ylqjgm
/
canvas-lms
mirror of https://github.com/instructure/canvas-lms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
canvas-lms/config/brakeman.ignore

147 lines
11 KiB
Plaintext
Raw Blame History

{
"ignored_warnings": [
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "39e7cf18fc30e291caf214390683dbf5b0d247b0682c18d9ec84f6c5754cbbc1",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/grade_calculator.rb",
"line": 703,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Score.connection.execute(\"\\n INSERT INTO #{Score.quoted_table_name} (\\n enrollment_id, assignment_group_id,\\n #{assignment_group_columns_to_insert_or_update[:value_names].join(\", \")},\\n course_score, root_account_id, created_at, updated_at\\n )\\n SELECT\\n val.enrollment_id AS enrollment_id,\\n val.assignment_group_id as assignment_group_id,\\n #{assignment_group_columns_to_insert_or_update[:insert_columns].join(\", \")},\\n FALSE AS course_score,\\n #{(course or Course.find(course)).root_account_id} AS root_account_id,\\n #{updated_at} AS created_at,\\n #{updated_at} AS updated_at\\n FROM (VALUES #{score_values}) val\\n (\\n enrollment_id,\\n assignment_group_id,\\n #{assignment_group_columns_to_insert_or_update[:value_names].join(\", \")}\\n )\\n ON CONFLICT (enrollment_id, assignment_group_id) WHERE assignment_group_id IS NOT NULL\\n DO UPDATE SET\\n #{assignment_group_columns_to_insert_or_update[:update_columns].join(\", \")},\\n updated_at = excluded.updated_at,\\n root_account_id = #{(course or Course.find(course)).root_account_id},\\n workflow_state = COALESCE(NULLIF(excluded.workflow_state, 'deleted'), 'active')\\n \")",
"render_path": null,
"location": {
"type": "method",
"class": "GradeCalculator",
"method": "save_assignment_group_scores"
},
"user_input": "assignment_group_columns_to_insert_or_update[:value_names].join(\", \")",
"confidence": "Medium",
"note": "values being inserted do not come from user input."
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "6c187af95302423b293a6ee5fcc3233c199e0f82d858931c478515c5f2d22cad",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/controllers/outcome_results_controller.rb",
"line": 596,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Arel.sql((User.sortable_name_order_by_clause(User.quoted_table_name) or \"#{User.sortable_name_order_by_clause(User.quoted_table_name)} DESC\"))",
"render_path": null,
"location": {
"type": "method",
"class": "OutcomeResultsController",
"method": "apply_sort_order"
},
"user_input": "User.sortable_name_order_by_clause(User.quoted_table_name)",
"confidence": "High",
"note": "No user input is passed in"
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "6cf45dc47f15a06b8f69c3df2521c24ef83016b18b2c4b9a348c98517d9fa6eb",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/grade_calculator.rb",
"line": 739,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "ScoreMetadata.connection.execute(\"\\n INSERT INTO #{ScoreMetadata.quoted_table_name}\\n (score_id, calculation_details, created_at, updated_at)\\n SELECT\\n scores.id AS score_id,\\n CAST(val.calculation_details as json) AS calculation_details,\\n #{updated_at} AS created_at,\\n #{updated_at} AS updated_at\\n FROM (VALUES #{dropped_values}) val\\n (enrollment_id, assignment_group_id, calculation_details)\\n LEFT OUTER JOIN #{Score.quoted_table_name} scores ON\\n scores.enrollment_id = val.enrollment_id AND\\n scores.assignment_group_id = val.assignment_group_id\\n ON CONFLICT (score_id)\\n DO UPDATE SET\\n calculation_details = excluded.calculation_details,\\n updated_at = excluded.updated_at\\n ;\\n \")",
"render_path": null,
"location": {
"type": "method",
"class": "GradeCalculator",
"method": "save_assignment_group_scores"
},
"user_input": "updated_at",
"confidence": "Medium",
"note": "values being inserted do not come from user input."
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "799a44268d5cfe1ff43bcd239e02e4dc5fc10545c370095aaed3ec7e9975df6e",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/controllers/lti/ims/providers/memberships_provider.rb",
"line": 79,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Submission.active.for_assignment(assignment).where(\"#{outer_user_id_column} = submissions.user_id\")",
"render_path": null,
"location": {
"type": "method",
"class": "Lti::Ims::Providers::MembershipsProvider",
"method": "correlated_assignment_submissions"
},
"user_input": "outer_user_id_column",
"confidence": "Medium",
"note": "No user input is passed in"
},
{
"warning_type": "Remote Code Execution",
"warning_code": 24,
"fingerprint": "b5ba030e599093d2a5047494736d8a61807935ee92704d7f289da07646c862e4",
"check_name": "UnsafeReflection",
"message": "Unsafe reflection method `const_get` called with parameter value",
"file": "app/controllers/files_controller.rb",
"line": 879,
"link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
"code": "Object.const_get(params[:context_type])",
"render_path": null,
"location": {
"type": "method",
"class": "FilesController",
"method": "api_capture"
},
"user_input": "params[:context_type]",
"confidence": "High",
"note": "Value is allowed"
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "d4f9e6a8ce7a250aada977714592207aa2f5edeed50a0c63a05fdbfa5bba54f6",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/grade_calculator.rb",
"line": 605,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Score.connection.execute(\"\\n INSERT INTO #{Score.quoted_table_name}\\n (\\n enrollment_id, grading_period_id,\\n #{columns_to_insert_or_update[:columns].join(\", \")},\\n course_score, root_account_id, created_at, updated_at\\n )\\n SELECT\\n enrollments.id as enrollment_id,\\n #{(opts.reverse_merge(:emit_live_event => true, :ignore_muted => true, :update_all_grading_period_scores => true, :update_course_score => true, :only_update_course_gp_metadata => false, :only_update_points => false)[:grading_period].id or \"NULL\")} as grading_period_id,\\n #{columns_to_insert_or_update[:insert_values].join(\", \")},\\n #{if opts.reverse_merge(:emit_live_event => true, :ignore_muted => true, :update_all_grading_period_scores => true, :update_course_score => true, :only_update_course_gp_metadata => false, :only_update_points => false)[:grading_period] then\n \"FALSE\"\nelse\n \"TRUE\"\nend} AS course_score,\\n #{(course or Course.find(course)).root_account_id} AS root_account_id,\\n #{updated_at} as created_at,\\n #{updated_at} as updated_at\\n FROM #{Enrollment.quoted_table_name} enrollments\\n WHERE\\n enrollments.id IN (#{joined_enrollment_ids})\\n ON CONFLICT #{(\"(enrollment_id, grading_period_id) WHERE grading_period_id IS NOT NULL\" or \"(enrollment_id) WHERE course_score\")}\\n DO UPDATE SET\\n #{columns_to_insert_or_update[:update_values].join(\", \")},\\n updated_at = excluded.updated_at,\\n root_account_id = #{(course or Course.find(course)).root_account_id},\\n -- if workflow_state was previously deleted for some reason, update it to active\\n workflow_state = COALESCE(NULLIF(excluded.workflow_state, 'deleted'), 'active')\\n \")",
"render_path": null,
"location": {
"type": "method",
"class": "GradeCalculator",
"method": "save_course_and_grading_period_scores"
},
"user_input": "columns_to_insert_or_update[:columns].join(\", \")",
"confidence": "Medium",
"note": "values being inserted do not come from user input."
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "d8b569ca9d9f1bc701f854f35c463b45b8c69c3e0909033ccf2fc96a9d630130",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/grade_calculator.rb",
"line": 642,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "ScoreMetadata.connection.execute(\"\\n INSERT INTO #{ScoreMetadata.quoted_table_name}\\n (score_id, calculation_details, created_at, updated_at)\\n SELECT\\n scores.id AS score_id,\\n CASE enrollments.user_id\\n #{{ user_id => ({ :current => ({ :dropped => scores[:current][:dropped] }), :final => ({ :dropped => scores[:final][:dropped] }) }) }.map do\n \"WHEN #{user_id} THEN cast('#{dropped.to_json}' as json)\"\n end.join(\" \")}\\n ELSE NULL\\n END AS calculation_details,\\n #{updated_at} AS created_at,\\n #{updated_at} AS updated_at\\n FROM #{Score.quoted_table_name} scores\\n INNER JOIN #{Enrollment.quoted_table_name} enrollments ON\\n enrollments.id = scores.enrollment_id\\n LEFT OUTER JOIN #{ScoreMetadata.quoted_table_name} metadata ON\\n metadata.score_id = scores.id\\n WHERE\\n scores.enrollment_id IN (#{joined_enrollment_ids}) AND\\n scores.assignment_group_id IS NULL AND\\n #{if opts.reverse_merge(:emit_live_event => true, :ignore_muted => true, :update_all_grading_period_scores => true, :update_course_score => true, :only_update_course_gp_metadata => false, :only_update_points => false)[:grading_period] then\n \"scores.grading_period_id = #{opts.reverse_merge(:emit_live_event => true, :ignore_muted => true, :update_all_grading_period_scores => true, :update_course_score => true, :only_update_course_gp_metadata => false, :only_update_points => false)[:grading_period].id}\"\nelse\n \"scores.course_score IS TRUE\"\nend}\\n ON CONFLICT (score_id)\\n DO UPDATE SET\\n calculation_details = excluded.calculation_details,\\n updated_at = excluded.updated_at\\n ;\\n \")",
"render_path": null,
"location": {
"type": "method",
"class": "GradeCalculator",
"method": "save_course_and_grading_period_metadata"
},
"user_input": "{ user_id => ({ :current => ({ :dropped => scores[:current][:dropped] }), :final => ({ :dropped => scores[:final][:dropped] }) }) }.map do\n \"WHEN #{user_id} THEN cast('#{dropped.to_json}' as json)\"\n end.join(\" \")",
"confidence": "Medium",
"note": "values being inserted do not come from user input."
}
],
"updated": "2020-06-09 16:34:47 -0500",
"brakeman_version": "4.8.2"
}
Reference in New Issue View Git Blame Copy Permalink