mirror of
https://github.com/mastodon/mastodon.git
synced 2024-11-30 16:41:55 +00:00
0a120d86d2
* Fix error-prone SQL queries in Account search
While this code seems to not present an actual vulnerability, one could
easily be introduced by mistake due to how the query is built.
This PR parameterises the `to_tsquery` input to make the query more robust.
* Harden code for Status#tagged_with_all and Status#tagged_with_none
Those two scopes aren't used in a way that could be vulnerable to an SQL
injection, but keeping them unchanged might be a hazard.
* Remove unneeded spaces surrounding tsquery term
* Please CodeClimate
* Move advanced_search_for SQL template to its own function
This avoids one level of indentation while making clearer that the SQL template
isn't build from all the dynamic parameters of advanced_search_for.
* Add tests covering tagged_with, tagged_with_all and tagged_with_none
* Rewrite tagged_with_none to avoid multiple joins and make it more robust
* Remove obsolete brakeman warnings
* Revert "Remove unneeded spaces surrounding tsquery term"
The two queries are not strictly equivalent.
This reverts commit 86f16c537e
.
237 lines
10 KiB
Plaintext
237 lines
10 KiB
Plaintext
{
|
|
"ignored_warnings": [
|
|
{
|
|
"warning_type": "SQL Injection",
|
|
"warning_code": 0,
|
|
"fingerprint": "04dbbc249b989db2e0119bbb0f59c9818e12889d2b97c529cdc0b1526002ba4b",
|
|
"check_name": "SQL",
|
|
"message": "Possible SQL injection",
|
|
"file": "app/models/report.rb",
|
|
"line": 113,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
|
|
"code": "Admin::ActionLog.from(\"(#{[Admin::ActionLog.where(:target_type => \"Report\", :target_id => id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Account\", :target_id => target_account_id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Status\", :target_id => status_ids, :created_at => ((created_at..updated_at))).unscope(:order)].map do\n \"(#{query.to_sql})\"\n end.join(\" UNION ALL \")}) AS admin_action_logs\")",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "Report",
|
|
"method": "history"
|
|
},
|
|
"user_input": "Admin::ActionLog.where(:target_type => \"Status\", :target_id => status_ids, :created_at => ((created_at..updated_at))).unscope(:order)",
|
|
"confidence": "High",
|
|
"note": ""
|
|
},
|
|
{
|
|
"warning_type": "SQL Injection",
|
|
"warning_code": 0,
|
|
"fingerprint": "19df3740b8d02a9fe0eb52c939b4b87d3a2a591162a6adfa8d64e9c26aeebe6d",
|
|
"check_name": "SQL",
|
|
"message": "Possible SQL injection",
|
|
"file": "app/models/status.rb",
|
|
"line": 100,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
|
|
"code": "result.joins(\"INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "Status",
|
|
"method": null
|
|
},
|
|
"user_input": "id",
|
|
"confidence": "Weak",
|
|
"note": ""
|
|
},
|
|
{
|
|
"warning_type": "Redirect",
|
|
"warning_code": 18,
|
|
"fingerprint": "5fad11cd67f905fab9b1d5739d01384a1748ebe78c5af5ac31518201925265a7",
|
|
"check_name": "Redirect",
|
|
"message": "Possible unprotected redirect",
|
|
"file": "app/controllers/remote_interaction_controller.rb",
|
|
"line": 24,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/redirect/",
|
|
"code": "redirect_to(RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id])))",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "RemoteInteractionController",
|
|
"method": "create"
|
|
},
|
|
"user_input": "RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id]))",
|
|
"confidence": "High",
|
|
"note": ""
|
|
},
|
|
{
|
|
"warning_type": "SQL Injection",
|
|
"warning_code": 0,
|
|
"fingerprint": "75fcd147b7611763ab6915faf8c5b0709e612b460f27c05c72d8b9bd0a6a77f8",
|
|
"check_name": "SQL",
|
|
"message": "Possible SQL injection",
|
|
"file": "lib/mastodon/snowflake.rb",
|
|
"line": 87,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
|
|
"code": "connection.execute(\"CREATE OR REPLACE FUNCTION timestamp_id(table_name text)\\nRETURNS bigint AS\\n$$\\n DECLARE\\n time_part bigint;\\n sequence_base bigint;\\n tail bigint;\\n BEGIN\\n time_part := (\\n -- Get the time in milliseconds\\n ((date_part('epoch', now()) * 1000))::bigint\\n -- And shift it over two bytes\\n << 16);\\n\\n sequence_base := (\\n 'x' ||\\n -- Take the first two bytes (four hex characters)\\n substr(\\n -- Of the MD5 hash of the data we documented\\n md5(table_name || '#{SecureRandom.hex(16)}' || time_part::text),\\n 1, 4\\n )\\n -- And turn it into a bigint\\n )::bit(16)::bigint;\\n\\n -- Finally, add our sequence number to our base, and chop\\n -- it to the last two bytes\\n tail := (\\n (sequence_base + nextval(table_name || '_id_seq'))\\n & 65535);\\n\\n -- Return the time part and the sequence part. OR appears\\n -- faster here than addition, but they're equivalent:\\n -- time_part has no trailing two bytes, and tail is only\\n -- the last two bytes.\\n RETURN time_part | tail;\\n END\\n$$ LANGUAGE plpgsql VOLATILE;\\n\")",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "Mastodon::Snowflake",
|
|
"method": "define_timestamp_id"
|
|
},
|
|
"user_input": "SecureRandom.hex(16)",
|
|
"confidence": "Medium",
|
|
"note": ""
|
|
},
|
|
{
|
|
"warning_type": "Mass Assignment",
|
|
"warning_code": 105,
|
|
"fingerprint": "7631e93d0099506e7c3e5c91ba8d88523b00a41a0834ae30031a5a4e8bb3020a",
|
|
"check_name": "PermitAttributes",
|
|
"message": "Potentially dangerous key allowed for mass assignment",
|
|
"file": "app/controllers/api/v2/search_controller.rb",
|
|
"line": 28,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
|
|
"code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "Api::V2::SearchController",
|
|
"method": "search_params"
|
|
},
|
|
"user_input": ":account_id",
|
|
"confidence": "High",
|
|
"note": ""
|
|
},
|
|
{
|
|
"warning_type": "Mass Assignment",
|
|
"warning_code": 105,
|
|
"fingerprint": "874be88fedf4c680926845e9a588d3197765a6ccbfdd76466b44cc00151c612e",
|
|
"check_name": "PermitAttributes",
|
|
"message": "Potentially dangerous key allowed for mass assignment",
|
|
"file": "app/controllers/api/v1/admin/reports_controller.rb",
|
|
"line": 78,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
|
|
"code": "params.permit(:resolved, :account_id, :target_account_id)",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "Api::V1::Admin::ReportsController",
|
|
"method": "filter_params"
|
|
},
|
|
"user_input": ":account_id",
|
|
"confidence": "High",
|
|
"note": ""
|
|
},
|
|
{
|
|
"warning_type": "SQL Injection",
|
|
"warning_code": 0,
|
|
"fingerprint": "8c1d8c4b76c1cd3960e90dff999f854a6ff742fcfd8de6c7184ac5a1b1a4d7dd",
|
|
"check_name": "SQL",
|
|
"message": "Possible SQL injection",
|
|
"file": "app/models/preview_card_filter.rb",
|
|
"line": 50,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
|
|
"code": "PreviewCard.joins(\"join unnest(array[#{(Trends.links.currently_trending_ids(true, -1) or Trends.links.currently_trending_ids(false, -1)).map(&:to_i).join(\",\")}]::integer[]) with ordinality as x (id, ordering) on preview_cards.id = x.id\")",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "PreviewCardFilter",
|
|
"method": "trending_scope"
|
|
},
|
|
"user_input": "(Trends.links.currently_trending_ids(true, -1) or Trends.links.currently_trending_ids(false, -1)).map(&:to_i).join(\",\")",
|
|
"confidence": "Medium",
|
|
"note": ""
|
|
},
|
|
{
|
|
"warning_type": "Redirect",
|
|
"warning_code": 18,
|
|
"fingerprint": "ba568ac09683f98740f663f3d850c31785900215992e8c090497d359a2563d50",
|
|
"check_name": "Redirect",
|
|
"message": "Possible unprotected redirect",
|
|
"file": "app/controllers/remote_follow_controller.rb",
|
|
"line": 21,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/redirect/",
|
|
"code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(@account))",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "RemoteFollowController",
|
|
"method": "create"
|
|
},
|
|
"user_input": "RemoteFollow.new(resource_params).subscribe_address_for(@account)",
|
|
"confidence": "High",
|
|
"note": ""
|
|
},
|
|
{
|
|
"warning_type": "SQL Injection",
|
|
"warning_code": 0,
|
|
"fingerprint": "c32a484ccd9da46abd3bc93d08b72029d7dbc0576ccf4e878a9627e9a83cad2e",
|
|
"check_name": "SQL",
|
|
"message": "Possible SQL injection",
|
|
"file": "app/models/tag_filter.rb",
|
|
"line": 50,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
|
|
"code": "Tag.joins(\"join unnest(array[#{Trends.tags.currently_trending_ids(false, -1).map(&:to_i).join(\",\")}]::integer[]) with ordinality as x (id, ordering) on tags.id = x.id\")",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "TagFilter",
|
|
"method": "trending_scope"
|
|
},
|
|
"user_input": "Trends.tags.currently_trending_ids(false, -1).map(&:to_i).join(\",\")",
|
|
"confidence": "Medium",
|
|
"note": ""
|
|
},
|
|
{
|
|
"warning_type": "Cross-Site Scripting",
|
|
"warning_code": 4,
|
|
"fingerprint": "cd5cfd7f40037fbfa753e494d7129df16e358bfc43ef0da3febafbf4ee1ed3ac",
|
|
"check_name": "LinkToHref",
|
|
"message": "Potentially unsafe model attribute in `link_to` href",
|
|
"file": "app/views/admin/trends/links/_preview_card.html.haml",
|
|
"line": 7,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/link_to_href",
|
|
"code": "link_to((Unresolved Model).new.title, (Unresolved Model).new.url)",
|
|
"render_path": [
|
|
{
|
|
"type": "template",
|
|
"name": "admin/trends/links/index",
|
|
"line": 37,
|
|
"file": "app/views/admin/trends/links/index.html.haml",
|
|
"rendered": {
|
|
"name": "admin/trends/links/_preview_card",
|
|
"file": "app/views/admin/trends/links/_preview_card.html.haml"
|
|
}
|
|
}
|
|
],
|
|
"location": {
|
|
"type": "template",
|
|
"template": "admin/trends/links/_preview_card"
|
|
},
|
|
"user_input": "(Unresolved Model).new.url",
|
|
"confidence": "Weak",
|
|
"note": ""
|
|
},
|
|
{
|
|
"warning_type": "Mass Assignment",
|
|
"warning_code": 105,
|
|
"fingerprint": "e867661b2c9812bc8b75a5df12b28e2a53ab97015de0638b4e732fe442561b28",
|
|
"check_name": "PermitAttributes",
|
|
"message": "Potentially dangerous key allowed for mass assignment",
|
|
"file": "app/controllers/api/v1/reports_controller.rb",
|
|
"line": 36,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
|
|
"code": "params.permit(:account_id, :comment, :forward, :status_ids => ([]))",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "Api::V1::ReportsController",
|
|
"method": "report_params"
|
|
},
|
|
"user_input": ":account_id",
|
|
"confidence": "High",
|
|
"note": ""
|
|
}
|
|
],
|
|
"updated": "2021-11-14 05:26:09 +0100",
|
|
"brakeman_version": "5.1.2"
|
|
}
|