closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10937 Commits
4 Branches
567 MiB
Tree: 4a109ec1ba
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4a109ec1ba'
${ noResults }
mastodon/config/brakeman.ignore

316 lines
15 KiB
Raw Normal View History

Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
6 years ago
Ignore brakeman false positive warning (#16213)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
6 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
6 years ago
Add E2EE API (#13820)
4 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
6 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
6 years ago
Add E2EE API (#13820)
4 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
6 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
6 years ago
Add E2EE API (#13820)
4 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
6 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
7 years ago
Add E2EE API (#13820)
4 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
7 years ago
Add E2EE API (#13820)
4 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
7 years ago
Add E2EE API (#13820)
4 years ago
Ignore brakeman false positive warning (#16213)
3 years ago
Add E2EE API (#13820)
4 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Add E2EE API (#13820)
4 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Add E2EE API (#13820)
4 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
7 years ago
Set snowflake IDs for backdated statuses (#5260) - Rename Mastodon::TimestampIds into Mastodon::Snowflake for clarity - Skip for statuses coming from inbox, aka delivered in real-time - Skip for statuses that claim to be from the future
7 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Set snowflake IDs for backdated statuses (#5260) - Rename Mastodon::TimestampIds into Mastodon::Snowflake for clarity - Skip for statuses coming from inbox, aka delivered in real-time - Skip for statuses that claim to be from the future
7 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
6 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Set snowflake IDs for backdated statuses (#5260) - Rename Mastodon::TimestampIds into Mastodon::Snowflake for clarity - Skip for statuses coming from inbox, aka delivered in real-time - Skip for statuses that claim to be from the future
7 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Set snowflake IDs for backdated statuses (#5260) - Rename Mastodon::TimestampIds into Mastodon::Snowflake for clarity - Skip for statuses coming from inbox, aka delivered in real-time - Skip for statuses that claim to be from the future
7 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Set snowflake IDs for backdated statuses (#5260) - Rename Mastodon::TimestampIds into Mastodon::Snowflake for clarity - Skip for statuses coming from inbox, aka delivered in real-time - Skip for statuses that claim to be from the future
7 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
4 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
4 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
6 years ago
Add E2EE API (#13820)
4 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
4 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
4 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
6 years ago
Add type, limit, offset, min_id, max_id, account_id to search API (#10091) * Add type, limit, offset, min_id, max_id, account_id to search API Fix #8939 * Make the offset work on accounts and hashtags search as well * Assure brakeman we are not doing mass assignment here * Do not allow paginating unless a type is chosen * Fix search query and index id field on statuses instead of created_at
5 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
 
  1. {
  2.   "ignored_warnings": [
  3.     {
  4.       "warning_type": "SQL Injection",
  5.       "warning_code": 0,
  6.       "fingerprint": "04dbbc249b989db2e0119bbb0f59c9818e12889d2b97c529cdc0b1526002ba4b",
  7.       "check_name": "SQL",
  8.       "message": "Possible SQL injection",
  9.       "file": "app/models/report.rb",
  10.       "line": 113,
  11.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  12.       "code": "Admin::ActionLog.from(\"(#{[Admin::ActionLog.where(:target_type => \"Report\", :target_id => id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Account\", :target_id => target_account_id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Status\", :target_id => status_ids, :created_at => ((created_at..updated_at))).unscope(:order)].map do\n \"(#{query.to_sql})\"\n end.join(\" UNION ALL \")}) AS admin_action_logs\")",
  13.       "render_path": null,
  14.       "location": {
  15.         "type": "method",
  16.         "class": "Report",
  17.         "method": "history"
  18.       },
  19.       "user_input": "Admin::ActionLog.where(:target_type => \"Status\", :target_id => status_ids, :created_at => ((created_at..updated_at))).unscope(:order)",
  20.       "confidence": "High",
  21.       "note": ""
  22.     },
  23.     {
  24.       "warning_type": "SQL Injection",
  25.       "warning_code": 0,
  26.       "fingerprint": "19df3740b8d02a9fe0eb52c939b4b87d3a2a591162a6adfa8d64e9c26aeebe6d",
  27.       "check_name": "SQL",
  28.       "message": "Possible SQL injection",
  29.       "file": "app/models/status.rb",
  30.       "line": 100,
  31.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  32.       "code": "result.joins(\"INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
  33.       "render_path": null,
  34.       "location": {
  35.         "type": "method",
  36.         "class": "Status",
  37.         "method": null
  38.       },
  39.       "user_input": "id",
  40.       "confidence": "Weak",
  41.       "note": ""
  42.     },
  43.     {
  44.       "warning_type": "Redirect",
  45.       "warning_code": 18,
  46.       "fingerprint": "5fad11cd67f905fab9b1d5739d01384a1748ebe78c5af5ac31518201925265a7",
  47.       "check_name": "Redirect",
  48.       "message": "Possible unprotected redirect",
  49.       "file": "app/controllers/remote_interaction_controller.rb",
  50.       "line": 24,
  51.       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
  52.       "code": "redirect_to(RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id])))",
  53.       "render_path": null,
  54.       "location": {
  55.         "type": "method",
  56.         "class": "RemoteInteractionController",
  57.         "method": "create"
  58.       },
  59.       "user_input": "RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id]))",
  60.       "confidence": "High",
  61.       "note": ""
  62.     },
  63.     {
  64.       "warning_type": "SQL Injection",
  65.       "warning_code": 0,
  66.       "fingerprint": "6e4051854bb62e2ddbc671f82d6c2328892e1134b8b28105ecba9b0122540714",
  67.       "check_name": "SQL",
  68.       "message": "Possible SQL injection",
  69.       "file": "app/models/account.rb",
  70.       "line": 484,
  71.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  72.       "code": "find_by_sql([\"          WITH first_degree AS (\\n            SELECT target_account_id\\n            FROM follows\\n            WHERE account_id = ?\\n            UNION ALL\\n            SELECT ?\\n          )\\n          SELECT\\n            accounts.*,\\n            (count(f.id) + 1) * ts_rank_cd(#{textsearch}, #{query}, 32) AS rank\\n          FROM accounts\\n          LEFT OUTER JOIN follows AS f ON (accounts.id = f.account_id AND f.target_account_id = ?)\\n          WHERE accounts.id IN (SELECT * FROM first_degree)\\n            AND #{query} @@ #{textsearch}\\n            AND accounts.suspended_at IS NULL\\n            AND accounts.moved_to_account_id IS NULL\\n          GROUP BY accounts.id\\n          ORDER BY rank DESC\\n          LIMIT ? OFFSET ?\\n\".squish, account.id, account.id, account.id, limit, offset])",
  73.       "render_path": null,
  74.       "location": {
  75.         "type": "method",
  76.         "class": "Account",
  77.         "method": "advanced_search_for"
  78.       },
  79.       "user_input": "textsearch",
  80.       "confidence": "Medium",
  81.       "note": ""
  82.     },
  83.     {
  84.       "warning_type": "SQL Injection",
  85.       "warning_code": 0,
  86.       "fingerprint": "6f075c1484908e3ec9bed21ab7cf3c7866be8da3881485d1c82e13093aefcbd7",
  87.       "check_name": "SQL",
  88.       "message": "Possible SQL injection",
  89.       "file": "app/models/status.rb",
  90.       "line": 105,
  91.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  92.       "code": "result.joins(\"LEFT OUTER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
  93.       "render_path": null,
  94.       "location": {
  95.         "type": "method",
  96.         "class": "Status",
  97.         "method": null
  98.       },
  99.       "user_input": "id",
  100.       "confidence": "Weak",
  101.       "note": ""
  102.     },
  103.     {
  104.       "warning_type": "SQL Injection",
  105.       "warning_code": 0,
  106.       "fingerprint": "75fcd147b7611763ab6915faf8c5b0709e612b460f27c05c72d8b9bd0a6a77f8",
  107.       "check_name": "SQL",
  108.       "message": "Possible SQL injection",
  109.       "file": "lib/mastodon/snowflake.rb",
  110.       "line": 87,
  111.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  112.       "code": "connection.execute(\"CREATE OR REPLACE FUNCTION timestamp_id(table_name text)\\nRETURNS bigint AS\\n$$\\n  DECLARE\\n    time_part bigint;\\n    sequence_base bigint;\\n    tail bigint;\\n  BEGIN\\n    time_part := (\\n      -- Get the time in milliseconds\\n      ((date_part('epoch', now()) * 1000))::bigint\\n      -- And shift it over two bytes\\n      << 16);\\n\\n    sequence_base := (\\n      'x' ||\\n      -- Take the first two bytes (four hex characters)\\n      substr(\\n        -- Of the MD5 hash of the data we documented\\n        md5(table_name || '#{SecureRandom.hex(16)}' || time_part::text),\\n        1, 4\\n      )\\n    -- And turn it into a bigint\\n    )::bit(16)::bigint;\\n\\n    -- Finally, add our sequence number to our base, and chop\\n    -- it to the last two bytes\\n    tail := (\\n      (sequence_base + nextval(table_name || '_id_seq'))\\n      & 65535);\\n\\n    -- Return the time part and the sequence part. OR appears\\n    -- faster here than addition, but they're equivalent:\\n    -- time_part has no trailing two bytes, and tail is only\\n    -- the last two bytes.\\n    RETURN time_part | tail;\\n  END\\n$$ LANGUAGE plpgsql VOLATILE;\\n\")",
  113.       "render_path": null,
  114.       "location": {
  115.         "type": "method",
  116.         "class": "Mastodon::Snowflake",
  117.         "method": "define_timestamp_id"
  118.       },
  119.       "user_input": "SecureRandom.hex(16)",
  120.       "confidence": "Medium",
  121.       "note": ""
  122.     },
  123.     {
  124.       "warning_type": "Mass Assignment",
  125.       "warning_code": 105,
  126.       "fingerprint": "7631e93d0099506e7c3e5c91ba8d88523b00a41a0834ae30031a5a4e8bb3020a",
  127.       "check_name": "PermitAttributes",
  128.       "message": "Potentially dangerous key allowed for mass assignment",
  129.       "file": "app/controllers/api/v2/search_controller.rb",
  130.       "line": 28,
  131.       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  132.       "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)",
  133.       "render_path": null,
  134.       "location": {
  135.         "type": "method",
  136.         "class": "Api::V2::SearchController",
  137.         "method": "search_params"
  138.       },
  139.       "user_input": ":account_id",
  140.       "confidence": "High",
  141.       "note": ""
  142.     },
  143.     {
  144.       "warning_type": "Mass Assignment",
  145.       "warning_code": 105,
  146.       "fingerprint": "874be88fedf4c680926845e9a588d3197765a6ccbfdd76466b44cc00151c612e",
  147.       "check_name": "PermitAttributes",
  148.       "message": "Potentially dangerous key allowed for mass assignment",
  149.       "file": "app/controllers/api/v1/admin/reports_controller.rb",
  150.       "line": 78,
  151.       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  152.       "code": "params.permit(:resolved, :account_id, :target_account_id)",
  153.       "render_path": null,
  154.       "location": {
  155.         "type": "method",
  156.         "class": "Api::V1::Admin::ReportsController",
  157.         "method": "filter_params"
  158.       },
  159.       "user_input": ":account_id",
  160.       "confidence": "High",
  161.       "note": ""
  162.     },
  163.     {
  164.       "warning_type": "SQL Injection",
  165.       "warning_code": 0,
  166.       "fingerprint": "8c1d8c4b76c1cd3960e90dff999f854a6ff742fcfd8de6c7184ac5a1b1a4d7dd",
  167.       "check_name": "SQL",
  168.       "message": "Possible SQL injection",
  169.       "file": "app/models/preview_card_filter.rb",
  170.       "line": 50,
  171.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  172.       "code": "PreviewCard.joins(\"join unnest(array[#{(Trends.links.currently_trending_ids(true, -1) or Trends.links.currently_trending_ids(false, -1)).map(&:to_i).join(\",\")}]::integer[]) with ordinality as x (id, ordering) on preview_cards.id = x.id\")",
  173.       "render_path": null,
  174.       "location": {
  175.         "type": "method",
  176.         "class": "PreviewCardFilter",
  177.         "method": "trending_scope"
  178.       },
  179.       "user_input": "(Trends.links.currently_trending_ids(true, -1) or Trends.links.currently_trending_ids(false, -1)).map(&:to_i).join(\",\")",
  180.       "confidence": "Medium",
  181.       "note": ""
  182.     },
  183.     {
  184.       "warning_type": "SQL Injection",
  185.       "warning_code": 0,
  186.       "fingerprint": "9251d682c4e2840e1b2fea91e7d758efe2097ecb7f6255c065e3750d25eb178c",
  187.       "check_name": "SQL",
  188.       "message": "Possible SQL injection",
  189.       "file": "app/models/account.rb",
  190.       "line": 453,
  191.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  192.       "code": "find_by_sql([\"        SELECT\\n          accounts.*,\\n          ts_rank_cd(#{textsearch}, #{query}, 32) AS rank\\n        FROM accounts\\n        WHERE #{query} @@ #{textsearch}\\n          AND accounts.suspended_at IS NULL\\n          AND accounts.moved_to_account_id IS NULL\\n        ORDER BY rank DESC\\n        LIMIT ? OFFSET ?\\n\".squish, limit, offset])",
  193.       "render_path": null,
  194.       "location": {
  195.         "type": "method",
  196.         "class": "Account",
  197.         "method": "search_for"
  198.       },
  199.       "user_input": "textsearch",
  200.       "confidence": "Medium",
  201.       "note": ""
  202.     },
  203.     {
  204.       "warning_type": "Redirect",
  205.       "warning_code": 18,
  206.       "fingerprint": "ba568ac09683f98740f663f3d850c31785900215992e8c090497d359a2563d50",
  207.       "check_name": "Redirect",
  208.       "message": "Possible unprotected redirect",
  209.       "file": "app/controllers/remote_follow_controller.rb",
  210.       "line": 21,
  211.       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
  212.       "code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(@account))",
  213.       "render_path": null,
  214.       "location": {
  215.         "type": "method",
  216.         "class": "RemoteFollowController",
  217.         "method": "create"
  218.       },
  219.       "user_input": "RemoteFollow.new(resource_params).subscribe_address_for(@account)",
  220.       "confidence": "High",
  221.       "note": ""
  222.     },
  223.     {
  224.       "warning_type": "SQL Injection",
  225.       "warning_code": 0,
  226.       "fingerprint": "c32a484ccd9da46abd3bc93d08b72029d7dbc0576ccf4e878a9627e9a83cad2e",
  227.       "check_name": "SQL",
  228.       "message": "Possible SQL injection",
  229.       "file": "app/models/tag_filter.rb",
  230.       "line": 50,
  231.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  232.       "code": "Tag.joins(\"join unnest(array[#{Trends.tags.currently_trending_ids(false, -1).map(&:to_i).join(\",\")}]::integer[]) with ordinality as x (id, ordering) on tags.id = x.id\")",
  233.       "render_path": null,
  234.       "location": {
  235.         "type": "method",
  236.         "class": "TagFilter",
  237.         "method": "trending_scope"
  238.       },
  239.       "user_input": "Trends.tags.currently_trending_ids(false, -1).map(&:to_i).join(\",\")",
  240.       "confidence": "Medium",
  241.       "note": ""
  242.     },
  243.     {
  244.       "warning_type": "Cross-Site Scripting",
  245.       "warning_code": 4,
  246.       "fingerprint": "cd5cfd7f40037fbfa753e494d7129df16e358bfc43ef0da3febafbf4ee1ed3ac",
  247.       "check_name": "LinkToHref",
  248.       "message": "Potentially unsafe model attribute in `link_to` href",
  249.       "file": "app/views/admin/trends/links/_preview_card.html.haml",
  250.       "line": 7,
  251.       "link": "https://brakemanscanner.org/docs/warning_types/link_to_href",
  252.       "code": "link_to((Unresolved Model).new.title, (Unresolved Model).new.url)",
  253.       "render_path": [
  254.         {
  255.           "type": "template",
  256.           "name": "admin/trends/links/index",
  257.           "line": 37,
  258.           "file": "app/views/admin/trends/links/index.html.haml",
  259.           "rendered": {
  260.             "name": "admin/trends/links/_preview_card",
  261.             "file": "app/views/admin/trends/links/_preview_card.html.haml"
  262.           }
  263.         }
  264.       ],
  265.       "location": {
  266.         "type": "template",
  267.         "template": "admin/trends/links/_preview_card"
  268.       },
  269.       "user_input": "(Unresolved Model).new.url",
  270.       "confidence": "Weak",
  271.       "note": ""
  272.     },
  273.     {
  274.       "warning_type": "SQL Injection",
  275.       "warning_code": 0,
  276.       "fingerprint": "e21d8fee7a5805761679877ca35ed1029c64c45ef3b4012a30262623e1ba8bb9",
  277.       "check_name": "SQL",
  278.       "message": "Possible SQL injection",
  279.       "file": "app/models/account.rb",
  280.       "line": 500,
  281.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  282.       "code": "find_by_sql([\"          SELECT\\n            accounts.*,\\n            (count(f.id) + 1) * ts_rank_cd(#{textsearch}, #{query}, 32) AS rank\\n          FROM accounts\\n          LEFT OUTER JOIN follows AS f ON (accounts.id = f.account_id AND f.target_account_id = ?) OR (accounts.id = f.target_account_id AND f.account_id = ?)\\n          WHERE #{query} @@ #{textsearch}\\n            AND accounts.suspended_at IS NULL\\n            AND accounts.moved_to_account_id IS NULL\\n          GROUP BY accounts.id\\n          ORDER BY rank DESC\\n          LIMIT ? OFFSET ?\\n\".squish, account.id, account.id, limit, offset])",
  283.       "render_path": null,
  284.       "location": {
  285.         "type": "method",
  286.         "class": "Account",
  287.         "method": "advanced_search_for"
  288.       },
  289.       "user_input": "textsearch",
  290.       "confidence": "Medium",
  291.       "note": ""
  292.     },
  293.     {
  294.       "warning_type": "Mass Assignment",
  295.       "warning_code": 105,
  296.       "fingerprint": "e867661b2c9812bc8b75a5df12b28e2a53ab97015de0638b4e732fe442561b28",
  297.       "check_name": "PermitAttributes",
  298.       "message": "Potentially dangerous key allowed for mass assignment",
  299.       "file": "app/controllers/api/v1/reports_controller.rb",
  300.       "line": 36,
  301.       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  302.       "code": "params.permit(:account_id, :comment, :forward, :status_ids => ([]))",
  303.       "render_path": null,
  304.       "location": {
  305.         "type": "method",
  306.         "class": "Api::V1::ReportsController",
  307.         "method": "report_params"
  308.       },
  309.       "user_input": ":account_id",
  310.       "confidence": "High",
  311.       "note": ""
  312.     }
  313.   ],
  314.   "updated": "2021-11-14 05:26:09 +0100",
  315.   "brakeman_version": "5.1.2"
  316. }