demarches-normaliennes/config/brakeman.ignore

301 lines
10 KiB
Text
Raw Normal View History

2018-01-11 15:54:39 +01:00
{
"ignored_warnings": [
{
"warning_type": "Cross-Site Scripting",
"warning_code": 2,
"fingerprint": "26f504696b074d18ef3f5568dc8f6a46d1283a67fe37822498fa25d0409664ab",
"check_name": "CrossSiteScripting",
"message": "Unescaped model attribute",
"file": "app/views/users/dossiers/_merci.html.haml",
"line": 34,
"link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
"code": "current_user.dossiers.includes(:procedure).find(params[:id]).procedure.monavis_embed_html_source(\"site\")",
"render_path": [
{
"type": "controller",
"class": "Users::DossiersController",
"method": "merci",
"line": 323,
"file": "app/controllers/users/dossiers_controller.rb",
"rendered": {
"name": "users/dossiers/merci",
"file": "app/views/users/dossiers/merci.html.haml"
}
},
{
"type": "template",
"name": "users/dossiers/merci",
"line": 6,
"file": "app/views/users/dossiers/merci.html.haml",
"rendered": {
"name": "users/dossiers/_merci",
"file": "app/views/users/dossiers/_merci.html.haml"
}
}
],
"location": {
"type": "template",
"template": "users/dossiers/_merci"
},
"user_input": "current_user.dossiers.includes(:procedure)",
"confidence": "Weak",
"cwe_id": [
79
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "5092b33433aef8fe42b688a780325f3791a77b39e55131256c78cebc3c14c0a3",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/concerns/dossier_filtering_concern.rb",
"line": 46,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "where(\"#{values.count} OR #{\"(#{DossierFilterService.sanitized_column(table, column)} = ?)\"}\", *values.map do\n \"[\\\"#{value}\\\"]\"\n end)",
"render_path": null,
"location": {
"type": "method",
"class": "DossierFilteringConcern",
"method": null
},
"user_input": "values.count",
"confidence": "Medium",
"cwe_id": [
89
],
"note": "filtered by rails query params where(something: ?, values)"
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "5ba3f5d525b15c710215829e0db49f58e8cca06d68eff5931ebfd7d0ca0e35de",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/columns/json_path_column.rb",
"line": 11,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "dossiers.with_type_de_champ(stable_id).where(\"#{search_occurences.count} OR #{\"(#{json_path_query_part} ILIKE ?)\"}\", *search_occurences.map do\n \"%#{value}%\"\n end)",
"render_path": null,
"location": {
"type": "method",
"class": "Columns::JSONPathColumn",
"method": "filtered_ids"
},
"user_input": "search_occurences.count",
"confidence": "Weak",
"cwe_id": [
89
],
"note": "already sanitized"
},
2022-07-04 16:13:15 +02:00
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "737aa4f7931ece068cce98d7cc66057a1ec81b9be43e469c3569ff1be91bbf09",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/graphql/connections/cursor_connection.rb",
"line": 152,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "items.order(order_column => ((:desc or :asc)), :id => ((:desc or :asc))).limit(limit).where(\"(#{order_table}.#{order_column}, #{order_table}.id) < (?, ?)\", timestamp, id)",
2022-07-04 16:13:15 +02:00
"render_path": null,
"location": {
"type": "method",
"class": "Connections::CursorConnection",
"method": "resolve_nodes"
2022-07-04 16:13:15 +02:00
},
"user_input": "order_table",
"confidence": "Weak",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "7dc4935d5b68365bedb8f6b953f01b396cff4daa533c98ee56a84249ca5a1f90",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/tasks/maintenance/concerns/statements_helpers_concern.rb",
"line": 19,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "ApplicationRecord.connection.execute(\"SET LOCAL statement_timeout = '#{timeout}'\")",
"render_path": null,
"location": {
"type": "method",
"class": "Maintenance::StatementsHelpersConcern",
"method": "with_statement_timeout"
},
"user_input": "timeout",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "91ff8031e7c639c95fe6c244867349a72078ef456d8b3507deaf2bdb9bf62fe2",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/concerns/dossier_filtering_concern.rb",
"line": 34,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "where(\"#{values.count} OR #{\"(#{DossierFilterService.sanitized_column(table, column)} ILIKE ?)\"}\", *values.map do\n \"%#{value}%\"\n end)",
"render_path": null,
"location": {
"type": "method",
"class": "DossierFilteringConcern",
"method": null
},
"user_input": "values.count",
"confidence": "Medium",
"cwe_id": [
89
],
"note": "filtered by rails query params where(something: ?, values)"
},
{
"warning_type": "Cross-Site Scripting",
"warning_code": 2,
"fingerprint": "a7d18cc3434b4428a884f1217791f9a9db67839e73fb499f1ccd0f686f08eccc",
"check_name": "CrossSiteScripting",
"message": "Unescaped parameter value",
"file": "app/views/faq/show.html.haml",
"line": 13,
"link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
"code": "Redcarpet::Markdown.new(Redcarpet::TrustedRenderer.new(view_context), :autolink => true).render(loader_service.find(\"#{params[:category]}/#{params[:slug]}\").content)",
"render_path": [
{
"type": "controller",
"class": "FAQController",
"method": "show",
"line": 14,
"file": "app/controllers/faq_controller.rb",
"rendered": {
"name": "faq/show",
"file": "app/views/faq/show.html.haml"
}
}
],
"location": {
"type": "template",
"template": "faq/show"
},
"user_input": "params[:category]",
"confidence": "Weak",
"cwe_id": [
79
],
"note": "Theses params are not rendered"
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "a94939cb1e551341f443c6414634816e335bbfb03f0836ebd8b3ad8564d7f343",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/graphql/connections/cursor_connection.rb",
"line": 155,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "items.order(order_column => ((:desc or :asc)), :id => ((:desc or :asc))).limit(limit).where(\"(#{order_table}.#{order_column}, #{order_table}.id) > (?, ?)\", timestamp, id)",
"render_path": null,
"location": {
"type": "method",
"class": "Connections::CursorConnection",
"method": "resolve_nodes"
},
"user_input": "order_table",
"confidence": "Weak",
"cwe_id": [
89
],
2022-07-04 16:13:15 +02:00
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "aaff41afa7bd5a551cd2e3a385071090cb53c95caa40fad3785cd3d68c9b939c",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/concerns/dossier_filtering_concern.rb",
"line": 40,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "where(\"#{values.count} OR #{\"(#{DossierFilterService.sanitized_column(table, column)} = ?)\"}\", *values)",
"render_path": null,
"location": {
"type": "method",
"class": "DossierFilteringConcern",
"method": null
},
"user_input": "values.count",
"confidence": "Medium",
"cwe_id": [
89
],
"note": "The table and column are escaped, which should make this safe"
},
{
"warning_type": "Cross-Site Scripting",
"warning_code": 2,
"fingerprint": "c97049798ff05438dcca6f3ee1a714f2336041837411ab001a7e3caf1bfb75c8",
"check_name": "CrossSiteScripting",
"message": "Unescaped model attribute",
"file": "app/views/layouts/mailers/_signature.html.haml",
"line": 9,
"link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
"code": "Current.application_name.gsub(\".\", \"&#8288;.\")",
"render_path": [
{
"type": "template",
"name": "administrateur_mailer/api_token_expiration",
"line": 19,
"file": "app/views/administrateur_mailer/api_token_expiration.haml",
"rendered": {
"name": "layouts/mailers/_signature",
"file": "app/views/layouts/mailers/_signature.html.haml"
}
}
],
"location": {
"type": "template",
"template": "layouts/mailers/_signature"
},
"user_input": null,
"confidence": "Medium",
"cwe_id": [
79
],
"note": "Current is not a model"
},
{
"warning_type": "Cross-Site Scripting",
"warning_code": 2,
"fingerprint": "f74cfb12b3183f456594e809f222bb2723cc232aa5b8f5f7d9bd6d493c1521fb",
"check_name": "CrossSiteScripting",
"message": "Unescaped model attribute",
"file": "app/views/notification_mailer/send_notification_for_tiers.html.haml",
"line": 31,
"link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
"code": "Current.application_name.gsub(\".\", \"&#8288;.\")",
"render_path": null,
"location": {
"type": "template",
"template": "notification_mailer/send_notification_for_tiers"
},
"user_input": null,
"confidence": "Medium",
"cwe_id": [
79
],
"note": "Current is not a model"
2018-10-05 16:15:19 +02:00
}
2018-01-11 15:54:39 +01:00
],
"updated": "2024-10-16 18:07:17 +0200",
"brakeman_version": "6.1.2"
2018-01-11 15:54:39 +01:00
}