closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9274 Commits
4 Branches
567 MiB
Tree: ea13e80030
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ea13e80030'
${ noResults }
mastodon/config/brakeman.ignore

299 lines
13 KiB
Raw Normal View History

Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
5 years ago
Add E2EE API (#13820)
3 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
5 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add logging of admin actions (#5757) * Add logging of admin actions * Update brakeman whitelist * Log creates, updates and destroys with history of changes * i18n: Update Polish translation (#5782) Signed-off-by: Marcin Mikołajczak <me@m4sk.in> * Split admin navigation into moderation and administration * Redesign audit log page * 🇵🇱 (#5795) * Add color coding to audit log * Change dismiss->resolve, log all outcomes of report as resolve * Update terminology (e-mail blacklist) (#5796) * Update terminology (e-mail blacklist) imho looks better * Update en.yml * Fix code style issues * i18n-tasks normalize
6 years ago
Add E2EE API (#13820)
3 years ago
Add logging of admin actions (#5757) * Add logging of admin actions * Update brakeman whitelist * Log creates, updates and destroys with history of changes * i18n: Update Polish translation (#5782) Signed-off-by: Marcin Mikołajczak <me@m4sk.in> * Split admin navigation into moderation and administration * Redesign audit log page * 🇵🇱 (#5795) * Add color coding to audit log * Change dismiss->resolve, log all outcomes of report as resolve * Update terminology (e-mail blacklist) (#5796) * Update terminology (e-mail blacklist) imho looks better * Update en.yml * Fix code style issues * i18n-tasks normalize
6 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Add logging of admin actions (#5757) * Add logging of admin actions * Update brakeman whitelist * Log creates, updates and destroys with history of changes * i18n: Update Polish translation (#5782) Signed-off-by: Marcin Mikołajczak <me@m4sk.in> * Split admin navigation into moderation and administration * Redesign audit log page * 🇵🇱 (#5795) * Add color coding to audit log * Change dismiss->resolve, log all outcomes of report as resolve * Update terminology (e-mail blacklist) (#5796) * Update terminology (e-mail blacklist) imho looks better * Update en.yml * Fix code style issues * i18n-tasks normalize
6 years ago
Add E2EE API (#13820)
3 years ago
Add logging of admin actions (#5757) * Add logging of admin actions * Update brakeman whitelist * Log creates, updates and destroys with history of changes * i18n: Update Polish translation (#5782) Signed-off-by: Marcin Mikołajczak <me@m4sk.in> * Split admin navigation into moderation and administration * Redesign audit log page * 🇵🇱 (#5795) * Add color coding to audit log * Change dismiss->resolve, log all outcomes of report as resolve * Update terminology (e-mail blacklist) (#5796) * Update terminology (e-mail blacklist) imho looks better * Update en.yml * Fix code style issues * i18n-tasks normalize
6 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
5 years ago
Add E2EE API (#13820)
3 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
5 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
6 years ago
Add E2EE API (#13820)
3 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
6 years ago
Add E2EE API (#13820)
3 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
6 years ago
Add E2EE API (#13820)
3 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
6 years ago
Set snowflake IDs for backdated statuses (#5260) - Rename Mastodon::TimestampIds into Mastodon::Snowflake for clarity - Skip for statuses coming from inbox, aka delivered in real-time - Skip for statuses that claim to be from the future
6 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
6 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Set snowflake IDs for backdated statuses (#5260) - Rename Mastodon::TimestampIds into Mastodon::Snowflake for clarity - Skip for statuses coming from inbox, aka delivered in real-time - Skip for statuses that claim to be from the future
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
3 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
3 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
3 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add type, limit, offset, min_id, max_id, account_id to search API (#10091) * Add type, limit, offset, min_id, max_id, account_id to search API Fix #8939 * Make the offset work on accounts and hashtags search as well * Assure brakeman we are not doing mass assignment here * Do not allow paginating unless a type is chosen * Fix search query and index id field on statuses instead of created_at
5 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
 
  1. {
  2.   "ignored_warnings": [
  3.     {
  4.       "warning_type": "SQL Injection",
  5.       "warning_code": 0,
  6.       "fingerprint": "04dbbc249b989db2e0119bbb0f59c9818e12889d2b97c529cdc0b1526002ba4b",
  7.       "check_name": "SQL",
  8.       "message": "Possible SQL injection",
  9.       "file": "app/models/report.rb",
  10.       "line": 112,
  11.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  12.       "code": "Admin::ActionLog.from(\"(#{[Admin::ActionLog.where(:target_type => \"Report\", :target_id => id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Account\", :target_id => target_account_id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Status\", :target_id => status_ids, :created_at => ((created_at..updated_at))).unscope(:order)].map do\n \"(#{query.to_sql})\"\n end.join(\" UNION ALL \")}) AS admin_action_logs\")",
  13.       "render_path": null,
  14.       "location": {
  15.         "type": "method",
  16.         "class": "Report",
  17.         "method": "history"
  18.       },
  19.       "user_input": "Admin::ActionLog.where(:target_type => \"Status\", :target_id => status_ids, :created_at => ((created_at..updated_at))).unscope(:order)",
  20.       "confidence": "High",
  21.       "note": ""
  22.     },
  23.     {
  24.       "warning_type": "SQL Injection",
  25.       "warning_code": 0,
  26.       "fingerprint": "19df3740b8d02a9fe0eb52c939b4b87d3a2a591162a6adfa8d64e9c26aeebe6d",
  27.       "check_name": "SQL",
  28.       "message": "Possible SQL injection",
  29.       "file": "app/models/status.rb",
  30.       "line": 100,
  31.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  32.       "code": "result.joins(\"INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
  33.       "render_path": null,
  34.       "location": {
  35.         "type": "method",
  36.         "class": "Status",
  37.         "method": null
  38.       },
  39.       "user_input": "id",
  40.       "confidence": "Weak",
  41.       "note": ""
  42.     },
  43.     {
  44.       "warning_type": "Dynamic Render Path",
  45.       "warning_code": 15,
  46.       "fingerprint": "20a660939f2bbf8c665e69f2844031c0564524689a9570a0091ed94846212020",
  47.       "check_name": "Render",
  48.       "message": "Render path contains parameter value",
  49.       "file": "app/views/admin/action_logs/index.html.haml",
  50.       "line": 26,
  51.       "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
  52.       "code": "render(action => Admin::ActionLogFilter.new(filter_params).results.page(params[:page]), {})",
  53.       "render_path": [
  54.         {
  55.           "type": "controller",
  56.           "class": "Admin::ActionLogsController",
  57.           "method": "index",
  58.           "line": 8,
  59.           "file": "app/controllers/admin/action_logs_controller.rb",
  60.           "rendered": {
  61.             "name": "admin/action_logs/index",
  62.             "file": "app/views/admin/action_logs/index.html.haml"
  63.           }
  64.         }
  65.       ],
  66.       "location": {
  67.         "type": "template",
  68.         "template": "admin/action_logs/index"
  69.       },
  70.       "user_input": "params[:page]",
  71.       "confidence": "Weak",
  72.       "note": ""
  73.     },
  74.     {
  75.       "warning_type": "Dynamic Render Path",
  76.       "warning_code": 15,
  77.       "fingerprint": "371fe16dc4c9d6ab08a20437d65be4825776107a67c38f6d4780a9c703cd44a5",
  78.       "check_name": "Render",
  79.       "message": "Render path contains parameter value",
  80.       "file": "app/views/admin/email_domain_blocks/index.html.haml",
  81.       "line": 17,
  82.       "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
  83.       "code": "render(action => EmailDomainBlock.where(:parent_id => nil).includes(:children).order(:id => :desc).page(params[:page]), {})",
  84.       "render_path": [
  85.         {
  86.           "type": "controller",
  87.           "class": "Admin::EmailDomainBlocksController",
  88.           "method": "index",
  89.           "line": 10,
  90.           "file": "app/controllers/admin/email_domain_blocks_controller.rb",
  91.           "rendered": {
  92.             "name": "admin/email_domain_blocks/index",
  93.             "file": "app/views/admin/email_domain_blocks/index.html.haml"
  94.           }
  95.         }
  96.       ],
  97.       "location": {
  98.         "type": "template",
  99.         "template": "admin/email_domain_blocks/index"
  100.       },
  101.       "user_input": "params[:page]",
  102.       "confidence": "Weak",
  103.       "note": ""
  104.     },
  105.     {
  106.       "warning_type": "Redirect",
  107.       "warning_code": 18,
  108.       "fingerprint": "5fad11cd67f905fab9b1d5739d01384a1748ebe78c5af5ac31518201925265a7",
  109.       "check_name": "Redirect",
  110.       "message": "Possible unprotected redirect",
  111.       "file": "app/controllers/remote_interaction_controller.rb",
  112.       "line": 24,
  113.       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
  114.       "code": "redirect_to(RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id])))",
  115.       "render_path": null,
  116.       "location": {
  117.         "type": "method",
  118.         "class": "RemoteInteractionController",
  119.         "method": "create"
  120.       },
  121.       "user_input": "RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id]))",
  122.       "confidence": "High",
  123.       "note": ""
  124.     },
  125.     {
  126.       "warning_type": "SQL Injection",
  127.       "warning_code": 0,
  128.       "fingerprint": "6f075c1484908e3ec9bed21ab7cf3c7866be8da3881485d1c82e13093aefcbd7",
  129.       "check_name": "SQL",
  130.       "message": "Possible SQL injection",
  131.       "file": "app/models/status.rb",
  132.       "line": 105,
  133.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  134.       "code": "result.joins(\"LEFT OUTER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
  135.       "render_path": null,
  136.       "location": {
  137.         "type": "method",
  138.         "class": "Status",
  139.         "method": null
  140.       },
  141.       "user_input": "id",
  142.       "confidence": "Weak",
  143.       "note": ""
  144.     },
  145.     {
  146.       "warning_type": "Mass Assignment",
  147.       "warning_code": 105,
  148.       "fingerprint": "7631e93d0099506e7c3e5c91ba8d88523b00a41a0834ae30031a5a4e8bb3020a",
  149.       "check_name": "PermitAttributes",
  150.       "message": "Potentially dangerous key allowed for mass assignment",
  151.       "file": "app/controllers/api/v2/search_controller.rb",
  152.       "line": 28,
  153.       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  154.       "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)",
  155.       "render_path": null,
  156.       "location": {
  157.         "type": "method",
  158.         "class": "Api::V2::SearchController",
  159.         "method": "search_params"
  160.       },
  161.       "user_input": ":account_id",
  162.       "confidence": "High",
  163.       "note": ""
  164.     },
  165.     {
  166.       "warning_type": "Mass Assignment",
  167.       "warning_code": 105,
  168.       "fingerprint": "8f63dec68951d9bcf7eddb15af9392b2e1333003089c41fb76688dfd3579f394",
  169.       "check_name": "PermitAttributes",
  170.       "message": "Potentially dangerous key allowed for mass assignment",
  171.       "file": "app/controllers/api/v1/crypto/deliveries_controller.rb",
  172.       "line": 23,
  173.       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  174.       "code": "params.require(:device).permit(:account_id, :device_id, :type, :body, :hmac)",
  175.       "render_path": null,
  176.       "location": {
  177.         "type": "method",
  178.         "class": "Api::V1::Crypto::DeliveriesController",
  179.         "method": "resource_params"
  180.       },
  181.       "user_input": ":account_id",
  182.       "confidence": "High",
  183.       "note": ""
  184.     },
  185.     {
  186.       "warning_type": "SQL Injection",
  187.       "warning_code": 0,
  188.       "fingerprint": "9ccb9ba6a6947400e187d515e0bf719d22993d37cfc123c824d7fafa6caa9ac3",
  189.       "check_name": "SQL",
  190.       "message": "Possible SQL injection",
  191.       "file": "lib/mastodon/snowflake.rb",
  192.       "line": 87,
  193.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  194.       "code": "connection.execute(\"        CREATE OR REPLACE FUNCTION timestamp_id(table_name text)\\n        RETURNS bigint AS\\n        $$\\n          DECLARE\\n            time_part bigint;\\n            sequence_base bigint;\\n            tail bigint;\\n          BEGIN\\n            time_part := (\\n              -- Get the time in milliseconds\\n              ((date_part('epoch', now()) * 1000))::bigint\\n              -- And shift it over two bytes\\n              << 16);\\n\\n            sequence_base := (\\n              'x' ||\\n              -- Take the first two bytes (four hex characters)\\n              substr(\\n                -- Of the MD5 hash of the data we documented\\n                md5(table_name ||\\n                  '#{SecureRandom.hex(16)}' ||\\n                  time_part::text\\n                ),\\n                1, 4\\n              )\\n            -- And turn it into a bigint\\n            )::bit(16)::bigint;\\n\\n            -- Finally, add our sequence number to our base, and chop\\n            -- it to the last two bytes\\n            tail := (\\n              (sequence_base + nextval(table_name || '_id_seq'))\\n              & 65535);\\n\\n            -- Return the time part and the sequence part. OR appears\\n            -- faster here than addition, but they're equivalent:\\n            -- time_part has no trailing two bytes, and tail is only\\n            -- the last two bytes.\\n            RETURN time_part | tail;\\n          END\\n        $$ LANGUAGE plpgsql VOLATILE;\\n\")",
  195.       "render_path": null,
  196.       "location": {
  197.         "type": "method",
  198.         "class": "Mastodon::Snowflake",
  199.         "method": "define_timestamp_id"
  200.       },
  201.       "user_input": "SecureRandom.hex(16)",
  202.       "confidence": "Medium",
  203.       "note": ""
  204.     },
  205.     {
  206.       "warning_type": "Dynamic Render Path",
  207.       "warning_code": 15,
  208.       "fingerprint": "9f31d941f3910dba2e9bfcd81aef4513249bd24c02d0f98e13ad44fdeeccd0e8",
  209.       "check_name": "Render",
  210.       "message": "Render path contains parameter value",
  211.       "file": "app/views/admin/accounts/index.html.haml",
  212.       "line": 54,
  213.       "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
  214.       "code": "render(action => filtered_accounts.page(params[:page]), {})",
  215.       "render_path": [
  216.         {
  217.           "type": "controller",
  218.           "class": "Admin::AccountsController",
  219.           "method": "index",
  220.           "line": 12,
  221.           "file": "app/controllers/admin/accounts_controller.rb",
  222.           "rendered": {
  223.             "name": "admin/accounts/index",
  224.             "file": "app/views/admin/accounts/index.html.haml"
  225.           }
  226.         }
  227.       ],
  228.       "location": {
  229.         "type": "template",
  230.         "template": "admin/accounts/index"
  231.       },
  232.       "user_input": "params[:page]",
  233.       "confidence": "Weak",
  234.       "note": ""
  235.     },
  236.     {
  237.       "warning_type": "Redirect",
  238.       "warning_code": 18,
  239.       "fingerprint": "ba568ac09683f98740f663f3d850c31785900215992e8c090497d359a2563d50",
  240.       "check_name": "Redirect",
  241.       "message": "Possible unprotected redirect",
  242.       "file": "app/controllers/remote_follow_controller.rb",
  243.       "line": 21,
  244.       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
  245.       "code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(@account))",
  246.       "render_path": null,
  247.       "location": {
  248.         "type": "method",
  249.         "class": "RemoteFollowController",
  250.         "method": "create"
  251.       },
  252.       "user_input": "RemoteFollow.new(resource_params).subscribe_address_for(@account)",
  253.       "confidence": "High",
  254.       "note": ""
  255.     },
  256.     {
  257.       "warning_type": "Redirect",
  258.       "warning_code": 18,
  259.       "fingerprint": "ba699ddcc6552c422c4ecd50d2cd217f616a2446659e185a50b05a0f2dad8d33",
  260.       "check_name": "Redirect",
  261.       "message": "Possible unprotected redirect",
  262.       "file": "app/controllers/media_controller.rb",
  263.       "line": 20,
  264.       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
  265.       "code": "redirect_to(MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original))",
  266.       "render_path": null,
  267.       "location": {
  268.         "type": "method",
  269.         "class": "MediaController",
  270.         "method": "show"
  271.       },
  272.       "user_input": "MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original)",
  273.       "confidence": "High",
  274.       "note": ""
  275.     },
  276.     {
  277.       "warning_type": "Mass Assignment",
  278.       "warning_code": 105,
  279.       "fingerprint": "e867661b2c9812bc8b75a5df12b28e2a53ab97015de0638b4e732fe442561b28",
  280.       "check_name": "PermitAttributes",
  281.       "message": "Potentially dangerous key allowed for mass assignment",
  282.       "file": "app/controllers/api/v1/reports_controller.rb",
  283.       "line": 36,
  284.       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  285.       "code": "params.permit(:account_id, :comment, :forward, :status_ids => ([]))",
  286.       "render_path": null,
  287.       "location": {
  288.         "type": "method",
  289.         "class": "Api::V1::ReportsController",
  290.         "method": "report_params"
  291.       },
  292.       "user_input": ":account_id",
  293.       "confidence": "High",
  294.       "note": ""
  295.     }
  296.   ],
  297.   "updated": "2020-06-01 18:18:02 +0200",
  298.   "brakeman_version": "4.8.0"
  299. }