closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9997 Commits
4 Branches
567 MiB
Tree: efffdd3778
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'efffdd3778'
${ noResults }
mastodon/config/brakeman.ignore

370 lines
17 KiB
Raw Normal View History

Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
5 years ago
Add E2EE API (#13820)
3 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
5 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add logging of admin actions (#5757) * Add logging of admin actions * Update brakeman whitelist * Log creates, updates and destroys with history of changes * i18n: Update Polish translation (#5782) Signed-off-by: Marcin Mikołajczak <me@m4sk.in> * Split admin navigation into moderation and administration * Redesign audit log page * 🇵🇱 (#5795) * Add color coding to audit log * Change dismiss->resolve, log all outcomes of report as resolve * Update terminology (e-mail blacklist) (#5796) * Update terminology (e-mail blacklist) imho looks better * Update en.yml * Fix code style issues * i18n-tasks normalize
6 years ago
Add E2EE API (#13820)
3 years ago
Add logging of admin actions (#5757) * Add logging of admin actions * Update brakeman whitelist * Log creates, updates and destroys with history of changes * i18n: Update Polish translation (#5782) Signed-off-by: Marcin Mikołajczak <me@m4sk.in> * Split admin navigation into moderation and administration * Redesign audit log page * 🇵🇱 (#5795) * Add color coding to audit log * Change dismiss->resolve, log all outcomes of report as resolve * Update terminology (e-mail blacklist) (#5796) * Update terminology (e-mail blacklist) imho looks better * Update en.yml * Fix code style issues * i18n-tasks normalize
6 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Add logging of admin actions (#5757) * Add logging of admin actions * Update brakeman whitelist * Log creates, updates and destroys with history of changes * i18n: Update Polish translation (#5782) Signed-off-by: Marcin Mikołajczak <me@m4sk.in> * Split admin navigation into moderation and administration * Redesign audit log page * 🇵🇱 (#5795) * Add color coding to audit log * Change dismiss->resolve, log all outcomes of report as resolve * Update terminology (e-mail blacklist) (#5796) * Update terminology (e-mail blacklist) imho looks better * Update en.yml * Fix code style issues * i18n-tasks normalize
6 years ago
Add E2EE API (#13820)
3 years ago
Add logging of admin actions (#5757) * Add logging of admin actions * Update brakeman whitelist * Log creates, updates and destroys with history of changes * i18n: Update Polish translation (#5782) Signed-off-by: Marcin Mikołajczak <me@m4sk.in> * Split admin navigation into moderation and administration * Redesign audit log page * 🇵🇱 (#5795) * Add color coding to audit log * Change dismiss->resolve, log all outcomes of report as resolve * Update terminology (e-mail blacklist) (#5796) * Update terminology (e-mail blacklist) imho looks better * Update en.yml * Fix code style issues * i18n-tasks normalize
6 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
5 years ago
Add E2EE API (#13820)
3 years ago
Allow joining several hashtags in a single column (#8904) * Nascent tag menu on frontend * Hook up frontend to search * Tag intersection backend first pass * Update yarnlock * WIP * Fix for tags not searching correctly * Make radio buttons function * Simplify radio buttons with modeOption * Better naming * Rearrange options * Add all/any/none functionality on backend * Small PR cleanup * Move to service from scope * Small cleanup, add proper service tests * Don't use send with user input :D * Set appropriate column header * Handle auto updating timeline * Fix up toggle function * Use tag value correctly * A bit more correct to use 'self' rather than 'all' in status scope * Fix some style issues * Fix more code style issues * Style select dropdown more better * Only use to_id'ed value to ensure no SQL injection * Revamp frontend to allow for multiple selects * Update backend / col header to account for more flexible tagging * Update brakeman ignore * Codeclimate suggestions * Fix presenter tag_url * Implement initial PR feedback * Handle additional tag streaming * CodeClimate tweak
5 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
6 years ago
Add E2EE API (#13820)
3 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
6 years ago
Add E2EE API (#13820)
3 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
6 years ago
Add E2EE API (#13820)
3 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Add E2EE API (#13820)
3 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Add E2EE API (#13820)
3 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
6 years ago
Set snowflake IDs for backdated statuses (#5260) - Rename Mastodon::TimestampIds into Mastodon::Snowflake for clarity - Skip for statuses coming from inbox, aka delivered in real-time - Skip for statuses that claim to be from the future
6 years ago
Show the local couterpart of emoji when it exists in /admin/custom_emojis (#5467) * Show the local couterpart of emoji when it exists in admin/custom_emojis * Fix indentation * Fix error * Add class table-action-link to Overwrite link * Make it enable to overwrite emojis * Make Code Climate happy
6 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Set snowflake IDs for backdated statuses (#5260) - Rename Mastodon::TimestampIds into Mastodon::Snowflake for clarity - Skip for statuses coming from inbox, aka delivered in real-time - Skip for statuses that claim to be from the future
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
3 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
3 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Add E2EE API (#13820)
3 years ago
Save video metadata and improve video OpenGraph tags (#6481) * Save metadata from video attachments, put correct dimensions into OG tags * Add twitter:player for videos * Fix code style and test
6 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add E2EE API (#13820)
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Add E2EE API (#13820)
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Add type, limit, offset, min_id, max_id, account_id to search API (#10091) * Add type, limit, offset, min_id, max_id, account_id to search API Fix #8939 * Make the offset work on accounts and hashtags search as well * Assure brakeman we are not doing mass assignment here * Do not allow paginating unless a type is chosen * Fix search query and index id field on statuses instead of created_at
5 years ago
Add remote interaction dialog for toots (#8202) * Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
5 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
Fix performance on instances list in admin UI (#15282) - Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
3 years ago
Enable CodeClimate Brakeman checks (#2861) * add brakeman to Gemfile * Enable CodeClimate brakeman checks * add config/brakeman.ignore
7 years ago
 
  1. {
  2.   "ignored_warnings": [
  3.     {
  4.       "warning_type": "SQL Injection",
  5.       "warning_code": 0,
  6.       "fingerprint": "04dbbc249b989db2e0119bbb0f59c9818e12889d2b97c529cdc0b1526002ba4b",
  7.       "check_name": "SQL",
  8.       "message": "Possible SQL injection",
  9.       "file": "app/models/report.rb",
  10.       "line": 112,
  11.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  12.       "code": "Admin::ActionLog.from(\"(#{[Admin::ActionLog.where(:target_type => \"Report\", :target_id => id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Account\", :target_id => target_account_id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Status\", :target_id => status_ids, :created_at => ((created_at..updated_at))).unscope(:order)].map do\n \"(#{query.to_sql})\"\n end.join(\" UNION ALL \")}) AS admin_action_logs\")",
  13.       "render_path": null,
  14.       "location": {
  15.         "type": "method",
  16.         "class": "Report",
  17.         "method": "history"
  18.       },
  19.       "user_input": "Admin::ActionLog.where(:target_type => \"Status\", :target_id => status_ids, :created_at => ((created_at..updated_at))).unscope(:order)",
  20.       "confidence": "High",
  21.       "note": ""
  22.     },
  23.     {
  24.       "warning_type": "SQL Injection",
  25.       "warning_code": 0,
  26.       "fingerprint": "19df3740b8d02a9fe0eb52c939b4b87d3a2a591162a6adfa8d64e9c26aeebe6d",
  27.       "check_name": "SQL",
  28.       "message": "Possible SQL injection",
  29.       "file": "app/models/status.rb",
  30.       "line": 100,
  31.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  32.       "code": "result.joins(\"INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
  33.       "render_path": null,
  34.       "location": {
  35.         "type": "method",
  36.         "class": "Status",
  37.         "method": null
  38.       },
  39.       "user_input": "id",
  40.       "confidence": "Weak",
  41.       "note": ""
  42.     },
  43.     {
  44.       "warning_type": "Dynamic Render Path",
  45.       "warning_code": 15,
  46.       "fingerprint": "20a660939f2bbf8c665e69f2844031c0564524689a9570a0091ed94846212020",
  47.       "check_name": "Render",
  48.       "message": "Render path contains parameter value",
  49.       "file": "app/views/admin/action_logs/index.html.haml",
  50.       "line": 26,
  51.       "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
  52.       "code": "render(action => Admin::ActionLogFilter.new(filter_params).results.page(params[:page]), {})",
  53.       "render_path": [
  54.         {
  55.           "type": "controller",
  56.           "class": "Admin::ActionLogsController",
  57.           "method": "index",
  58.           "line": 8,
  59.           "file": "app/controllers/admin/action_logs_controller.rb",
  60.           "rendered": {
  61.             "name": "admin/action_logs/index",
  62.             "file": "app/views/admin/action_logs/index.html.haml"
  63.           }
  64.         }
  65.       ],
  66.       "location": {
  67.         "type": "template",
  68.         "template": "admin/action_logs/index"
  69.       },
  70.       "user_input": "params[:page]",
  71.       "confidence": "Weak",
  72.       "note": ""
  73.     },
  74.     {
  75.       "warning_type": "Dynamic Render Path",
  76.       "warning_code": 15,
  77.       "fingerprint": "371fe16dc4c9d6ab08a20437d65be4825776107a67c38f6d4780a9c703cd44a5",
  78.       "check_name": "Render",
  79.       "message": "Render path contains parameter value",
  80.       "file": "app/views/admin/email_domain_blocks/index.html.haml",
  81.       "line": 17,
  82.       "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
  83.       "code": "render(action => EmailDomainBlock.where(:parent_id => nil).includes(:children).order(:id => :desc).page(params[:page]), {})",
  84.       "render_path": [
  85.         {
  86.           "type": "controller",
  87.           "class": "Admin::EmailDomainBlocksController",
  88.           "method": "index",
  89.           "line": 10,
  90.           "file": "app/controllers/admin/email_domain_blocks_controller.rb",
  91.           "rendered": {
  92.             "name": "admin/email_domain_blocks/index",
  93.             "file": "app/views/admin/email_domain_blocks/index.html.haml"
  94.           }
  95.         }
  96.       ],
  97.       "location": {
  98.         "type": "template",
  99.         "template": "admin/email_domain_blocks/index"
  100.       },
  101.       "user_input": "params[:page]",
  102.       "confidence": "Weak",
  103.       "note": ""
  104.     },
  105.     {
  106.       "warning_type": "Dynamic Render Path",
  107.       "warning_code": 15,
  108.       "fingerprint": "4704e8093e3e0561bf705f892e8fc6780419f8255f4440b1c0afd09339bd6446",
  109.       "check_name": "Render",
  110.       "message": "Render path contains parameter value",
  111.       "file": "app/views/admin/instances/index.html.haml",
  112.       "line": 39,
  113.       "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
  114.       "code": "render(action => filtered_instances.page(params[:page]), {})",
  115.       "render_path": [
  116.         {
  117.           "type": "controller",
  118.           "class": "Admin::InstancesController",
  119.           "method": "index",
  120.           "line": 10,
  121.           "file": "app/controllers/admin/instances_controller.rb",
  122.           "rendered": {
  123.             "name": "admin/instances/index",
  124.             "file": "app/views/admin/instances/index.html.haml"
  125.           }
  126.         }
  127.       ],
  128.       "location": {
  129.         "type": "template",
  130.         "template": "admin/instances/index"
  131.       },
  132.       "user_input": "params[:page]",
  133.       "confidence": "Weak",
  134.       "note": ""
  135.     },
  136.     {
  137.       "warning_type": "Redirect",
  138.       "warning_code": 18,
  139.       "fingerprint": "5fad11cd67f905fab9b1d5739d01384a1748ebe78c5af5ac31518201925265a7",
  140.       "check_name": "Redirect",
  141.       "message": "Possible unprotected redirect",
  142.       "file": "app/controllers/remote_interaction_controller.rb",
  143.       "line": 24,
  144.       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
  145.       "code": "redirect_to(RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id])))",
  146.       "render_path": null,
  147.       "location": {
  148.         "type": "method",
  149.         "class": "RemoteInteractionController",
  150.         "method": "create"
  151.       },
  152.       "user_input": "RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id]))",
  153.       "confidence": "High",
  154.       "note": ""
  155.     },
  156.     {
  157.       "warning_type": "SQL Injection",
  158.       "warning_code": 0,
  159.       "fingerprint": "6e4051854bb62e2ddbc671f82d6c2328892e1134b8b28105ecba9b0122540714",
  160.       "check_name": "SQL",
  161.       "message": "Possible SQL injection",
  162.       "file": "app/models/account.rb",
  163.       "line": 491,
  164.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  165.       "code": "find_by_sql([\"          WITH first_degree AS (\\n            SELECT target_account_id\\n            FROM follows\\n            WHERE account_id = ?\\n            UNION ALL\\n            SELECT ?\\n          )\\n          SELECT\\n            accounts.*,\\n            (count(f.id) + 1) * ts_rank_cd(#{textsearch}, #{query}, 32) AS rank\\n          FROM accounts\\n          LEFT OUTER JOIN follows AS f ON (accounts.id = f.account_id AND f.target_account_id = ?)\\n          WHERE accounts.id IN (SELECT * FROM first_degree)\\n            AND #{query} @@ #{textsearch}\\n            AND accounts.suspended_at IS NULL\\n            AND accounts.moved_to_account_id IS NULL\\n          GROUP BY accounts.id\\n          ORDER BY rank DESC\\n          LIMIT ? OFFSET ?\\n\".squish, account.id, account.id, account.id, limit, offset])",
  166.       "render_path": null,
  167.       "location": {
  168.         "type": "method",
  169.         "class": "Account",
  170.         "method": "advanced_search_for"
  171.       },
  172.       "user_input": "textsearch",
  173.       "confidence": "Medium",
  174.       "note": ""
  175.     },
  176.     {
  177.       "warning_type": "SQL Injection",
  178.       "warning_code": 0,
  179.       "fingerprint": "6f075c1484908e3ec9bed21ab7cf3c7866be8da3881485d1c82e13093aefcbd7",
  180.       "check_name": "SQL",
  181.       "message": "Possible SQL injection",
  182.       "file": "app/models/status.rb",
  183.       "line": 105,
  184.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  185.       "code": "result.joins(\"LEFT OUTER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
  186.       "render_path": null,
  187.       "location": {
  188.         "type": "method",
  189.         "class": "Status",
  190.         "method": null
  191.       },
  192.       "user_input": "id",
  193.       "confidence": "Weak",
  194.       "note": ""
  195.     },
  196.     {
  197.       "warning_type": "Mass Assignment",
  198.       "warning_code": 105,
  199.       "fingerprint": "7631e93d0099506e7c3e5c91ba8d88523b00a41a0834ae30031a5a4e8bb3020a",
  200.       "check_name": "PermitAttributes",
  201.       "message": "Potentially dangerous key allowed for mass assignment",
  202.       "file": "app/controllers/api/v2/search_controller.rb",
  203.       "line": 28,
  204.       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  205.       "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)",
  206.       "render_path": null,
  207.       "location": {
  208.         "type": "method",
  209.         "class": "Api::V2::SearchController",
  210.         "method": "search_params"
  211.       },
  212.       "user_input": ":account_id",
  213.       "confidence": "High",
  214.       "note": ""
  215.     },
  216.     {
  217.       "warning_type": "SQL Injection",
  218.       "warning_code": 0,
  219.       "fingerprint": "9251d682c4e2840e1b2fea91e7d758efe2097ecb7f6255c065e3750d25eb178c",
  220.       "check_name": "SQL",
  221.       "message": "Possible SQL injection",
  222.       "file": "app/models/account.rb",
  223.       "line": 460,
  224.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  225.       "code": "find_by_sql([\"        SELECT\\n          accounts.*,\\n          ts_rank_cd(#{textsearch}, #{query}, 32) AS rank\\n        FROM accounts\\n        WHERE #{query} @@ #{textsearch}\\n          AND accounts.suspended_at IS NULL\\n          AND accounts.moved_to_account_id IS NULL\\n        ORDER BY rank DESC\\n        LIMIT ? OFFSET ?\\n\".squish, limit, offset])",
  226.       "render_path": null,
  227.       "location": {
  228.         "type": "method",
  229.         "class": "Account",
  230.         "method": "search_for"
  231.       },
  232.       "user_input": "textsearch",
  233.       "confidence": "Medium",
  234.       "note": ""
  235.     },
  236.     {
  237.       "warning_type": "SQL Injection",
  238.       "warning_code": 0,
  239.       "fingerprint": "9ccb9ba6a6947400e187d515e0bf719d22993d37cfc123c824d7fafa6caa9ac3",
  240.       "check_name": "SQL",
  241.       "message": "Possible SQL injection",
  242.       "file": "lib/mastodon/snowflake.rb",
  243.       "line": 87,
  244.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  245.       "code": "connection.execute(\"        CREATE OR REPLACE FUNCTION timestamp_id(table_name text)\\n        RETURNS bigint AS\\n        $$\\n          DECLARE\\n            time_part bigint;\\n            sequence_base bigint;\\n            tail bigint;\\n          BEGIN\\n            time_part := (\\n              -- Get the time in milliseconds\\n              ((date_part('epoch', now()) * 1000))::bigint\\n              -- And shift it over two bytes\\n              << 16);\\n\\n            sequence_base := (\\n              'x' ||\\n              -- Take the first two bytes (four hex characters)\\n              substr(\\n                -- Of the MD5 hash of the data we documented\\n                md5(table_name ||\\n                  '#{SecureRandom.hex(16)}' ||\\n                  time_part::text\\n                ),\\n                1, 4\\n              )\\n            -- And turn it into a bigint\\n            )::bit(16)::bigint;\\n\\n            -- Finally, add our sequence number to our base, and chop\\n            -- it to the last two bytes\\n            tail := (\\n              (sequence_base + nextval(table_name || '_id_seq'))\\n              & 65535);\\n\\n            -- Return the time part and the sequence part. OR appears\\n            -- faster here than addition, but they're equivalent:\\n            -- time_part has no trailing two bytes, and tail is only\\n            -- the last two bytes.\\n            RETURN time_part | tail;\\n          END\\n        $$ LANGUAGE plpgsql VOLATILE;\\n\")",
  246.       "render_path": null,
  247.       "location": {
  248.         "type": "method",
  249.         "class": "Mastodon::Snowflake",
  250.         "method": "define_timestamp_id"
  251.       },
  252.       "user_input": "SecureRandom.hex(16)",
  253.       "confidence": "Medium",
  254.       "note": ""
  255.     },
  256.     {
  257.       "warning_type": "Dynamic Render Path",
  258.       "warning_code": 15,
  259.       "fingerprint": "9f31d941f3910dba2e9bfcd81aef4513249bd24c02d0f98e13ad44fdeeccd0e8",
  260.       "check_name": "Render",
  261.       "message": "Render path contains parameter value",
  262.       "file": "app/views/admin/accounts/index.html.haml",
  263.       "line": 54,
  264.       "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
  265.       "code": "render(action => filtered_accounts.page(params[:page]), {})",
  266.       "render_path": [
  267.         {
  268.           "type": "controller",
  269.           "class": "Admin::AccountsController",
  270.           "method": "index",
  271.           "line": 12,
  272.           "file": "app/controllers/admin/accounts_controller.rb",
  273.           "rendered": {
  274.             "name": "admin/accounts/index",
  275.             "file": "app/views/admin/accounts/index.html.haml"
  276.           }
  277.         }
  278.       ],
  279.       "location": {
  280.         "type": "template",
  281.         "template": "admin/accounts/index"
  282.       },
  283.       "user_input": "params[:page]",
  284.       "confidence": "Weak",
  285.       "note": ""
  286.     },
  287.     {
  288.       "warning_type": "Redirect",
  289.       "warning_code": 18,
  290.       "fingerprint": "ba568ac09683f98740f663f3d850c31785900215992e8c090497d359a2563d50",
  291.       "check_name": "Redirect",
  292.       "message": "Possible unprotected redirect",
  293.       "file": "app/controllers/remote_follow_controller.rb",
  294.       "line": 21,
  295.       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
  296.       "code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(@account))",
  297.       "render_path": null,
  298.       "location": {
  299.         "type": "method",
  300.         "class": "RemoteFollowController",
  301.         "method": "create"
  302.       },
  303.       "user_input": "RemoteFollow.new(resource_params).subscribe_address_for(@account)",
  304.       "confidence": "High",
  305.       "note": ""
  306.     },
  307.     {
  308.       "warning_type": "Redirect",
  309.       "warning_code": 18,
  310.       "fingerprint": "ba699ddcc6552c422c4ecd50d2cd217f616a2446659e185a50b05a0f2dad8d33",
  311.       "check_name": "Redirect",
  312.       "message": "Possible unprotected redirect",
  313.       "file": "app/controllers/media_controller.rb",
  314.       "line": 20,
  315.       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
  316.       "code": "redirect_to(MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original))",
  317.       "render_path": null,
  318.       "location": {
  319.         "type": "method",
  320.         "class": "MediaController",
  321.         "method": "show"
  322.       },
  323.       "user_input": "MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original)",
  324.       "confidence": "High",
  325.       "note": ""
  326.     },
  327.     {
  328.       "warning_type": "SQL Injection",
  329.       "warning_code": 0,
  330.       "fingerprint": "e21d8fee7a5805761679877ca35ed1029c64c45ef3b4012a30262623e1ba8bb9",
  331.       "check_name": "SQL",
  332.       "message": "Possible SQL injection",
  333.       "file": "app/models/account.rb",
  334.       "line": 507,
  335.       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  336.       "code": "find_by_sql([\"          SELECT\\n            accounts.*,\\n            (count(f.id) + 1) * ts_rank_cd(#{textsearch}, #{query}, 32) AS rank\\n          FROM accounts\\n          LEFT OUTER JOIN follows AS f ON (accounts.id = f.account_id AND f.target_account_id = ?) OR (accounts.id = f.target_account_id AND f.account_id = ?)\\n          WHERE #{query} @@ #{textsearch}\\n            AND accounts.suspended_at IS NULL\\n            AND accounts.moved_to_account_id IS NULL\\n          GROUP BY accounts.id\\n          ORDER BY rank DESC\\n          LIMIT ? OFFSET ?\\n\".squish, account.id, account.id, limit, offset])",
  337.       "render_path": null,
  338.       "location": {
  339.         "type": "method",
  340.         "class": "Account",
  341.         "method": "advanced_search_for"
  342.       },
  343.       "user_input": "textsearch",
  344.       "confidence": "Medium",
  345.       "note": ""
  346.     },
  347.     {
  348.       "warning_type": "Mass Assignment",
  349.       "warning_code": 105,
  350.       "fingerprint": "e867661b2c9812bc8b75a5df12b28e2a53ab97015de0638b4e732fe442561b28",
  351.       "check_name": "PermitAttributes",
  352.       "message": "Potentially dangerous key allowed for mass assignment",
  353.       "file": "app/controllers/api/v1/reports_controller.rb",
  354.       "line": 36,
  355.       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
  356.       "code": "params.permit(:account_id, :comment, :forward, :status_ids => ([]))",
  357.       "render_path": null,
  358.       "location": {
  359.         "type": "method",
  360.         "class": "Api::V1::ReportsController",
  361.         "method": "report_params"
  362.       },
  363.       "user_input": ":account_id",
  364.       "confidence": "High",
  365.       "note": ""
  366.     }
  367.   ],
  368.   "updated": "2020-12-07 01:17:13 +0100",
  369.   "brakeman_version": "4.10.0"
  370. }