Commit graph

28 commits

Author SHA1 Message Date
Colin Darie
965afbd18c
fix(brakeman): false positive params not rendered 2024-05-16 11:43:59 +02:00
Colin Darie
16766d7395
fix(brakerman): update brakeman with Current false positive 2024-04-02 18:47:50 +02:00
Paul Chavard
82322e8874 chore(breakman): ignore injection warnings – table and column names com from our code not user input 2023-10-18 13:01:07 +02:00
Paul Chavard
6f6b3896de refactor(export): reduce repetition in export code hopefully making it more readable 2022-11-16 08:49:37 +01:00
Martin
87af7f3261 feat(exports): implement admin export 2022-07-20 14:08:33 +02:00
Martin
274b5eab2e feat(invite): wrap invitation with targeted_user_links 2022-06-17 16:44:37 +02:00
Martin
cb890343ff feat(targeted_user_link): add targeted user link to wrap expert invitation in order to avoid access issue when the expert is connected with another account
feat(user.merge): ensure to merge user.targeted_user_link

Update app/models/targeted_user_link.rb

Co-authored-by: LeSim <mail@simon.lehericey.net>

Update app/models/targeted_user_link.rb

Co-authored-by: LeSim <mail@simon.lehericey.net>

Update app/models/targeted_user_link.rb

Co-authored-by: LeSim <mail@simon.lehericey.net>

feat(db/create_targeted_user_links): ensure not null with fk
2022-05-31 14:50:31 +02:00
Paul Chavard
e82dc9c8b5 feat(exports): add ability to create exports with filters 2022-04-06 17:08:38 +02:00
Martin
567d01478e fix(brakeman): prune absolete and ad a new one [surprise] 2022-02-25 14:01:18 +01:00
maatinito
573b3d39e2 Fix date_trunc sql queries for timezoned forks 2021-12-14 08:50:09 +01:00
Martin
cf5794eebf clean(brakeman): remove unwanted warning 2021-12-13 17:09:20 +01:00
Martin
1795084dce fix(brakeman): no code injection here 2021-12-13 16:37:04 +01:00
Martin
970e43efb8 feat(stats#index): update Stat model to also query DossierDeleted in stats computation
tech(question): discard_and_keep_track! ; are we really keeping track with default_scope { kept } ?

feat(stats): add DeletedDossier in Stat computations

Revert "tech(question): discard_and_keep_track! ; are we really keeping track with default_scope { kept } ?"

This reverts commit d1155b7eeaaf1a9f80189e59667e109541fcb089.

feat(stats): support deleted_dossiers for last_four_months_hash and cumulative_hash. extract sanitize query & merge hashes in methdos

clean(rubocop): lint with rubocop

Update db/migrate/20211126080118_add_index_to_deleted_at_to_deleted_dossiers.rb

Co-authored-by: LeSim <mail@simon.lehericey.net>

fix(rubocop): avoid uneeded allocation

fix(migration): add concurrent index with expected synthax

fix(brakeman): add ignore message since group date_trunc evaluation is used by only ourself
2021-11-26 13:29:40 +01:00
Martin
fdf0f18fda fix(i18n): wrap text under i18n.t
i18n(france_connect/*): replace wording with i18n

fix(lint): i18n key issue

secu(views/france_connect/particulier/merge.html.haml): sanitize france_connect_email just in case

fix(brakeman): sanitize FCI.email_france_connect when used with html_safe via an I18n.t, also add exception to brakeman
2021-11-25 17:34:37 +01:00
Pierre de La Morinerie
d4d0c0b1f3 gems: clean brakeman obsolete false-positives
These were made obsolete by the new brakeman version.
2021-09-02 16:12:52 -05:00
Pierre de La Morinerie
f9529da8bd gems: update brakeman
This prevent a false-positive warning about a vulnerable loofah version.

We also need to ignore a new warning, about an unsafe redirect. This is
unsafe when the object given in redirect can be a hash that includes
a `:host` key. But here we are redirecting to a plain string, which is
definitely safe.
2021-09-02 16:11:23 -05:00
Paul Chavard
f238710044 Add last_month export 2021-06-23 09:23:10 +02:00
simon lehericey
9848dc2295 update brakeman 2020-12-17 10:51:09 +01:00
simon lehericey
c95b7a33fa Add brakeman exception for a export.file.service_url 2019-12-18 13:13:15 +01:00
Pierre de La Morinerie
8e6930d257 instructeurs: fix ProcedurePresentation to use instructeur.user.email
The `joins` are declared explicitely in order to associate a predictable
name to the joined table.

Otherwise, when the query is joined with `:users`, ActiveRecord will
alias the join automatically  to solve the conflict. Unfortunately, the
automatic resolution means that the table name becomes unpredictable,
and thus unsuitable to perform queries on.
2019-11-04 10:44:24 +01:00
maatinito
8d3e3baabc #3928 administrator new & edit pwd pages 2019-08-01 17:12:14 +02:00
clemkeirua
92ec627425 update brakeman configuration 2019-07-17 18:04:32 +02:00
Frederic Merizen
b3c3541725 [#3477] Update brakeman config 2019-03-11 17:14:17 +01:00
Paul Chavard
99e1a20d98 Add champ carte endpoint 2018-10-23 09:35:25 +02:00
Frederic Merizen
3dca3c7dee [Fix #1961] Check that sorted_ids works for individual 2018-10-11 12:13:03 +02:00
Frederic Merizen
9086f99e2e [#2750] SQL injection false positives 2018-10-10 09:07:57 +02:00
Frederic Merizen
d5398a12a9 [#2750] Remove obsolete brakeman ignore 2018-10-10 09:07:57 +02:00
simon lehericey
4294c8eec7 Brakeman: make it happy 2018-01-15 17:14:12 +01:00