

  1. {
  2. "ignored_warnings": [
  3. {
  4. "warning_type": "Mass Assignment",
  5. "warning_code": 105,
  6. "fingerprint": "0117d2be5947ea4e4fbed9c15f23c6615b12c6892973411820c83d079808819d",
  7. "check_name": "PermitAttributes",
  8. "message": "Potentially dangerous key allowed for mass assignment",
  9. "file": "app/controllers/api/v1/search_controller.rb",
  10. "line": 30,
  11. "link": "",
  12. "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)",
  13. "render_path": null,
  14. "location": {
  15. "type": "method",
  16. "class": "Api::V1::SearchController",
  17. "method": "search_params"
  18. },
  19. "user_input": ":account_id",
  20. "confidence": "High",
  21. "note": ""
  22. },
  23. {
  24. "warning_type": "SQL Injection",
  25. "warning_code": 0,
  26. "fingerprint": "04dbbc249b989db2e0119bbb0f59c9818e12889d2b97c529cdc0b1526002ba4b",
  27. "check_name": "SQL",
  28. "message": "Possible SQL injection",
  29. "file": "app/models/report.rb",
  30. "line": 90,
  31. "link": "",
  32. "code": "Admin::ActionLog.from(\"(#{[Admin::ActionLog.where(:target_type => \"Report\", :target_id => id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Account\", :target_id => target_account_id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Status\", :target_id => status_ids, :created_at => ((created_at..updated_at))).unscope(:order)].map do\n \"(#{query.to_sql})\"\n end.join(\" UNION ALL \")}) AS admin_action_logs\")",
  33. "render_path": null,
  34. "location": {
  35. "type": "method",
  36. "class": "Report",
  37. "method": "history"
  38. },
  39. "user_input": "Admin::ActionLog.where(:target_type => \"Status\", :target_id => status_ids, :created_at => ((created_at..updated_at))).unscope(:order)",
  40. "confidence": "High",
  41. "note": ""
  42. },
  43. {
  44. "warning_type": "SQL Injection",
  45. "warning_code": 0,
  46. "fingerprint": "19df3740b8d02a9fe0eb52c939b4b87d3a2a591162a6adfa8d64e9c26aeebe6d",
  47. "check_name": "SQL",
  48. "message": "Possible SQL injection",
  49. "file": "app/models/status.rb",
  50. "line": 87,
  51. "link": "",
  52. "code": "result.joins(\"INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = AND t#{id}.tag_id = #{id}\")",
  53. "render_path": null,
  54. "location": {
  55. "type": "method",
  56. "class": "Status",
  57. "method": null
  58. },
  59. "user_input": "id",
  60. "confidence": "Weak",
  61. "note": ""
  62. },
  63. {
  64. "warning_type": "Mass Assignment",
  65. "warning_code": 105,
  66. "fingerprint": "28d81cc22580ef76e912b077b245f353499aa27b3826476667224c00227af2a9",
  67. "check_name": "PermitAttributes",
  68. "message": "Potentially dangerous key allowed for mass assignment",
  69. "file": "app/controllers/admin/reports_controller.rb",
  70. "line": 56,
  71. "link": "",
  72. "code": "params.permit(:account_id, :resolved, :target_account_id)",
  73. "render_path": null,
  74. "location": {
  75. "type": "method",
  76. "class": "Admin::ReportsController",
  77. "method": "filter_params"
  78. },
  79. "user_input": ":account_id",
  80. "confidence": "High",
  81. "note": ""
  82. },
  83. {
  84. "warning_type": "Dynamic Render Path",
  85. "warning_code": 15,
  86. "fingerprint": "4b6a895e2805578d03ceedbe1d469cc75a0c759eba093722523edb4b8683c873",
  87. "check_name": "Render",
  88. "message": "Render path contains parameter value",
  89. "file": "app/views/admin/action_logs/index.html.haml",
  90. "line": 4,
  91. "link": "",
  92. "code": "render(action =>[:page]), {})",
  93. "render_path": [{"type":"controller","class":"Admin::ActionLogsController","method":"index","line":7,"file":"app/controllers/admin/action_logs_controller.rb","rendered":{"name":"admin/action_logs/index","file":"/home/eugr/Projects/mastodon/app/views/admin/action_logs/index.html.haml"}}],
  94. "location": {
  95. "type": "template",
  96. "template": "admin/action_logs/index"
  97. },
  98. "user_input": "params[:page]",
  99. "confidence": "Weak",
  100. "note": ""
  101. },
  102. {
  103. "warning_type": "Redirect",
  104. "warning_code": 18,
  105. "fingerprint": "5fad11cd67f905fab9b1d5739d01384a1748ebe78c5af5ac31518201925265a7",
  106. "check_name": "Redirect",
  107. "message": "Possible unprotected redirect",
  108. "file": "app/controllers/remote_interaction_controller.rb",
  109. "line": 21,
  110. "link": "",
  111. "code": "redirect_to([:id])))",
  112. "render_path": null,
  113. "location": {
  114. "type": "method",
  115. "class": "RemoteInteractionController",
  116. "method": "create"
  117. },
  118. "user_input": "[:id]))",
  119. "confidence": "High",
  120. "note": ""
  121. },
  122. {
  123. "warning_type": "Dynamic Render Path",
  124. "warning_code": 15,
  125. "fingerprint": "67afc0d5f7775fa5bd91d1912e1b5505aeedef61876347546fa20f92fd6915e6",
  126. "check_name": "Render",
  127. "message": "Render path contains parameter value",
  128. "file": "app/views/stream_entries/embed.html.haml",
  129. "line": 3,
  130. "link": "",
  131. "code": "render(action => \"stream_entries/#{Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase}\", { Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase.to_sym => Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity, :centered => true, :autoplay =>[:autoplay]) })",
  132. "render_path": [{"type":"controller","class":"StatusesController","method":"embed","line":63,"file":"app/controllers/statuses_controller.rb","rendered":{"name":"stream_entries/embed","file":"/home/eugr/Projects/mastodon/app/views/stream_entries/embed.html.haml"}}],
  133. "location": {
  134. "type": "template",
  135. "template": "stream_entries/embed"
  136. },
  137. "user_input": "params[:id]",
  138. "confidence": "Weak",
  139. "note": ""
  140. },
  141. {
  142. "warning_type": "SQL Injection",
  143. "warning_code": 0,
  144. "fingerprint": "6f075c1484908e3ec9bed21ab7cf3c7866be8da3881485d1c82e13093aefcbd7",
  145. "check_name": "SQL",
  146. "message": "Possible SQL injection",
  147. "file": "app/models/status.rb",
  148. "line": 92,
  149. "link": "",
  150. "code": "result.joins(\"LEFT OUTER JOIN statuses_tags t#{id} ON t#{id}.status_id = AND t#{id}.tag_id = #{id}\")",
  151. "render_path": null,
  152. "location": {
  153. "type": "method",
  154. "class": "Status",
  155. "method": null
  156. },
  157. "user_input": "id",
  158. "confidence": "Weak",
  159. "note": ""
  160. },
  161. {
  162. "warning_type": "Dynamic Render Path",
  163. "warning_code": 15,
  164. "fingerprint": "8d843713d99e8403f7992f3e72251b633817cf9076ffcbbad5613859d2bbc127",
  165. "check_name": "Render",
  166. "message": "Render path contains parameter value",
  167. "file": "app/views/admin/custom_emojis/index.html.haml",
  168. "line": 45,
  169. "link": "",
  170. "code": "render(action => filtered_custom_emojis.eager_load(:local_counterpart).page(params[:page]), {})",
  171. "render_path": [{"type":"controller","class":"Admin::CustomEmojisController","method":"index","line":11,"file":"app/controllers/admin/custom_emojis_controller.rb","rendered":{"name":"admin/custom_emojis/index","file":"/home/eugr/Projects/mastodon/app/views/admin/custom_emojis/index.html.haml"}}],
  172. "location": {
  173. "type": "template",
  174. "template": "admin/custom_emojis/index"
  175. },
  176. "user_input": "params[:page]",
  177. "confidence": "Weak",
  178. "note": ""
  179. },
  180. {
  181. "warning_type": "SQL Injection",
  182. "warning_code": 0,
  183. "fingerprint": "9ccb9ba6a6947400e187d515e0bf719d22993d37cfc123c824d7fafa6caa9ac3",
  184. "check_name": "SQL",
  185. "message": "Possible SQL injection",
  186. "file": "lib/mastodon/snowflake.rb",
  187. "line": 87,
  188. "link": "",
  189. "code": "connection.execute(\" CREATE OR REPLACE FUNCTION timestamp_id(table_name text)\\n RETURNS bigint AS\\n $$\\n DECLARE\\n time_part bigint;\\n sequence_base bigint;\\n tail bigint;\\n BEGIN\\n time_part := (\\n -- Get the time in milliseconds\\n ((date_part('epoch', now()) * 1000))::bigint\\n -- And shift it over two bytes\\n << 16);\\n\\n sequence_base := (\\n 'x' ||\\n -- Take the first two bytes (four hex characters)\\n substr(\\n -- Of the MD5 hash of the data we documented\\n md5(table_name ||\\n '#{SecureRandom.hex(16)}' ||\\n time_part::text\\n ),\\n 1, 4\\n )\\n -- And turn it into a bigint\\n )::bit(16)::bigint;\\n\\n -- Finally, add our sequence number to our base, and chop\\n -- it to the last two bytes\\n tail := (\\n (sequence_base + nextval(table_name || '_id_seq'))\\n & 65535);\\n\\n -- Return the time part and the sequence part. OR appears\\n -- faster here than addition, but they're equivalent:\\n -- time_part has no trailing two bytes, and tail is only\\n -- the last two bytes.\\n RETURN time_part | tail;\\n END\\n $$ LANGUAGE plpgsql VOLATILE;\\n\")",
  190. "render_path": null,
  191. "location": {
  192. "type": "method",
  193. "class": "Mastodon::Snowflake",
  194. "method": "define_timestamp_id"
  195. },
  196. "user_input": "SecureRandom.hex(16)",
  197. "confidence": "Medium",
  198. "note": ""
  199. },
  200. {
  201. "warning_type": "Dynamic Render Path",
  202. "warning_code": 15,
  203. "fingerprint": "9f31d941f3910dba2e9bfcd81aef4513249bd24c02d0f98e13ad44fdeeccd0e8",
  204. "check_name": "Render",
  205. "message": "Render path contains parameter value",
  206. "file": "app/views/admin/accounts/index.html.haml",
  207. "line": 47,
  208. "link": "",
  209. "code": "render(action =>[:page]), {})",
  210. "render_path": [{"type":"controller","class":"Admin::AccountsController","method":"index","line":12,"file":"app/controllers/admin/accounts_controller.rb","rendered":{"name":"admin/accounts/index","file":"/home/eugr/Projects/mastodon/app/views/admin/accounts/index.html.haml"}}],
  211. "location": {
  212. "type": "template",
  213. "template": "admin/accounts/index"
  214. },
  215. "user_input": "params[:page]",
  216. "confidence": "Weak",
  217. "note": ""
  218. },
  219. {
  220. "warning_type": "Redirect",
  221. "warning_code": 18,
  222. "fingerprint": "ba699ddcc6552c422c4ecd50d2cd217f616a2446659e185a50b05a0f2dad8d33",
  223. "check_name": "Redirect",
  224. "message": "Possible unprotected redirect",
  225. "file": "app/controllers/media_controller.rb",
  226. "line": 14,
  227. "link": "",
  228. "code": "redirect_to(MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original))",
  229. "render_path": null,
  230. "location": {
  231. "type": "method",
  232. "class": "MediaController",
  233. "method": "show"
  234. },
  235. "user_input": "MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original)",
  236. "confidence": "High",
  237. "note": ""
  238. },
  239. {
  240. "warning_type": "Redirect",
  241. "warning_code": 18,
  242. "fingerprint": "bb7e94e60af41decb811bb32171f1b27e9bf3f4d01e9e511127362e22510eb11",
  243. "check_name": "Redirect",
  244. "message": "Possible unprotected redirect",
  245. "file": "app/controllers/remote_follow_controller.rb",
  246. "line": 19,
  247. "link": "",
  248. "code": "redirect_to(!(params[:account_username])))",
  249. "render_path": null,
  250. "location": {
  251. "type": "method",
  252. "class": "RemoteFollowController",
  253. "method": "create"
  254. },
  255. "user_input": "!(params[:account_username]))",
  256. "confidence": "High",
  257. "note": ""
  258. },
  259. {
  260. "warning_type": "Mass Assignment",
  261. "warning_code": 105,
  262. "fingerprint": "e867661b2c9812bc8b75a5df12b28e2a53ab97015de0638b4e732fe442561b28",
  263. "check_name": "PermitAttributes",
  264. "message": "Potentially dangerous key allowed for mass assignment",
  265. "file": "app/controllers/api/v1/reports_controller.rb",
  266. "line": 36,
  267. "link": "",
  268. "code": "params.permit(:account_id, :comment, :forward, :status_ids => ([]))",
  269. "render_path": null,
  270. "location": {
  271. "type": "method",
  272. "class": "Api::V1::ReportsController",
  273. "method": "report_params"
  274. },
  275. "user_input": ":account_id",
  276. "confidence": "High",
  277. "note": ""
  278. },
  279. {
  280. "warning_type": "Dynamic Render Path",
  281. "warning_code": 15,
  282. "fingerprint": "fbd0fc59adb5c6d44b60e02debb31d3af11719f534c9881e21435bbff87404d6",
  283. "check_name": "Render",
  284. "message": "Render path contains parameter value",
  285. "file": "app/views/stream_entries/show.html.haml",
  286. "line": 23,
  287. "link": "",
  288. "code": "render(partial => \"stream_entries/#{Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase}\", { :locals => ({ Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase.to_sym => Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity, :include_threads => true }) })",
  289. "render_path": [{"type":"controller","class":"StatusesController","method":"show","line":34,"file":"app/controllers/statuses_controller.rb","rendered":{"name":"stream_entries/show","file":"/home/eugr/Projects/mastodon/app/views/stream_entries/show.html.haml"}}],
  290. "location": {
  291. "type": "template",
  292. "template": "stream_entries/show"
  293. },
  294. "user_input": "params[:id]",
  295. "confidence": "Weak",
  296. "note": ""
  297. }
  298. ],
  299. "updated": "2019-02-21 02:30:29 +0100",
  300. "brakeman_version": "4.4.0"
  301. }