closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4472 Commits
4 Branches
567 MiB
Tree: a2a4bf4e78
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a2a4bf4e78'
${ noResults }
mastodon/config/brakeman.ignore

274 lines
14 KiB
Raw Normal View History

Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Improve admin UI for custom emojis, add copy/disable/enable (#5231)
6 years ago
Update status embeds (#4742) - Use statuses controller for embeds instead of stream entries controller - Prefer /@:username/:id/embed URL for embeds - Use /@:username as author_url in OEmbed - Add follow link to embeds which opens web intent in new window - Use redis cache in development - Cache entire embed
6 years ago
Set snowflake IDs for backdated statuses (#5260) - Rename Mastodon::TimestampIds into Mastodon::Snowflake for clarity - Skip for statuses coming from inbox, aka delivered in real-time - Skip for statuses that claim to be from the future
6 years ago
Update status embeds (#4742) - Use statuses controller for embeds instead of stream entries controller - Prefer /@:username/:id/embed URL for embeds - Use /@:username as author_url in OEmbed - Add follow link to embeds which opens web intent in new window - Use redis cache in development - Cache entire embed
6 years ago
Improve admin UI for custom emojis, add copy/disable/enable (#5231)
6 years ago
Set snowflake IDs for backdated statuses (#5260) - Rename Mastodon::TimestampIds into Mastodon::Snowflake for clarity - Skip for statuses coming from inbox, aka delivered in real-time - Skip for statuses that claim to be from the future
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Improve admin UI for custom emojis, add copy/disable/enable (#5231)
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Update status embeds (#4742) - Use statuses controller for embeds instead of stream entries controller - Prefer /@:username/:id/embed URL for embeds - Use /@:username as author_url in OEmbed - Add follow link to embeds which opens web intent in new window - Use redis cache in development - Cache entire embed
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Improve admin UI for custom emojis, add copy/disable/enable (#5231)
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Improve admin UI for custom emojis, add copy/disable/enable (#5231)
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Improve admin UI for custom emojis, add copy/disable/enable (#5231)
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Improve admin UI for custom emojis, add copy/disable/enable (#5231)
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Update status embeds (#4742) - Use statuses controller for embeds instead of stream entries controller - Prefer /@:username/:id/embed URL for embeds - Use /@:username as author_url in OEmbed - Add follow link to embeds which opens web intent in new window - Use redis cache in development - Cache entire embed
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Set snowflake IDs for backdated statuses (#5260) - Rename Mastodon::TimestampIds into Mastodon::Snowflake for clarity - Skip for statuses coming from inbox, aka delivered in real-time - Skip for statuses that claim to be from the future
6 years ago
Improve admin UI for custom emojis, add copy/disable/enable (#5231)
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
 
  1. {
  2.   "ignored_warnings": [
  3.     {
  4.       "warning_type": "Cross-Site Scripting",
  5.       "warning_code": 4,
  6.       "fingerprint": "0adbe361b91afff22ba51e5fc2275ec703cc13255a0cb3eecd8dab223ab9f61e",
  7.       "check_name": "LinkToHref",
  8.       "message": "Potentially unsafe model attribute in link_to href",
  9.       "file": "app/views/admin/accounts/show.html.haml",
  10.       "line": 122,
  11.       "link": "http://brakemanscanner.org/docs/warning_types/link_to_href",
  12.       "code": "link_to(Account.find(params[:id]).inbox_url, Account.find(params[:id]).inbox_url)",
  13.       "render_path": [{"type":"controller","class":"Admin::AccountsController","method":"show","line":13,"file":"app/controllers/admin/accounts_controller.rb"}],
  14.       "location": {
  15.         "type": "template",
  16.         "template": "admin/accounts/show"
  17.       },
  18.       "user_input": "Account.find(params[:id]).inbox_url",
  19.       "confidence": "Weak",
  20.       "note": ""
  21.     },
  22.     {
  23.       "warning_type": "Cross-Site Scripting",
  24.       "warning_code": 4,
  25.       "fingerprint": "1fc29c578d0c89bf13bd5476829d272d54cd06b92ccf6df18568fa1f2674926e",
  26.       "check_name": "LinkToHref",
  27.       "message": "Potentially unsafe model attribute in link_to href",
  28.       "file": "app/views/admin/accounts/show.html.haml",
  29.       "line": 128,
  30.       "link": "http://brakemanscanner.org/docs/warning_types/link_to_href",
  31.       "code": "link_to(Account.find(params[:id]).shared_inbox_url, Account.find(params[:id]).shared_inbox_url)",
  32.       "render_path": [{"type":"controller","class":"Admin::AccountsController","method":"show","line":13,"file":"app/controllers/admin/accounts_controller.rb"}],
  33.       "location": {
  34.         "type": "template",
  35.         "template": "admin/accounts/show"
  36.       },
  37.       "user_input": "Account.find(params[:id]).shared_inbox_url",
  38.       "confidence": "Weak",
  39.       "note": ""
  40.     },
  41.     {
  42.       "warning_type": "Cross-Site Scripting",
  43.       "warning_code": 4,
  44.       "fingerprint": "2129d4c1e63a351d28d8d2937ff0b50237809c3df6725c0c5ef82b881dbb2086",
  45.       "check_name": "LinkToHref",
  46.       "message": "Potentially unsafe model attribute in link_to href",
  47.       "file": "app/views/admin/accounts/show.html.haml",
  48.       "line": 35,
  49.       "link": "http://brakemanscanner.org/docs/warning_types/link_to_href",
  50.       "code": "link_to(Account.find(params[:id]).url, Account.find(params[:id]).url)",
  51.       "render_path": [{"type":"controller","class":"Admin::AccountsController","method":"show","line":13,"file":"app/controllers/admin/accounts_controller.rb"}],
  52.       "location": {
  53.         "type": "template",
  54.         "template": "admin/accounts/show"
  55.       },
  56.       "user_input": "Account.find(params[:id]).url",
  57.       "confidence": "Weak",
  58.       "note": ""
  59.     },
  60.     {
  61.       "warning_type": "Dynamic Render Path",
  62.       "warning_code": 15,
  63.       "fingerprint": "3b0a20b08aef13cf8cf865384fae0cfd3324d8200a83262bf4abbc8091b5fec5",
  64.       "check_name": "Render",
  65.       "message": "Render path contains parameter value",
  66.       "file": "app/views/admin/custom_emojis/index.html.haml",
  67.       "line": 31,
  68.       "link": "http://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
  69.       "code": "render(action => filtered_custom_emojis.page(params[:page]), {})",
  70.       "render_path": [{"type":"controller","class":"Admin::CustomEmojisController","method":"index","line":9,"file":"app/controllers/admin/custom_emojis_controller.rb"}],
  71.       "location": {
  72.         "type": "template",
  73.         "template": "admin/custom_emojis/index"
  74.       },
  75.       "user_input": "params[:page]",
  76.       "confidence": "Weak",
  77.       "note": ""
  78.     },
  79.     {
  80.       "warning_type": "Dynamic Render Path",
  81.       "warning_code": 15,
  82.       "fingerprint": "44d3f14e05d8fbb5b23e13ac02f15aa38b2a2f0f03b9ba76bab7f98e155a4a4e",
  83.       "check_name": "Render",
  84.       "message": "Render path contains parameter value",
  85.       "file": "app/views/stream_entries/embed.html.haml",
  86.       "line": 3,
  87.       "link": "http://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
  88.       "code": "render(action => \"stream_entries/#{Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase}\", { Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase.to_sym => Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity, :centered => true })",
  89.       "render_path": [{"type":"controller","class":"StatusesController","method":"embed","line":41,"file":"app/controllers/statuses_controller.rb"}],
  90.       "location": {
  91.         "type": "template",
  92.         "template": "stream_entries/embed"
  93.       },
  94.       "user_input": "params[:id]",
  95.       "confidence": "Weak",
  96.       "note": ""
  97.     },
  98.     {
  99.       "warning_type": "Cross-Site Scripting",
  100.       "warning_code": 4,
  101.       "fingerprint": "64b5b2a02ede9c2b3598881eb5a466d63f7d27fe0946aa00d570111ec7338d2e",
  102.       "check_name": "LinkToHref",
  103.       "message": "Potentially unsafe model attribute in link_to href",
  104.       "file": "app/views/admin/accounts/show.html.haml",
  105.       "line": 131,
  106.       "link": "http://brakemanscanner.org/docs/warning_types/link_to_href",
  107.       "code": "link_to(Account.find(params[:id]).followers_url, Account.find(params[:id]).followers_url)",
  108.       "render_path": [{"type":"controller","class":"Admin::AccountsController","method":"show","line":13,"file":"app/controllers/admin/accounts_controller.rb"}],
  109.       "location": {
  110.         "type": "template",
  111.         "template": "admin/accounts/show"
  112.       },
  113.       "user_input": "Account.find(params[:id]).followers_url",
  114.       "confidence": "Weak",
  115.       "note": ""
  116.     },
  117.     {
  118.       "warning_type": "Cross-Site Scripting",
  119.       "warning_code": 4,
  120.       "fingerprint": "82f7b0d09beb3ab68e0fa16be63cedf4e820f2490326e9a1cec05761d92446cd",
  121.       "check_name": "LinkToHref",
  122.       "message": "Potentially unsafe model attribute in link_to href",
  123.       "file": "app/views/admin/accounts/show.html.haml",
  124.       "line": 106,
  125.       "link": "http://brakemanscanner.org/docs/warning_types/link_to_href",
  126.       "code": "link_to(Account.find(params[:id]).salmon_url, Account.find(params[:id]).salmon_url)",
  127.       "render_path": [{"type":"controller","class":"Admin::AccountsController","method":"show","line":13,"file":"app/controllers/admin/accounts_controller.rb"}],
  128.       "location": {
  129.         "type": "template",
  130.         "template": "admin/accounts/show"
  131.       },
  132.       "user_input": "Account.find(params[:id]).salmon_url",
  133.       "confidence": "Weak",
  134.       "note": ""
  135.     },
  136.     {
  137.       "warning_type": "SQL Injection",
  138.       "warning_code": 0,
  139.       "fingerprint": "9ccb9ba6a6947400e187d515e0bf719d22993d37cfc123c824d7fafa6caa9ac3",
  140.       "check_name": "SQL",
  141.       "message": "Possible SQL injection",
  142.       "file": "lib/mastodon/snowflake.rb",
  143.       "line": 86,
  144.       "link": "http://brakemanscanner.org/docs/warning_types/sql_injection/",
  145.       "code": "connection.execute(\"        CREATE OR REPLACE FUNCTION timestamp_id(table_name text)\\n        RETURNS bigint AS\\n        $$\\n          DECLARE\\n            time_part bigint;\\n            sequence_base bigint;\\n            tail bigint;\\n          BEGIN\\n            time_part := (\\n              -- Get the time in milliseconds\\n              ((date_part('epoch', now()) * 1000))::bigint\\n              -- And shift it over two bytes\\n              << 16);\\n\\n            sequence_base := (\\n              'x' ||\\n              -- Take the first two bytes (four hex characters)\\n              substr(\\n                -- Of the MD5 hash of the data we documented\\n                md5(table_name ||\\n                  '#{SecureRandom.hex(16)}' ||\\n                  time_part::text\\n                ),\\n                1, 4\\n              )\\n            -- And turn it into a bigint\\n            )::bit(16)::bigint;\\n\\n            -- Finally, add our sequence number to our base, and chop\\n            -- it to the last two bytes\\n            tail := (\\n              (sequence_base + nextval(table_name || '_id_seq'))\\n              & 65535);\\n\\n            -- Return the time part and the sequence part. OR appears\\n            -- faster here than addition, but they're equivalent:\\n            -- time_part has no trailing two bytes, and tail is only\\n            -- the last two bytes.\\n            RETURN time_part | tail;\\n          END\\n        $$ LANGUAGE plpgsql VOLATILE;\\n\")",
  146.       "render_path": null,
  147.       "location": {
  148.         "type": "method",
  149.         "class": "Mastodon::Snowflake",
  150.         "method": "define_timestamp_id"
  151.       },
  152.       "user_input": "SecureRandom.hex(16)",
  153.       "confidence": "Medium",
  154.       "note": ""
  155.     },
  156.     {
  157.       "warning_type": "Dynamic Render Path",
  158.       "warning_code": 15,
  159.       "fingerprint": "9f31d941f3910dba2e9bfcd81aef4513249bd24c02d0f98e13ad44fdeeccd0e8",
  160.       "check_name": "Render",
  161.       "message": "Render path contains parameter value",
  162.       "file": "app/views/admin/accounts/index.html.haml",
  163.       "line": 64,
  164.       "link": "http://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
  165.       "code": "render(action => filtered_accounts.page(params[:page]), {})",
  166.       "render_path": [{"type":"controller","class":"Admin::AccountsController","method":"index","line":10,"file":"app/controllers/admin/accounts_controller.rb"}],
  167.       "location": {
  168.         "type": "template",
  169.         "template": "admin/accounts/index"
  170.       },
  171.       "user_input": "params[:page]",
  172.       "confidence": "Weak",
  173.       "note": ""
  174.     },
  175.     {
  176.       "warning_type": "Cross-Site Scripting",
  177.       "warning_code": 4,
  178.       "fingerprint": "bb0ad5c4a42e06e3846c2089ff5269c17f65483a69414f6ce65eecf2bb11fab7",
  179.       "check_name": "LinkToHref",
  180.       "message": "Potentially unsafe model attribute in link_to href",
  181.       "file": "app/views/admin/accounts/show.html.haml",
  182.       "line": 95,
  183.       "link": "http://brakemanscanner.org/docs/warning_types/link_to_href",
  184.       "code": "link_to(Account.find(params[:id]).remote_url, Account.find(params[:id]).remote_url)",
  185.       "render_path": [{"type":"controller","class":"Admin::AccountsController","method":"show","line":13,"file":"app/controllers/admin/accounts_controller.rb"}],
  186.       "location": {
  187.         "type": "template",
  188.         "template": "admin/accounts/show"
  189.       },
  190.       "user_input": "Account.find(params[:id]).remote_url",
  191.       "confidence": "Weak",
  192.       "note": ""
  193.     },
  194.     {
  195.       "warning_type": "Redirect",
  196.       "warning_code": 18,
  197.       "fingerprint": "bb7e94e60af41decb811bb32171f1b27e9bf3f4d01e9e511127362e22510eb11",
  198.       "check_name": "Redirect",
  199.       "message": "Possible unprotected redirect",
  200.       "file": "app/controllers/remote_follow_controller.rb",
  201.       "line": 18,
  202.       "link": "http://brakemanscanner.org/docs/warning_types/redirect/",
  203.       "code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(Account.find_local!(params[:account_username])))",
  204.       "render_path": null,
  205.       "location": {
  206.         "type": "method",
  207.         "class": "RemoteFollowController",
  208.         "method": "create"
  209.       },
  210.       "user_input": "RemoteFollow.new(resource_params).subscribe_address_for(Account.find_local!(params[:account_username]))",
  211.       "confidence": "High",
  212.       "note": ""
  213.     },
  214.     {
  215.       "warning_type": "Dynamic Render Path",
  216.       "warning_code": 15,
  217.       "fingerprint": "c5d6945d63264af106d49367228d206aa2f176699ecdce2b98fac101bc6a96cf",
  218.       "check_name": "Render",
  219.       "message": "Render path contains parameter value",
  220.       "file": "app/views/admin/reports/index.html.haml",
  221.       "line": 25,
  222.       "link": "http://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
  223.       "code": "render(action => filtered_reports.page(params[:page]), {})",
  224.       "render_path": [{"type":"controller","class":"Admin::ReportsController","method":"index","line":9,"file":"app/controllers/admin/reports_controller.rb"}],
  225.       "location": {
  226.         "type": "template",
  227.         "template": "admin/reports/index"
  228.       },
  229.       "user_input": "params[:page]",
  230.       "confidence": "Weak",
  231.       "note": ""
  232.     },
  233.     {
  234.       "warning_type": "Cross-Site Scripting",
  235.       "warning_code": 4,
  236.       "fingerprint": "e04aafe1e06cf8317fb6ac0a7f35783e45aa1274272ee6eaf28d39adfdad489b",
  237.       "check_name": "LinkToHref",
  238.       "message": "Potentially unsafe model attribute in link_to href",
  239.       "file": "app/views/admin/accounts/show.html.haml",
  240.       "line": 125,
  241.       "link": "http://brakemanscanner.org/docs/warning_types/link_to_href",
  242.       "code": "link_to(Account.find(params[:id]).outbox_url, Account.find(params[:id]).outbox_url)",
  243.       "render_path": [{"type":"controller","class":"Admin::AccountsController","method":"show","line":13,"file":"app/controllers/admin/accounts_controller.rb"}],
  244.       "location": {
  245.         "type": "template",
  246.         "template": "admin/accounts/show"
  247.       },
  248.       "user_input": "Account.find(params[:id]).outbox_url",
  249.       "confidence": "Weak",
  250.       "note": ""
  251.     },
  252.     {
  253.       "warning_type": "Dynamic Render Path",
  254.       "warning_code": 15,
  255.       "fingerprint": "fbd0fc59adb5c6d44b60e02debb31d3af11719f534c9881e21435bbff87404d6",
  256.       "check_name": "Render",
  257.       "message": "Render path contains parameter value",
  258.       "file": "app/views/stream_entries/show.html.haml",
  259.       "line": 21,
  260.       "link": "http://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
  261.       "code": "render(partial => \"stream_entries/#{Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase}\", { :locals => ({ Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase.to_sym => Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity, :include_threads => true }) })",
  262.       "render_path": [{"type":"controller","class":"StatusesController","method":"show","line":20,"file":"app/controllers/statuses_controller.rb"}],
  263.       "location": {
  264.         "type": "template",
  265.         "template": "stream_entries/show"
  266.       },
  267.       "user_input": "params[:id]",
  268.       "confidence": "Weak",
  269.       "note": ""
  270.     }
  271.   ],
  272.   "updated": "2017-10-07 19:24:02 +0200",
  273.   "brakeman_version": "4.0.1"
  274. }