2018-01-11 15:54:39 +01:00
|
|
|
{
|
|
|
|
"ignored_warnings": [
|
2022-02-22 15:46:57 +01:00
|
|
|
{
|
|
|
|
"warning_type": "Cross-Site Scripting",
|
|
|
|
"warning_code": 2,
|
|
|
|
"fingerprint": "1b805585567775589825c0eda58cb84c074fc760d0a7afb101c023a51427f2b5",
|
|
|
|
"check_name": "CrossSiteScripting",
|
|
|
|
"message": "Unescaped model attribute",
|
|
|
|
"file": "app/views/users/dossiers/_merci.html.haml",
|
|
|
|
"line": 26,
|
|
|
|
"link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
|
|
|
|
"code": "current_user.dossiers.includes(:procedure).find(params[:id]).procedure.monavis_embed",
|
|
|
|
"render_path": [
|
|
|
|
{
|
|
|
|
"type": "controller",
|
|
|
|
"class": "Users::DossiersController",
|
|
|
|
"method": "merci",
|
2024-03-27 11:16:29 +01:00
|
|
|
"line": 302,
|
2022-02-22 15:46:57 +01:00
|
|
|
"file": "app/controllers/users/dossiers_controller.rb",
|
|
|
|
"rendered": {
|
|
|
|
"name": "users/dossiers/merci",
|
|
|
|
"file": "app/views/users/dossiers/merci.html.haml"
|
|
|
|
}
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "template",
|
|
|
|
"name": "users/dossiers/merci",
|
|
|
|
"line": 6,
|
|
|
|
"file": "app/views/users/dossiers/merci.html.haml",
|
|
|
|
"rendered": {
|
|
|
|
"name": "users/dossiers/_merci",
|
|
|
|
"file": "app/views/users/dossiers/_merci.html.haml"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"location": {
|
|
|
|
"type": "template",
|
|
|
|
"template": "users/dossiers/_merci"
|
|
|
|
},
|
|
|
|
"user_input": "current_user.dossiers.includes(:procedure)",
|
|
|
|
"confidence": "Weak",
|
2023-08-28 12:16:24 +02:00
|
|
|
"cwe_id": [
|
|
|
|
79
|
|
|
|
],
|
2022-02-22 15:46:57 +01:00
|
|
|
"note": ""
|
|
|
|
},
|
2022-07-04 16:13:15 +02:00
|
|
|
{
|
2023-08-28 12:16:24 +02:00
|
|
|
"warning_type": "SQL Injection",
|
|
|
|
"warning_code": 0,
|
|
|
|
"fingerprint": "737aa4f7931ece068cce98d7cc66057a1ec81b9be43e469c3569ff1be91bbf09",
|
|
|
|
"check_name": "SQL",
|
|
|
|
"message": "Possible SQL injection",
|
|
|
|
"file": "app/graphql/connections/cursor_connection.rb",
|
2024-03-27 11:16:29 +01:00
|
|
|
"line": 150,
|
2023-08-28 12:16:24 +02:00
|
|
|
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
|
|
|
|
"code": "items.order(order_column => ((:desc or :asc)), :id => ((:desc or :asc))).limit(limit).where(\"(#{order_table}.#{order_column}, #{order_table}.id) < (?, ?)\", timestamp, id)",
|
2022-07-04 16:13:15 +02:00
|
|
|
"render_path": null,
|
|
|
|
"location": {
|
|
|
|
"type": "method",
|
2023-08-28 12:16:24 +02:00
|
|
|
"class": "Connections::CursorConnection",
|
|
|
|
"method": "resolve_nodes"
|
2022-07-04 16:13:15 +02:00
|
|
|
},
|
2023-08-28 12:16:24 +02:00
|
|
|
"user_input": "order_table",
|
|
|
|
"confidence": "Weak",
|
|
|
|
"cwe_id": [
|
|
|
|
89
|
|
|
|
],
|
|
|
|
"note": ""
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"warning_type": "SQL Injection",
|
|
|
|
"warning_code": 0,
|
|
|
|
"fingerprint": "a94939cb1e551341f443c6414634816e335bbfb03f0836ebd8b3ad8564d7f343",
|
|
|
|
"check_name": "SQL",
|
|
|
|
"message": "Possible SQL injection",
|
|
|
|
"file": "app/graphql/connections/cursor_connection.rb",
|
2024-03-27 11:16:29 +01:00
|
|
|
"line": 153,
|
2023-08-28 12:16:24 +02:00
|
|
|
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
|
|
|
|
"code": "items.order(order_column => ((:desc or :asc)), :id => ((:desc or :asc))).limit(limit).where(\"(#{order_table}.#{order_column}, #{order_table}.id) > (?, ?)\", timestamp, id)",
|
|
|
|
"render_path": null,
|
|
|
|
"location": {
|
|
|
|
"type": "method",
|
|
|
|
"class": "Connections::CursorConnection",
|
|
|
|
"method": "resolve_nodes"
|
|
|
|
},
|
|
|
|
"user_input": "order_table",
|
|
|
|
"confidence": "Weak",
|
|
|
|
"cwe_id": [
|
|
|
|
89
|
|
|
|
],
|
2022-07-04 16:13:15 +02:00
|
|
|
"note": ""
|
|
|
|
},
|
2021-11-25 09:11:05 +01:00
|
|
|
{
|
|
|
|
"warning_type": "SQL Injection",
|
|
|
|
"warning_code": 0,
|
2021-12-02 03:15:00 +01:00
|
|
|
"fingerprint": "bd1df30f95135357b646e21a03d95498874faffa32e3804fc643e9b6b957ee14",
|
2021-11-25 09:11:05 +01:00
|
|
|
"check_name": "SQL",
|
|
|
|
"message": "Possible SQL injection",
|
2021-12-02 03:15:00 +01:00
|
|
|
"file": "app/models/concerns/dossier_filtering_concern.rb",
|
2023-08-28 12:16:24 +02:00
|
|
|
"line": 32,
|
2021-11-25 09:11:05 +01:00
|
|
|
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
|
2021-12-02 03:15:00 +01:00
|
|
|
"code": "where(\"#{values.count} OR #{\"(#{ProcedurePresentation.sanitized_column(table, column)} ILIKE ?)\"}\", *values.map do\n \"%#{value}%\"\n end)",
|
2021-11-25 09:11:05 +01:00
|
|
|
"render_path": null,
|
|
|
|
"location": {
|
|
|
|
"type": "method",
|
2021-12-02 03:15:00 +01:00
|
|
|
"class": "DossierFilteringConcern",
|
|
|
|
"method": null
|
2021-11-25 09:11:05 +01:00
|
|
|
},
|
2021-12-02 03:15:00 +01:00
|
|
|
"user_input": "values.count",
|
|
|
|
"confidence": "Medium",
|
2023-08-28 12:16:24 +02:00
|
|
|
"cwe_id": [
|
|
|
|
89
|
|
|
|
],
|
2021-12-02 03:15:00 +01:00
|
|
|
"note": "The table and column are escaped, which should make this safe"
|
2024-03-27 11:16:29 +01:00
|
|
|
},
|
|
|
|
{
|
|
|
|
"warning_type": "Cross-Site Scripting",
|
|
|
|
"warning_code": 2,
|
|
|
|
"fingerprint": "c97049798ff05438dcca6f3ee1a714f2336041837411ab001a7e3caf1bfb75c8",
|
|
|
|
"check_name": "CrossSiteScripting",
|
|
|
|
"message": "Unescaped model attribute",
|
|
|
|
"file": "app/views/layouts/mailers/_signature.html.haml",
|
|
|
|
"line": 9,
|
|
|
|
"link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
|
|
|
|
"code": "Current.application_name.gsub(\".\", \"⁠.\")",
|
|
|
|
"render_path": [
|
|
|
|
{
|
|
|
|
"type": "template",
|
|
|
|
"name": "administrateur_mailer/api_token_expiration",
|
|
|
|
"line": 19,
|
|
|
|
"file": "app/views/administrateur_mailer/api_token_expiration.haml",
|
|
|
|
"rendered": {
|
|
|
|
"name": "layouts/mailers/_signature",
|
|
|
|
"file": "app/views/layouts/mailers/_signature.html.haml"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"location": {
|
|
|
|
"type": "template",
|
|
|
|
"template": "layouts/mailers/_signature"
|
|
|
|
},
|
|
|
|
"user_input": null,
|
|
|
|
"confidence": "Medium",
|
|
|
|
"cwe_id": [
|
|
|
|
79
|
|
|
|
],
|
|
|
|
"note": "Current is not a model"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"warning_type": "Cross-Site Scripting",
|
|
|
|
"warning_code": 2,
|
|
|
|
"fingerprint": "f74cfb12b3183f456594e809f222bb2723cc232aa5b8f5f7d9bd6d493c1521fb",
|
|
|
|
"check_name": "CrossSiteScripting",
|
|
|
|
"message": "Unescaped model attribute",
|
|
|
|
"file": "app/views/notification_mailer/send_notification_for_tiers.html.haml",
|
|
|
|
"line": 29,
|
|
|
|
"link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
|
|
|
|
"code": "Current.application_name.gsub(\".\", \"⁠.\")",
|
|
|
|
"render_path": null,
|
|
|
|
"location": {
|
|
|
|
"type": "template",
|
|
|
|
"template": "notification_mailer/send_notification_for_tiers"
|
|
|
|
},
|
|
|
|
"user_input": null,
|
|
|
|
"confidence": "Medium",
|
|
|
|
"cwe_id": [
|
|
|
|
79
|
|
|
|
],
|
|
|
|
"note": "Current is not a model"
|
2018-10-05 16:15:19 +02:00
|
|
|
}
|
2018-01-11 15:54:39 +01:00
|
|
|
],
|
2024-03-27 11:16:29 +01:00
|
|
|
"updated": "2024-03-27 17:15:54 +0100",
|
|
|
|
"brakeman_version": "6.1.2"
|
2018-01-11 15:54:39 +01:00
|
|
|
}
|