config/brakeman.ignore in alchemy_cms-5.3.8 vs config/brakeman.ignore in alchemy_cms-6.0.0.b1
- old
+ new
@@ -1,23 +1,23 @@
{
"ignored_warnings": [
{
"warning_type": "Cross-Site Scripting",
"warning_code": 2,
- "fingerprint": "0551e3f9180b85fca4b17fe3c7cbbac1611d2ef8d385f77e9445c562c471d688",
+ "fingerprint": "068b12d24047e2ece633115ba065ce46fc8c8a26827be7de2565ab721e1c2e82",
"check_name": "CrossSiteScripting",
"message": "Unescaped parameter value",
"file": "app/views/alchemy/admin/elements/update.js.erb",
- "line": 18,
+ "line": 21,
"link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
- "code": "j(Element.find(params[:id]).essence_error_messages.join(\"</li><li>\"))",
+ "code": "Element.find(params[:id]).ingredients_with_errors.map do\n \"[data-ingredient-id=\\\"#{ingredient.id}\\\"]\"\n end.join(\", \")",
"render_path": [
{
"type": "controller",
"class": "Alchemy::Admin::ElementsController",
"method": "update",
- "line": 55,
+ "line": 61,
"file": "app/controllers/alchemy/admin/elements_controller.rb",
"rendered": {
"name": "alchemy/admin/elements/update",
"file": "app/views/alchemy/admin/elements/update.js.erb"
}
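Review bot: The re-issued fingerprint on L11 now suppresses different code (L19): the view interpolates `ingredient.id` into a CSS selector string instead of joining `essence_error_messages`, so the original justification for ignoring the XSS finding no longer describes what is being ignored. The entry's `note` field lies outside this hunk, so I cannot see whether it was updated; if it is empty or still refers to the old error-message join, it should state why the new interpolation is a false positive, e.g. `"note": "ingredient.id is the record's integer primary key, not request input — constructed wording, adjust to the actual reasoning"`. The ignored-warning object continues past the end of the hunk.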
@@ -36,11 +36,11 @@
"warning_code": 16,
"fingerprint": "154e5d85347ab40256b60182d3143830247b33b81de2ae9ac0622155a1de8e51",
"check_name": "SendFile",
"message": "Parameter value used in file name",
"file": "app/controllers/alchemy/admin/attachments_controller.rb",
- "line": 65,
+ "line": 69,
"link": "https://brakemanscanner.org/docs/warning_types/file_access/",
"code": "send_file(Attachment.find(params[:id]).file.path, :filename => Attachment.find(params[:id]).file_name, :type => Attachment.find(params[:id]).file_mime_type)",
"render_path": null,
"location": {
"type": "method",
@@ -70,136 +70,12 @@
"user_input": null,
"confidence": "Medium",
"note": "Because we actually can't know all attributes each inheriting controller supports, we permit all resource model params. It is adviced that all inheriting controllers implement this method and provide its own set of permitted attributes. As this all happens inside the password protected /admin namespace this can be considered a false positive."
},
{
- "warning_type": "Cross-Site Scripting",
- "warning_code": 2,
- "fingerprint": "293a6f5581ba3f0e7aa4f81b38d68baf21f1219c8f3bae3eca6b3e1776b734df",
- "check_name": "CrossSiteScripting",
- "message": "Unescaped parameter value",
- "file": "app/views/alchemy/admin/elements/order.js.erb",
- "line": 17,
- "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
- "code": "Element.trashed.where(:id => params[:element_ids]).pluck(:id).collect do\n \"#element_area [data-element-id=\\\"#{id}\\\"]\"\n end.join(\", \")",
- "render_path": [
- {
- "type": "controller",
- "class": "Alchemy::Admin::ElementsController",
- "method": "order",
- "line": 78,
- "file": "app/controllers/alchemy/admin/elements_controller.rb",
- "rendered": {
- "name": "alchemy/admin/elements/order",
- "file": "app/views/alchemy/admin/elements/order.js.erb"
- }
- }
- ],
- "location": {
- "type": "template",
- "template": "alchemy/admin/elements/order"
- },
- "user_input": "params[:element_ids]",
- "confidence": "Weak",
- "note": ""
- },
- {
"warning_type": "Dynamic Render Path",
"warning_code": 15,
- "fingerprint": "2eb67abb2b025c3446afa2f9b8d48c6b6a05379234a9228c9af4c25b7e672b00",
- "check_name": "Render",
- "message": "Render path contains parameter value",
- "file": "app/views/alchemy/admin/elements/index.html.erb",
- "line": 18,
- "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
- "code": "render(action => Page.find(params[:page_id]).all_elements.not_nested.unfixed.not_trashed.includes(*element_includes).map do\n Alchemy::ElementEditor.new(element)\n end, {})",
- "render_path": [
- {
- "type": "controller",
- "class": "Alchemy::Admin::ElementsController",
- "method": "index",
- "line": 13,
- "file": "app/controllers/alchemy/admin/elements_controller.rb",
- "rendered": {
- "name": "alchemy/admin/elements/index",
- "file": "app/views/alchemy/admin/elements/index.html.erb"
- }
- }
- ],
- "location": {
- "type": "template",
- "template": "alchemy/admin/elements/index"
- },
- "user_input": "params[:page_id]",
- "confidence": "Weak",
- "note": ""
- },
- {
- "warning_type": "Dynamic Render Path",
- "warning_code": 15,
- "fingerprint": "2eb67abb2b025c3446afa2f9b8d48c6b6a05379234a9228c9af4c25b7e672b00",
- "check_name": "Render",
- "message": "Render path contains parameter value",
- "file": "app/views/alchemy/admin/elements/index.html.erb",
- "line": 31,
- "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
- "code": "render(action => Page.find(params[:page_id]).all_elements.not_nested.unfixed.not_trashed.includes(*element_includes).map do\n Alchemy::ElementEditor.new(element)\n end, {})",
- "render_path": [
- {
- "type": "controller",
- "class": "Alchemy::Admin::ElementsController",
- "method": "index",
- "line": 13,
- "file": "app/controllers/alchemy/admin/elements_controller.rb",
- "rendered": {
- "name": "alchemy/admin/elements/index",
- "file": "app/views/alchemy/admin/elements/index.html.erb"
- }
- }
- ],
- "location": {
- "type": "template",
- "template": "alchemy/admin/elements/index"
- },
- "user_input": "params[:page_id]",
- "confidence": "Weak",
- "note": ""
- },
- {
- "warning_type": "Dynamic Render Path",
- "warning_code": 15,
- "fingerprint": "2fa9bf5c73b4e6e3c272f0b14635f96efbd763e9a2c5b785caefffe3589ac461",
- "check_name": "Render",
- "message": "Render path contains parameter value",
- "file": "app/views/alchemy/admin/essence_pictures/assign.js.erb",
- "line": 2,
- "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
- "code": "render(action => Alchemy::ContentEditor.new(Content.find(params[:content_id])), {})",
- "render_path": [
- {
- "type": "controller",
- "class": "Alchemy::Admin::EssencePicturesController",
- "method": "assign",
- "line": 49,
- "file": "app/controllers/alchemy/admin/essence_pictures_controller.rb",
- "rendered": {
- "name": "alchemy/admin/essence_pictures/assign",
- "file": "app/views/alchemy/admin/essence_pictures/assign.js.erb"
- }
- }
- ],
- "location": {
- "type": "template",
- "template": "alchemy/admin/essence_pictures/assign"
- },
- "user_input": "params[:content_id]",
- "confidence": "Weak",
- "note": ""
- },
- {
- "warning_type": "Dynamic Render Path",
- "warning_code": 15,
"fingerprint": "384ec61125c6390d59fb7ebcf52792ba284bfd463d70d4ef552ab6c328e776f6",
"check_name": "Render",
"message": "Render path contains parameter value",
"file": "app/views/alchemy/admin/elements/fold.js.erb",
"line": 11,
@@ -208,11 +84,11 @@
"render_path": [
{
"type": "controller",
"class": "Alchemy::Admin::ElementsController",
"method": "fold",
- "line": 95,
+ "line": 97,
"file": "app/controllers/alchemy/admin/elements_controller.rb",
"rendered": {
"name": "alchemy/admin/elements/fold",
"file": "app/views/alchemy/admin/elements/fold.js.erb"
}
@@ -231,11 +107,11 @@
"warning_code": 70,
"fingerprint": "4b4dc24a6f5251bc1a6851597dfcee39608a2932eb7f81a4a241c00fca8a3043",
"check_name": "MassAssignment",
"message": "Specify exact keys allowed for mass assignment instead of using `permit!` which allows any keys",
"file": "app/controllers/alchemy/admin/elements_controller.rb",
- "line": 146,
+ "line": 150,
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
"code": "params.fetch(:contents, {}).permit!",
"render_path": null,
"location": {
"type": "method",
@@ -295,59 +171,90 @@
"user_input": "params[:id]",
"confidence": "Weak",
"note": ""
},
{
- "warning_type": "File Access",
- "warning_code": 16,
- "fingerprint": "a1197cfa89e3a66e6d10ee060cd87af97d5e978d6d93b5936eb987288f1c02e6",
- "check_name": "SendFile",
- "message": "Parameter value used in file name",
- "file": "app/controllers/alchemy/attachments_controller.rb",
- "line": 12,
- "link": "https://brakemanscanner.org/docs/warning_types/file_access/",
- "code": "send_file(Attachment.find(params[:id]).file.path, :filename => Attachment.find(params[:id]).file_name, :type => Attachment.find(params[:id]).file_mime_type, :disposition => \"inline\")",
- "render_path": null,
+ "warning_type": "Dynamic Render Path",
+ "warning_code": 15,
+ "fingerprint": "80b9b11d658cd393c549d568b3655c62566862f55b2fa16ed688de7c2e9343ac",
+ "check_name": "Render",
+ "message": "Render path contains parameter value",
+ "file": "app/views/alchemy/admin/elements/index.html.erb",
+ "line": 18,
+ "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
+ "code": "render(action => PageVersion.find(params[:page_version_id]).elements.order(:position).includes(*element_includes).not_nested.unfixed.map do\n Alchemy::ElementEditor.new(element)\n end, {})",
+ "render_path": [
+ {
+ "type": "controller",
+ "class": "Alchemy::Admin::ElementsController",
+ "method": "index",
+ "line": 15,
+ "file": "app/controllers/alchemy/admin/elements_controller.rb",
+ "rendered": {
+ "name": "alchemy/admin/elements/index",
+ "file": "app/views/alchemy/admin/elements/index.html.erb"
+ }
+ }
+ ],
"location": {
- "type": "method",
- "class": "Alchemy::AttachmentsController",
- "method": "show"
+ "type": "template",
+ "template": "alchemy/admin/elements/index"
},
- "user_input": "params[:id]",
+ "user_input": "params[:page_version_id]",
"confidence": "Weak",
"note": ""
},
{
"warning_type": "Dynamic Render Path",
"warning_code": 15,
- "fingerprint": "b9f63fd46d0ebd6684b649ab260f27df8a6422d44fed4769273d8e6a6a30397c",
+ "fingerprint": "80b9b11d658cd393c549d568b3655c62566862f55b2fa16ed688de7c2e9343ac",
"check_name": "Render",
"message": "Render path contains parameter value",
- "file": "app/views/alchemy/admin/essence_files/assign.js.erb",
- "line": 1,
+ "file": "app/views/alchemy/admin/elements/index.html.erb",
+ "line": 31,
"link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
- "code": "render(action => Alchemy::ContentEditor.new(Content.find_by(:id => params[:content_id])), {})",
+ "code": "render(action => PageVersion.find(params[:page_version_id]).elements.order(:position).includes(*element_includes).not_nested.unfixed.map do\n Alchemy::ElementEditor.new(element)\n end, {})",
"render_path": [
{
"type": "controller",
- "class": "Alchemy::Admin::EssenceFilesController",
- "method": "assign",
- "line": 32,
- "file": "app/controllers/alchemy/admin/essence_files_controller.rb",
+ "class": "Alchemy::Admin::ElementsController",
+ "method": "index",
+ "line": 15,
+ "file": "app/controllers/alchemy/admin/elements_controller.rb",
"rendered": {
- "name": "alchemy/admin/essence_files/assign",
- "file": "app/views/alchemy/admin/essence_files/assign.js.erb"
+ "name": "alchemy/admin/elements/index",
+ "file": "app/views/alchemy/admin/elements/index.html.erb"
}
}
],
"location": {
"type": "template",
- "template": "alchemy/admin/essence_files/assign"
+ "template": "alchemy/admin/elements/index"
},
- "user_input": "params[:content_id]",
+ "user_input": "params[:page_version_id]",
"confidence": "Weak",
"note": ""
+ },
+ {
+ "warning_type": "File Access",
+ "warning_code": 16,
+ "fingerprint": "a1197cfa89e3a66e6d10ee060cd87af97d5e978d6d93b5936eb987288f1c02e6",
+ "check_name": "SendFile",
+ "message": "Parameter value used in file name",
+ "file": "app/controllers/alchemy/attachments_controller.rb",
+ "line": 12,
+ "link": "https://brakemanscanner.org/docs/warning_types/file_access/",
+ "code": "send_file(Attachment.find(params[:id]).file.path, :filename => Attachment.find(params[:id]).file_name, :type => Attachment.find(params[:id]).file_mime_type, :disposition => \"inline\")",
+ "render_path": null,
+ "location": {
+ "type": "method",
+ "class": "Alchemy::AttachmentsController",
+ "method": "show"
+ },
+ "user_input": "params[:id]",
+ "confidence": "Weak",
+ "note": ""
}
],
- "updated": "2021-01-04 16:29:42 +0100",
- "brakeman_version": "4.10.1"
+ "updated": "2021-06-29 20:56:10 +0200",
+ "brakeman_version": "5.0.1"
}
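Review bot: The two new Dynamic Render Path entries (fingerprint on L226 and L262) both carry `"note": ""`, so the decision to suppress `PageVersion.find(params[:page_version_id])` in index.html.erb is recorded without a reason; the MassAssignment entry's note earlier in the file shows the expected level of justification. Brakeman matches ignored warnings by fingerprint, and both entries share `80b9b11d…`, so the second (line 31) is presumably a by-product of `brakeman -I` and redundant, though harmless. A note along the lines of `"note": "params[:page_version_id] only selects the PageVersion record inside the password-protected /admin namespace; the rendered value is the editor collection, not a template path"` (constructed wording — adjust to the actual reasoning) would make the suppression reviewable. The SendFile entry re-added at L302–319 is a reorder rather than a new finding, but it too still ships with an empty note for a non-admin controller, which is worth filling in at the same time.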