{ "ignored_warnings": [ { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "011b2643940ba1112f7a737e403abe3616ad91764703c801cc35a48d36b721da", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/concerns/spree/product_scopes.rb", "line": 64, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "where(\"#{price_table_name}.amount <= ?\", price)", "render_path": null, "location": { "type": "method", "class": "Spree", "method": null }, "user_input": "price_table_name", "confidence": "Medium", "cwe_id": [ 89 ], "note": "interpolating table name" }, { "warning_type": "Redirect", "warning_code": 18, "fingerprint": "05d3870f66d650510c859a8949d5686b05eb028825083b096d0f65fedf80b118", "check_name": "Redirect", "message": "Possible unprotected redirect", "file": "lib/spree/core/controller_helpers/auth.rb", "line": 25, "link": "https://brakemanscanner.org/docs/warning_types/redirect/", "code": "redirect_to((session[\"spree_user_return_to\"] or (request.env[\"HTTP_REFERER\"] or default)))", "render_path": null, "location": { "type": "method", "class": "Spree::Core::ControllerHelpers::Auth", "method": "redirect_back_or_default" }, "user_input": "request.env[\"HTTP_REFERER\"]", "confidence": "High", "cwe_id": [ 601 ], "note": "" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "1c12fcb833b0ddffa07880acb7e604922c0d1d52de598316186241baf16551cd", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/finders/spree/taxons/find.rb", "line": 75, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "taxons.joins(\"INNER JOIN #{Spree::Taxon.table_name} AS parent_taxon ON parent_taxon.id = #{Spree::Taxon.table_name}.parent_id\").join_translation_table(Taxon, \"parent_taxon\").where([\"#{Taxon.translation_table_alias}.permalink = ?\", parent_permalink])", "render_path": null, "location": { "type": "method", "class": "Spree::Taxons::Find", "method": "by_parent_permalink" }, "user_input": "Taxon.translation_table_alias", "confidence": "Weak", "cwe_id": [ 89 ], "note": "" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "1f02952550c2f54d044c9577a45e7ba7c7990c8b8a59d1dac83a96790237f507", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/concerns/spree/product_scopes.rb", "line": 139, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "joins(:properties).join_translation_table(Property).join_translation_table(ProductProperty).where(\"#{ProductProperty.translation_table_alias}.value = ?\", value)", "render_path": null, "location": { "type": "method", "class": "Spree::ProductScopes", "method": null }, "user_input": "ProductProperty.translation_table_alias", "confidence": "Weak", "cwe_id": [ 89 ], "note": "" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "7928c0813a0bf084ead091b4554ef6abea9ae9c7167936f5c62da9e328b9f736", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/concerns/spree/product_scopes.rb", "line": 139, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "joins(:properties).join_translation_table(Property).join_translation_table(ProductProperty).where(\"#{ProductProperty.translation_table_alias}.value = ?\", value)", "render_path": null, "location": { "type": "method", "class": "Spree", "method": null }, "user_input": "ProductProperty.translation_table_alias", "confidence": "Weak", "cwe_id": [ 89 ], "note": "" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "857c335935a00f584137f31dbcb1a4532af5c8bb5cf53a86058b4af98c6597dc", "check_name": "SQL", "message": "Possible SQL injection", "file": "lib/spree/translation_migrations.rb", "line": 21, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "ActiveRecord::Base.connection.execute(\"\\n UPDATE #{resource_class.table_name}\\n SET #{resource_class.translatable_fields.map do\n \"#{f}=null\"\n end.join(\", \")};\\n \")", "render_path": null, "location": { "type": "method", "class": "Spree::TranslationMigrations", "method": "transfer_translation_data" }, "user_input": "resource_class.translatable_fields.map do\n \"#{f}=null\"\n end.join(\", \")", "confidence": "Medium", "cwe_id": [ 89 ], "note": "" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "965d3919f811ab63b7b8d62da528559a7f38dc122c57efea7136e7ec5ef1f062", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/concerns/spree/product_scopes.rb", "line": 68, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "where(\"#{price_table_name}.amount >= ?\", price)", "render_path": null, "location": { "type": "method", "class": "Spree::ProductScopes", "method": null }, "user_input": "price_table_name", "confidence": "Medium", "cwe_id": [ 89 ], "note": "interpolating table name" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "98607ecfb86c2d3c2567390f813861edbc42d6ffa9f482afb7c0b3464eaf6e73", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/concerns/spree/translatable_resource_scopes.rb", "line": 18, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "joins(\"LEFT OUTER JOIN #{translatable_class::Translation.table_name} #{translatable_class.translation_table_alias}\\n ON #{translatable_class.translation_table_alias}.#{\"#{translatable_class.table_name.singularize}_id\"} = #{(translatable_class.table_name or join_on_table_alias)}.id\\n AND #{translatable_class.translation_table_alias}.locale = '#{Mobility.locale}'\")", "render_path": null, "location": { "type": "method", "class": "Spree::TranslatableResourceScopes", "method": "join_translation_table" }, "user_input": "translatable_class.translation_table_alias", "confidence": "Medium", "cwe_id": [ 89 ], "note": "" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "abd8e90e7a7dfbcdcd6d44fd3fb550598aee6d7a9ef2bb132ad1a18a3c50be30", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/concerns/spree/product_scopes.rb", "line": 64, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "where(\"#{price_table_name}.amount <= ?\", price)", "render_path": null, "location": { "type": "method", "class": "Spree::ProductScopes", "method": null }, "user_input": "price_table_name", "confidence": "Medium", "cwe_id": [ 89 ], "note": "interpolating table name" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "c1c97347a2d74ea41d46519e3bfbd94c511a1bd9c285f3f2a1fa0cb7e624d232", "check_name": "SQL", "message": "Possible SQL injection", "file": "lib/spree/translation_migrations.rb", "line": 32, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "ActiveRecord::Base.connection.execute(\"\\n UPDATE #{resource_class.table_name}\\n SET (#{resource_class.translatable_fields.join(\", \")}) = #{(\"ROW\" or \"\")}(#{resource_class.translatable_fields.map do\n \"#{resource_class::Translation.table_name}.#{f}\"\n end.join(\", \")})\\n FROM #{resource_class::Translation.table_name}\\n WHERE #{resource_class::Translation.table_name}.#{\"#{resource_class.table_name.singularize}_id\"} = #{resource_class.table_name}.id\\n \")", "render_path": null, "location": { "type": "method", "class": "Spree::TranslationMigrations", "method": "revert_translation_data_transfer" }, "user_input": "resource_class.translatable_fields.join(\", \")", "confidence": "Medium", "cwe_id": [ 89 ], "note": "" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "c2bc48d98076b7c4fc3314c6a85f7bd1132efe5fcc346da4d28df7c25f93633f", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/spree/variant.rb", "line": 126, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "joins(:product).join_translation_table(Product).where(\"LOWER(#{Product.translation_table_alias}.name) LIKE LOWER(:query)\\n OR LOWER(sku) LIKE LOWER(:query)\", :query => (\"%#{query}%\"))", "render_path": null, "location": { "type": "method", "class": "Spree::Variant", "method": "Spree::Variant.product_name_or_sku_cont" }, "user_input": "Product.translation_table_alias", "confidence": "Weak", "cwe_id": [ 89 ], "note": "" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "ed253ae6b1b4ea3fe3d87d3652380fecab80133319b1ed041d98d163fd16b815", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/finders/spree/taxons/find.rb", "line": 71, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "taxons.joins(:parent).join_translation_table(Taxon, \"parents_spree_taxons\").where([\"#{Taxon.translation_table_alias}.permalink = ?\", parent_permalink])", "render_path": null, "location": { "type": "method", "class": "Spree::Taxons::Find", "method": "by_parent_permalink" }, "user_input": "Taxon.translation_table_alias", "confidence": "Weak", "cwe_id": [ 89 ], "note": "" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "efcc57e1a5648d7db59d1beaf5e399d2278539a8667b19c520b305a6ca7e15e8", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/concerns/spree/product_scopes.rb", "line": 68, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "where(\"#{price_table_name}.amount >= ?\", price)", "render_path": null, "location": { "type": "method", "class": "Spree", "method": null }, "user_input": "price_table_name", "confidence": "Medium", "cwe_id": [ 89 ], "note": "interpolating table name" }, { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "f14dd62fac0dd1e9d5532dd5efc770e2eb873a8db80faf366b6295378634754a", "check_name": "SQL", "message": "Possible SQL injection", "file": "lib/spree/translation_migrations.rb", "line": 16, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "ActiveRecord::Base.connection.execute(\"\\n INSERT INTO #{resource_class::Translation.table_name} (#{resource_class.translatable_fields.join(\", \")}, #{\"#{resource_class.table_name.singularize}_id\"}, locale, created_at, updated_at)\\n SELECT #{resource_class.translatable_fields.join(\", \")}, id, '#{default_locale}' as locale, created_at, updated_at FROM #{resource_class.table_name};\\n \")", "render_path": null, "location": { "type": "method", "class": "Spree::TranslationMigrations", "method": "transfer_translation_data" }, "user_input": "resource_class.translatable_fields.join(\", \")", "confidence": "Medium", "cwe_id": [ 89 ], "note": "" } ], "updated": "2023-03-22 20:11:32 +0100", "brakeman_version": "5.4.1" }