diff --git a/.codeclimate.yml b/.codeclimate.yml index dbb3e4bf..5ad9a719 100644 --- a/.codeclimate.yml +++ b/.codeclimate.yml @@ -1,4 +1,6 @@ engines: + brakeman: + enabled: true bundler-audit: enabled: true duplication: diff --git a/Gemfile b/Gemfile index b74f44df..e931e1e9 100644 --- a/Gemfile +++ b/Gemfile @@ -86,6 +86,7 @@ group :development do gem 'letter_opener' gem 'letter_opener_web' gem 'rubocop', '0.46.0', require: false + gem 'brakeman', '~> 3.6.0', require: false gem 'bundler-audit', '~> 0.4.0', require: false gem 'capistrano', '3.8.0' diff --git a/Gemfile.lock b/Gemfile.lock index fdea9564..aba5faf4 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -67,6 +67,7 @@ GEM rack (>= 0.9.0) binding_of_caller (0.7.2) debug_inspector (>= 0.0.1) + brakeman (3.6.1) builder (3.2.3) bullet (5.5.1) activesupport (>= 3.0.0) @@ -479,6 +480,7 @@ DEPENDENCIES aws-sdk (>= 2.0) better_errors binding_of_caller + brakeman (~> 3.6.0) bullet bundler-audit (~> 0.4.0) capistrano (= 3.8.0) diff --git a/config/brakeman.ignore b/config/brakeman.ignore new file mode 100644 index 00000000..f9bc7706 --- /dev/null +++ b/config/brakeman.ignore @@ -0,0 +1,102 @@ +{ + "ignored_warnings": [ + { + "warning_type": "Dynamic Render Path", + "warning_code": 15, + "fingerprint": "9f31d941f3910dba2e9bfcd81aef4513249bd24c02d0f98e13ad44fdeeccd0e8", + "check_name": "Render", + "message": "Render path contains parameter value", + "file": "app/views/admin/accounts/index.html.haml", + "line": 32, + "link": "http://brakemanscanner.org/docs/warning_types/dynamic_render_path/", + "code": "render(action => filtered_accounts.page(params[:page]), {})", + "render_path": [{"type":"controller","class":"Admin::AccountsController","method":"index","line":7,"file":"app/controllers/admin/accounts_controller.rb"}], + "location": { + "type": "template", + "template": "admin/accounts/index" + }, + "user_input": "params[:page]", + "confidence": "Weak", + "note": "" + }, + { + "warning_type": "Redirect", + "warning_code": 18, + "fingerprint": "bb7e94e60af41decb811bb32171f1b27e9bf3f4d01e9e511127362e22510eb11", + "check_name": "Redirect", + "message": "Possible unprotected redirect", + "file": "app/controllers/remote_follow_controller.rb", + "line": 18, + "link": "http://brakemanscanner.org/docs/warning_types/redirect/", + "code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(Account.find_local!(params[:account_username])))", + "render_path": null, + "location": { + "type": "method", + "class": "RemoteFollowController", + "method": "create" + }, + "user_input": "RemoteFollow.new(resource_params).subscribe_address_for(Account.find_local!(params[:account_username]))", + "confidence": "High", + "note": "" + }, + { + "warning_type": "Dynamic Render Path", + "warning_code": 15, + "fingerprint": "c417f9d44ab05dd9cf3d5ec9df2324a5036774c151181787b32c4c940623191b", + "check_name": "Render", + "message": "Render path contains parameter value", + "file": "app/views/stream_entries/embed.html.haml", + "line": 2, + "link": "http://brakemanscanner.org/docs/warning_types/dynamic_render_path/", + "code": "render(action => Account.find_local!(params[:account_username]).stream_entries.where(:activity_type => \"Status\").find(params[:id]).activity_type.downcase, { Account.find_local!(params[:account_username]).stream_entries.where(:activity_type => \"Status\").find(params[:id]).activity_type.downcase.to_sym => Account.find_local!(params[:account_username]).stream_entries.where(:activity_type => \"Status\").find(params[:id]).activity, :centered => true })", + "render_path": [{"type":"controller","class":"StreamEntriesController","method":"embed","line":32,"file":"app/controllers/stream_entries_controller.rb"}], + "location": { + "type": "template", + "template": "stream_entries/embed" + }, + "user_input": "params[:id]", + "confidence": "Weak", + "note": "" + }, + { + "warning_type": "Dynamic Render Path", + "warning_code": 15, + "fingerprint": "c5d6945d63264af106d49367228d206aa2f176699ecdce2b98fac101bc6a96cf", + "check_name": "Render", + "message": "Render path contains parameter value", + "file": "app/views/admin/reports/index.html.haml", + "line": 24, + "link": "http://brakemanscanner.org/docs/warning_types/dynamic_render_path/", + "code": "render(action => filtered_reports.page(params[:page]), {})", + "render_path": [{"type":"controller","class":"Admin::ReportsController","method":"index","line":9,"file":"app/controllers/admin/reports_controller.rb"}], + "location": { + "type": "template", + "template": "admin/reports/index" + }, + "user_input": "params[:page]", + "confidence": "Weak", + "note": "" + }, + { + "warning_type": "Dynamic Render Path", + "warning_code": 15, + "fingerprint": "fbd0fc59adb5c6d44b60e02debb31d3af11719f534c9881e21435bbff87404d6", + "check_name": "Render", + "message": "Render path contains parameter value", + "file": "app/views/stream_entries/show.html.haml", + "line": 19, + "link": "http://brakemanscanner.org/docs/warning_types/dynamic_render_path/", + "code": "render(partial => \"stream_entries/#{Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase}\", { :locals => ({ Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase.to_sym => Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity, :include_threads => true }) })", + "render_path": [{"type":"controller","class":"StatusesController","method":"show","line":15,"file":"app/controllers/statuses_controller.rb"}], + "location": { + "type": "template", + "template": "stream_entries/show" + }, + "user_input": "params[:id]", + "confidence": "Weak", + "note": "" + } + ], + "updated": "2017-05-07 08:26:06 +0900", + "brakeman_version": "3.6.1" +}