DGNum/demarches-normaliennes
13
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

gems: update brakeman

Browse source 
This prevent a false-positive warning about a vulnerable loofah version.

We also need to ignore a new warning, about an unsafe redirect. This is
unsafe when the object given in redirect can be a hash that includes
a `:host` key. But here we are redirecting to a plain string, which is
definitely safe.
This commit is contained in:
Pierre de La Morinerie 2021-09-02 21:09:18 +00:00
parent 27376c00b0
commit f9529da8bd
2 changed files with 23 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Gemfile.lock
View file

@ -134,7 +134,7 @@ GEM
bindex (0.8.1)
bootsnap (1.7.2)
msgpack (~> 1.0)
brakeman (5.0.0)
brakeman (5.1.1)
browser (5.3.1)
builder (3.2.4)
byebug (11.1.3)

24
config/brakeman.ignore
View file

@ -91,6 +91,26 @@
"confidence": "Medium",
"note": "The table and column are escaped, which should make this safe"
},
{
"warning_type": "Redirect",
"warning_code": 18,
"fingerprint": "c46b5c9cd6474ffae789f39a2280ba6b5a5a74d3ffa8a38cf8a409f9a027ed0e",
"check_name": "Redirect",
"message": "Possible unprotected redirect",
"file": "app/controllers/instructeurs/procedures_controller.rb",
"line": 180,
"link": "https://brakemanscanner.org/docs/warning_types/redirect/",
"code": "redirect_to(Export.find_or_create_export(params[:export_format], (params[:time_span_type] or \"everything\"), current_instructeur.groupe_instructeurs.where(:procedure => procedure)).file.service_url)",
"render_path": null,
"location": {
"type": "method",
"class": "Instructeurs::ProceduresController",
"method": "download_export"
},
"user_input": "Export.find_or_create_export(params[:export_format], (params[:time_span_type] or \"everything\"), current_instructeur.groupe_instructeurs.where(:procedure => procedure)).file.service_url",
"confidence": "High",
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
@ -152,6 +172,6 @@
"note": "`table`, `column` and `order` come from the model, which is validated to prevent injection attacks. Furthermore, `table` and `column` are escaped."
}
],
"updated": "2021-06-17 09:26:40 +0200",
"brakeman_version": "5.0.0"
"updated": "2021-09-02 16:10:12 -0500",
"brakeman_version": "5.1.1"
}