{ "ignored_warnings": [ { "warning_type": "Cross-Site Scripting", "warning_code": 2, "fingerprint": "26f504696b074d18ef3f5568dc8f6a46d1283a67fe37822498fa25d0409664ab", "check_name": "CrossSiteScripting", "message": "Unescaped model attribute", "file": "app/views/users/dossiers/_merci.html.haml", "line": 34, "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting", "code": "current_user.dossiers.includes(:procedure).find(params[:id]).procedure.monavis_embed_html_source(\"site\")", "render_path": [ { "type": "controller", "class": "Users::DossiersController", "method": "merci", "line": 323, "file": "app/controllers/users/dossiers_controller.rb", "rendered": { "name": "users/dossiers/merci", "file": "app/views/users/dossiers/merci.html.haml" } }, { "type": "template", "name": "users/dossiers/merci", "line": 6, "file": "app/views/users/dossiers/merci.html.haml", "rendered": { "name": "users/dossiers/_merci", "file": "app/views/users/dossiers/_merci.html.haml" } } ], "location": { "type": "template", "template": "users/dossiers/_merci" }, "user_input": "current_user.dossiers.includes(:procedure)", "confidence": "Weak", "cwe_id": [ 79 ], "note": "" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "5092b33433aef8fe42b688a780325f3791a77b39e55131256c78cebc3c14c0a3", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/concerns/dossier_filtering_concern.rb", "line": 46, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "where(\"#{values.count} OR #{\"(#{DossierFilterService.sanitized_column(table, column)} = ?)\"}\", *values.map do\n \"[\\\"#{value}\\\"]\"\n end)", "render_path": null, "location": { "type": "method", "class": "DossierFilteringConcern", "method": null }, "user_input": "values.count", "confidence": "Medium", "cwe_id": [ 89 ], "note": "filtered by rails query params where(something: ?, values)" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "737aa4f7931ece068cce98d7cc66057a1ec81b9be43e469c3569ff1be91bbf09", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/graphql/connections/cursor_connection.rb", "line": 152, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "items.order(order_column => ((:desc or :asc)), :id => ((:desc or :asc))).limit(limit).where(\"(#{order_table}.#{order_column}, #{order_table}.id) < (?, ?)\", timestamp, id)", "render_path": null, "location": { "type": "method", "class": "Connections::CursorConnection", "method": "resolve_nodes" }, "user_input": "order_table", "confidence": "Weak", "cwe_id": [ 89 ], "note": "" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "7dc4935d5b68365bedb8f6b953f01b396cff4daa533c98ee56a84249ca5a1f90", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/tasks/maintenance/concerns/statements_helpers_concern.rb", "line": 19, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "ApplicationRecord.connection.execute(\"SET LOCAL statement_timeout = '#{timeout}'\")", "render_path": null, "location": { "type": "method", "class": "Maintenance::StatementsHelpersConcern", "method": "with_statement_timeout" }, "user_input": "timeout", "confidence": "Medium", "cwe_id": [ 89 ], "note": "" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "83b5a474065af330c47603d1f60fc31edaab55be162825385d53b77c1c98a6d7", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/columns/json_path_column.rb", "line": 24, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "dossiers.with_type_de_champ(stable_id).where(\"champs.value_json @? '#{jsonpath} ? (@ like_regex \\\"#{quote_string(search_terms.join(\"|\"))}\\\" flag \\\"i\\\")'\")", "render_path": null, "location": { "type": "method", "class": "Columns::JSONPathColumn", "method": "filtered_ids" }, "user_input": "jsonpath", "confidence": "Weak", "cwe_id": [ 89 ], "note": "escaped by hand" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "91ff8031e7c639c95fe6c244867349a72078ef456d8b3507deaf2bdb9bf62fe2", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/concerns/dossier_filtering_concern.rb", "line": 34, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "where(\"#{values.count} OR #{\"(#{DossierFilterService.sanitized_column(table, column)} ILIKE ?)\"}\", *values.map do\n \"%#{value}%\"\n end)", "render_path": null, "location": { "type": "method", "class": "DossierFilteringConcern", "method": null }, "user_input": "values.count", "confidence": "Medium", "cwe_id": [ 89 ], "note": "filtered by rails query params where(something: ?, values)" }, { "warning_type": "Cross-Site Scripting", "warning_code": 2, "fingerprint": "a7d18cc3434b4428a884f1217791f9a9db67839e73fb499f1ccd0f686f08eccc", "check_name": "CrossSiteScripting", "message": "Unescaped parameter value", "file": "app/views/faq/show.html.haml", "line": 13, "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting", "code": "Redcarpet::Markdown.new(Redcarpet::TrustedRenderer.new(view_context), :autolink => true).render(loader_service.find(\"#{params[:category]}/#{params[:slug]}\").content)", "render_path": [ { "type": "controller", "class": "FAQController", "method": "show", "line": 14, "file": "app/controllers/faq_controller.rb", "rendered": { "name": "faq/show", "file": "app/views/faq/show.html.haml" } } ], "location": { "type": "template", "template": "faq/show" }, "user_input": "params[:category]", "confidence": "Weak", "cwe_id": [ 79 ], "note": "Theses params are not rendered" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "a94939cb1e551341f443c6414634816e335bbfb03f0836ebd8b3ad8564d7f343", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/graphql/connections/cursor_connection.rb", "line": 155, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "items.order(order_column => ((:desc or :asc)), :id => ((:desc or :asc))).limit(limit).where(\"(#{order_table}.#{order_column}, #{order_table}.id) > (?, ?)\", timestamp, id)", "render_path": null, "location": { "type": "method", "class": "Connections::CursorConnection", "method": "resolve_nodes" }, "user_input": "order_table", "confidence": "Weak", "cwe_id": [ 89 ], "note": "" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "aaff41afa7bd5a551cd2e3a385071090cb53c95caa40fad3785cd3d68c9b939c", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/concerns/dossier_filtering_concern.rb", "line": 40, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "where(\"#{values.count} OR #{\"(#{DossierFilterService.sanitized_column(table, column)} = ?)\"}\", *values)", "render_path": null, "location": { "type": "method", "class": "DossierFilteringConcern", "method": null }, "user_input": "values.count", "confidence": "Medium", "cwe_id": [ 89 ], "note": "The table and column are escaped, which should make this safe" }, { "warning_type": "Cross-Site Scripting", "warning_code": 2, "fingerprint": "c97049798ff05438dcca6f3ee1a714f2336041837411ab001a7e3caf1bfb75c8", "check_name": "CrossSiteScripting", "message": "Unescaped model attribute", "file": "app/views/layouts/mailers/_signature.html.haml", "line": 9, "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting", "code": "Current.application_name.gsub(\".\", \"⁠.\")", "render_path": [ { "type": "template", "name": "administrateur_mailer/api_token_expiration", "line": 19, "file": "app/views/administrateur_mailer/api_token_expiration.haml", "rendered": { "name": "layouts/mailers/_signature", "file": "app/views/layouts/mailers/_signature.html.haml" } } ], "location": { "type": "template", "template": "layouts/mailers/_signature" }, "user_input": null, "confidence": "Medium", "cwe_id": [ 79 ], "note": "Current is not a model" }, { "warning_type": "Cross-Site Scripting", "warning_code": 2, "fingerprint": "f74cfb12b3183f456594e809f222bb2723cc232aa5b8f5f7d9bd6d493c1521fb", "check_name": "CrossSiteScripting", "message": "Unescaped model attribute", "file": "app/views/notification_mailer/send_notification_for_tiers.html.haml", "line": 31, "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting", "code": "Current.application_name.gsub(\".\", \"⁠.\")", "render_path": null, "location": { "type": "template", "template": "notification_mailer/send_notification_for_tiers" }, "user_input": null, "confidence": "Medium", "cwe_id": [ 79 ], "note": "Current is not a model" } ], "updated": "2024-11-04 09:56:55 +0100", "brakeman_version": "6.1.2" }