closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10750 Commits
4 Branches
567 MiB
Branch: closed-social-v3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'closed-social-v3'
${ noResults }
mastodon/config/brakeman.ignore

266 lines
13 KiB
Raw Permalink Normal View History

Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Ignore brakeman false positive warning (#16213)
2 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
5 years ago
Add E2EE API (#13820)
3 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
5 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Ignore brakeman false positive warning (#16213)
2 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
5 years ago
Add E2EE API (#13820)
3 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
5 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
6 years ago
Add E2EE API (#13820)
3 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
6 years ago
Add E2EE API (#13820)
3 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
6 years ago
Add E2EE API (#13820)
3 years ago
Ignore brakeman false positive warning (#16213)
2 years ago
Add E2EE API (#13820)
3 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Ignore brakeman false positive warning (#16213)
2 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Add E2EE API (#13820)
3 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Add E2EE API (#13820)
3 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
6 years ago
Set snowflake IDs for backdated statuses (#5260) - Rename Mastodon::TimestampIds into Mastodon::Snowflake for clarity - Skip for statuses coming from inbox, aka delivered in real-time - Skip for statuses that claim to be from the future
6 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
6 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Set snowflake IDs for backdated statuses (#5260) - Rename Mastodon::TimestampIds into Mastodon::Snowflake for clarity - Skip for statuses coming from inbox, aka delivered in real-time - Skip for statuses that claim to be from the future
6 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
3 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
3 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
3 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Ignore brakeman false positive warning (#16213)
2 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add type, limit, offset, min_id, max_id, account_id to search API (#10091) * Add type, limit, offset, min_id, max_id, account_id to search API Fix #8939 * Make the offset work on accounts and hashtags search as well * Assure brakeman we are not doing mass assignment here * Do not allow paginating unless a type is chosen * Fix search query and index id field on statuses instead of created_at
5 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Ignore brakeman false positive warning (#16213)
2 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
 
  1. {
  2.   "ignored_warnings": [
  3.     {
  4.       "warning_type": "SQL Injection",
  5.       "warning_code": 0,
  6.       "fingerprint": "04dbbc249b989db2e0119bbb0f59c9818e12889d2b97c529cdc0b1526002ba4b",
  7.       "check_name": "SQL",
  8.       "message": "Possible SQL injection",
  9.       "file": "app/models/report.rb",
  10.       "line": 113,
  11.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  12.       "code": "Admin::ActionLog.from(\"(#{[Admin::ActionLog.where(:target_type => \"Report\", :target_id => id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Account\", :target_id => target_account_id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Status\", :target_id => status_ids, :created_at => ((created_at..updated_at))).unscope(:order)].map do\n \"(#{query.to_sql})\"\n end.join(\" UNION ALL \")}) AS admin_action_logs\")",
  13.       "render_path": null,
  14.       "location": {
  15.         "type": "method",
  16.         "class": "Report",
  17.         "method": "history"
  18.       },
  19.       "user_input": "Admin::ActionLog.where(:target_type => \"Status\", :target_id => status_ids, :created_at => ((created_at..updated_at))).unscope(:order)",
  20.       "confidence": "High",
  21.       "note": ""
  22.     },
  23.     {
  24.       "warning_type": "SQL Injection",
  25.       "warning_code": 0,
  26.       "fingerprint": "19df3740b8d02a9fe0eb52c939b4b87d3a2a591162a6adfa8d64e9c26aeebe6d",
  27.       "check_name": "SQL",
  28.       "message": "Possible SQL injection",
  29.       "file": "app/models/status.rb",
  30.       "line": 100,
  31.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  32.       "code": "result.joins(\"INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
  33.       "render_path": null,
  34.       "location": {
  35.         "type": "method",
  36.         "class": "Status",
  37.         "method": null
  38.       },
  39.       "user_input": "id",
  40.       "confidence": "Weak",
  41.       "note": ""
  42.     },
  43.     {
  44.       "warning_type": "Redirect",
  45.       "warning_code": 18,
  46.       "fingerprint": "5fad11cd67f905fab9b1d5739d01384a1748ebe78c5af5ac31518201925265a7",
  47.       "check_name": "Redirect",
  48.       "message": "Possible unprotected redirect",
  49.       "file": "app/controllers/remote_interaction_controller.rb",
  50.       "line": 24,
  51.       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
  52.       "code": "redirect_to(RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id])))",
  53.       "render_path": null,
  54.       "location": {
  55.         "type": "method",
  56.         "class": "RemoteInteractionController",
  57.         "method": "create"
  58.       },
  59.       "user_input": "RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id]))",
  60.       "confidence": "High",
  61.       "note": ""
  62.     },
  63.     {
  64.       "warning_type": "SQL Injection",
  65.       "warning_code": 0,
  66.       "fingerprint": "6e4051854bb62e2ddbc671f82d6c2328892e1134b8b28105ecba9b0122540714",
  67.       "check_name": "SQL",
  68.       "message": "Possible SQL injection",
  69.       "file": "app/models/account.rb",
  70.       "line": 479,
  71.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  72.       "code": "find_by_sql([\"          WITH first_degree AS (\\n            SELECT target_account_id\\n            FROM follows\\n            WHERE account_id = ?\\n            UNION ALL\\n            SELECT ?\\n          )\\n          SELECT\\n            accounts.*,\\n            (count(f.id) + 1) * ts_rank_cd(#{textsearch}, #{query}, 32) AS rank\\n          FROM accounts\\n          LEFT OUTER JOIN follows AS f ON (accounts.id = f.account_id AND f.target_account_id = ?)\\n          WHERE accounts.id IN (SELECT * FROM first_degree)\\n            AND #{query} @@ #{textsearch}\\n            AND accounts.suspended_at IS NULL\\n            AND accounts.moved_to_account_id IS NULL\\n          GROUP BY accounts.id\\n          ORDER BY rank DESC\\n          LIMIT ? OFFSET ?\\n\".squish, account.id, account.id, account.id, limit, offset])",
  73.       "render_path": null,
  74.       "location": {
  75.         "type": "method",
  76.         "class": "Account",
  77.         "method": "advanced_search_for"
  78.       },
  79.       "user_input": "textsearch",
  80.       "confidence": "Medium",
  81.       "note": ""
  82.     },
  83.     {
  84.       "warning_type": "SQL Injection",
  85.       "warning_code": 0,
  86.       "fingerprint": "6f075c1484908e3ec9bed21ab7cf3c7866be8da3881485d1c82e13093aefcbd7",
  87.       "check_name": "SQL",
  88.       "message": "Possible SQL injection",
  89.       "file": "app/models/status.rb",
  90.       "line": 105,
  91.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  92.       "code": "result.joins(\"LEFT OUTER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
  93.       "render_path": null,
  94.       "location": {
  95.         "type": "method",
  96.         "class": "Status",
  97.         "method": null
  98.       },
  99.       "user_input": "id",
  100.       "confidence": "Weak",
  101.       "note": ""
  102.     },
  103.     {
  104.       "warning_type": "Mass Assignment",
  105.       "warning_code": 105,
  106.       "fingerprint": "7631e93d0099506e7c3e5c91ba8d88523b00a41a0834ae30031a5a4e8bb3020a",
  107.       "check_name": "PermitAttributes",
  108.       "message": "Potentially dangerous key allowed for mass assignment",
  109.       "file": "app/controllers/api/v2/search_controller.rb",
  110.       "line": 28,
  111.       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  112.       "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)",
  113.       "render_path": null,
  114.       "location": {
  115.         "type": "method",
  116.         "class": "Api::V2::SearchController",
  117.         "method": "search_params"
  118.       },
  119.       "user_input": ":account_id",
  120.       "confidence": "High",
  121.       "note": ""
  122.     },
  123.     {
  124.       "warning_type": "Mass Assignment",
  125.       "warning_code": 105,
  126.       "fingerprint": "874be88fedf4c680926845e9a588d3197765a6ccbfdd76466b44cc00151c612e",
  127.       "check_name": "PermitAttributes",
  128.       "message": "Potentially dangerous key allowed for mass assignment",
  129.       "file": "app/controllers/api/v1/admin/reports_controller.rb",
  130.       "line": 78,
  131.       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  132.       "code": "params.permit(:resolved, :account_id, :target_account_id)",
  133.       "render_path": null,
  134.       "location": {
  135.         "type": "method",
  136.         "class": "Api::V1::Admin::ReportsController",
  137.         "method": "filter_params"
  138.       },
  139.       "user_input": ":account_id",
  140.       "confidence": "High",
  141.       "note": ""
  142.     },
  143.     {
  144.       "warning_type": "SQL Injection",
  145.       "warning_code": 0,
  146.       "fingerprint": "9251d682c4e2840e1b2fea91e7d758efe2097ecb7f6255c065e3750d25eb178c",
  147.       "check_name": "SQL",
  148.       "message": "Possible SQL injection",
  149.       "file": "app/models/account.rb",
  150.       "line": 448,
  151.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  152.       "code": "find_by_sql([\"        SELECT\\n          accounts.*,\\n          ts_rank_cd(#{textsearch}, #{query}, 32) AS rank\\n        FROM accounts\\n        WHERE #{query} @@ #{textsearch}\\n          AND accounts.suspended_at IS NULL\\n          AND accounts.moved_to_account_id IS NULL\\n        ORDER BY rank DESC\\n        LIMIT ? OFFSET ?\\n\".squish, limit, offset])",
  153.       "render_path": null,
  154.       "location": {
  155.         "type": "method",
  156.         "class": "Account",
  157.         "method": "search_for"
  158.       },
  159.       "user_input": "textsearch",
  160.       "confidence": "Medium",
  161.       "note": ""
  162.     },
  163.     {
  164.       "warning_type": "SQL Injection",
  165.       "warning_code": 0,
  166.       "fingerprint": "9ccb9ba6a6947400e187d515e0bf719d22993d37cfc123c824d7fafa6caa9ac3",
  167.       "check_name": "SQL",
  168.       "message": "Possible SQL injection",
  169.       "file": "lib/mastodon/snowflake.rb",
  170.       "line": 87,
  171.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  172.       "code": "connection.execute(\"        CREATE OR REPLACE FUNCTION timestamp_id(table_name text)\\n        RETURNS bigint AS\\n        $$\\n          DECLARE\\n            time_part bigint;\\n            sequence_base bigint;\\n            tail bigint;\\n          BEGIN\\n            time_part := (\\n              -- Get the time in milliseconds\\n              ((date_part('epoch', now()) * 1000))::bigint\\n              -- And shift it over two bytes\\n              << 16);\\n\\n            sequence_base := (\\n              'x' ||\\n              -- Take the first two bytes (four hex characters)\\n              substr(\\n                -- Of the MD5 hash of the data we documented\\n                md5(table_name ||\\n                  '#{SecureRandom.hex(16)}' ||\\n                  time_part::text\\n                ),\\n                1, 4\\n              )\\n            -- And turn it into a bigint\\n            )::bit(16)::bigint;\\n\\n            -- Finally, add our sequence number to our base, and chop\\n            -- it to the last two bytes\\n            tail := (\\n              (sequence_base + nextval(table_name || '_id_seq'))\\n              & 65535);\\n\\n            -- Return the time part and the sequence part. OR appears\\n            -- faster here than addition, but they're equivalent:\\n            -- time_part has no trailing two bytes, and tail is only\\n            -- the last two bytes.\\n            RETURN time_part | tail;\\n          END\\n        $$ LANGUAGE plpgsql VOLATILE;\\n\")",
  173.       "render_path": null,
  174.       "location": {
  175.         "type": "method",
  176.         "class": "Mastodon::Snowflake",
  177.         "method": "define_timestamp_id"
  178.       },
  179.       "user_input": "SecureRandom.hex(16)",
  180.       "confidence": "Medium",
  181.       "note": ""
  182.     },
  183.     {
  184.       "warning_type": "Redirect",
  185.       "warning_code": 18,
  186.       "fingerprint": "ba568ac09683f98740f663f3d850c31785900215992e8c090497d359a2563d50",
  187.       "check_name": "Redirect",
  188.       "message": "Possible unprotected redirect",
  189.       "file": "app/controllers/remote_follow_controller.rb",
  190.       "line": 21,
  191.       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
  192.       "code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(@account))",
  193.       "render_path": null,
  194.       "location": {
  195.         "type": "method",
  196.         "class": "RemoteFollowController",
  197.         "method": "create"
  198.       },
  199.       "user_input": "RemoteFollow.new(resource_params).subscribe_address_for(@account)",
  200.       "confidence": "High",
  201.       "note": ""
  202.     },
  203.     {
  204.       "warning_type": "Redirect",
  205.       "warning_code": 18,
  206.       "fingerprint": "ba699ddcc6552c422c4ecd50d2cd217f616a2446659e185a50b05a0f2dad8d33",
  207.       "check_name": "Redirect",
  208.       "message": "Possible unprotected redirect",
  209.       "file": "app/controllers/media_controller.rb",
  210.       "line": 20,
  211.       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
  212.       "code": "redirect_to(MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original))",
  213.       "render_path": null,
  214.       "location": {
  215.         "type": "method",
  216.         "class": "MediaController",
  217.         "method": "show"
  218.       },
  219.       "user_input": "MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original)",
  220.       "confidence": "High",
  221.       "note": ""
  222.     },
  223.     {
  224.       "warning_type": "SQL Injection",
  225.       "warning_code": 0,
  226.       "fingerprint": "e21d8fee7a5805761679877ca35ed1029c64c45ef3b4012a30262623e1ba8bb9",
  227.       "check_name": "SQL",
  228.       "message": "Possible SQL injection",
  229.       "file": "app/models/account.rb",
  230.       "line": 495,
  231.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  232.       "code": "find_by_sql([\"          SELECT\\n            accounts.*,\\n            (count(f.id) + 1) * ts_rank_cd(#{textsearch}, #{query}, 32) AS rank\\n          FROM accounts\\n          LEFT OUTER JOIN follows AS f ON (accounts.id = f.account_id AND f.target_account_id = ?) OR (accounts.id = f.target_account_id AND f.account_id = ?)\\n          WHERE #{query} @@ #{textsearch}\\n            AND accounts.suspended_at IS NULL\\n            AND accounts.moved_to_account_id IS NULL\\n          GROUP BY accounts.id\\n          ORDER BY rank DESC\\n          LIMIT ? OFFSET ?\\n\".squish, account.id, account.id, limit, offset])",
  233.       "render_path": null,
  234.       "location": {
  235.         "type": "method",
  236.         "class": "Account",
  237.         "method": "advanced_search_for"
  238.       },
  239.       "user_input": "textsearch",
  240.       "confidence": "Medium",
  241.       "note": ""
  242.     },
  243.     {
  244.       "warning_type": "Mass Assignment",
  245.       "warning_code": 105,
  246.       "fingerprint": "e867661b2c9812bc8b75a5df12b28e2a53ab97015de0638b4e732fe442561b28",
  247.       "check_name": "PermitAttributes",
  248.       "message": "Potentially dangerous key allowed for mass assignment",
  249.       "file": "app/controllers/api/v1/reports_controller.rb",
  250.       "line": 36,
  251.       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  252.       "code": "params.permit(:account_id, :comment, :forward, :status_ids => ([]))",
  253.       "render_path": null,
  254.       "location": {
  255.         "type": "method",
  256.         "class": "Api::V1::ReportsController",
  257.         "method": "report_params"
  258.       },
  259.       "user_input": ":account_id",
  260.       "confidence": "High",
  261.       "note": ""
  262.     }
  263.   ],
  264.   "updated": "2021-05-11 20:22:27 +0900",
  265.   "brakeman_version": "5.0.1"
  266. }