DGNum/demarches-normaliennes
15
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

Fix date_trunc sql queries for timezoned forks

Browse source
This commit is contained in:
maatinito 2021-12-01 16:15:00 -10:00 committed by Pierre de La Morinerie
parent 776f531804
commit 573b3d39e2
4 changed files with 51 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app/controllers/stats_controller.rb
View file

@ -141,7 +141,7 @@ class StatsController < ApplicationController
association association
.where(date_attribute => min_date..max_date) .where(date_attribute => min_date..max_date)
.group("DATE_TRUNC('month', #{date_attribute})") .group("DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)")
.count .count
.to_a .to_a
.sort_by { |a| a[0] } .sort_by { |a| a[0] }
@ -152,7 +152,7 @@ class StatsController < ApplicationController
sum = 0 sum = 0
association association
.where("#{date_attribute} < ?", max_date) .where("#{date_attribute} < ?", max_date)
.group("DATE_TRUNC('month', #{date_attribute})") .group("DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)")
.count .count
.to_a .to_a
.sort_by { |a| a[0] } .sort_by { |a| a[0] }

6
app/models/stat.rb
View file

@ -76,11 +76,11 @@ class Stat < ApplicationRecord
end end
def last_four_months_hash(associations_with_date_attribute) def last_four_months_hash(associations_with_date_attribute)
min_date = 3.months.ago.beginning_of_month.to_date min_date = 3.months.ago.beginning_of_month
timeseries = associations_with_date_attribute.map do |association, date_attribute| timeseries = associations_with_date_attribute.map do |association, date_attribute|
association association
.where(date_attribute => min_date..max_date) .where(date_attribute => min_date..max_date)
.group("DATE_TRUNC('month', #{date_attribute})") .group("DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)")
.count .count
end end
@ -94,7 +94,7 @@ class Stat < ApplicationRecord
timeseries = associations_with_date_attribute.map do |association, date_attribute| timeseries = associations_with_date_attribute.map do |association, date_attribute|
association association
.where("#{date_attribute} < ?", max_date) .where("#{date_attribute} < ?", max_date)
.group("DATE_TRUNC('month', #{date_attribute})") .group("DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)")
.count .count
end end

4
app/models/traitement.rb
View file

@ -43,9 +43,9 @@ class Traitement < ApplicationRecord
.to_sql .to_sql
sql = <<~EOF sql = <<~EOF
select date_trunc('month', r1.processed_at) as month, count(r1.processed_at) select date_trunc('month', r1.processed_at::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL) as month, count(r1.processed_at)
from (#{last_traitements_per_dossier}) as r1 from (#{last_traitements_per_dossier}) as r1
group by date_trunc('month', r1.processed_at) group by date_trunc('month', r1.processed_at::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)
order by month desc order by month desc
EOF EOF

68
config/brakeman.ignore
View file

@ -31,6 +31,26 @@
"confidence": "Weak", "confidence": "Weak",
"note": "explicitely sanitized even if we are using html_safe" "note": "explicitely sanitized even if we are using html_safe"
}, },
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "4254ed68100af9b496883716b1fd658e1943b2385a0d08de5a6ef5c600c1a8f9",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/traitement.rb",
"line": 51,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "ActiveRecord::Base.connection.execute(\"select date_trunc('month', r1.processed_at::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL) as month, count(r1.processed_at)\\nfrom (#{Traitement.select(\"max(traitements.processed_at) as processed_at\").termine.where(:dossier => Dossier.state_termine.where(:groupe_instructeur => groupe_instructeurs)).group(:dossier_id).to_sql}) as r1\\ngroup by date_trunc('month', r1.processed_at::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)\\norder by month desc\\n\")",
"render_path": null,
"location": {
"type": "method",
"class": "Traitement",
"method": "Traitement.count_dossiers_termines_by_month"
},
"user_input": "Time.zone.formatted_offset",
"confidence": "Medium",
"note": ""
},
{ {
"warning_type": "Cross-Site Scripting", "warning_type": "Cross-Site Scripting",
"warning_code": 2, "warning_code": 2,
@ -62,26 +82,6 @@
"confidence": "Weak", "confidence": "Weak",
"note": "" "note": ""
}, },
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "6c98e520dd368104bb0c81334875010711cd523afc28057ef86a10930f95c4b7",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/stat.rb",
"line": 83,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "association.where(date_attribute => ((3.months.ago.beginning_of_month.to_date..max_date))).group(\"DATE_TRUNC('month', #{date_attribute})\")",
"render_path": null,
"location": {
"type": "method",
"class": "Stat",
"method": "last_four_months_hash"
},
"user_input": "date_attribute",
"confidence": "Weak",
"note": "no user input, fixed value"
},
{ {
"warning_type": "SQL Injection", "warning_type": "SQL Injection",
"warning_code": 0, "warning_code": 0,
@ -102,6 +102,26 @@
"confidence": "Medium", "confidence": "Medium",
"note": "The table and column are escaped, which should make this safe" "note": "The table and column are escaped, which should make this safe"
}, },
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "c0f93612a68c32da58f327e0b5fa33dd42fd8beb2984cf023338c5aadbbdacca",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/stat.rb",
"line": 83,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "association.where(date_attribute => ((3.months.ago.beginning_of_month..max_date))).group(\"DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)\")",
"render_path": null,
"location": {
"type": "method",
"class": "Stat",
"method": "last_four_months_hash"
},
"user_input": "date_attribute",
"confidence": "Weak",
"note": ""
},
{ {
"warning_type": "Redirect", "warning_type": "Redirect",
"warning_code": 18, "warning_code": 18,
@ -125,13 +145,13 @@
{ {
"warning_type": "SQL Injection", "warning_type": "SQL Injection",
"warning_code": 0, "warning_code": 0,
"fingerprint": "dc6d873aff3dc5e51e3349b17e1f35039b23d0bddbf04224b0f1bca3e4608c1e", "fingerprint": "f2bb9bc6a56e44ab36ee18152c657395841cff354baed0a302b8d18650551529",
"check_name": "SQL", "check_name": "SQL",
"message": "Possible SQL injection", "message": "Possible SQL injection",
"file": "app/models/stat.rb", "file": "app/models/stat.rb",
"line": 97, "line": 97,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "association.where(\"#{date_attribute} < ?\", max_date).group(\"DATE_TRUNC('month', #{date_attribute})\")", "code": "association.where(\"#{date_attribute} < ?\", max_date).group(\"DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)\")",
"render_path": null, "render_path": null,
"location": { "location": {
"type": "method", "type": "method",
@ -140,9 +160,9 @@
}, },
"user_input": "date_attribute", "user_input": "date_attribute",
"confidence": "Weak", "confidence": "Weak",
"note": "no user input, fixed value" "note": ""
} }
], ],
"updated": "2021-12-13 17:09:07 +0100", "updated": "2021-12-01 17:39:08 -1000",
"brakeman_version": "5.1.1" "brakeman_version": "5.1.1"
} }