brakeman.ignore 36 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959
  1. {
  2. "ignored_warnings": [
  3. {
  4. "warning_type": "Remote Code Execution",
  5. "warning_code": 24,
  6. "fingerprint": "0fcd117fd53301f531142fc075ee8d30219c1239affce9322f9939ac0572ba3b",
  7. "check_name": "UnsafeReflection",
  8. "message": "Unsafe reflection method `constantize` called on model attribute",
  9. "file": "app/models/ticket/number.rb",
  10. "line": 45,
  11. "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
  12. "code": "Setting.get(\"ticket_number\").constantize",
  13. "render_path": null,
  14. "location": {
  15. "type": "method",
  16. "class": "Ticket::Number",
  17. "method": "Ticket::Number.adapter"
  18. },
  19. "user_input": "Setting.get(\"ticket_number\")",
  20. "confidence": "Medium",
  21. "cwe_id": [
  22. 470
  23. ],
  24. "note": "Setting.get(\"ticket_number\") returns defined ticket number backend class names"
  25. },
  26. {
  27. "warning_type": "Denial of Service",
  28. "warning_code": 76,
  29. "fingerprint": "15d4ddbc3ac2ae0a0fe27218a42a1920fe2c1868ae5f504422c4af8ffe893beb",
  30. "check_name": "RegexDoS",
  31. "message": "Model attribute used in regular expression",
  32. "file": "app/models/channel/filter/monitoring_base.rb",
  33. "line": 92,
  34. "link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
  35. "code": "/#{(Setting.get(\"#{integration_name}_recovery_match\") or \"(OK|UP)\")}/i",
  36. "render_path": null,
  37. "location": {
  38. "type": "method",
  39. "class": "Channel::Filter::MonitoringBase",
  40. "method": "Channel::Filter::MonitoringBase.run"
  41. },
  42. "user_input": "Setting.get(\"#{integration_name}_recovery_match\")",
  43. "confidence": "Medium",
  44. "cwe_id": [
  45. 20,
  46. 185
  47. ],
  48. "note": "Admin configured RegExp"
  49. },
  50. {
  51. "warning_type": "Denial of Service",
  52. "warning_code": 76,
  53. "fingerprint": "15d4ddbc3ac2ae0a0fe27218a42a1920fe2c1868ae5f504422c4af8ffe893beb",
  54. "check_name": "RegexDoS",
  55. "message": "Model attribute used in regular expression",
  56. "file": "app/models/channel/filter/monitoring_base.rb",
  57. "line": 121,
  58. "link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
  59. "code": "/#{(Setting.get(\"#{integration_name}_recovery_match\") or \"(OK|UP)\")}/i",
  60. "render_path": null,
  61. "location": {
  62. "type": "method",
  63. "class": "Channel::Filter::MonitoringBase",
  64. "method": "Channel::Filter::MonitoringBase.run"
  65. },
  66. "user_input": "Setting.get(\"#{integration_name}_recovery_match\")",
  67. "confidence": "Medium",
  68. "cwe_id": [
  69. 20,
  70. 185
  71. ],
  72. "note": "Admin configured RegExp"
  73. },
  74. {
  75. "warning_type": "Remote Code Execution",
  76. "warning_code": 24,
  77. "fingerprint": "176994cedb6a57bc52f7a98b0fd93caad211f8f3b48fd010a5db164b37992e1f",
  78. "check_name": "UnsafeReflection",
  79. "message": "Unsafe reflection method `constantize` called on model attribute",
  80. "file": "app/models/avatar.rb",
  81. "line": 427,
  82. "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
  83. "code": "ObjectLookup.by_id(object_id).constantize",
  84. "render_path": null,
  85. "location": {
  86. "type": "method",
  87. "class": "Avatar",
  88. "method": "Avatar._add_init_avatar"
  89. },
  90. "user_input": "ObjectLookup.by_id(object_id)",
  91. "confidence": "Medium",
  92. "cwe_id": [
  93. 470
  94. ],
  95. "note": "ObjectLookup.by_id works as designed"
  96. },
  97. {
  98. "warning_type": "SQL Injection",
  99. "warning_code": 0,
  100. "fingerprint": "2251415d8897d2c79a5c952dd0fe57dadd5ca96defd67ccefa27fc7b5ab06148",
  101. "check_name": "SQL",
  102. "message": "Possible SQL injection",
  103. "file": "app/services/service/translation/search/collector/model.rb",
  104. "line": 28,
  105. "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  106. "code": "Translation.not_customized.where(\"locale = :locale AND (source #{like_operator} :query OR target #{like_operator} :query OR target_initial #{like_operator} :query)\", :locale => locale, :query => like_query)",
  107. "render_path": null,
  108. "location": {
  109. "type": "method",
  110. "class": "Service::Translation::Search::Collector::Model",
  111. "method": "search_by_query"
  112. },
  113. "user_input": "like_operator",
  114. "confidence": "Medium",
  115. "cwe_id": [
  116. 89
  117. ],
  118. "note": ""
  119. },
  120. {
  121. "warning_type": "Redirect",
  122. "warning_code": 18,
  123. "fingerprint": "2ebd9f5e35ae11122d5561fdbbef7432eeef6b34d7c61249365be7dc34cbfb82",
  124. "check_name": "Redirect",
  125. "message": "Possible unprotected redirect",
  126. "file": "app/controllers/external_credentials_controller.rb",
  127. "line": 38,
  128. "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
  129. "code": "redirect_to(ExternalCredential.request_account_to_link(params[:provider].downcase, params)[:authorize_url], :allow_other_host => true)",
  130. "render_path": null,
  131. "location": {
  132. "type": "method",
  133. "class": "ExternalCredentialsController",
  134. "method": "link_account"
  135. },
  136. "user_input": "ExternalCredential.request_account_to_link(params[:provider].downcase, params)[:authorize_url]",
  137. "confidence": "Weak",
  138. "cwe_id": [
  139. 601
  140. ],
  141. "note": ""
  142. },
  143. {
  144. "warning_type": "SQL Injection",
  145. "warning_code": 0,
  146. "fingerprint": "34d5d0f52def9a9fbcb045f4f16b0117cb22d59d8ab6184f3bddd057d81d7cd1",
  147. "check_name": "SQL",
  148. "message": "Possible SQL injection",
  149. "file": "app/models/channel/filter/internal_article_check.rb",
  150. "line": 31,
  151. "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  152. "code": "ticket.articles.where(\"ticket_articles.to #{Rails.application.config.db_like} ?\", \"%#{parse_email(mail[:from_email])}%\")",
  153. "render_path": null,
  154. "location": {
  155. "type": "method",
  156. "class": "Channel::Filter::InternalArticleCheck",
  157. "method": "Channel::Filter::InternalArticleCheck.last_outgoing_mail_is_internal?"
  158. },
  159. "user_input": "Rails.application.config.db_like",
  160. "confidence": "Weak",
  161. "cwe_id": [
  162. 89
  163. ],
  164. "note": "The db_like config setting is safe to use in an SQL string."
  165. },
  166. {
  167. "warning_type": "Denial of Service",
  168. "warning_code": 76,
  169. "fingerprint": "381781925211cac1f2592a6537f4abc050f98b081e5554b7d3d70a9454157e35",
  170. "check_name": "RegexDoS",
  171. "message": "Model attribute used in regular expression",
  172. "file": "app/models/ticket/number/increment.rb",
  173. "line": 47,
  174. "link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
  175. "code": "/(?<=\\W|^)#{Regexp.quote(Setting.get(\"ticket_hook\"))}\\s{0,2}(#{(\"\" or Setting.get(\"system_id\").to_s)}\\d{2,48})\\b/i",
  176. "render_path": null,
  177. "location": {
  178. "type": "method",
  179. "class": "Ticket::Number::Increment",
  180. "method": "Ticket::Number::Increment.check"
  181. },
  182. "user_input": "Setting.get(\"system_id\").to_s",
  183. "confidence": "Medium",
  184. "cwe_id": [
  185. 20,
  186. 185
  187. ],
  188. "note": "Admin configured RegExp"
  189. },
  190. {
  191. "warning_type": "Remote Code Execution",
  192. "warning_code": 24,
  193. "fingerprint": "3c69accdb245b8493b7455698a454c70c2246c14f46f24e28e1c5329cee9ffac",
  194. "check_name": "UnsafeReflection",
  195. "message": "Unsafe reflection method `constantize` called on model attribute",
  196. "file": "config/initializers/store_provider_check.rb",
  197. "line": 11,
  198. "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
  199. "code": "\"Store::Provider::#{Setting.get(\"storage_provider\")}\".constantize",
  200. "render_path": null,
  201. "location": null,
  202. "user_input": "Setting.get(\"storage_provider\")",
  203. "confidence": "Medium",
  204. "cwe_id": [
  205. 470
  206. ],
  207. "note": ""
  208. },
  209. {
  210. "warning_type": "SQL Injection",
  211. "warning_code": 0,
  212. "fingerprint": "49c4e60297a41654cfb9d8ac6b8232e0d3a68ee7ebd53f48b7c6d0ec6f830318",
  213. "check_name": "SQL",
  214. "message": "Possible SQL injection",
  215. "file": "app/services/service/translation/search/collector/macro.rb",
  216. "line": 11,
  217. "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  218. "code": "::Macro.where(\"name #{like_operator} :query\", :query => like_query)",
  219. "render_path": null,
  220. "location": {
  221. "type": "method",
  222. "class": "Service::Translation::Search::Collector::Macro",
  223. "method": "search_sources"
  224. },
  225. "user_input": "like_operator",
  226. "confidence": "Weak",
  227. "cwe_id": [
  228. 89
  229. ],
  230. "note": ""
  231. },
  232. {
  233. "warning_type": "Denial of Service",
  234. "warning_code": 76,
  235. "fingerprint": "4ea1b96c11cdde309b0f31defd8af9dc39dd7605a7bb18b13b122469a74a5a70",
  236. "check_name": "RegexDoS",
  237. "message": "Model attribute used in regular expression",
  238. "file": "app/models/channel/filter/monitoring_base.rb",
  239. "line": 115,
  240. "link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
  241. "code": "/#{(Setting.get(\"#{integration_name}_ignore_match\") or \"\")}/i",
  242. "render_path": null,
  243. "location": {
  244. "type": "method",
  245. "class": "Channel::Filter::MonitoringBase",
  246. "method": "Channel::Filter::MonitoringBase.run"
  247. },
  248. "user_input": "Setting.get(\"#{integration_name}_ignore_match\")",
  249. "confidence": "Medium",
  250. "cwe_id": [
  251. 20,
  252. 185
  253. ],
  254. "note": "Admin configured RegExp"
  255. },
  256. {
  257. "warning_type": "Remote Code Execution",
  258. "warning_code": 24,
  259. "fingerprint": "55248822583e32826f88a68e27568416fe1f101d83b02791c10296d2393b83a5",
  260. "check_name": "UnsafeReflection",
  261. "message": "Unsafe reflection method `constantize` called on model attribute",
  262. "file": "app/models/store/file.rb",
  263. "line": 32,
  264. "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
  265. "code": "\"Store::Provider::#{(Setting.get(\"storage_provider\") or \"DB\")}\".constantize",
  266. "render_path": null,
  267. "location": {
  268. "type": "method",
  269. "class": "File",
  270. "method": "s(:self).add"
  271. },
  272. "user_input": "Setting.get(\"storage_provider\")",
  273. "confidence": "Medium",
  274. "cwe_id": [
  275. 470
  276. ],
  277. "note": "Setting.get('storage_provider') returns defined Store::Provider backend class names"
  278. },
  279. {
  280. "warning_type": "Remote Code Execution",
  281. "warning_code": 24,
  282. "fingerprint": "582df3b442a09879f0c035b50f6c4fce9aa8285c907737476f16004246c67bc6",
  283. "check_name": "UnsafeReflection",
  284. "message": "Unsafe reflection method `safe_constantize` called on parameter value",
  285. "file": "app/controllers/tests_controller.rb",
  286. "line": 37,
  287. "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
  288. "code": "params.fetch(:exception, \"StandardError\").safe_constantize",
  289. "render_path": null,
  290. "location": {
  291. "type": "method",
  292. "class": "TestsController",
  293. "method": "error_raised_exception"
  294. },
  295. "user_input": "params.fetch(:exception, \"StandardError\")",
  296. "confidence": "High",
  297. "cwe_id": [
  298. 470
  299. ],
  300. "note": "Only for testing purposes"
  301. },
  302. {
  303. "warning_type": "SQL Injection",
  304. "warning_code": 0,
  305. "fingerprint": "6f9bc95786e5e3904c8cf11eaff8d481d057ac2a15edad0a753587047a9bd785",
  306. "check_name": "SQL",
  307. "message": "Possible SQL injection",
  308. "file": "app/services/service/translation/search/collector/overview.rb",
  309. "line": 11,
  310. "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  311. "code": "::Overview.where(\"name #{like_operator} :query\", :query => like_query)",
  312. "render_path": null,
  313. "location": {
  314. "type": "method",
  315. "class": "Service::Translation::Search::Collector::Overview",
  316. "method": "search_sources"
  317. },
  318. "user_input": "like_operator",
  319. "confidence": "Weak",
  320. "cwe_id": [
  321. 89
  322. ],
  323. "note": ""
  324. },
  325. {
  326. "warning_type": "Remote Code Execution",
  327. "warning_code": 24,
  328. "fingerprint": "73999042c4866cd2effe286fdd6a74c51659bc4a5fc760d1b96d35bd11b2bcda",
  329. "check_name": "UnsafeReflection",
  330. "message": "Unsafe reflection method `constantize` called on model attribute",
  331. "file": "lib/transaction_dispatcher.rb",
  332. "line": 37,
  333. "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
  334. "code": "Setting.get(setting.name).constantize",
  335. "render_path": null,
  336. "location": {
  337. "type": "method",
  338. "class": "TransactionDispatcher",
  339. "method": "s(:self).perform"
  340. },
  341. "user_input": "Setting.get(setting.name)",
  342. "confidence": "Medium",
  343. "cwe_id": [
  344. 470
  345. ],
  346. "note": "Setting.where(area: 'Transaction::Backend::Sync').order(:name) returns defined Transaction backend class names"
  347. },
  348. {
  349. "warning_type": "Dangerous Send",
  350. "warning_code": 23,
  351. "fingerprint": "73f7454b7fdc88e0fb9cfc849b74006956a7a031836897a0b61d8d13dde94340",
  352. "check_name": "Send",
  353. "message": "User controlled method execution",
  354. "file": "app/controllers/channels_sms_controller.rb",
  355. "line": 48,
  356. "link": "https://brakemanscanner.org/docs/warning_types/dangerous_send/",
  357. "code": "Channel.driver_class(params[:options][:adapter]).new.send(params[:options], test_options)",
  358. "render_path": null,
  359. "location": {
  360. "type": "method",
  361. "class": "ChannelsSmsController",
  362. "method": "test"
  363. },
  364. "user_input": "params[:options]",
  365. "confidence": "High",
  366. "cwe_id": [
  367. 77
  368. ],
  369. "note": "Channel#send is a custom implementation"
  370. },
  371. {
  372. "warning_type": "Remote Code Execution",
  373. "warning_code": 24,
  374. "fingerprint": "7541faf8d3249dc4ac24f9c354024614ae79b0d6cd4c057f034ea88be1154bf7",
  375. "check_name": "UnsafeReflection",
  376. "message": "Unsafe reflection method `constantize` called on model attribute",
  377. "file": "lib/application_lib.rb",
  378. "line": 26,
  379. "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
  380. "code": "Setting.get(setting).constantize",
  381. "render_path": null,
  382. "location": {
  383. "type": "method",
  384. "class": "ApplicationLib::ClassMethods",
  385. "method": "load_adapter_by_setting"
  386. },
  387. "user_input": "Setting.get(setting)",
  388. "confidence": "Medium",
  389. "cwe_id": [
  390. 470
  391. ],
  392. "note": "ApplicationLib.load_adapter_by_setting works as designed"
  393. },
  394. {
  395. "warning_type": "Denial of Service",
  396. "warning_code": 76,
  397. "fingerprint": "768e035d4bcb32ab79f5f747ccd5561d3c5f3a8ea74b2be08638d892be2249b2",
  398. "check_name": "RegexDoS",
  399. "message": "Model attribute used in regular expression",
  400. "file": "app/models/ticket/number/date.rb",
  401. "line": 49,
  402. "link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
  403. "code": "/(?<=\\W|^)#{Regexp.quote(Setting.get(\"ticket_hook\"))}\\s{0,2}(\\d{4,10}#{(Setting.get(\"system_id\") or \"\")}\\d{2,40})\\b/i",
  404. "render_path": null,
  405. "location": {
  406. "type": "method",
  407. "class": "Ticket::Number::Date",
  408. "method": "Ticket::Number::Date.check"
  409. },
  410. "user_input": "Setting.get(\"system_id\")",
  411. "confidence": "Medium",
  412. "cwe_id": [
  413. 20,
  414. 185
  415. ],
  416. "note": "Admin configured RegExp"
  417. },
  418. {
  419. "warning_type": "SSL Verification Bypass",
  420. "warning_code": 71,
  421. "fingerprint": "7d088914c00f93dddb545ad9e567d59bf89dad493884b550ba72c014c0190011",
  422. "check_name": "SSLVerify",
  423. "message": "SSL certificate verification was bypassed",
  424. "file": "lib/user_agent.rb",
  425. "line": 363,
  426. "link": "https://brakemanscanner.org/docs/warning_types/ssl_verification_bypass/",
  427. "code": "(Net::HTTP.Proxy($1, $2, ((options[\"proxy_username\"] or Setting.get(\"proxy_username\")) or nil), ((options[\"proxy_password\"] or Setting.get(\"proxy_password\")) or nil)).new(uri.host, uri.port) or Net::HTTP.new(uri.host, uri.port)).verify_mode = OpenSSL::SSL::VERIFY_NONE",
  428. "render_path": null,
  429. "location": {
  430. "type": "method",
  431. "class": "UserAgent",
  432. "method": "s(:self).get_http"
  433. },
  434. "user_input": null,
  435. "confidence": "High",
  436. "cwe_id": [
  437. 295
  438. ],
  439. "note": "SSL Verification can already be requested from callers. The default value should be switched to true at some point."
  440. },
  441. {
  442. "warning_type": "SQL Injection",
  443. "warning_code": 0,
  444. "fingerprint": "8374304b5866de51754c98208fc3dcd434bc20e02bd4c9713f6d35f831a0ddd7",
  445. "check_name": "SQL",
  446. "message": "Possible SQL injection",
  447. "file": "app/models/pgp_key.rb",
  448. "line": 32,
  449. "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  450. "code": "PGPKey.where(([\"#{SqlHelper.new(:object => (PGPKey)).array_contains_one(:email_addresses, uid.downcase)} OR (? LIKE domain_alias)\", SqlHelper.quote_like(uid.downcase)] or SqlHelper.new(:object => (PGPKey)).array_contains_one(:email_addresses, uid.downcase)))",
  451. "render_path": null,
  452. "location": {
  453. "type": "method",
  454. "class": "PGPKey",
  455. "method": "PGPKey.find_all_by_uid"
  456. },
  457. "user_input": "SqlHelper.new(:object => (PGPKey)).array_contains_one(:email_addresses, uid.downcase)",
  458. "confidence": "Medium",
  459. "cwe_id": [
  460. 89
  461. ],
  462. "note": ""
  463. },
  464. {
  465. "warning_type": "Remote Code Execution",
  466. "warning_code": 24,
  467. "fingerprint": "8db3b4731daa1ef96c53729b2fca4cc91b47af058564f61cba24833aacaa55ae",
  468. "check_name": "UnsafeReflection",
  469. "message": "Unsafe reflection method `constantize` called on model attribute",
  470. "file": "app/jobs/transaction_job.rb",
  471. "line": 25,
  472. "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
  473. "code": "Setting.get(setting.name).constantize",
  474. "render_path": null,
  475. "location": {
  476. "type": "method",
  477. "class": "TransactionJob",
  478. "method": "perform"
  479. },
  480. "user_input": "Setting.get(setting.name)",
  481. "confidence": "Medium",
  482. "cwe_id": [
  483. 470
  484. ],
  485. "note": "Setting.where(area: 'Transaction::Backend::Async').order(:name) returns defined Transaction backend class names"
  486. },
  487. {
  488. "warning_type": "SQL Injection",
  489. "warning_code": 0,
  490. "fingerprint": "9385240f75935e7ed242f9b52cc9471bcbb907d1990a33ec083f303d951df563",
  491. "check_name": "SQL",
  492. "message": "Possible SQL injection",
  493. "file": "app/models/taskbar/has_attachments.rb",
  494. "line": 7,
  495. "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  496. "code": "where(\"state LIKE '%#{SqlHelper.quote_like(\"form_id\")}%'\")",
  497. "render_path": null,
  498. "location": {
  499. "type": "method",
  500. "class": "Taskbar::HasAttachments",
  501. "method": null
  502. },
  503. "user_input": "SqlHelper.quote_like(\"form_id\")",
  504. "confidence": "Medium",
  505. "cwe_id": [
  506. 89
  507. ],
  508. "note": ""
  509. },
  510. {
  511. "warning_type": "Denial of Service",
  512. "warning_code": 76,
  513. "fingerprint": "949570adfbda072b1fa14632a6d7a0e829a632c699339dce93e1ff109bf79786",
  514. "check_name": "RegexDoS",
  515. "message": "Model attribute used in regular expression",
  516. "file": "app/models/ticket/number/increment.rb",
  517. "line": 41,
  518. "link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
  519. "code": "/(?<=\\W|^)#{Regexp.quote(Setting.get(\"ticket_hook\"))}#{Regexp.quote(Setting.get(\"ticket_hook_divider\").to_s)}(#{(\"\" or Setting.get(\"system_id\").to_s)}\\d{2,48})\\b/i",
  520. "render_path": null,
  521. "location": {
  522. "type": "method",
  523. "class": "Ticket::Number::Increment",
  524. "method": "Ticket::Number::Increment.check"
  525. },
  526. "user_input": "Setting.get(\"system_id\").to_s",
  527. "confidence": "Medium",
  528. "cwe_id": [
  529. 20,
  530. 185
  531. ],
  532. "note": "Admin configured RegExp"
  533. },
  534. {
  535. "warning_type": "SQL Injection",
  536. "warning_code": 0,
  537. "fingerprint": "9ec74dbe0ca90264aab31f05df4f0565f53e28477c93ced418e0249913c519fc",
  538. "check_name": "SQL",
  539. "message": "Possible SQL injection",
  540. "file": "app/models/organization/search.rb",
  541. "line": 133,
  542. "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  543. "code": "Organization.select(\"DISTINCT(organizations.id), #{::SqlHelper.new(:object => (self)).get_order_select(::SqlHelper.new(:object => (self)).get_sort_by(params, [\"active\", \"updated_at\"]), ::SqlHelper.new(:object => (self)).get_order_by(params, [\"desc\", \"desc\"]), \"organizations.updated_at\")}\")",
  544. "render_path": null,
  545. "location": {
  546. "type": "method",
  547. "class": "Organization",
  548. "method": "search"
  549. },
  550. "user_input": "::SqlHelper.new(:object => (self)).get_order_select(::SqlHelper.new(:object => (self)).get_sort_by(params, [\"active\", \"updated_at\"]), ::SqlHelper.new(:object => (self)).get_order_by(params, [\"desc\", \"desc\"]), \"organizations.updated_at\")",
  551. "confidence": "Medium",
  552. "cwe_id": [
  553. 89
  554. ],
  555. "note": "SqlHelper does properly escape table and column names."
  556. },
  557. {
  558. "warning_type": "Cross-Site Scripting",
  559. "warning_code": 2,
  560. "fingerprint": "a9e68e841f16226b94c736d272962dd57d02c2333ead2855f2494dfb2c994de7",
  561. "check_name": "CrossSiteScripting",
  562. "message": "Unescaped parameter value",
  563. "file": "app/views/knowledge_base/public/answers/show.html.erb",
  564. "line": 11,
  565. "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
  566. "code": "prepare_rich_text(find_answer(find_category(params[:category]).answers, params[:answer]).translation.content.body_with_urls)",
  567. "render_path": [
  568. {
  569. "type": "controller",
  570. "class": "KnowledgeBase::Public::AnswersController",
  571. "method": "show",
  572. "line": 11,
  573. "file": "app/controllers/knowledge_base/public/answers_controller.rb",
  574. "rendered": {
  575. "name": "knowledge_base/public/answers/show",
  576. "file": "app/views/knowledge_base/public/answers/show.html.erb"
  577. }
  578. }
  579. ],
  580. "location": {
  581. "type": "template",
  582. "template": "knowledge_base/public/answers/show"
  583. },
  584. "user_input": "params[:category]",
  585. "confidence": "Weak",
  586. "cwe_id": [
  587. 79
  588. ],
  589. "note": ""
  590. },
  591. {
  592. "warning_type": "Remote Code Execution",
  593. "warning_code": 24,
  594. "fingerprint": "b4e5b1ad22930f849b12cbdf519dced6ec46b6cc653504f0a8e910c0a9590d61",
  595. "check_name": "UnsafeReflection",
  596. "message": "Unsafe reflection method `constantize` called on model attribute",
  597. "file": "app/models/object_manager/attribute.rb",
  598. "line": 924,
  599. "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
  600. "code": "ObjectLookup.by_id(object_lookup_id).constantize",
  601. "render_path": null,
  602. "location": {
  603. "type": "method",
  604. "class": "ObjectManager::Attribute",
  605. "method": "check_name"
  606. },
  607. "user_input": "ObjectLookup.by_id(object_lookup_id)",
  608. "confidence": "Medium",
  609. "cwe_id": [
  610. 470
  611. ],
  612. "note": "ObjectLookup.by_id works as designed"
  613. },
  614. {
  615. "warning_type": "Command Injection",
  616. "warning_code": 14,
  617. "fingerprint": "be422b13e9cd280bc5ae570cd575777a4d48d8a53aed09bb59d1db85eee4927b",
  618. "check_name": "Execute",
  619. "message": "Possible command injection",
  620. "file": "lib/mysql_strategy.rb",
  621. "line": 62,
  622. "link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
  623. "code": "system(\"mysqldump #{mysql_arguments} > #{backup_file}\", :exception => true)",
  624. "render_path": null,
  625. "location": {
  626. "type": "method",
  627. "class": "MysqlStrategy",
  628. "method": "s(:self).backup"
  629. },
  630. "user_input": "mysql_arguments",
  631. "confidence": "Medium",
  632. "cwe_id": [
  633. 77
  634. ],
  635. "note": "Mysql arguments are internal / from config."
  636. },
  637. {
  638. "warning_type": "SQL Injection",
  639. "warning_code": 0,
  640. "fingerprint": "c3e251f444d988a200ae5c5e811dc7264337906df99740007bfa499c35e203c9",
  641. "check_name": "SQL",
  642. "message": "Possible SQL injection",
  643. "file": "app/services/service/translation/search/collector/priority.rb",
  644. "line": 11,
  645. "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  646. "code": "Ticket::Priority.where(\"name #{like_operator} :query\", :query => like_query)",
  647. "render_path": null,
  648. "location": {
  649. "type": "method",
  650. "class": "Service::Translation::Search::Collector::Priority",
  651. "method": "search_sources"
  652. },
  653. "user_input": "like_operator",
  654. "confidence": "Medium",
  655. "cwe_id": [
  656. 89
  657. ],
  658. "note": ""
  659. },
  660. {
  661. "warning_type": "Command Injection",
  662. "warning_code": 14,
  663. "fingerprint": "c47bddc058fcf0381c1a91f2d107606a76bb1a5c40130c555ff1dfec713f2775",
  664. "check_name": "Execute",
  665. "message": "Possible command injection",
  666. "file": "lib/secure_mailing/pgp/tool/exec/agent.rb",
  667. "line": 32,
  668. "link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
  669. "code": "Open3.capture3(\"GNUPGHOME\" => (@gnupg_home), *([\"#{File.dirname(binary_path)}/gpgconf\"] + cmdline), :binmode => true)",
  670. "render_path": null,
  671. "location": {
  672. "type": "method",
  673. "class": "SecureMailing::PGP::Tool::Exec::Agent",
  674. "method": "gpgconf"
  675. },
  676. "user_input": "File.dirname(binary_path)",
  677. "confidence": "Medium",
  678. "cwe_id": [
  679. 77
  680. ],
  681. "note": "gpg command line tool stuff."
  682. },
  683. {
  684. "warning_type": "Dynamic Render Path",
  685. "warning_code": 15,
  686. "fingerprint": "c52f57d32456c9ab6dba6dfc93bd8effa16829a87a9ce9368da83a35fc6cf1a7",
  687. "check_name": "Render",
  688. "message": "Render path contains parameter value",
  689. "file": "app/controllers/tests_controller.rb",
  690. "line": 13,
  691. "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
  692. "code": "render(action => params[:name], {})",
  693. "render_path": null,
  694. "location": {
  695. "type": "method",
  696. "class": "TestsController",
  697. "method": "show"
  698. },
  699. "user_input": "params[:name]",
  700. "confidence": "High",
  701. "cwe_id": [
  702. 22
  703. ],
  704. "note": "Running QUnit tests"
  705. },
  706. {
  707. "warning_type": "SQL Injection",
  708. "warning_code": 0,
  709. "fingerprint": "c686d86a18e1345c9216a074fb8cd86f1e4d4bc1f6d78c8f00891f4c13dfb849",
  710. "check_name": "SQL",
  711. "message": "Possible SQL injection",
  712. "file": "app/services/service/translation/search/collector/state.rb",
  713. "line": 11,
  714. "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  715. "code": "Ticket::State.where(\"name #{like_operator} :query\", :query => like_query)",
  716. "render_path": null,
  717. "location": {
  718. "type": "method",
  719. "class": "Service::Translation::Search::Collector::State",
  720. "method": "search_sources"
  721. },
  722. "user_input": "like_operator",
  723. "confidence": "Medium",
  724. "cwe_id": [
  725. 89
  726. ],
  727. "note": ""
  728. },
  729. {
  730. "warning_type": "SSL Verification Bypass",
  731. "warning_code": 71,
  732. "fingerprint": "c7311ebfec11c51dead99054a31ec84773b4d0d4848c11a15801c439d35d2171",
  733. "check_name": "SSLVerify",
  734. "message": "SSL certificate verification was bypassed",
  735. "file": "app/controllers/integration/exchange_controller.rb",
  736. "line": 93,
  737. "link": "https://brakemanscanner.org/docs/warning_types/ssl_verification_bypass/",
  738. "code": "Autodiscover::Client.new(:email => params[:user], :password => params[:password]).http.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE",
  739. "render_path": null,
  740. "location": {
  741. "type": "method",
  742. "class": "Integration::ExchangeController",
  743. "method": "autodiscover_basic_auth_check"
  744. },
  745. "user_input": null,
  746. "confidence": "High",
  747. "cwe_id": [
  748. 295
  749. ],
  750. "note": "Only if requester sends `:disable_ssl_verify` param"
  751. },
  752. {
  753. "warning_type": "Remote Code Execution",
  754. "warning_code": 24,
  755. "fingerprint": "d48809837203098f7be4803f19b4f180f93361030bcf145560c65582d44f8edc",
  756. "check_name": "UnsafeReflection",
  757. "message": "Unsafe reflection method `constantize` called on model attribute",
  758. "file": "app/models/channel/email_parser.rb",
  759. "line": 159,
  760. "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
  761. "code": "Setting.get(setting.name).constantize",
  762. "render_path": null,
  763. "location": {
  764. "type": "method",
  765. "class": "Channel::EmailParser",
  766. "method": "_process"
  767. },
  768. "user_input": "Setting.get(setting.name)",
  769. "confidence": "Medium",
  770. "cwe_id": [
  771. 470
  772. ],
  773. "note": "Setting.where(area: 'Postmaster::PreFilter').order(:name) returns defined postmaster backend class names"
  774. },
  775. {
  776. "warning_type": "Remote Code Execution",
  777. "warning_code": 24,
  778. "fingerprint": "d48809837203098f7be4803f19b4f180f93361030bcf145560c65582d44f8edc",
  779. "check_name": "UnsafeReflection",
  780. "message": "Unsafe reflection method `constantize` called on model attribute",
  781. "file": "app/models/channel/email_parser.rb",
  782. "line": 324,
  783. "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
  784. "code": "Setting.get(setting.name).constantize",
  785. "render_path": null,
  786. "location": {
  787. "type": "method",
  788. "class": "Channel::EmailParser",
  789. "method": "_process"
  790. },
  791. "user_input": "Setting.get(setting.name)",
  792. "confidence": "Medium",
  793. "cwe_id": [
  794. 470
  795. ],
  796. "note": "Setting.where(area: 'Postmaster::PreFilter').order(:name) returns defined postmaster backend class names"
  797. },
  798. {
  799. "warning_type": "Remote Code Execution",
  800. "warning_code": 24,
  801. "fingerprint": "d5d1526bf7a888d1965405d0e3dc5c63f11fe2de47f9704c0e1717ee0410dd6b",
  802. "check_name": "UnsafeReflection",
  803. "message": "Unsafe reflection method `safe_constantize` called on model attribute",
  804. "file": "app/models/online_notification.rb",
  805. "line": 38,
  806. "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
  807. "code": "ObjectLookup.by_id(object_lookup_id).safe_constantize",
  808. "render_path": null,
  809. "location": {
  810. "type": "method",
  811. "class": "OnlineNotification",
  812. "method": "related_object"
  813. },
  814. "user_input": "ObjectLookup.by_id(object_lookup_id)",
  815. "confidence": "Medium",
  816. "cwe_id": [
  817. 470
  818. ],
  819. "note": ""
  820. },
  821. {
  822. "warning_type": "Denial of Service",
  823. "warning_code": 76,
  824. "fingerprint": "ea2a3af842a48c9ef4dc8d142abd56978baa4823a598d2a76dc8f840799d6967",
  825. "check_name": "RegexDoS",
  826. "message": "Model attribute used in regular expression",
  827. "file": "app/models/ticket/number/date.rb",
  828. "line": 44,
  829. "link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
  830. "code": "/(?<=\\W|^)#{Regexp.quote(Setting.get(\"ticket_hook\"))}#{Regexp.quote((Setting.get(\"ticket_hook_divider\") or \"\"))}(\\d{4,10}#{(Setting.get(\"system_id\") or \"\")}\\d{2,40})\\b/i",
  831. "render_path": null,
  832. "location": {
  833. "type": "method",
  834. "class": "Ticket::Number::Date",
  835. "method": "Ticket::Number::Date.check"
  836. },
  837. "user_input": "Setting.get(\"system_id\")",
  838. "confidence": "Medium",
  839. "cwe_id": [
  840. 20,
  841. 185
  842. ],
  843. "note": "Admin configured RegExp"
  844. },
  845. {
  846. "warning_type": "Session Setting",
  847. "warning_code": 29,
  848. "fingerprint": "f0ee1cc1980474c82a013645508f002dcc801e00db5592f7dd8cd6bdb93c73fe",
  849. "check_name": "SessionSettings",
  850. "message": "Session secret should not be included in version control",
  851. "file": "config/secrets.yml",
  852. "line": 2,
  853. "link": "https://brakemanscanner.org/docs/warning_types/session_setting/",
  854. "code": null,
  855. "render_path": null,
  856. "location": null,
  857. "user_input": null,
  858. "confidence": "High",
  859. "cwe_id": [
  860. 798
  861. ],
  862. "note": "Since Sessions are stored in the database and not in cookies, the session secret is not used / not relevant.\""
  863. },
  864. {
  865. "warning_type": "Remote Code Execution",
  866. "warning_code": 24,
  867. "fingerprint": "fc299f57cedf226dc79a25c6bca84ceb85d5896a86820648d49c0e59d865575a",
  868. "check_name": "UnsafeReflection",
  869. "message": "Unsafe reflection method `constantize` called on model attribute",
  870. "file": "app/graphql/gql/resolvers/belongs_to_resolver.rb",
  871. "line": 18,
  872. "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
  873. "code": "ObjectLookup.by_id(object.send(field.through_key)).constantize",
  874. "render_path": null,
  875. "location": {
  876. "type": "method",
  877. "class": "Gql::Resolvers::BelongsToResolver",
  878. "method": "target_object_klass"
  879. },
  880. "user_input": "ObjectLookup.by_id(object.send(field.through_key))",
  881. "confidence": "Medium",
  882. "cwe_id": [
  883. 470
  884. ],
  885. "note": ""
  886. },
  887. {
  888. "warning_type": "SQL Injection",
  889. "warning_code": 0,
  890. "fingerprint": "fcad47a712a324ace0e97560767e5420500df03fd3de3057198800bdea5fd324",
  891. "check_name": "SQL",
  892. "message": "Possible SQL injection",
  893. "file": "lib/models.rb",
  894. "line": 172,
  895. "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  896. "code": "model_class.where(\"#{reflection_value.name}_id\" => object_id)",
  897. "render_path": null,
  898. "location": {
  899. "type": "method",
  900. "class": "Models",
  901. "method": "s(:self).references"
  902. },
  903. "user_input": "reflection_value.name",
  904. "confidence": "Weak",
  905. "cwe_id": [
  906. 89
  907. ],
  908. "note": "Reflections come from the models themselves and are thus safe to use."
  909. },
  910. {
  911. "warning_type": "SQL Injection",
  912. "warning_code": 0,
  913. "fingerprint": "fcad47a712a324ace0e97560767e5420500df03fd3de3057198800bdea5fd324",
  914. "check_name": "SQL",
  915. "message": "Possible SQL injection",
  916. "file": "lib/models.rb",
  917. "line": 185,
  918. "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
  919. "code": "model_class.where(\"#{reflection_value.name}_id\" => object_id)",
  920. "render_path": null,
  921. "location": {
  922. "type": "method",
  923. "class": "Models",
  924. "method": "s(:self).references"
  925. },
  926. "user_input": "reflection_value.name",
  927. "confidence": "Weak",
  928. "cwe_id": [
  929. 89
  930. ],
  931. "note": "Reflections come from the models themselves and are thus safe to use."
  932. },
  933. {
  934. "warning_type": "Command Injection",
  935. "warning_code": 14,
  936. "fingerprint": "fe15417756eed2c518c355309ee042b57df5f88a5410858dce3fa9fe9c893b84",
  937. "check_name": "Execute",
  938. "message": "Possible command injection",
  939. "file": "lib/mysql_strategy.rb",
  940. "line": 54,
  941. "link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
  942. "code": "system(\"mysql #{mysql_arguments} < #{backup_file}\", :exception => true)",
  943. "render_path": null,
  944. "location": {
  945. "type": "method",
  946. "class": "MysqlStrategy",
  947. "method": "s(:self).rollback"
  948. },
  949. "user_input": "mysql_arguments",
  950. "confidence": "Medium",
  951. "cwe_id": [
  952. 77
  953. ],
  954. "note": "Mysql arguments are internal / from config."
  955. }
  956. ],
  957. "updated": "2024-03-15 20:16:59 +0100",
  958. "brakeman_version": "6.1.2"
  959. }