Skip to content

Commit

Permalink
Ignore FranceConnect warning as translation breaks injection
Browse files Browse the repository at this point in the history
  • Loading branch information
maatinito committed Feb 13, 2024
1 parent e345957 commit 508cb29
Showing 1 changed file with 38 additions and 4 deletions.
42 changes: 38 additions & 4 deletions config/brakeman.ignore
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
"type": "controller",
"class": "Users::DossiersController",
"method": "merci",
"line": 291,
"line": 311,
"file": "app/controllers/users/dossiers_controller.rb",
"rendered": {
"name": "users/dossiers/merci",
Expand Down Expand Up @@ -85,7 +85,7 @@
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/graphql/connections/cursor_connection.rb",
"line": 66,
"line": 134,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "items.order(order_column => ((:desc or :asc)), :id => ((:desc or :asc))).limit(limit).where(\"(#{order_table}.#{order_column}, #{order_table}.id) < (?, ?)\", timestamp, id)",
"render_path": null,
Expand All @@ -108,7 +108,7 @@
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/graphql/connections/cursor_connection.rb",
"line": 69,
"line": 137,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "items.order(order_column => ((:desc or :asc)), :id => ((:desc or :asc))).limit(limit).where(\"(#{order_table}.#{order_column}, #{order_table}.id) > (?, ?)\", timestamp, id)",
"render_path": null,
Expand All @@ -124,6 +124,40 @@
],
"note": ""
},
{
"warning_type": "Cross-Site Scripting",
"warning_code": 2,
"fingerprint": "aee1320d481492d4ad69689a3f1442399545cfac16481029c25e0b08d4518fbf",
"check_name": "CrossSiteScripting",
"message": "Unescaped model attribute",
"file": "app/views/omniauth/merge.html.haml",
"line": 6,
"link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
"code": "t(\".subtitle\", :email => sanitize(FranceConnectInformation.find_by(:merge_token => merge_token_params).email_france_connect), :application_name => (APPLICATION_NAME), :provider => sanitize(t(\"omniauth.provider.#{provider_param}\")))",
"render_path": [
{
"type": "controller",
"class": "OmniauthController",
"method": "merge",
"line": 50,
"file": "app/controllers/omniauth_controller.rb",
"rendered": {
"name": "omniauth/merge",
"file": "app/views/omniauth/merge.html.haml"
}
}
],
"location": {
"type": "template",
"template": "omniauth/merge"
},
"user_input": "FranceConnectInformation.find_by(:merge_token => merge_token_params).email_france_connect",
"confidence": "Weak",
"cwe_id": [
79
],
"note": "added by pf"
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
Expand All @@ -148,6 +182,6 @@
"note": "The table and column are escaped, which should make this safe"
}
],
"updated": "2023-08-28 12:16:04 +0200",
"updated": "2024-02-12 14:58:28 -1000",
"brakeman_version": "5.4.1"
}

0 comments on commit 508cb29

Please sign in to comment.