DGNum/demarches-normaliennes
13
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

chore(breakman): ignore injection warnings – table and column names com from our code not user input

Browse source
This commit is contained in:
Paul Chavard 2023-08-28 12:16:24 +02:00
parent 71d5470100
commit 82322e8874
1 changed files with 52 additions and 37 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

89
config/brakeman.ignore
View file

@ -15,7 +15,7 @@
"type": "controller", "type": "controller",
"class": "Users::DossiersController", "class": "Users::DossiersController",
"method": "merci", "method": "merci",
"line": 232, "line": 291,
"file": "app/controllers/users/dossiers_controller.rb", "file": "app/controllers/users/dossiers_controller.rb",
"rendered": { "rendered": {
"name": "users/dossiers/merci", "name": "users/dossiers/merci",
@ -39,6 +39,9 @@
}, },
"user_input": "current_user.dossiers.includes(:procedure)", "user_input": "current_user.dossiers.includes(:procedure)",
"confidence": "Weak", "confidence": "Weak",
"cwe_id": [
79
],
"note": "" "note": ""
}, },
{ {
@ -70,26 +73,55 @@
}, },
"user_input": "FranceConnectInformation.find_by(:merge_token => merge_token_params).email_france_connect", "user_input": "FranceConnectInformation.find_by(:merge_token => merge_token_params).email_france_connect",
"confidence": "Weak", "confidence": "Weak",
"cwe_id": [
79
],
"note": "explicitely sanitized even if we are using html_safe" "note": "explicitely sanitized even if we are using html_safe"
}, },
{ {
"warning_type": "Redirect", "warning_type": "SQL Injection",
"warning_code": 18, "warning_code": 0,
"fingerprint": "8a1ccc92988486094b2c89e586902a3b6fcbd43910d6363dce14b9981ca8ddeb", "fingerprint": "737aa4f7931ece068cce98d7cc66057a1ec81b9be43e469c3569ff1be91bbf09",
"check_name": "Redirect", "check_name": "SQL",
"message": "Possible unprotected redirect", "message": "Possible SQL injection",
"file": "app/controllers/instructeurs/procedures_controller.rb", "file": "app/graphql/connections/cursor_connection.rb",
"line": 175, "line": 66,
"link": "https://brakemanscanner.org/docs/warning_types/redirect/", "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "redirect_to(Export.find_or_create_export(export_format, current_instructeur.groupe_instructeurs.where(:procedure => procedure), :force => force_export?, **export_options).file.service_url)", "code": "items.order(order_column => ((:desc or :asc)), :id => ((:desc or :asc))).limit(limit).where(\"(#{order_table}.#{order_column}, #{order_table}.id) < (?, ?)\", timestamp, id)",
"render_path": null, "render_path": null,
"location": { "location": {
"type": "method", "type": "method",
"class": "Instructeurs::ProceduresController", "class": "Connections::CursorConnection",
"method": "download_export" "method": "resolve_nodes"
}, },
"user_input": "Export.find_or_create_export(export_format, current_instructeur.groupe_instructeurs.where(:procedure => procedure), :force => force_export?, **export_options).file.service_url", "user_input": "order_table",
"confidence": "High", "confidence": "Weak",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "a94939cb1e551341f443c6414634816e335bbfb03f0836ebd8b3ad8564d7f343",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/graphql/connections/cursor_connection.rb",
"line": 69,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "items.order(order_column => ((:desc or :asc)), :id => ((:desc or :asc))).limit(limit).where(\"(#{order_table}.#{order_column}, #{order_table}.id) > (?, ?)\", timestamp, id)",
"render_path": null,
"location": {
"type": "method",
"class": "Connections::CursorConnection",
"method": "resolve_nodes"
},
"user_input": "order_table",
"confidence": "Weak",
"cwe_id": [
89
],
"note": "" "note": ""
}, },
{ {
@ -99,7 +131,7 @@
"check_name": "SQL", "check_name": "SQL",
"message": "Possible SQL injection", "message": "Possible SQL injection",
"file": "app/models/concerns/dossier_filtering_concern.rb", "file": "app/models/concerns/dossier_filtering_concern.rb",
"line": 30, "line": 32,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "where(\"#{values.count} OR #{\"(#{ProcedurePresentation.sanitized_column(table, column)} ILIKE ?)\"}\", *values.map do\n \"%#{value}%\"\n end)", "code": "where(\"#{values.count} OR #{\"(#{ProcedurePresentation.sanitized_column(table, column)} ILIKE ?)\"}\", *values.map do\n \"%#{value}%\"\n end)",
"render_path": null, "render_path": null,
@ -110,29 +142,12 @@
}, },
"user_input": "values.count", "user_input": "values.count",
"confidence": "Medium", "confidence": "Medium",
"cwe_id": [
89
],
"note": "The table and column are escaped, which should make this safe" "note": "The table and column are escaped, which should make this safe"
},
{
"warning_type": "Redirect",
"warning_code": 18,
"fingerprint": "e2220b7cda7df5d02de77e7c3ce137653126e0d8e91ce445676b63ec4c94bbcb",
"check_name": "Redirect",
"message": "Possible unprotected redirect",
"file": "app/controllers/administrateurs/exports_controller.rb",
"line": 18,
"link": "https://brakemanscanner.org/docs/warning_types/redirect/",
"code": "redirect_to(Export.find_or_create_export(export_format, all_groupe_instructeurs, :force => force_export?, **export_options).file.service_url)",
"render_path": null,
"location": {
"type": "method",
"class": "Administrateurs::ExportsController",
"method": "download"
},
"user_input": "Export.find_or_create_export(export_format, all_groupe_instructeurs, :force => force_export?, **export_options).file.service_url",
"confidence": "High",
"note": ""
} }
], ],
"updated": "2022-11-15 23:04:53 +0100", "updated": "2023-08-28 12:16:04 +0200",
"brakeman_version": "5.2.2" "brakeman_version": "5.4.1"
} }