{ "ignored_warnings": [ { "warning_type": "Cross-Site Scripting", "warning_code": 2, "fingerprint": "068b12d24047e2ece633115ba065ce46fc8c8a26827be7de2565ab721e1c2e82", "check_name": "CrossSiteScripting", "message": "Unescaped parameter value", "file": "app/views/alchemy/admin/elements/update.js.erb", "line": 21, "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting", "code": "Element.find(params[:id]).ingredients_with_errors.map do\n \"[data-ingredient-id=\\\"#{ingredient.id}\\\"]\"\n end.join(\", \")", "render_path": [ { "type": "controller", "class": "Alchemy::Admin::ElementsController", "method": "update", "line": 61, "file": "app/controllers/alchemy/admin/elements_controller.rb", "rendered": { "name": "alchemy/admin/elements/update", "file": "app/views/alchemy/admin/elements/update.js.erb" } } ], "location": { "type": "template", "template": "alchemy/admin/elements/update" }, "user_input": "params[:id]", "confidence": "Weak", "note": "" }, { "warning_type": "File Access", "warning_code": 16, "fingerprint": "154e5d85347ab40256b60182d3143830247b33b81de2ae9ac0622155a1de8e51", "check_name": "SendFile", "message": "Parameter value used in file name", "file": "app/controllers/alchemy/admin/attachments_controller.rb", "line": 69, "link": "https://brakemanscanner.org/docs/warning_types/file_access/", "code": "send_file(Attachment.find(params[:id]).file.path, :filename => Attachment.find(params[:id]).file_name, :type => Attachment.find(params[:id]).file_mime_type)", "render_path": null, "location": { "type": "method", "class": "Alchemy::Admin::AttachmentsController", "method": "download" }, "user_input": "params[:id]", "confidence": "Weak", "note": "" }, { "warning_type": "Mass Assignment", "warning_code": 70, "fingerprint": "1dd8f69d9b1bdd4017212f38098f03d2ecb2db06269fb940090f209eee7570c6", "check_name": "MassAssignment", "message": "Specify exact keys allowed for mass assignment instead of using `permit!` which allows any keys", "file": "app/controllers/alchemy/admin/resources_controller.rb", "line": 209, "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", "code": "params.require(resource_handler.namespaced_resource_name).permit!", "render_path": null, "location": { "type": "method", "class": "Alchemy::Admin::ResourcesController", "method": "resource_params" }, "user_input": null, "confidence": "Medium", "note": "Because we actually can't know all attributes each inheriting controller supports, we permit all resource model params. It is adviced that all inheriting controllers implement this method and provide its own set of permitted attributes. As this all happens inside the password protected /admin namespace this can be considered a false positive." }, { "warning_type": "Dynamic Render Path", "warning_code": 15, "fingerprint": "384ec61125c6390d59fb7ebcf52792ba284bfd463d70d4ef552ab6c328e776f6", "check_name": "Render", "message": "Render path contains parameter value", "file": "app/views/alchemy/admin/elements/fold.js.erb", "line": 11, "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", "code": "render(action => Alchemy::ElementEditor.new(Element.find(params[:id])), {})", "render_path": [ { "type": "controller", "class": "Alchemy::Admin::ElementsController", "method": "fold", "line": 102, "file": "app/controllers/alchemy/admin/elements_controller.rb", "rendered": { "name": "alchemy/admin/elements/fold", "file": "app/views/alchemy/admin/elements/fold.js.erb" } } ], "location": { "type": "template", "template": "alchemy/admin/elements/fold" }, "user_input": "params[:id]", "confidence": "Weak", "note": "" }, { "warning_type": "Mass Assignment", "warning_code": 70, "fingerprint": "4b4dc24a6f5251bc1a6851597dfcee39608a2932eb7f81a4a241c00fca8a3043", "check_name": "MassAssignment", "message": "Specify exact keys allowed for mass assignment instead of using `permit!` which allows any keys", "file": "app/controllers/alchemy/admin/elements_controller.rb", "line": 155, "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", "code": "params.fetch(:contents, {}).permit!", "render_path": null, "location": { "type": "method", "class": "Alchemy::Admin::ElementsController", "method": "contents_params" }, "user_input": null, "confidence": "Medium", "note": "`Alchemy::Content` is a polymorphic association of any kind of model extending `Alchemy::Essence`. Since we can't know the attributes of all potential essences we need to permit all attributes. As this all happens inside the password protected /admin namespace this can be considered a false positive." }, { "warning_type": "Command Injection", "warning_code": 14, "fingerprint": "6addfcb9d23d2d6f699f2f3542169744ff749dc4d0a97f8ac783ab92593e1d84", "check_name": "Execute", "message": "Possible command injection", "file": "lib/alchemy/upgrader.rb", "line": 30, "link": "https://brakemanscanner.org/docs/warning_types/command_injection/", "code": "`yarn add @alchemy_cms/admin@~#{Alchemy.version}`", "render_path": null, "location": { "type": "method", "class": "Alchemy::Upgrader", "method": "update_npm_package" }, "user_input": "Alchemy.version", "confidence": "Medium", "note": "The alchemy version is safe" }, { "warning_type": "Cross-Site Scripting", "warning_code": 4, "fingerprint": "6e6ed4f8b20c07868bc04a4dc419103ecce33bb514eff77790abd57246a4513f", "check_name": "LinkToHref", "message": "Potentially unsafe model attribute in `link_to` href", "file": "app/views/alchemy/admin/nodes/_node.html.erb", "line": 62, "link": "https://brakemanscanner.org/docs/warning_types/link_to_href", "code": "link_to((Unresolved Model).new.url, (Unresolved Model).new.url, :target => \"_blank\", :title => (Unresolved Model).new.url)", "render_path": [ { "type": "template", "name": "alchemy/admin/nodes/_node", "line": 71, "file": "app/views/alchemy/admin/nodes/_node.html.erb", "rendered": { "name": "alchemy/admin/nodes/_node", "file": "app/views/alchemy/admin/nodes/_node.html.erb" } } ], "location": { "type": "template", "template": "alchemy/admin/nodes/_node" }, "user_input": "(Unresolved Model).new.url", "confidence": "Weak", "note": "" }, { "warning_type": "File Access", "warning_code": 16, "fingerprint": "6f642c32a45d9f6bbdff89c51873485c930479f4d72885ad0a1883c4372140bf", "check_name": "SendFile", "message": "Parameter value used in file name", "file": "app/controllers/alchemy/attachments_controller.rb", "line": 25, "link": "https://brakemanscanner.org/docs/warning_types/file_access/", "code": "send_file(Attachment.find(params[:id]).file.path, :filename => Attachment.find(params[:id]).file_name, :type => Attachment.find(params[:id]).file_mime_type)", "render_path": null, "location": { "type": "method", "class": "Alchemy::AttachmentsController", "method": "download" }, "user_input": "params[:id]", "confidence": "Weak", "note": "" }, { "warning_type": "Dynamic Render Path", "warning_code": 15, "fingerprint": "80b9b11d658cd393c549d568b3655c62566862f55b2fa16ed688de7c2e9343ac", "check_name": "Render", "message": "Render path contains parameter value", "file": "app/views/alchemy/admin/elements/index.html.erb", "line": 18, "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", "code": "render(action => PageVersion.find(params[:page_version_id]).elements.order(:position).includes(*element_includes).not_nested.unfixed.map do\n Alchemy::ElementEditor.new(element)\n end, {})", "render_path": [ { "type": "controller", "class": "Alchemy::Admin::ElementsController", "method": "index", "line": 15, "file": "app/controllers/alchemy/admin/elements_controller.rb", "rendered": { "name": "alchemy/admin/elements/index", "file": "app/views/alchemy/admin/elements/index.html.erb" } } ], "location": { "type": "template", "template": "alchemy/admin/elements/index" }, "user_input": "params[:page_version_id]", "confidence": "Weak", "note": "" }, { "warning_type": "Dynamic Render Path", "warning_code": 15, "fingerprint": "80b9b11d658cd393c549d568b3655c62566862f55b2fa16ed688de7c2e9343ac", "check_name": "Render", "message": "Render path contains parameter value", "file": "app/views/alchemy/admin/elements/index.html.erb", "line": 31, "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", "code": "render(action => PageVersion.find(params[:page_version_id]).elements.order(:position).includes(*element_includes).not_nested.unfixed.map do\n Alchemy::ElementEditor.new(element)\n end, {})", "render_path": [ { "type": "controller", "class": "Alchemy::Admin::ElementsController", "method": "index", "line": 15, "file": "app/controllers/alchemy/admin/elements_controller.rb", "rendered": { "name": "alchemy/admin/elements/index", "file": "app/views/alchemy/admin/elements/index.html.erb" } } ], "location": { "type": "template", "template": "alchemy/admin/elements/index" }, "user_input": "params[:page_version_id]", "confidence": "Weak", "note": "" }, { "warning_type": "File Access", "warning_code": 16, "fingerprint": "a1197cfa89e3a66e6d10ee060cd87af97d5e978d6d93b5936eb987288f1c02e6", "check_name": "SendFile", "message": "Parameter value used in file name", "file": "app/controllers/alchemy/attachments_controller.rb", "line": 12, "link": "https://brakemanscanner.org/docs/warning_types/file_access/", "code": "send_file(Attachment.find(params[:id]).file.path, :filename => Attachment.find(params[:id]).file_name, :type => Attachment.find(params[:id]).file_mime_type, :disposition => \"inline\")", "render_path": null, "location": { "type": "method", "class": "Alchemy::AttachmentsController", "method": "show" }, "user_input": "params[:id]", "confidence": "Weak", "note": "" } ], "updated": "2021-10-26 21:44:59 +0200", "brakeman_version": "5.1.1" }