Fix date_trunc sql queries for timezoned forks

2021-12-01 16:15:00 -10:00 · 2021-12-01 16:15:00 -10:00 · 573b3d39e2
commit 573b3d39e2
parent 776f531804
4 changed files with 51 additions and 31 deletions
--- a/app/controllers/stats_controller.rb
+++ b/app/controllers/stats_controller.rb
@ -141,7 +141,7 @@ class StatsController < ApplicationController

    association
      .where(date_attribute => min_date..max_date)
-      .group("DATE_TRUNC('month', #{date_attribute})")
+      .group("DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)")
      .count
      .to_a
      .sort_by { |a| a[0] }
@ -152,7 +152,7 @@ class StatsController < ApplicationController
    sum = 0
    association
      .where("#{date_attribute} < ?", max_date)
-      .group("DATE_TRUNC('month', #{date_attribute})")
+      .group("DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)")
      .count
      .to_a
      .sort_by { |a| a[0] }
--- a/app/models/stat.rb
+++ b/app/models/stat.rb
@ -76,11 +76,11 @@ class Stat < ApplicationRecord
    end

    def last_four_months_hash(associations_with_date_attribute)
-      min_date = 3.months.ago.beginning_of_month.to_date
+      min_date = 3.months.ago.beginning_of_month
      timeseries = associations_with_date_attribute.map do |association, date_attribute|
        association
          .where(date_attribute => min_date..max_date)
-          .group("DATE_TRUNC('month', #{date_attribute})")
+          .group("DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)")
          .count
      end

@ -94,7 +94,7 @@ class Stat < ApplicationRecord
      timeseries = associations_with_date_attribute.map do |association, date_attribute|
        association
          .where("#{date_attribute} < ?", max_date)
-          .group("DATE_TRUNC('month', #{date_attribute})")
+          .group("DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)")
          .count
      end

--- a/app/models/traitement.rb
+++ b/app/models/traitement.rb
@ -43,9 +43,9 @@ class Traitement < ApplicationRecord
      .to_sql

    sql = <<~EOF
-      select date_trunc('month', r1.processed_at) as month, count(r1.processed_at)
+      select date_trunc('month', r1.processed_at::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL) as month, count(r1.processed_at)
      from (#{last_traitements_per_dossier}) as r1
-      group by date_trunc('month', r1.processed_at)
+      group by date_trunc('month', r1.processed_at::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)
      order by month desc
    EOF

--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@ -31,6 +31,26 @@
      "confidence": "Weak",
      "note": "explicitely sanitized even if we are using html_safe"
    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "4254ed68100af9b496883716b1fd658e1943b2385a0d08de5a6ef5c600c1a8f9",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/traitement.rb",
+      "line": 51,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "ActiveRecord::Base.connection.execute(\"select date_trunc('month', r1.processed_at::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL) as month, count(r1.processed_at)\\nfrom (#{Traitement.select(\"max(traitements.processed_at) as processed_at\").termine.where(:dossier => Dossier.state_termine.where(:groupe_instructeur => groupe_instructeurs)).group(:dossier_id).to_sql}) as r1\\ngroup by date_trunc('month', r1.processed_at::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)\\norder by month desc\\n\")",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Traitement",
+        "method": "Traitement.count_dossiers_termines_by_month"
+      },
+      "user_input": "Time.zone.formatted_offset",
+      "confidence": "Medium",
+      "note": ""
+    },
    {
      "warning_type": "Cross-Site Scripting",
      "warning_code": 2,
@ -62,26 +82,6 @@
      "confidence": "Weak",
      "note": ""
    },
-    {
-      "warning_type": "SQL Injection",
-      "warning_code": 0,
-      "fingerprint": "6c98e520dd368104bb0c81334875010711cd523afc28057ef86a10930f95c4b7",
-      "check_name": "SQL",
-      "message": "Possible SQL injection",
-      "file": "app/models/stat.rb",
-      "line": 83,
-      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
-      "code": "association.where(date_attribute => ((3.months.ago.beginning_of_month.to_date..max_date))).group(\"DATE_TRUNC('month', #{date_attribute})\")",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "Stat",
-        "method": "last_four_months_hash"
-      },
-      "user_input": "date_attribute",
-      "confidence": "Weak",
-      "note": "no user input, fixed value"
-    },
    {
      "warning_type": "SQL Injection",
      "warning_code": 0,
@ -102,6 +102,26 @@
      "confidence": "Medium",
      "note": "The table and column are escaped, which should make this safe"
    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "c0f93612a68c32da58f327e0b5fa33dd42fd8beb2984cf023338c5aadbbdacca",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/stat.rb",
+      "line": 83,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "association.where(date_attribute => ((3.months.ago.beginning_of_month..max_date))).group(\"DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)\")",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Stat",
+        "method": "last_four_months_hash"
+      },
+      "user_input": "date_attribute",
+      "confidence": "Weak",
+      "note": ""
+    },
    {
      "warning_type": "Redirect",
      "warning_code": 18,
@ -125,13 +145,13 @@
    {
      "warning_type": "SQL Injection",
      "warning_code": 0,
-      "fingerprint": "dc6d873aff3dc5e51e3349b17e1f35039b23d0bddbf04224b0f1bca3e4608c1e",
+      "fingerprint": "f2bb9bc6a56e44ab36ee18152c657395841cff354baed0a302b8d18650551529",
      "check_name": "SQL",
      "message": "Possible SQL injection",
      "file": "app/models/stat.rb",
      "line": 97,
      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
-      "code": "association.where(\"#{date_attribute} < ?\", max_date).group(\"DATE_TRUNC('month', #{date_attribute})\")",
+      "code": "association.where(\"#{date_attribute} < ?\", max_date).group(\"DATE_TRUNC('month', #{date_attribute}::TIMESTAMPTZ AT TIME ZONE '#{Time.zone.formatted_offset}'::INTERVAL)\")",
      "render_path": null,
      "location": {
        "type": "method",
@ -140,9 +160,9 @@
      },
      "user_input": "date_attribute",
      "confidence": "Weak",
-      "note": "no user input, fixed value"
+      "note": ""
    }
  ],
-  "updated": "2021-12-13 17:09:07 +0100",
+  "updated": "2021-12-01 17:39:08 -1000",
  "brakeman_version": "5.1.1"
 }