DGNum/demarches-normaliennes
15
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

tech(brakeman): bypass sec warning, indead, rails sanitize queries when using where("anything = ?", value) synthax

Browse source
This commit is contained in:
mfo 2024-09-24 20:57:13 +02:00
parent 75063ae31e
commit c02e4fff57
No known key found for this signature in database
GPG key ID: 7CE3E1F5B794A8EC
1 changed files with 29 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
config/brakeman.ignore
View file

@ -15,7 +15,7 @@
"type": "controller",
"class": "Users::DossiersController",
"method": "merci",
"line": 329,
"line": 323,
"file": "app/controllers/users/dossiers_controller.rb",
"rendered": {
"name": "users/dossiers/merci",
@ -44,6 +44,29 @@
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "31693060072e27c02ca4f884f2a07f4f1c1247b7a6f5cc5c724e88e6ca9b4873",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/concerns/dossier_filtering_concern.rb",
"line": 40,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "where(\"#{values.count} OR #{\"(#{ProcedurePresentation.sanitized_column(table, column)} = ?)\"}\", *values)",
"render_path": null,
"location": {
"type": "method",
"class": "DossierFilteringConcern",
"method": null
},
"user_input": "values.count",
"confidence": "Medium",
"cwe_id": [
89
],
"note": "filtered by rails query params where(something: ?, values)"
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
@ -51,7 +74,7 @@
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/columns/json_path_column.rb",
"line": 10,
"line": 11,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "dossiers.with_type_de_champ(stable_id).where(\"#{search_occurences.count} OR #{\"(#{json_path_query_part} ILIKE ?)\"}\", *search_occurences.map do\n \"%#{value}%\"\n end)",
"render_path": null,
@ -74,7 +97,7 @@
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/graphql/connections/cursor_connection.rb",
"line": 150,
"line": 152,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "items.order(order_column => ((:desc or :asc)), :id => ((:desc or :asc))).limit(limit).where(\"(#{order_table}.#{order_column}, #{order_table}.id) < (?, ?)\", timestamp, id)",
"render_path": null,
@ -131,7 +154,7 @@
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/graphql/connections/cursor_connection.rb",
"line": 153,
"line": 155,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "items.order(order_column => ((:desc or :asc)), :id => ((:desc or :asc))).limit(limit).where(\"(#{order_table}.#{order_column}, #{order_table}.id) > (?, ?)\", timestamp, id)",
"render_path": null,
@ -154,7 +177,7 @@
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/concerns/dossier_filtering_concern.rb",
"line": 32,
"line": 34,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "where(\"#{values.count} OR #{\"(#{ProcedurePresentation.sanitized_column(table, column)} ILIKE ?)\"}\", *values.map do\n \"%#{value}%\"\n end)",
"render_path": null,
@ -226,6 +249,6 @@
"note": "Current is not a model"
}
],
"updated": "2024-08-20 14:34:27 +0200",
"updated": "2024-09-24 20:56:24 +0200",
"brakeman_version": "6.1.2"
}