-10-05 16:15:19 +02:00			`},`
[#3477] Update brakeman config 2019-02-14 19:02:34 +01:00			`"user_input": "values.count",`
			`"confidence": "Medium",`
			`"note": "The table and column are escaped, which should make this safe"`
[#2750] SQL injection false positives 2018-10-05 16:15:19 +02:00			`},`
gems: update brakeman This prevent a false-positive warning about a vulnerable loofah version. We also need to ignore a new warning, about an unsafe redirect. This is unsafe when the object given in redirect can be a hash that includes a `:host` key. But here we are redirecting to a plain string, which is definitely safe. 2021-09-02 23:09:18 +02:00			`{`
			`"warning_type": "Redirect",`
			`"warning_code": 18,`
			`"fingerprint": "c46b5c9cd6474ffae789f39a2280ba6b5a5a74d3ffa8a38cf8a409f9a027ed0e",`
			`"check_name": "Redirect",`
			`"message": "Possible unprotected redirect",`
			`"file": "app/controllers/instructeurs/procedures_controller.rb",`
fix(brakeman): no code injection here 2021-12-10 16:23:34 +01:00			`"line": 195,`
gems: update brakeman This prevent a false-positive warning about a vulnerable loofah version. We also need to ignore a new warning, about an unsafe redirect. This is unsafe when the object given in redirect can be a hash that includes a `:host` key. But here we are redirecting to a plain string, which is definitely safe. 2021-09-02 23:09:18 +02:00			`"link": "https://brakemanscanner.org/docs/warning_types/redirect/",`
			`"code": "redirect_to(Export.find_or_create_export(params[:export_format], (params[:time_span_type] or \"everything\"), current_instructeur.groupe_instructeurs.where(:procedure => procedure)).file.service_url)",`
			`"render_path": null,`
			`"location": {`
			`"type": "method",`
			`"class": "Instructeurs::ProceduresController",`
			`"method": "download_export"`
			`},`
			`"user_input": "Export.find_or_create_export(params[:export_format], (params[:time_span_type] or \"everything\"), current_instructeur.groupe_instructeurs.where(:procedure => procedure)).file.service_url",`
			`"confidence": "High",`
			`"note": ""`
feat(stats#index): update Stat model to also query DossierDeleted in stats computation tech(question): discard_and_keep_track! ; are we really keeping track with default_scope { kept } ? feat(stats): add DeletedDossier in Stat computations Revert "tech(question): discard_and_keep_track! ; are we really keeping track with default_scope { kept } ?" This reverts commit d1155b7eeaaf1a9f80189e59667e109541fcb089. feat(stats): support deleted_dossiers for last_four_months_hash and cumulative_hash. extract sanitize query & merge hashes in methdos clean(rubocop): lint with rubocop Update db/migrate/20211126080118_add_index_to_deleted_at_to_deleted_dossiers.rb Co-authored-by: LeSim <mail@simon.lehericey.net> fix(rubocop): avoid uneeded allocation fix(migration): add concurrent index with expected synthax fix(brakeman): add ignore message since group date_trunc evaluation is used by only ourself 2021-11-25 09:11:05 +01:00			`},`
			`{`
			`"warning_type": "SQL Injection",`
			`"warning_code": 0,`
			`"fingerprint": "dc6d873aff3dc5e51e3349b17e1f35039b23d0bddbf04224b0f1bca3e4608c1e",`
			`"check_name": "SQL",`
			`"message": "Possible SQL injection",`
			`"file": "app/models/stat.rb",`
			`"line": 97,`
			`"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",`
			`"code": "association.where(\"#{date_attribute} < ?\", max_date).group(\"DATE_TRUNC('month', #{date_attribute})\")",`
			`"render_path": null,`
			`"location": {`
			`"type": "method",`
			`"class": "Stat",`
			`"method": "cumulative_hash"`
			`},`
			`"user_input": "date_attribute",`
			`"confidence": "Weak",`
			`"note": "no user input, fixed value"`
[#2750] SQL injection false positives 2018-10-05 16:15:19 +02:00			`}`
Brakeman: make it happy 2018-01-11 15:54:39 +01:00			`],`
fix(brakeman): no code injection here 2021-12-10 16:23:34 +01:00			`"updated": "2021-12-10 16:34:44 +0100",`
gems: update brakeman This prevent a false-positive warning about a vulnerable loofah version. We also need to ignore a new warning, about an unsafe redirect. This is unsafe when the object given in redirect can be a hash that includes a `:host` key. But here we are redirecting to a plain string, which is definitely safe. 2021-09-02 23:09:18 +02:00			`"brakeman_version": "5.1.1"`
Brakeman: make it happy 2018-01-11 15:54:39 +01:00			`}`