From 573b3d39e233e0f18bc616d1359d85bfe534e653 Mon Sep 17 00:00:00 2001
From: maatinito <15379878+maatinito@users.noreply.github.com>
Date: Wed, 1 Dec 2021 16:15:00 -1000
Subject: [PATCH] Fix date_trunc sql queries for timezoned forks
---
 app/controllers/stats_controller.rb | 4 +-
 app/models/stat.rb | 6 +--
 app/models/traitement.rb | 4 +-
 config/brakeman.ignore | 68 +++++++++++++++++++----------
 4 files changed, 51 insertions(+), 31 deletions(-)
diff --git a/app/controllers/stats_controller.rb b/app/controllers/stats_controller.rb
index eec5c5b2f..3d4e9e66d 100644
--- a/app/controllers/stats_controller.rb
+++ b/app/controllers/stats_controller.rb
@@ -141,7 +141,7 @@ class StatsController < ApplicationController
 association
 .where(date_attribute => min_date..max_date)
- .group("DATE_TRUNC('month', #{date_attribute})")
+ .group("DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)")
 .count
 .to_a
 .sort_by { |a| a[0] }
@@ -152,7 +152,7 @@ class StatsController < ApplicationController
 sum = 0
 association
 .where("#{date_attribute} < ?", max_date)
- .group("DATE_TRUNC('month', #{date_attribute})")
+ .group("DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)")
 .count
 .to_a
 .sort_by { |a| a[0] }
diff --git a/app/models/stat.rb b/app/models/stat.rb
index 37e1c131e..7e2068e3e 100644
--- a/app/models/stat.rb
+++ b/app/models/stat.rb
@@ -76,11 +76,11 @@ class Stat < ApplicationRecord
 end
 def last_four_months_hash(associations_with_date_attribute)
- min_date = 3.months.ago.beginning_of_month.to_date
+ min_date = 3.months.ago.beginning_of_month
 timeseries = associations_with_date_attribute.map do |association, date_attribute|
 association
 .where(date_attribute => min_date..max_date)
- .group("DATE_TRUNC('month', #{date_attribute})")
+ .group("DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)")
 .count
 end
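Review bot: The `.group` line added in this hunk bakes `Time.zone.formatted_offset` into the query as a fixed interval, so PostgreSQL shifts every row by the offset in force when the request runs; for a zone that observes daylight saving that puts rows within an hour of a month boundary into the wrong bucket for half the year, and two requests on either side of a DST switch get different boundaries (for a zone without DST the two forms agree). Handing PostgreSQL the named zone lets it resolve the offset per row: `.group("DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.tzinfo.name}')")`. The same expression is added in the second hunk of this file, in both hunks of app/models/stat.rb and in app/models/traitement.rb. `min_date` and `max_date` are set outside this hunk; if `min_date` here is still a `Date` (stat.rb's was, before this commit dropped `.to_date`), the range starts at UTC midnight while the buckets start at local midnight, so the first bucket's filter and its grouping disagree.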
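Review bot: The truncation string added to `.group` in this stat.rb hunk is the same literal that the second hunk of this file and both hunks of app/controllers/stats_controller.rb now build by hand, so the time-zone handling lives in four places that can drift apart. A single helper returning the SQL fragment for a column, e.g. `def self.month_trunc_sql(column); "DATE_TRUNC('month', #{column}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)"; end` on Stat with the controller calling it, would keep the expression in one place and give the zone logic a single spec. `max_date` used by this method is defined outside the hunk.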
@@ -94,7 +94,7 @@ class Stat < ApplicationRecord
 timeseries = associations_with_date_attribute.map do |association, date_attribute|
 association
 .where("#{date_attribute} < ?", max_date)
- .group("DATE_TRUNC('month', #{date_attribute})")
+ .group("DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)")
 .count
 end
diff --git a/app/models/traitement.rb b/app/models/traitement.rb
index a407842d6..4975bbcc1 100644
--- a/app/models/traitement.rb
+++ b/app/models/traitement.rb
@@ -43,9 +43,9 @@ class Traitement < ApplicationRecord
 .to_sql
 sql = <<~EOF
- select date_trunc('month', r1.processed_at) as month, count(r1.processed_at)
+ select date_trunc('month', r1.processed_at::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL) as month, count(r1.processed_at)
 from (#{last_traitements_per_dossier}) as r1
- group by date_trunc('month', r1.processed_at)
+ group by date_trunc('month', r1.processed_at::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)
 order by month desc
 EOF
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
index a21e71bf4..d1cd809da 100644
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
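Review bot: The heredoc in the traitement.rb hunk now repeats the full `date_trunc(... AT TIME ZONE ...)` expression in the `select` and in the `group by`, and the two copies must stay byte-identical for PostgreSQL to accept the grouping, which is easy to break on the next edit. Grouping by output position removes the second copy: `group by 1`. The fixed-offset concern raised on the stats_controller.rb hunk applies to this expression as well. The enclosing method starts above the hunk (the relation whose `.to_sql` is the first context line) and the statement that executes `sql` is below it.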
@@ -31,6 +31,26 @@
 "confidence": "Weak",
 "note": "explicitely sanitized even if we are using html_safe"
 },
+ {
+ "warning_type": "SQL Injection",
+ "warning_code": 0,
+ "fingerprint": "4254ed68100af9b496883716b1fd658e1943b2385a0d08de5a6ef5c600c1a8f9",
+ "check_name": "SQL",
+ "message": "Possible SQL injection",
+ "file": "app/models/traitement.rb",
+ "line": 51,
+ "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+ "code": "ActiveRecord::Base.connection.execute(\"select date_trunc('month', r1.processed_at::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL) as month, count(r1.processed_at)\\nfrom (#{Traitement.select(\"max(traitements.processed_at) as processed_at\").termine.where(:dossier => Dossier.state_termine.where(:groupe_instructeur => groupe_instructeurs)).group(:dossier_id).to_sql}) as r1\\ngroup by date_trunc('month', r1.processed_at::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)\\norder by month desc\\n\")",
+ "render_path": null,
+ "location": {
+ "type": "method",
+ "class": "Traitement",
+ "method": "Traitement.count_dossiers_termines_by_month"
+ },
+ "user_input": "Time.zone.formatted_offset",
+ "confidence": "Medium",
+ "note": ""
+ },
 {
 "warning_type": "Cross-Site Scripting",
 "warning_code": 2,
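Review bot: The entry added in this hunk suppresses a Medium-confidence SQL-injection finding with an empty `"note"`, the stat.rb entry added in the next hunk does the same, and the last hunk replaces the existing `"no user input, fixed value"` note with an empty string, so the file no longer records why these interpolations were accepted. The reasoning belongs in the note: `Time.zone.formatted_offset` is derived from the application's configured time zone rather than from request input, and `date_attribute` is a column name from the caller's fixed list, which is what the note being removed said. Something like `"note": "Time.zone.formatted_offset comes from the configured time zone and date_attribute is a fixed column name; neither is request input"` on each of the three entries saves the next reviewer from re-deriving it. Since the fingerprint is computed over the code string, a later change that interpolates anything else should surface the warning again, but the note is what tells that reviewer what was accepted and why.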
@@ -62,26 +82,6 @@
 "confidence": "Weak",
 "note": ""
 },
- {
- "warning_type": "SQL Injection",
- "warning_code": 0,
- "fingerprint": "6c98e520dd368104bb0c81334875010711cd523afc28057ef86a10930f95c4b7",
- "check_name": "SQL",
- "message": "Possible SQL injection",
- "file": "app/models/stat.rb",
- "line": 83,
- "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
- "code": "association.where(date_attribute => ((3.months.ago.beginning_of_month.to_date..max_date))).group(\"DATE_TRUNC('month', #{date_attribute})\")",
- "render_path": null,
- "location": {
- "type": "method",
- "class": "Stat",
- "method": "last_four_months_hash"
- },
- "user_input": "date_attribute",
- "confidence": "Weak",
- "note": "no user input, fixed value"
- },
 {
 "warning_type": "SQL Injection",
 "warning_code": 0,
@@ -102,6 +102,26 @@
 "confidence": "Medium",
 "note": "The table and column are escaped, which should make this safe"
 },
+ {
+ "warning_type": "SQL Injection",
+ "warning_code": 0,
+ "fingerprint": "c0f93612a68c32da58f327e0b5fa33dd42fd8beb2984cf023338c5aadbbdacca",
+ "check_name": "SQL",
+ "message": "Possible SQL injection",
+ "file": "app/models/stat.rb",
+ "line": 83,
+ "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+ "code": "association.where(date_attribute => ((3.months.ago.beginning_of_month..max_date))).group(\"DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)\")",
+ "render_path": null,
+ "location": {
+ "type": "method",
+ "class": "Stat",
+ "method": "last_four_months_hash"
+ },
+ "user_input": "date_attribute",
+ "confidence": "Weak",
+ "note": ""
+ },
 {
 "warning_type": "Redirect",
 "warning_code": 18,
@@ -125,13 +145,13 @@
 {
 "warning_type": "SQL Injection",
 "warning_code": 0,
- "fingerprint": "dc6d873aff3dc5e51e3349b17e1f35039b23d0bddbf04224b0f1bca3e4608c1e",
+ "fingerprint": "f2bb9bc6a56e44ab36ee18152c657395841cff354baed0a302b8d18650551529",
 "check_name": "SQL",
 "message": "Possible SQL injection",
 "file": "app/models/stat.rb",
 "line": 97,
 "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
- "code": "association.where(\"#{date_attribute} < ?\", max_date).group(\"DATE_TRUNC('month', #{date_attribute})\")",
+ "code": "association.where(\"#{date_attribute} < ?\", max_date).group(\"DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)\")",
 "render_path": null,
 "location": {
 "type": "method",
@@ -140,9 +160,9 @@
 },
 "user_input": "date_attribute",
 "confidence": "Weak",
- "note": "no user input, fixed value"
+ "note": ""
 }
 ],
- "updated": "2021-12-13 17:09:07 +0100",
+ "updated": "2021-12-01 17:39:08 -1000",
 "brakeman_version": "5.1.1"
 }