You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

246 lines
10 KiB

  1. {
  2. "ignored_warnings": [
  3. {
  4. "warning_type": "SQL Injection",
  5. "warning_code": 0,
  6. "fingerprint": "19df3740b8d02a9fe0eb52c939b4b87d3a2a591162a6adfa8d64e9c26aeebe6d",
  7. "check_name": "SQL",
  8. "message": "Possible SQL injection",
  9. "file": "app/models/status.rb",
  10. "line": 106,
  11. "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  12. "code": "result.joins(\"INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
  13. "render_path": null,
  14. "location": {
  15. "type": "method",
  16. "class": "Status",
  17. "method": null
  18. },
  19. "user_input": "id",
  20. "confidence": "Weak",
  21. "note": ""
  22. },
  23. {
  24. "warning_type": "SQL Injection",
  25. "warning_code": 0,
  26. "fingerprint": "30dfe36e87fe1b8f239df9a33d576e44a9863f73b680198d4713be6540ae61d3",
  27. "check_name": "SQL",
  28. "message": "Possible SQL injection",
  29. "file": "app/models/trends/query.rb",
  30. "line": 76,
  31. "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  32. "code": "klass.joins(\"join unnest(array[#{ids.join(\",\")}]) with ordinality as x (id, ordering) on #{klass.table_name}.id = x.id\")",
  33. "render_path": null,
  34. "location": {
  35. "type": "method",
  36. "class": "Trends::Query",
  37. "method": "to_arel"
  38. },
  39. "user_input": "ids.join(\",\")",
  40. "confidence": "Weak",
  41. "note": ""
  42. },
  43. {
  44. "warning_type": "Redirect",
  45. "warning_code": 18,
  46. "fingerprint": "5fad11cd67f905fab9b1d5739d01384a1748ebe78c5af5ac31518201925265a7",
  47. "check_name": "Redirect",
  48. "message": "Possible unprotected redirect",
  49. "file": "app/controllers/remote_interaction_controller.rb",
  50. "line": 24,
  51. "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
  52. "code": "redirect_to(RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id])))",
  53. "render_path": null,
  54. "location": {
  55. "type": "method",
  56. "class": "RemoteInteractionController",
  57. "method": "create"
  58. },
  59. "user_input": "RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id]))",
  60. "confidence": "High",
  61. "note": ""
  62. },
  63. {
  64. "warning_type": "Cross-Site Scripting",
  65. "warning_code": 2,
  66. "fingerprint": "71cf98c8235b5cfa9946b5db8fdc1a2f3a862566abb34e4542be6f3acae78233",
  67. "check_name": "CrossSiteScripting",
  68. "message": "Unescaped model attribute",
  69. "file": "app/views/admin/disputes/appeals/_appeal.html.haml",
  70. "line": 7,
  71. "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
  72. "code": "t((Unresolved Model).new.strike.action, :scope => \"admin.strikes.actions\", :name => content_tag(:span, (Unresolved Model).new.strike.account.username, :class => \"username\"), :target => content_tag(:span, (Unresolved Model).new.account.username, :class => \"target\"))",
  73. "render_path": [
  74. {
  75. "type": "template",
  76. "name": "admin/disputes/appeals/index",
  77. "line": 20,
  78. "file": "app/views/admin/disputes/appeals/index.html.haml",
  79. "rendered": {
  80. "name": "admin/disputes/appeals/_appeal",
  81. "file": "app/views/admin/disputes/appeals/_appeal.html.haml"
  82. }
  83. }
  84. ],
  85. "location": {
  86. "type": "template",
  87. "template": "admin/disputes/appeals/_appeal"
  88. },
  89. "user_input": "(Unresolved Model).new.strike",
  90. "confidence": "Weak",
  91. "note": ""
  92. },
  93. {
  94. "warning_type": "SQL Injection",
  95. "warning_code": 0,
  96. "fingerprint": "75fcd147b7611763ab6915faf8c5b0709e612b460f27c05c72d8b9bd0a6a77f8",
  97. "check_name": "SQL",
  98. "message": "Possible SQL injection",
  99. "file": "lib/mastodon/snowflake.rb",
  100. "line": 87,
  101. "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  102. "code": "connection.execute(\"CREATE OR REPLACE FUNCTION timestamp_id(table_name text)\\nRETURNS bigint AS\\n$$\\n DECLARE\\n time_part bigint;\\n sequence_base bigint;\\n tail bigint;\\n BEGIN\\n time_part := (\\n -- Get the time in milliseconds\\n ((date_part('epoch', now()) * 1000))::bigint\\n -- And shift it over two bytes\\n << 16);\\n\\n sequence_base := (\\n 'x' ||\\n -- Take the first two bytes (four hex characters)\\n substr(\\n -- Of the MD5 hash of the data we documented\\n md5(table_name || '#{SecureRandom.hex(16)}' || time_part::text),\\n 1, 4\\n )\\n -- And turn it into a bigint\\n )::bit(16)::bigint;\\n\\n -- Finally, add our sequence number to our base, and chop\\n -- it to the last two bytes\\n tail := (\\n (sequence_base + nextval(table_name || '_id_seq'))\\n & 65535);\\n\\n -- Return the time part and the sequence part. OR appears\\n -- faster here than addition, but they're equivalent:\\n -- time_part has no trailing two bytes, and tail is only\\n -- the last two bytes.\\n RETURN time_part | tail;\\n END\\n$$ LANGUAGE plpgsql VOLATILE;\\n\")",
  103. "render_path": null,
  104. "location": {
  105. "type": "method",
  106. "class": "Mastodon::Snowflake",
  107. "method": "define_timestamp_id"
  108. },
  109. "user_input": "SecureRandom.hex(16)",
  110. "confidence": "Medium",
  111. "note": ""
  112. },
  113. {
  114. "warning_type": "Mass Assignment",
  115. "warning_code": 105,
  116. "fingerprint": "7631e93d0099506e7c3e5c91ba8d88523b00a41a0834ae30031a5a4e8bb3020a",
  117. "check_name": "PermitAttributes",
  118. "message": "Potentially dangerous key allowed for mass assignment",
  119. "file": "app/controllers/api/v2/search_controller.rb",
  120. "line": 28,
  121. "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  122. "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)",
  123. "render_path": null,
  124. "location": {
  125. "type": "method",
  126. "class": "Api::V2::SearchController",
  127. "method": "search_params"
  128. },
  129. "user_input": ":account_id",
  130. "confidence": "High",
  131. "note": ""
  132. },
  133. {
  134. "warning_type": "Mass Assignment",
  135. "warning_code": 105,
  136. "fingerprint": "874be88fedf4c680926845e9a588d3197765a6ccbfdd76466b44cc00151c612e",
  137. "check_name": "PermitAttributes",
  138. "message": "Potentially dangerous key allowed for mass assignment",
  139. "file": "app/controllers/api/v1/admin/reports_controller.rb",
  140. "line": 90,
  141. "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  142. "code": "params.permit(:resolved, :account_id, :target_account_id)",
  143. "render_path": null,
  144. "location": {
  145. "type": "method",
  146. "class": "Api::V1::Admin::ReportsController",
  147. "method": "filter_params"
  148. },
  149. "user_input": ":account_id",
  150. "confidence": "High",
  151. "note": ""
  152. },
  153. {
  154. "warning_type": "Mass Assignment",
  155. "warning_code": 105,
  156. "fingerprint": "ab5035dd1a9f8c3a8d92fb2c37e8fe86fede4f87c91b71aa32e89c9eede602fc",
  157. "check_name": "PermitAttributes",
  158. "message": "Potentially dangerous key allowed for mass assignment",
  159. "file": "app/controllers/api/v1/notifications_controller.rb",
  160. "line": 81,
  161. "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  162. "code": "params.permit(:account_id, :types => ([]), :exclude_types => ([]))",
  163. "render_path": null,
  164. "location": {
  165. "type": "method",
  166. "class": "Api::V1::NotificationsController",
  167. "method": "browserable_params"
  168. },
  169. "user_input": ":account_id",
  170. "confidence": "High",
  171. "note": ""
  172. },
  173. {
  174. "warning_type": "Redirect",
  175. "warning_code": 18,
  176. "fingerprint": "ba568ac09683f98740f663f3d850c31785900215992e8c090497d359a2563d50",
  177. "check_name": "Redirect",
  178. "message": "Possible unprotected redirect",
  179. "file": "app/controllers/remote_follow_controller.rb",
  180. "line": 21,
  181. "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
  182. "code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(@account))",
  183. "render_path": null,
  184. "location": {
  185. "type": "method",
  186. "class": "RemoteFollowController",
  187. "method": "create"
  188. },
  189. "user_input": "RemoteFollow.new(resource_params).subscribe_address_for(@account)",
  190. "confidence": "High",
  191. "note": ""
  192. },
  193. {
  194. "warning_type": "Cross-Site Scripting",
  195. "warning_code": 4,
  196. "fingerprint": "cd5cfd7f40037fbfa753e494d7129df16e358bfc43ef0da3febafbf4ee1ed3ac",
  197. "check_name": "LinkToHref",
  198. "message": "Potentially unsafe model attribute in `link_to` href",
  199. "file": "app/views/admin/trends/links/_preview_card.html.haml",
  200. "line": 7,
  201. "link": "https://brakemanscanner.org/docs/warning_types/link_to_href",
  202. "code": "link_to((Unresolved Model).new.title, (Unresolved Model).new.url)",
  203. "render_path": [
  204. {
  205. "type": "template",
  206. "name": "admin/trends/links/index",
  207. "line": 49,
  208. "file": "app/views/admin/trends/links/index.html.haml",
  209. "rendered": {
  210. "name": "admin/trends/links/_preview_card",
  211. "file": "app/views/admin/trends/links/_preview_card.html.haml"
  212. }
  213. }
  214. ],
  215. "location": {
  216. "type": "template",
  217. "template": "admin/trends/links/_preview_card"
  218. },
  219. "user_input": "(Unresolved Model).new.url",
  220. "confidence": "Weak",
  221. "note": ""
  222. },
  223. {
  224. "warning_type": "Mass Assignment",
  225. "warning_code": 105,
  226. "fingerprint": "f9de0ca4b04ae4b51b74d98db14dcbb6dae6809e627b58e711019cf9b4a47866",
  227. "check_name": "PermitAttributes",
  228. "message": "Potentially dangerous key allowed for mass assignment",
  229. "file": "app/controllers/api/v1/reports_controller.rb",
  230. "line": 26,
  231. "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  232. "code": "params.permit(:account_id, :comment, :category, :forward, :status_ids => ([]), :rule_ids => ([]))",
  233. "render_path": null,
  234. "location": {
  235. "type": "method",
  236. "class": "Api::V1::ReportsController",
  237. "method": "report_params"
  238. },
  239. "user_input": ":account_id",
  240. "confidence": "High",
  241. "note": ""
  242. }
  243. ],
  244. "updated": "2022-03-22 07:48:32 +0100",
  245. "brakeman_version": "5.2.1"
  246. }