closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11274 Commits
4 Branches
567 MiB
Tree: bd53dd5210
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'bd53dd5210'
${ noResults }
mastodon/config/brakeman.ignore

226 lines
9.5 KiB
Raw Normal View History

Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
6 years ago
Add trending statuses (#17431) * Add trending statuses * Fix dangling items with stale scores in localized sets * Various fixes and improvements - Change approve_all/reject_all to approve_accounts/reject_accounts - Change Trends::Query methods to not mutate the original query - Change Trends::Query#skip to offset - Change follow recommendations to be refreshed in a transaction * Add tests for trending statuses filtering behaviour * Fix not applying filtering scope in controller
2 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
6 years ago
Add trending statuses (#17431) * Add trending statuses * Fix dangling items with stale scores in localized sets * Various fixes and improvements - Change approve_all/reject_all to approve_accounts/reject_accounts - Change Trends::Query methods to not mutate the original query - Change Trends::Query#skip to offset - Change follow recommendations to be refreshed in a transaction * Add tests for trending statuses filtering behaviour * Fix not applying filtering scope in controller
2 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
6 years ago
Add E2EE API (#13820)
4 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
6 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
7 years ago
Add E2EE API (#13820)
4 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
7 years ago
Add E2EE API (#13820)
4 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
7 years ago
Add E2EE API (#13820)
4 years ago
Ignore brakeman false positive warning (#16213)
3 years ago
Add appeals (#17364) * Add appeals * Add ability to reject appeals and ability to browse pending appeals in admin UI * Add strikes to account page in settings * Various fixes and improvements - Add separate notification setting for appeals, separate from reports - Fix style of links in report/strike header - Change approving an appeal to not restore statuses (due to federation complexities) - Change style of successfully appealed strikes on account settings page - Change account settings page to only show unappealed or recently appealed strikes * Change appealed_at to overruled_at * Fix missing method error
2 years ago
Ignore brakeman false positive warning (#16213)
3 years ago
Add appeals (#17364) * Add appeals * Add ability to reject appeals and ability to browse pending appeals in admin UI * Add strikes to account page in settings * Various fixes and improvements - Add separate notification setting for appeals, separate from reports - Fix style of links in report/strike header - Change approving an appeal to not restore statuses (due to federation complexities) - Change style of successfully appealed strikes on account settings page - Change account settings page to only show unappealed or recently appealed strikes * Change appealed_at to overruled_at * Fix missing method error
2 years ago
Add trending statuses (#17431) * Add trending statuses * Fix dangling items with stale scores in localized sets * Various fixes and improvements - Change approve_all/reject_all to approve_accounts/reject_accounts - Change Trends::Query methods to not mutate the original query - Change Trends::Query#skip to offset - Change follow recommendations to be refreshed in a transaction * Add tests for trending statuses filtering behaviour * Fix not applying filtering scope in controller
2 years ago
Add appeals (#17364) * Add appeals * Add ability to reject appeals and ability to browse pending appeals in admin UI * Add strikes to account page in settings * Various fixes and improvements - Add separate notification setting for appeals, separate from reports - Fix style of links in report/strike header - Change approving an appeal to not restore statuses (due to federation complexities) - Change style of successfully appealed strikes on account settings page - Change account settings page to only show unappealed or recently appealed strikes * Change appealed_at to overruled_at * Fix missing method error
2 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
4 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
4 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
6 years ago
Add E2EE API (#13820)
4 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
4 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
4 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Add trending statuses (#17431) * Add trending statuses * Fix dangling items with stale scores in localized sets * Various fixes and improvements - Change approve_all/reject_all to approve_accounts/reject_accounts - Change Trends::Query methods to not mutate the original query - Change Trends::Query#skip to offset - Change follow recommendations to be refreshed in a transaction * Add tests for trending statuses filtering behaviour * Fix not applying filtering scope in controller
2 years ago
Add trending links (#16917) * Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
6 years ago
Add appeals (#17364) * Add appeals * Add ability to reject appeals and ability to browse pending appeals in admin UI * Add strikes to account page in settings * Various fixes and improvements - Add separate notification setting for appeals, separate from reports - Fix style of links in report/strike header - Change approving an appeal to not restore statuses (due to federation complexities) - Change style of successfully appealed strikes on account settings page - Change account settings page to only show unappealed or recently appealed strikes * Change appealed_at to overruled_at * Fix missing method error
2 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
6 years ago
Add type, limit, offset, min_id, max_id, account_id to search API (#10091) * Add type, limit, offset, min_id, max_id, account_id to search API Fix #8939 * Make the offset work on accounts and hashtags search as well * Assure brakeman we are not doing mass assignment here * Do not allow paginating unless a type is chosen * Fix search query and index id field on statuses instead of created_at
5 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
6 years ago
Add appeals (#17364) * Add appeals * Add ability to reject appeals and ability to browse pending appeals in admin UI * Add strikes to account page in settings * Various fixes and improvements - Add separate notification setting for appeals, separate from reports - Fix style of links in report/strike header - Change approving an appeal to not restore statuses (due to federation complexities) - Change style of successfully appealed strikes on account settings page - Change account settings page to only show unappealed or recently appealed strikes * Change appealed_at to overruled_at * Fix missing method error
2 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add trending statuses (#17431) * Add trending statuses * Fix dangling items with stale scores in localized sets * Various fixes and improvements - Change approve_all/reject_all to approve_accounts/reject_accounts - Change Trends::Query methods to not mutate the original query - Change Trends::Query#skip to offset - Change follow recommendations to be refreshed in a transaction * Add tests for trending statuses filtering behaviour * Fix not applying filtering scope in controller
2 years ago
Add appeals (#17364) * Add appeals * Add ability to reject appeals and ability to browse pending appeals in admin UI * Add strikes to account page in settings * Various fixes and improvements - Add separate notification setting for appeals, separate from reports - Fix style of links in report/strike header - Change approving an appeal to not restore statuses (due to federation complexities) - Change style of successfully appealed strikes on account settings page - Change account settings page to only show unappealed or recently appealed strikes * Change appealed_at to overruled_at * Fix missing method error
2 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
 
  1. {
  2.   "ignored_warnings": [
  3.     {
  4.       "warning_type": "SQL Injection",
  5.       "warning_code": 0,
  6.       "fingerprint": "19df3740b8d02a9fe0eb52c939b4b87d3a2a591162a6adfa8d64e9c26aeebe6d",
  7.       "check_name": "SQL",
  8.       "message": "Possible SQL injection",
  9.       "file": "app/models/status.rb",
  10.       "line": 105,
  11.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  12.       "code": "result.joins(\"INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
  13.       "render_path": null,
  14.       "location": {
  15.         "type": "method",
  16.         "class": "Status",
  17.         "method": null
  18.       },
  19.       "user_input": "id",
  20.       "confidence": "Weak",
  21.       "note": ""
  22.     },
  23.     {
  24.       "warning_type": "SQL Injection",
  25.       "warning_code": 0,
  26.       "fingerprint": "30dfe36e87fe1b8f239df9a33d576e44a9863f73b680198d4713be6540ae61d3",
  27.       "check_name": "SQL",
  28.       "message": "Possible SQL injection",
  29.       "file": "app/models/trends/query.rb",
  30.       "line": 60,
  31.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  32.       "code": "klass.joins(\"join unnest(array[#{ids.join(\",\")}]) with ordinality as x (id, ordering) on #{klass.table_name}.id = x.id\")",
  33.       "render_path": null,
  34.       "location": {
  35.         "type": "method",
  36.         "class": "Trends::Query",
  37.         "method": "to_arel"
  38.       },
  39.       "user_input": "ids.join(\",\")",
  40.       "confidence": "Weak",
  41.       "note": ""
  42.     },
  43.     {
  44.       "warning_type": "Redirect",
  45.       "warning_code": 18,
  46.       "fingerprint": "5fad11cd67f905fab9b1d5739d01384a1748ebe78c5af5ac31518201925265a7",
  47.       "check_name": "Redirect",
  48.       "message": "Possible unprotected redirect",
  49.       "file": "app/controllers/remote_interaction_controller.rb",
  50.       "line": 24,
  51.       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
  52.       "code": "redirect_to(RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id])))",
  53.       "render_path": null,
  54.       "location": {
  55.         "type": "method",
  56.         "class": "RemoteInteractionController",
  57.         "method": "create"
  58.       },
  59.       "user_input": "RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id]))",
  60.       "confidence": "High",
  61.       "note": ""
  62.     },
  63.     {
  64.       "warning_type": "SQL Injection",
  65.       "warning_code": 0,
  66.       "fingerprint": "75fcd147b7611763ab6915faf8c5b0709e612b460f27c05c72d8b9bd0a6a77f8",
  67.       "check_name": "SQL",
  68.       "message": "Possible SQL injection",
  69.       "file": "lib/mastodon/snowflake.rb",
  70.       "line": 87,
  71.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  72.       "code": "connection.execute(\"CREATE OR REPLACE FUNCTION timestamp_id(table_name text)\\nRETURNS bigint AS\\n$$\\n  DECLARE\\n    time_part bigint;\\n    sequence_base bigint;\\n    tail bigint;\\n  BEGIN\\n    time_part := (\\n      -- Get the time in milliseconds\\n      ((date_part('epoch', now()) * 1000))::bigint\\n      -- And shift it over two bytes\\n      << 16);\\n\\n    sequence_base := (\\n      'x' ||\\n      -- Take the first two bytes (four hex characters)\\n      substr(\\n        -- Of the MD5 hash of the data we documented\\n        md5(table_name || '#{SecureRandom.hex(16)}' || time_part::text),\\n        1, 4\\n      )\\n    -- And turn it into a bigint\\n    )::bit(16)::bigint;\\n\\n    -- Finally, add our sequence number to our base, and chop\\n    -- it to the last two bytes\\n    tail := (\\n      (sequence_base + nextval(table_name || '_id_seq'))\\n      & 65535);\\n\\n    -- Return the time part and the sequence part. OR appears\\n    -- faster here than addition, but they're equivalent:\\n    -- time_part has no trailing two bytes, and tail is only\\n    -- the last two bytes.\\n    RETURN time_part | tail;\\n  END\\n$$ LANGUAGE plpgsql VOLATILE;\\n\")",
  73.       "render_path": null,
  74.       "location": {
  75.         "type": "method",
  76.         "class": "Mastodon::Snowflake",
  77.         "method": "define_timestamp_id"
  78.       },
  79.       "user_input": "SecureRandom.hex(16)",
  80.       "confidence": "Medium",
  81.       "note": ""
  82.     },
  83.     {
  84.       "warning_type": "Mass Assignment",
  85.       "warning_code": 105,
  86.       "fingerprint": "7631e93d0099506e7c3e5c91ba8d88523b00a41a0834ae30031a5a4e8bb3020a",
  87.       "check_name": "PermitAttributes",
  88.       "message": "Potentially dangerous key allowed for mass assignment",
  89.       "file": "app/controllers/api/v2/search_controller.rb",
  90.       "line": 28,
  91.       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  92.       "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)",
  93.       "render_path": null,
  94.       "location": {
  95.         "type": "method",
  96.         "class": "Api::V2::SearchController",
  97.         "method": "search_params"
  98.       },
  99.       "user_input": ":account_id",
  100.       "confidence": "High",
  101.       "note": ""
  102.     },
  103.     {
  104.       "warning_type": "Mass Assignment",
  105.       "warning_code": 105,
  106.       "fingerprint": "874be88fedf4c680926845e9a588d3197765a6ccbfdd76466b44cc00151c612e",
  107.       "check_name": "PermitAttributes",
  108.       "message": "Potentially dangerous key allowed for mass assignment",
  109.       "file": "app/controllers/api/v1/admin/reports_controller.rb",
  110.       "line": 90,
  111.       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  112.       "code": "params.permit(:resolved, :account_id, :target_account_id)",
  113.       "render_path": null,
  114.       "location": {
  115.         "type": "method",
  116.         "class": "Api::V1::Admin::ReportsController",
  117.         "method": "filter_params"
  118.       },
  119.       "user_input": ":account_id",
  120.       "confidence": "High",
  121.       "note": ""
  122.     },
  123.     {
  124.       "warning_type": "Cross-Site Scripting",
  125.       "warning_code": 2,
  126.       "fingerprint": "afad51718ae373b2f19d2513029fd2afccf58b9148e475934bc6a162ee33c352",
  127.       "check_name": "CrossSiteScripting",
  128.       "message": "Unescaped model attribute",
  129.       "file": "app/views/admin/disputes/appeals/_appeal.html.haml",
  130.       "line": 7,
  131.       "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
  132.       "code": "t((Unresolved Model).new.strike.action, :scope => \"admin.strikes.actions\", :name => content_tag(:span, (Unresolved Model).new.strike.account.username, :class => \"username\"), :target => content_tag(:span, (Unresolved Model).new.account.acct, :class => \"target\"))",
  133.       "render_path": [
  134.         {
  135.           "type": "template",
  136.           "name": "admin/disputes/appeals/index",
  137.           "line": 20,
  138.           "file": "app/views/admin/disputes/appeals/index.html.haml",
  139.           "rendered": {
  140.             "name": "admin/disputes/appeals/_appeal",
  141.             "file": "app/views/admin/disputes/appeals/_appeal.html.haml"
  142.           }
  143.         }
  144.       ],
  145.       "location": {
  146.         "type": "template",
  147.         "template": "admin/disputes/appeals/_appeal"
  148.       },
  149.       "user_input": "(Unresolved Model).new.strike",
  150.       "confidence": "Weak",
  151.       "note": ""
  152.     },
  153.     {
  154.       "warning_type": "Redirect",
  155.       "warning_code": 18,
  156.       "fingerprint": "ba568ac09683f98740f663f3d850c31785900215992e8c090497d359a2563d50",
  157.       "check_name": "Redirect",
  158.       "message": "Possible unprotected redirect",
  159.       "file": "app/controllers/remote_follow_controller.rb",
  160.       "line": 21,
  161.       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
  162.       "code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(@account))",
  163.       "render_path": null,
  164.       "location": {
  165.         "type": "method",
  166.         "class": "RemoteFollowController",
  167.         "method": "create"
  168.       },
  169.       "user_input": "RemoteFollow.new(resource_params).subscribe_address_for(@account)",
  170.       "confidence": "High",
  171.       "note": ""
  172.     },
  173.     {
  174.       "warning_type": "Cross-Site Scripting",
  175.       "warning_code": 4,
  176.       "fingerprint": "cd5cfd7f40037fbfa753e494d7129df16e358bfc43ef0da3febafbf4ee1ed3ac",
  177.       "check_name": "LinkToHref",
  178.       "message": "Potentially unsafe model attribute in `link_to` href",
  179.       "file": "app/views/admin/trends/links/_preview_card.html.haml",
  180.       "line": 7,
  181.       "link": "https://brakemanscanner.org/docs/warning_types/link_to_href",
  182.       "code": "link_to((Unresolved Model).new.title, (Unresolved Model).new.url)",
  183.       "render_path": [
  184.         {
  185.           "type": "template",
  186.           "name": "admin/trends/links/index",
  187.           "line": 45,
  188.           "file": "app/views/admin/trends/links/index.html.haml",
  189.           "rendered": {
  190.             "name": "admin/trends/links/_preview_card",
  191.             "file": "app/views/admin/trends/links/_preview_card.html.haml"
  192.           }
  193.         }
  194.       ],
  195.       "location": {
  196.         "type": "template",
  197.         "template": "admin/trends/links/_preview_card"
  198.       },
  199.       "user_input": "(Unresolved Model).new.url",
  200.       "confidence": "Weak",
  201.       "note": ""
  202.     },
  203.     {
  204.       "warning_type": "Mass Assignment",
  205.       "warning_code": 105,
  206.       "fingerprint": "f9de0ca4b04ae4b51b74d98db14dcbb6dae6809e627b58e711019cf9b4a47866",
  207.       "check_name": "PermitAttributes",
  208.       "message": "Potentially dangerous key allowed for mass assignment",
  209.       "file": "app/controllers/api/v1/reports_controller.rb",
  210.       "line": 36,
  211.       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  212.       "code": "params.permit(:account_id, :comment, :category, :forward, :status_ids => ([]), :rule_ids => ([]))",
  213.       "render_path": null,
  214.       "location": {
  215.         "type": "method",
  216.         "class": "Api::V1::ReportsController",
  217.         "method": "report_params"
  218.       },
  219.       "user_input": ":account_id",
  220.       "confidence": "High",
  221.       "note": ""
  222.     }
  223.   ],
  224.   "updated": "2022-02-15 03:48:53 +0100",
  225.   "brakeman_version": "5.2.1"
  226. }