{
"ignored_warnings": [
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "004796896cde893b006bf1856f61eba560b7329e370bd5cf0a071d019acfb05c",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/data_fixup/resend_plagiarism_events.rb",
"line": 66,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Submission.where(\"id in (#{(errors_report_scope(all_configured_submissions(start_time, end_time).select(:id).order(:submitted_at => :desc).limit(limit)) or missing_report_scope(all_configured_submissions(start_time, end_time).select(:id).order(:submitted_at => :desc).limit(limit)))})\")",
"render_path": null,
"location": {
"type": "method",
"class": "DataFixup::ResendPlagiarismEvents",
"method": "s(:self).resend_scope"
},
"user_input": "errors_report_scope(all_configured_submissions(start_time, end_time).select(:id).order(:submitted_at => :desc).limit(limit))",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "00ac66435814833ba7fd15636edce41d40f6587400cf2e86381310d660409149",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/controllers/grade_change_audit_api_controller.rb",
"line": 460,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Score.active.joins(:enrollment).preload(:enrollment).where(:course_score => true).where(\"(enrollments.course_id, enrollments.user_id) IN (#{events.reject(&:in_grading_period?).map do\n key = key_from_ids(event.context_id, event.student_id).join(\",\")\n\"(#{key_from_ids(event.context_id, event.student_id).join(\",\")})\"\n end.join(\", \")})\")",
"render_path": null,
"location": {
"type": "method",
"class": "GradeChangeAuditApiController",
"method": "current_override_scores_query"
},
"user_input": "events.reject(&:in_grading_period?).map do\n key = key_from_ids(event.context_id, event.student_id).join(\",\")\n\"(#{key_from_ids(event.context_id, event.student_id).join(\",\")})\"\n end.join(\", \")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "03b292cdba7408f58e10ebcf7ef130b27150143a1594c3148a76e0d23f667778",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/account.rb",
"line": 1062,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Account.connection.select_values(\"WITH RECURSIVE t AS (\\n SELECT * FROM #{Account.quoted_table_name} WHERE id=#{Shard.local_id_for(starting_account_id.parent_account_id).first}\\n UNION\\n SELECT accounts.* FROM #{Account.quoted_table_name} INNER JOIN t ON accounts.id=t.parent_account_id\\n)\\nSELECT id FROM t\\n\".squish)",
"render_path": null,
"location": {
"type": "method",
"class": "Account",
"method": "Account.account_chain_ids"
},
"user_input": "Shard.local_id_for(starting_account_id.parent_account_id).first",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "0e15b8a6ab3d2158a04d098f25c49a631614b1fe6fea57e98d52dbe9052e3e80",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/quizzes/quiz.rb",
"line": 1391,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Quizzes::QuizSubmission.from(\"( VALUES #{quizzes.map do\n \"(#{q.id})\"\n end.join(\", \")} ) AS s(quiz_id)\")",
"render_path": null,
"location": {
"type": "method",
"class": "Quizzes::Quiz",
"method": "Quizzes::Quiz.preload_can_unpublish"
},
"user_input": "quizzes.map do\n \"(#{q.id})\"\n end.join(\", \")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "0fa6de183523f46dcea89ac2032d6c127bfd096819b358a808be5e8572198071",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "config/initializers/active_record.rb",
"line": 1044,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "connection.execute(\"CREATE INDEX \\\"temp_primary_key\\\" ON #{connection.quote_local_table_name(\"#{table_name}_in_batches_temp_table_#{apply_limits(self, start, finish, order).to_sql.hash.abs.to_s(36)}\"[(-63..)])}(#{connection.quote_column_name(primary_key)})\")",
"render_path": null,
"location": null,
"user_input": "connection.quote_local_table_name(\"#{table_name}_in_batches_temp_table_#{apply_limits(self, start, finish, order).to_sql.hash.abs.to_s(36)}\"[(-63..)])",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "113ccdd673061935b7a5ef6c1e6683d843514d6719553a87a515d0fc2dd5c446",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/controllers/grade_change_audit_api_controller.rb",
"line": 448,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Score.active.joins(:enrollment).preload(:enrollment).where(\"(enrollments.course_id, enrollments.user_id, scores.grading_period_id) IN (#{events.select(&:in_grading_period?).map do\n key = key_from_ids(event.context_id, event.student_id, event.grading_period_id).join(\",\")\n\"(#{key_from_ids(event.context_id, event.student_id, event.grading_period_id).join(\",\")})\"\n end.join(\", \")})\")",
"render_path": null,
"location": {
"type": "method",
"class": "GradeChangeAuditApiController",
"method": "current_override_scores_query"
},
"user_input": "events.select(&:in_grading_period?).map do\n key = key_from_ids(event.context_id, event.student_id, event.grading_period_id).join(\",\")\n\"(#{key_from_ids(event.context_id, event.student_id, event.grading_period_id).join(\",\")})\"\n end.join(\", \")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "150dbd548bbe1af48137626584625d719f51d50fa8c2649e855bf22a18195be6",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/importers/assignment_importer.rb",
"line": 38,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Assignment.connection.execute(\"UPDATE #{Assignment.quoted_table_name} SET position=CASE #{\"#{\" WHEN migration_id=#{Assignment.connection.quote(m[\"assignment_id\"])} THEN #{(((migration.context.assignments.pluck(:position).compact.max or 0) + idx) + 1)} \"}\"} ELSE NULL END WHERE context_id=#{migration.context.id} AND context_type=#{Assignment.connection.quote(migration.context.class.to_s)} AND migration_id IN (#{(data[\"assignments\"] or []).filter_map do\n m[\"assignment_id\"]\n end.map do\n Assignment.connection.quote(id)\n end.join(\",\")})\")",
"render_path": null,
"location": {
"type": "method",
"class": "Importers::AssignmentImporter",
"method": "Importers::AssignmentImporter.process_migration"
},
"user_input": "(((migration.context.assignments.pluck(:position).compact.max or 0) + idx) + 1)",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "1af6d779fa538c578b2cb63fed80210c1fe06ea6f651a21fd0be4edda89f990d",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/discussion_entry_draft.rb",
"line": 77,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "connection.select_values(\" INSERT INTO #{quoted_table_name}\\n (#{\"user_id,discussion_topic_id,discussion_entry_id,root_entry_id,parent_id,attachment_id,message,include_reply_preview,updated_at,created_at\"})\\n VALUES (#{[user.id, topic.id, entry.id, (parent.root_entry_id or parent.id), parent.id, attachment.id, message, reply_preview].map do\n connection.quote(iv)\n end.join(\",\")},NOW(),NOW())\\n ON CONFLICT #{((\"(discussion_topic_id, user_id) WHERE root_entry_id IS NULL AND discussion_entry_id IS NULL\" or \"(root_entry_id, user_id) WHERE discussion_entry_id IS NULL\") or \"(discussion_entry_id, user_id)\")}\\nDO UPDATE SET #{\"#{[\"message\", \"include_reply_preview\", \"parent_id\", \"attachment\"].zip([message, reply_preview, parent.id, attachment.id].map do\n connection.quote(uv)\n end).map do\n a.join(\"=\")\n end.join(\",\")},updated_at=NOW()\"}\\n RETURNING id\\n\".squish)",
"render_path": null,
"location": {
"type": "method",
"class": "DiscussionEntryDraft",
"method": "DiscussionEntryDraft.upsert_draft"
},
"user_input": "[user.id, topic.id, entry.id, (parent.root_entry_id or parent.id), parent.id, attachment.id, message, reply_preview].map do\n connection.quote(iv)\n end.join(\",\")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "Remote Code Execution",
"warning_code": 24,
"fingerprint": "1cfe984723e00196cfea88b92c2967adfffe747d43508a73aaf045607ad3a241",
"check_name": "UnsafeReflection",
"message": "Unsafe reflection method `const_get` called with model attribute",
"file": "lib/sis/csv/import_refactored.rb",
"line": 246,
"link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
"code": "SIS::CSV.const_get(((id or ParallelImporter.find(id)).importer_type.to_sym.to_s.camelcase + \"Importer\"))",
"render_path": null,
"location": {
"type": "method",
"class": "SIS::CSV::ImportRefactored",
"method": "run_parallel_importer"
},
"user_input": "ParallelImporter.find(id)",
"confidence": "Medium",
"cwe_id": [
470
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "1db30095dcb8b5fc6a3a6d09fb527ae0d7b586ab9b32b8c76cf2da64ef69b1b0",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/score_statistics_generator.rb",
"line": 117,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "ScoreStatistic.connection.execute(\"INSERT INTO #{ScoreStatistic.quoted_table_name}\\n (assignment_id, maximum, minimum, mean, lower_q, median, upper_q, count, created_at, updated_at, root_account_id)\\nVALUES #{bulk_slice.join(\",\")}\\nON CONFLICT (assignment_id)\\nDO UPDATE SET\\n minimum = excluded.minimum,\\n maximum = excluded.maximum,\\n mean = excluded.mean,\\n lower_q = excluded.lower_q,\\n median = excluded.median,\\n upper_q = excluded.upper_q,\\n count = excluded.count,\\n updated_at = excluded.updated_at,\\n root_account_id = #{root_account_id}\\n\".squish)",
"render_path": null,
"location": {
"type": "method",
"class": "ScoreStatisticsGenerator",
"method": "s(:self).update_assignment_score_statistics"
},
"user_input": "bulk_slice.join(\",\")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "20b8d23d190696275c75e615ce298a65e6e199f6d783cd7dc415be3756fe8eb0",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/data_fixup/import_instfs_attachments.rb",
"line": 111,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Attachment.connection.execute(\"UPDATE attachments SET instfs_uuid=trim('\\\"' FROM batch.value::text) FROM json_each('#{line}'::json) AS batch WHERE CAST(batch.key AS BIGINT)=attachments.id\")",
"render_path": null,
"location": {
"type": "method",
"class": "DataFixup::ImportInstfsAttachments",
"method": "import_line"
},
"user_input": "line",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "21efc518929f57de2536d97d99f07d9a7425712d11c77234a089eb24a8de39b6",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/controllers/calendar_events_api_controller.rb",
"line": 1344,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "InstStatsd::Statsd.count(\"account_calendars.modal.enabled_calendars\", params[:enabled_account_calendars].length)",
"render_path": null,
"location": {
"type": "method",
"class": "CalendarEventsApiController",
"method": "save_enabled_account_calendars"
},
"user_input": "params[:enabled_account_calendars].length",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "Dangerous Send",
"warning_code": 23,
"fingerprint": "2734ed0a9a2d2604962cd8232b217636b6aaeaf45f43369a4876197a03387cbc",
"check_name": "Send",
"message": "User controlled method execution",
"file": "app/controllers/appointment_groups_controller.rb",
"line": 577,
"link": "https://brakemanscanner.org/docs/warning_types/dangerous_send/",
"code": "send(\"api_v1_appointment_group_#{params[:action]}_url\", @group)",
"render_path": null,
"location": {
"type": "method",
"class": "AppointmentGroupsController",
"method": "participants"
},
"user_input": "params[:action]",
"confidence": "High",
"cwe_id": [
77
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "2d881ab88942d987968b9fe72f1e9963a90a2c4d2f2e04a5ddfc99e9e061c695",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/submission_lifecycle_manager.rb",
"line": 486,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Submission.connection.execute(\"UPDATE #{Submission.quoted_table_name}\\n SET\\n cached_due_date = vals.due_date::timestamptz,\\n grading_period_id = vals.grading_period_id::integer,\\n workflow_state = COALESCE(NULLIF(workflow_state, 'deleted'), (\\n #{self.class.infer_submission_workflow_state_sql}\\n )),\\n anonymous_id = COALESCE(submissions.anonymous_id, vals.anonymous_id),\\n cached_quiz_lti = vals.cached_quiz_lti,\\n updated_at = now() AT TIME ZONE 'UTC'\\n FROM (VALUES #{batch_values.join(\",\")})\\n AS vals(assignment_id, student_id, due_date, grading_period_id, anonymous_id, cached_quiz_lti, root_account_id)\\n WHERE submissions.user_id = vals.student_id AND\\n submissions.assignment_id = vals.assignment_id AND\\n (\\n (submissions.cached_due_date IS DISTINCT FROM vals.due_date::timestamptz) OR\\n (submissions.grading_period_id IS DISTINCT FROM vals.grading_period_id::integer) OR\\n (submissions.workflow_state <> COALESCE(NULLIF(submissions.workflow_state, 'deleted'),\\n (#{self.class.infer_submission_workflow_state_sql})\\n )) OR\\n (submissions.anonymous_id IS DISTINCT FROM COALESCE(submissions.anonymous_id, vals.anonymous_id)) OR\\n (submissions.cached_quiz_lti IS DISTINCT FROM vals.cached_quiz_lti)\\n );\\nINSERT INTO #{Submission.quoted_table_name}\\n (assignment_id, user_id, workflow_state, created_at, updated_at, course_id,\\n cached_due_date, grading_period_id, anonymous_id, cached_quiz_lti, root_account_id)\\n SELECT\\n assignments.id, vals.student_id, 'unsubmitted',\\n now() AT TIME ZONE 'UTC', now() AT TIME ZONE 'UTC',\\n assignments.context_id, vals.due_date::timestamptz, vals.grading_period_id::integer,\\n vals.anonymous_id,\\n vals.cached_quiz_lti,\\n vals.root_account_id\\n FROM (VALUES #{batch_values.join(\",\")})\\n AS vals(assignment_id, student_id, due_date, grading_period_id, anonymous_id, cached_quiz_lti, root_account_id)\\n INNER JOIN #{Assignment.quoted_table_name} assignments\\n ON assignments.id = vals.assignment_id\\n 
LEFT OUTER JOIN #{Submission.quoted_table_name} submissions\\n ON submissions.assignment_id = assignments.id\\n AND submissions.user_id = vals.student_id\\n WHERE submissions.id IS NULL;\\n\".squish)",
"render_path": null,
"location": {
"type": "method",
"class": "SubmissionLifecycleManager",
"method": "perform_submission_upsert"
},
"user_input": "self.class.infer_submission_workflow_state_sql",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "Cross-Site Scripting",
"warning_code": 114,
"fingerprint": "2f29324268f96b4e21c0299738b67bc86028ddc1940f69cbf50c623cc3a4b87e",
"check_name": "JSONEntityEscape",
"message": "HTML entities in JSON are not escaped by default",
"file": "config/environments/production.rb",
"line": 754,
"link": "https://brakemanscanner.org/docs/warning_types/cross-site_scripting/",
"code": "ActiveSupport.escape_html_entities_in_json = false",
"render_path": null,
"location": {
"type": "method",
"class": "ContextModuleItemsApiController",
"method": "disable_escape_html_entities"
},
"user_input": null,
"confidence": "Medium",
"cwe_id": [
79
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "34265f36dd8188fc6fb9da9025880ca88fd44f0d60fbb4a421c43e26b209f59f",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/api/v1/assignment_group.rb",
"line": 140,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "ActiveRecord::Base.connection.select_all(\"SELECT DISTINCT ON (assignment_id) assignment_id, user_id\\nFROM #{Submission.quoted_table_name}\\nWHERE\\n assignment_id IN (#{assignments.pluck(:id).join(\",\")}) AND\\n grading_period_id IN (#{GradingPeriodGroup.for_course(context).grading_periods.closed.pluck(:id).join(\",\")}) AND\\n workflow_state <> 'deleted'\\n\\nUNION\\n\\nSELECT DISTINCT ON (assignment_id) assignment_id, user_id\\nFROM #{Submission.quoted_table_name}\\nWHERE\\n assignment_id IN (#{assignments.pluck(:id).join(\",\")}) AND\\n grading_period_id IS NULL AND NOW() > '#{GradingPeriodGroup.for_course(context).grading_periods.order(:end_date => :desc).first.close_date}'::timestamptz AND\\n workflow_state <> 'deleted'\\n\".squish)",
"render_path": null,
"location": {
"type": "method",
"class": "Api::V1::AssignmentGroup",
"method": "in_closed_grading_period_hash"
},
"user_input": "assignments.pluck(:id).join(\",\")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "364b9e86d24b93b583e663f2f5a9385bfb80852531582ad3398147d31a98d498",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/data_fixup/populate_root_account_ids_on_users.rb",
"line": 83,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "User.where(:id => user_id).update_all(\"root_account_ids=(#{\"SELECT ARRAY(SELECT DISTINCT e FROM unnest(array_cat(root_account_ids, ('{#{root_accounts_for_user[(1..)].split(\",\").map(&:to_i).map do\n Shard.relative_id_for(id, Shard.current, Shard.lookup((User.where(\"id>?\", Shard::IDS_PER_SHARD).minimum(:id) / Shard::IDS_PER_SHARD)))\n end.join(\",\")}}'))) AS a(e) ORDER BY e)\"})\")",
"render_path": null,
"location": {
"type": "method",
"class": "DataFixup::PopulateRootAccountIdsOnUsers",
"method": "s(:self).populate_table"
},
"user_input": "User.where(\"id>?\", Shard::IDS_PER_SHARD).minimum(:id)",
"confidence": "High",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "3eaff243d053ea3fc947043dbc45d2fa3e8f0f7b3be372c9c304892afc5766b9",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/conversation_participant.rb",
"line": 74,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "where((\"conversation_participants.root_account_ids <> '' AND \" + like_condition(\"?\", \"'%[' || REPLACE(conversation_participants.root_account_ids, ',', ']%[') || ']%'\", false)), ((\"[\" + Shard.birth.activate do\n accts = (masquerading_user.associated_root_accounts.shard(masquerading_user.in_region_associated_shards).to_a + user_being_viewed.associated_root_accounts.shard(user_being_viewed.in_region_associated_shards).to_a).uniq.select do\n a.grants_right?(masquerading_user, :become_user)\n end\n((masquerading_user.associated_root_accounts.shard(masquerading_user.in_region_associated_shards).to_a + user_being_viewed.associated_root_accounts.shard(user_being_viewed.in_region_associated_shards).to_a).uniq.select do\n a.grants_right?(masquerading_user, :become_user)\n end.map(&:id) + (masquerading_user.associated_root_accounts.shard(masquerading_user.in_region_associated_shards).to_a + user_being_viewed.associated_root_accounts.shard(user_being_viewed.in_region_associated_shards).to_a).uniq.select do\n a.grants_right?(masquerading_user, :become_user)\n end.map(&:global_id))\n\n end.join(\"][\")) + \"]\"))",
"render_path": null,
"location": {
"type": "method",
"class": "ConversationParticipant",
"method": "for_masquerading_user"
},
"user_input": "like_condition(\"?\", \"'%[' || REPLACE(conversation_participants.root_account_ids, ',', ']%[') || ']%'\", false)",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "3f0726fdb6a581c21efeb69e929d380edbf480b9410ad8a58cedaa3d66673596",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/grade_calculator.rb",
"line": 729,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "ScoreMetadata.connection.execute(\"\\n INSERT INTO #{ScoreMetadata.quoted_table_name}\\n (score_id, calculation_details, created_at, updated_at)\\n SELECT\\n scores.id AS score_id,\\n CAST(val.calculation_details as json) AS calculation_details,\\n #{updated_at} AS created_at,\\n #{updated_at} AS updated_at\\n FROM (VALUES #{dropped_values.join(\",\")}) val\\n (enrollment_id, assignment_group_id, calculation_details)\\n LEFT OUTER JOIN #{Score.quoted_table_name} scores ON\\n scores.enrollment_id = val.enrollment_id AND\\n scores.assignment_group_id = val.assignment_group_id\\n ORDER BY score_id\\n ON CONFLICT (score_id)\\n DO UPDATE SET\\n calculation_details = excluded.calculation_details,\\n updated_at = excluded.updated_at\\n ;\\n \")",
"render_path": null,
"location": {
"type": "method",
"class": "GradeCalculator",
"method": "save_assignment_group_scores"
},
"user_input": "updated_at",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "Remote Code Execution",
"warning_code": 119,
"fingerprint": "42acb42096367d73efe3943f3456226d3d664227e85cf7514c6c8a72b34d8a3e",
"check_name": "UnsafeReflectionMethods",
"message": "Unsafe reflection method `method` called with model attribute",
"file": "app/controllers/grading_periods_controller.rb",
"line": 208,
"link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
"code": "method(\"#{Account.active.where(:id => GradingPeriodGroup.active.select(:account_id).where(:id => params[:set_id])).take.class.to_s.downcase}_batch_update\")",
"render_path": null,
"location": {
"type": "method",
"class": "GradingPeriodsController",
"method": "batch_update"
},
"user_input": "Account.active.where(:id => GradingPeriodGroup.active.select(:account_id).where(:id => params[:set_id]))",
"confidence": "Medium",
"cwe_id": [
470
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "4a61f864c1ece2dda2f4ec6a12a7226b3d028c9da0e27e0fb276f3faebb41c2d",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/controllers/lti/ims/providers/memberships_provider.rb",
"line": 81,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Submission.active.for_assignment(assignment).where(\"#{outer_user_id_column} = submissions.user_id\")",
"render_path": null,
"location": {
"type": "method",
"class": "Lti::IMS::Providers::MembershipsProvider",
"method": "correlated_assignment_submissions"
},
"user_input": "outer_user_id_column",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "4afbde61f179b09eb9c908ae134870827d8f6ea07937947e28249549f35e6be6",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "config/initializers/active_record.rb",
"line": 876,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "connection.execute(\"DECLARE #{\"#{table_name}_in_batches_cursor_#{apply_limits(clone, start, finish, order).except(:select).select(primary_key).to_sql.hash.abs.to_s(36)}\"} CURSOR FOR #{apply_limits(clone, start, finish, order).except(:select).select(primary_key).to_sql}\")",
"render_path": null,
"location": null,
"user_input": "apply_limits(clone, start, finish, order).except(:select).select(primary_key).to_sql.hash.abs",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "57bf50dbd2610462dcf2668cee33bc98fa95715b7017fa3ce22202b03a026ef4",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/discussion_entry_participant.rb",
"line": 164,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "connection.exec_insert(\" INSERT INTO #{quoted_table_name}\\n (#{\"discussion_entry_id,user_id,root_account_id,workflow_state,read_at,forced_read_state,rating,report_type\"})\\n VALUES #{[entry_or_topic].map do\n row_values(batch_entry, user.id, entry_or_topic.root_account_id, (new_state or \"unread\"), [connection.quote(forced), connection.quote(rating), connection.quote(:BRAKEMAN_SAFE_LITERAL)])\n end.map do\n \"(#{row.join(\",\")})\"\n end.join(\",\")}\\n ON CONFLICT (discussion_entry_id,user_id)\\nDO UPDATE SET #{[\"forced_read_state\", \"rating\", \"report_type\", \"workflow_state\", \"read_at\"].zip([connection.quote(forced), connection.quote(rating), connection.quote(:BRAKEMAN_SAFE_LITERAL), connection.quote(new_state), connection.quote((Time.now or nil))]).map do\n a.join(\"=\")\n end.join(\",\")}\\n WHERE #{\"(#{quoted_table_name}.#{[\"forced_read_state\", \"rating\", \"report_type\", \"workflow_state\", \"read_at\"].join(\",#{quoted_table_name}.\")})\\n IS DISTINCT FROM (#{\"#{connection.quote(forced)},#{connection.quote(rating)},#{connection.quote(:BRAKEMAN_SAFE_LITERAL)},#{connection.quote(new_state)},#{connection.quote((Time.now or nil))}\"})\"}\\n\".squish)",
"render_path": null,
"location": {
"type": "method",
"class": "DiscussionEntryParticipant",
"method": "DiscussionEntryParticipant.upsert_for_entries"
},
"user_input": "[entry_or_topic].map do\n row_values(batch_entry, user.id, entry_or_topic.root_account_id, (new_state or \"unread\"), [connection.quote(forced), connection.quote(rating), connection.quote(:BRAKEMAN_SAFE_LITERAL)])\n end.map do\n \"(#{row.join(\",\")})\"\n end.join(\",\")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "607e0b2fd3ad558c69c74279b0a3ac040cc53f92514027776a793e77145d0e37",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "config/initializers/active_record.rb",
"line": 1078,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "connection.execute(\"DROP TABLE #{\"#{table_name}_in_batches_temp_table_#{apply_limits(self, start, finish, order).to_sql.hash.abs.to_s(36)}\"[(-63..)]}\")",
"render_path": null,
"location": null,
"user_input": "\"#{table_name}_in_batches_temp_table_#{apply_limits(self, start, finish, order).to_sql.hash.abs.to_s(36)}\"[(-63..)]",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "60d79b3e448515aa6141cbfe88c51b91d1cdafc7a766af6c38780307b594f07a",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/account.rb",
"line": 1036,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Account.find_by_sql(\"WITH RECURSIVE t AS (\\n SELECT * FROM #{Account.quoted_table_name} WHERE id=#{Shard.local_id_for(starting_account_id.parent_account_id).first}\\n UNION\\n SELECT accounts.* FROM #{Account.quoted_table_name} INNER JOIN t ON accounts.id=t.parent_account_id\\n)\\nSELECT * FROM t\\n\".squish)",
"render_path": null,
"location": {
"type": "method",
"class": "Account",
"method": "Account.account_chain"
},
"user_input": "Shard.local_id_for(starting_account_id.parent_account_id).first",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "Redirect",
"warning_code": 18,
"fingerprint": "6322041803bb86407678ba10c0e91454344241b40723b2861d925bccf68b240d",
"check_name": "Redirect",
"message": "Possible unprotected redirect",
"file": "app/controllers/users_controller.rb",
"line": 2271,
"link": "https://brakemanscanner.org/docs/warning_types/redirect/",
"code": "redirect_to(MediaSourceFetcher.new(CanvasKaltura::ClientV3.new).fetch_preferred_source_url(:media_id => params[:entryId], :file_extension => ((params[:type] or params[:format])), :media_type => params[:media_type]))",
"render_path": null,
"location": {
"type": "method",
"class": "UsersController",
"method": "media_download"
},
"user_input": "MediaSourceFetcher.new(CanvasKaltura::ClientV3.new).fetch_preferred_source_url(:media_id => params[:entryId], :file_extension => ((params[:type] or params[:format])), :media_type => params[:media_type])",
"confidence": "High",
"cwe_id": [
601
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "6493b8a4f9a96a2f3a52ac4343c272a524ad92cccc8bc2c40e450054b8f6ae61",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/effective_due_dates.rb",
"line": 318,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "ActiveRecord::Base.connection.select_all(\"/* fetch the assignment itself */\\nWITH models AS (\\n SELECT *\\n FROM #{Assignment.quoted_table_name}\\n WHERE\\n id IN (#{(([context.active_assignments] or assignment_collection).first.except(:order).select(:id).to_sql or Assignment.where(:id => ([context.active_assignments] or assignment_collection).first.except(:order).select(:id).to_sql).pluck(:id)).join(\",\")}) AND\\n workflow_state <> 'deleted' AND\\n context_id = #{context.id} AND context_type = 'Course'\\n),\\n\\n/* fetch all overrides for this assignment */\\nassignment_overrides AS (\\n SELECT\\n o.id,\\n o.assignment_id,\\n o.set_type,\\n o.set_id,\\n o.due_at_overridden,\\n CASE WHEN o.due_at_overridden IS TRUE THEN o.due_at ELSE a.due_at END AS due_at,\\n o.unassign_item\\n FROM\\n models a\\n INNER JOIN #{AssignmentOverride.quoted_table_name} o ON o.assignment_id = a.id\\n WHERE\\n o.workflow_state = 'active'\\n),\\n\\n#{context_module_overrides}\\n\\n#{union_all_overrides}\\n\\n/* fetch all students affected by adhoc overrides */\\noverride_adhoc_students AS (\\n SELECT\\n os.user_id AS student_id,\\n TRUE as active_in_section,\\n o.assignment_id,\\n o.id AS override_id,\\n date_trunc('minute', o.due_at) AS trunc_due_at,\\n o.due_at,\\n o.set_type AS override_type,\\n o.due_at_overridden,\\n o.unassign_item,\\n 1 AS priority\\n FROM\\n overrides o\\n INNER JOIN #{AssignmentOverrideStudent.quoted_table_name} os ON os.assignment_override_id = o.id AND\\n os.workflow_state = 'active'\\n WHERE\\n o.set_type = 'ADHOC'\\n #{filter_students_sql(\"os\")}\\n),\\n\\n/* fetch all students affected by group overrides */\\noverride_groups_students AS (\\n SELECT\\n gm.user_id AS student_id,\\n TRUE as active_in_section,\\n o.assignment_id,\\n o.id AS override_id,\\n date_trunc('minute', o.due_at) AS trunc_due_at,\\n o.due_at,\\n o.set_type AS override_type,\\n o.due_at_overridden,\\n o.unassign_item,\\n 2 AS priority\\n FROM\\n overrides o\\n INNER JOIN 
#{Group.quoted_table_name} g ON g.id = o.set_id\\n INNER JOIN #{GroupMembership.quoted_table_name} gm ON gm.group_id = g.id\\n WHERE\\n o.set_type = 'Group' AND\\n g.workflow_state <> 'deleted' AND\\n gm.workflow_state = 'accepted'\\n #{filter_students_sql(\"gm\")}\\n),\\n\\n/* fetch all students affected by section overrides */\\noverride_sections_students AS (\\n SELECT\\n e.user_id AS student_id,\\n #{active_in_section_sql} AS active_in_section,\\n o.assignment_id,\\n o.id AS override_id,\\n date_trunc('minute', o.due_at) AS trunc_due_at,\\n o.due_at,\\n o.set_type AS override_type,\\n o.due_at_overridden,\\n o.unassign_item,\\n 2 AS priority\\n FROM\\n overrides o\\n INNER JOIN #{CourseSection.quoted_table_name} s ON s.id = o.set_id\\n INNER JOIN #{Enrollment.quoted_table_name} e ON e.course_section_id = s.id\\n WHERE\\n o.set_type = 'CourseSection' AND\\n s.workflow_state <> 'deleted' AND\\n e.workflow_state NOT IN ('rejected', 'deleted') AND\\n e.type IN ('StudentEnrollment', 'StudentViewEnrollment')\\n #{filter_students_sql(\"e\")}\\n),\\n\\n#{course_overrides}\\n\\n/* fetch all students who have an 'Everyone Else'\\n due date applied to them from the assignment */\\noverride_everyonelse_students AS (\\n SELECT\\n e.user_id AS student_id,\\n TRUE as active_in_section,\\n a.id as assignment_id,\\n NULL::integer AS override_id,\\n date_trunc('minute', a.due_at) AS trunc_due_at,\\n a.due_at,\\n 'Everyone Else'::varchar AS override_type,\\n FALSE AS due_at_overridden,\\n FALSE AS unassign_item,\\n 3 AS priority\\n FROM\\n models a\\n INNER JOIN #{Enrollment.quoted_table_name} e ON e.course_id = a.context_id\\n WHERE\\n e.workflow_state NOT IN ('rejected', 'deleted') AND\\n e.type IN ('StudentEnrollment', 'StudentViewEnrollment') AND\\n #{visible_to_everyone}\\n #{filter_students_sql(\"e\")}\\n),\\n\\n/* join all these students together into a single table */\\noverride_all_students AS (\\n SELECT * FROM override_adhoc_students\\n UNION ALL\\n SELECT * FROM 
override_groups_students\\n UNION ALL\\n SELECT * FROM override_sections_students\\n UNION ALL\\n #{union_course_overrides}\\n SELECT * FROM override_everyonelse_students\\n),\\n\\n/* and pick the latest override date as the effective due date */\\ncalculated_overrides AS (\\n SELECT DISTINCT ON (student_id, assignment_id)\\n *\\n FROM override_all_students\\n ORDER BY student_id ASC, assignment_id ASC, active_in_section DESC, due_at_overridden DESC, priority ASC, due_at DESC NULLS FIRST\\n),\\n\\n/* now find all grading periods, including both\\n legacy course periods and newer account-level periods */\\ncourse_and_account_grading_periods AS (\\n SELECT DISTINCT ON (gp.id)\\n gp.id,\\n date_trunc('minute', gp.start_date) AS start_date,\\n date_trunc('minute', gp.end_date) AS end_date,\\n date_trunc('minute', gp.close_date) AS close_date,\\n gpg.course_id,\\n gpg.account_id\\n FROM\\n models a\\n INNER JOIN #{Course.quoted_table_name} c ON c.id = a.context_id\\n INNER JOIN #{EnrollmentTerm.quoted_table_name} term ON c.enrollment_term_id = term.id\\n LEFT OUTER JOIN #{GradingPeriodGroup.quoted_table_name} gpg ON\\n gpg.course_id = c.id OR gpg.id = term.grading_period_group_id\\n LEFT OUTER JOIN #{GradingPeriod.quoted_table_name} gp ON gp.grading_period_group_id = gpg.id\\n WHERE\\n gpg.workflow_state = 'active' AND\\n gp.workflow_state = 'active'\\n),\\n\\n/* then filter down to the grading periods we care about:\\n if legacy periods exist, only return those. Otherwise,\\n return the account-level periods. 
*/\\napplied_grading_periods AS (\\n SELECT *\\n FROM course_and_account_grading_periods\\n WHERE\\n EXISTS (\\n SELECT 1 FROM course_and_account_grading_periods WHERE course_id IS NOT NULL\\n ) AND course_id IS NOT NULL\\n UNION ALL\\n SELECT *\\n FROM course_and_account_grading_periods\\n WHERE\\n NOT EXISTS (\\n SELECT 1 FROM course_and_account_grading_periods WHERE course_id IS NOT NULL\\n ) AND account_id IS NOT NULL\\n),\\n\\n/* infinite due dates are put in the last grading period.\\n better to fetch it once since we'll likely reference it multiple times below */\\nlast_period AS (\\n SELECT id, close_date FROM applied_grading_periods ORDER BY end_date DESC LIMIT 1\\n)\\n\\n/* finally bring it all together! */\\nSELECT\\n overrides.assignment_id,\\n overrides.student_id,\\n overrides.due_at,\\n overrides.override_type,\\n overrides.override_id,\\n CASE\\n /* check whether or not this due date falls in a closed grading period */\\n WHEN overrides.due_at IS NOT NULL AND '#{Time.zone.now.iso8601}'::timestamptz >= periods.close_date THEN TRUE\\n /* when no explicit due date is provided, we treat it as if it's in the latest grading period */\\n WHEN overrides.due_at IS NULL AND\\n overrides.override_type <> 'Submission' AND\\n '#{Time.zone.now.iso8601}'::timestamptz >= (SELECT close_date FROM last_period) THEN TRUE\\n ELSE FALSE\\n END AS closed,\\n CASE\\n /* if infinite due date, put it in the last grading period */\\n WHEN overrides.due_at IS NULL AND\\n overrides.override_type <> 'Submission' THEN (SELECT id FROM last_period)\\n /* otherwise, put it in whatever grading period id we found for it */\\n ELSE periods.id\\n END AS grading_period_id\\nFROM calculated_overrides overrides\\n/* match the effective due date with its grading period */\\nLEFT OUTER JOIN applied_grading_periods periods ON\\n periods.start_date < overrides.trunc_due_at AND overrides.trunc_due_at <= periods.end_date\\n#{unassign_item}\\n\".squish)",
"render_path": null,
"location": {
"type": "method",
"class": "EffectiveDueDates",
"method": "query"
},
"user_input": "Assignment.where(:id => ([context.active_assignments] or assignment_collection).first.except(:order).select(:id).to_sql).pluck(:id)",
"confidence": "High",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "689b10c1f76b6025687096dd27fac6c2d7d2bb1490dfc65565cb82f00ce0f7f3",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/microsoft_sync/partial_sync_change.rb",
"line": 46,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "where(\"(#{columns.map do\n connection.quote_column_name(col)\n end.join(\",\")}) IN (#{values_arrays.map do\n ((\"(\" + arr.map do\n connection.quote(val)\n end.join(\",\")) + \")\")\n end.join(\",\")})\")",
"render_path": null,
"location": {
"type": "method",
"class": "MicrosoftSync::PartialSyncChange",
"method": null
},
"user_input": "columns.map do\n connection.quote_column_name(col)\n end.join(\",\")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SSL Verification Bypass",
"warning_code": 71,
"fingerprint": "71766e29dc8e6273a59497da6001858b23b05989c9330c94ac2b960c406119c0",
"check_name": "SSLVerify",
"message": "SSL certificate verification was bypassed",
"file": "gems/canvas_kaltura/lib/canvas_kaltura/kaltura_client_v3.rb",
"line": 395,
"link": "https://brakemanscanner.org/docs/warning_types/ssl_verification_bypass/",
"code": "Net::HTTP.new(\"www.kaltura.com\", (if (CanvasKaltura::ClientV3.config[\"protocol\"] != \"http\") then\n Net::HTTP.https_default_port\nelse\n Net::HTTP.http_default_port\nend)).verify_mode = OpenSSL::SSL::VERIFY_NONE",
"render_path": null,
"location": {
"type": "method",
"class": "CanvasKaltura::ClientV3",
"method": "sendRequest"
},
"user_input": null,
"confidence": "High",
"cwe_id": [
295
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "717fe8c412477ae1bd601e83543d17b5e1a9590f8830eaa5d44f55db7362c1e1",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/data_fixup/populate_root_account_id_on_asset_user_accesses.rb",
"line": 29,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "AssetUserAccess.where(:id => ((min..max)), :context_type => \"User\").where(\"asset_code NOT LIKE ALL (ARRAY[#{[*[\"attachment\", \"calendar_event\", \"group\", \"course\"], \"user\"].map do\n \"'%#{t}%'\"\n end.join(\",\")}])\")",
"render_path": null,
"location": {
"type": "method",
"class": "DataFixup::PopulateRootAccountIdOnAssetUserAccesses",
"method": "s(:self).populate"
},
"user_input": "[*[\"attachment\", \"calendar_event\", \"group\", \"course\"], \"user\"].map do\n \"'%#{t}%'\"\n end.join(\",\")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "Redirect",
"warning_code": 18,
"fingerprint": "71b088629b59eb0c66dd0aab5736ecda1061b31aeaaf58fbc71dae0114d91fa5",
"check_name": "Redirect",
"message": "Possible unprotected redirect",
"file": "app/controllers/courses_controller.rb",
"line": 3412,
"link": "https://brakemanscanner.org/docs/warning_types/redirect/",
"code": "redirect_to((params[:continue_to] or course_url(@course)))",
"render_path": null,
"location": {
"type": "method",
"class": "CoursesController",
"method": "render_update_success"
},
"user_input": "params[:continue_to]",
"confidence": "High",
"cwe_id": [
601
],
"note": ""
},
{
"warning_type": "File Access",
"warning_code": 16,
"fingerprint": "74a55118935cb7380eac981c319e00702be0820eba0d660b45435563caceb4ac",
"check_name": "SendFile",
"message": "Model attribute used in file name",
"file": "app/controllers/files_controller.rb",
"line": 1552,
"link": "https://brakemanscanner.org/docs/warning_types/file_access/",
"code": "send_file(Thumbnail.where(:id => params[:id], :uuid => params[:uuid]).first.full_filename, :content_type => Thumbnail.where(:id => params[:id], :uuid => params[:uuid]).first.content_type)",
"render_path": null,
"location": {
"type": "method",
"class": "FilesController",
"method": "show_thumbnail"
},
"user_input": "Thumbnail.where(:id => params[:id], :uuid => params[:uuid]).first.full_filename",
"confidence": "Medium",
"cwe_id": [
22
],
"note": ""
},
{
"warning_type": "Cross-Site Scripting",
"warning_code": 2,
"fingerprint": "781bcd475f1cc9f734536572daca9d75fb12c7a0a6140708522d93126b6e9712",
"check_name": "CrossSiteScripting",
"message": "Unescaped model attribute",
"file": "app/views/shared/_maintenance_window.html.erb",
"line": 11,
"link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
"code": "Setting.get(\"global_maintenance_notice\", \"\")",
"render_path": [
{
"type": "controller",
"class": "ProfileController",
"method": "settings",
"line": 232,
"file": "app/controllers/profile_controller.rb",
"rendered": {
"name": "profile/profile",
"file": "app/views/profile/profile.html.erb"
}
},
{
"type": "template",
"name": "profile/profile",
"line": 163,
"file": "app/views/profile/profile.html.erb",
"rendered": {
"name": "shared/_maintenance_window",
"file": "app/views/shared/_maintenance_window.html.erb"
}
}
],
"location": {
"type": "template",
"template": "shared/_maintenance_window"
},
"user_input": null,
"confidence": "Medium",
"cwe_id": [
79
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "7a508e1af8899d8b5e2727fdf138717ab1ca1ec71ab4f8544f1acd5fc9078f71",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/unzip_attachment.rb",
"line": 163,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Attachment.where(:id => id_positions.keys).update_all(\"position=CASE #{id_positions.inject([]) do\n memo.tap do\n (m << \"WHEN id=#{id} THEN #{position}\") if id and position\n end\n end.join(\" \")} ELSE position END\")",
"render_path": null,
"location": {
"type": "method",
"class": "UnzipAttachment",
"method": "update_attachment_positions"
},
"user_input": "id_positions.inject([]) do\n memo.tap do\n (m << \"WHEN id=#{id} THEN #{position}\") if id and position\n end\n end.join(\" \")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "Command Injection",
"warning_code": 14,
"fingerprint": "816a81c5f19187c4a3855a2d49727ffd2f07c31284f44ba2621ae92b83576bdc",
"check_name": "Execute",
"message": "Possible command injection",
"file": "lib/cc/importer/canvas/quiz_converter.rb",
"line": 46,
"link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
"code": "`#{Qti.get_conversion_command(File.join(qti_folder, \"qti_2_1\"), qti_folder)}`",
"render_path": null,
"location": {
"type": "method",
"class": "CC::Importer::Canvas::QuizConverter",
"method": "run_qti_converter"
},
"user_input": "Qti.get_conversion_command(File.join(qti_folder, \"qti_2_1\"), qti_folder)",
"confidence": "Medium",
"cwe_id": [
77
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "871762919d635836a40277367e84b1427e48755b97056fc79f826168f35ffcbc",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/conversation.rb",
"line": 803,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "self.class.where([\"(#{col} IS NULL OR #{col} < ?)\", val])",
"render_path": null,
"location": {
"type": "method",
"class": "Conversation",
"method": "maybe_update_timestamp"
},
"user_input": "col",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "Redirect",
"warning_code": 18,
"fingerprint": "89637035fa3c2dd610d49b418965783e6e3c841d0939c727f3361785cf319ef6",
"check_name": "Redirect",
"message": "Possible unprotected redirect",
"file": "app/controllers/users_controller.rb",
"line": 2461,
"link": "https://brakemanscanner.org/docs/warning_types/redirect/",
"code": "redirect_to(User.avatar_fallback_url(Shard.shard_for(Shard.global_id_for(User.user_id_from_avatar_key(params[:user_id]))).activate do\n Rails.cache.fetch(Cacher.avatar_cache_key(Shard.global_id_for(User.user_id_from_avatar_key(params[:user_id])), ((request.env[\"canvas.domain_root_account\"] or LoadAccount.default_domain_root_account).settings[:avatars] or \"enabled\"))) do\n user = User.where(:id => Shard.global_id_for(User.user_id_from_avatar_key(params[:user_id]))).first\nif User.where(:id => Shard.global_id_for(User.user_id_from_avatar_key(params[:user_id]))).first then\n User.where(:id => Shard.global_id_for(User.user_id_from_avatar_key(params[:user_id]))).first.avatar_url(nil, ((request.env[\"canvas.domain_root_account\"] or LoadAccount.default_domain_root_account).settings[:avatars] or \"enabled\"))\nelse\n \"/images/messages/avatar-50.png\"\nend\n end\n end, request))",
"render_path": null,
"location": {
"type": "method",
"class": "UsersController",
"method": "avatar_image"
},
"user_input": "User.avatar_fallback_url(Shard.shard_for(Shard.global_id_for(User.user_id_from_avatar_key(params[:user_id]))).activate do\n Rails.cache.fetch(Cacher.avatar_cache_key(Shard.global_id_for(User.user_id_from_avatar_key(params[:user_id])), ((request.env[\"canvas.domain_root_account\"] or LoadAccount.default_domain_root_account).settings[:avatars] or \"enabled\"))) do\n user = User.where(:id => Shard.global_id_for(User.user_id_from_avatar_key(params[:user_id]))).first\nif User.where(:id => Shard.global_id_for(User.user_id_from_avatar_key(params[:user_id]))).first then\n User.where(:id => Shard.global_id_for(User.user_id_from_avatar_key(params[:user_id]))).first.avatar_url(nil, ((request.env[\"canvas.domain_root_account\"] or LoadAccount.default_domain_root_account).settings[:avatars] or \"enabled\"))\nelse\n \"/images/messages/avatar-50.png\"\nend\n end\n end, request)",
"confidence": "High",
"cwe_id": [
601
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "96ad8f781198eb407e8e108f14a4aa2c4d98bf212125ff66f6cde643bc5bf029",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/master_courses/folder_helper.rb",
"line": 50,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Folder.connection.select_values(\"WITH RECURSIVE t AS (\\n SELECT id, parent_folder_id FROM #{Folder.quoted_table_name} WHERE id IN (#{(Set.new << folder_id).to_a.sort.join(\",\")})\\n UNION\\n SELECT folders.id, folders.parent_folder_id FROM #{Folder.quoted_table_name} INNER JOIN t ON folders.id=t.parent_folder_id\\n)\\nSELECT DISTINCT id FROM t\\n\".squish)",
"render_path": null,
"location": {
"type": "method",
"class": "MasterCourses::FolderHelper",
"method": "MasterCourses::FolderHelper.locked_folder_ids_for_course"
},
"user_input": "(Set.new << folder_id).to_a.sort.join(\",\")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "9a056ab1dd378ca2b48c03d247f078f182dcd9bf97e1b6523000bc6c19c2069d",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/controllers/accounts_controller.rb",
"line": 1270,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "AccountReport.from(\"unnest('{#{AccountReport.available_reports.keys.join(\",\")}}'::text[]) report_types (name),\\n LATERAL (#{@account.account_reports.active.where(\"report_type=name\").most_recent.to_sql}) account_reports \")",
"render_path": null,
"location": {
"type": "method",
"class": "AccountsController",
"method": "reports_tab"
},
"user_input": "AccountReport.available_reports.keys",
"confidence": "High",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "9a6b6fc9cd26ea7f2aad82b855ef41aa7da0d90fb2209a362a9e686a4f8fc3bd",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/grade_calculator.rb",
"line": 627,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "ScoreMetadata.connection.execute(\"\\n INSERT INTO #{ScoreMetadata.quoted_table_name}\\n (score_id, calculation_details, created_at, updated_at)\\n SELECT\\n scores.id AS score_id,\\n CASE enrollments.user_id\\n #{{ user_id => ({ :current => ({ :dropped => scores[:current][:dropped] }), :final => ({ :dropped => scores[:final][:dropped] }) }) }.map do\n \"WHEN #{user_id} THEN cast('#{dropped.to_json}' as json)\"\n end.join(\" \")}\\n ELSE NULL\\n END AS calculation_details,\\n #{updated_at} AS created_at,\\n #{updated_at} AS updated_at\\n FROM #{Score.quoted_table_name} scores\\n INNER JOIN #{Enrollment.quoted_table_name} enrollments ON\\n enrollments.id = scores.enrollment_id\\n LEFT OUTER JOIN #{ScoreMetadata.quoted_table_name} metadata ON\\n metadata.score_id = scores.id\\n WHERE\\n scores.enrollment_id IN (#{joined_enrollment_ids}) AND\\n scores.assignment_group_id IS NULL AND\\n #{if opts.reverse_merge(:emit_live_event => true, :ignore_muted => true, :update_all_grading_period_scores => true, :update_course_score => true, :only_update_course_gp_metadata => false, :only_update_points => false)[:grading_period] then\n \"scores.grading_period_id = #{opts.reverse_merge(:emit_live_event => true, :ignore_muted => true, :update_all_grading_period_scores => true, :update_course_score => true, :only_update_course_gp_metadata => false, :only_update_points => false)[:grading_period].id}\"\nelse\n \"scores.course_score IS TRUE\"\nend}\\n ORDER BY enrollment_id\\n ON CONFLICT (score_id)\\n DO UPDATE SET\\n calculation_details = excluded.calculation_details,\\n updated_at = excluded.updated_at\\n ;\\n \")",
"render_path": null,
"location": {
"type": "method",
"class": "GradeCalculator",
"method": "save_course_and_grading_period_metadata"
},
"user_input": "{ user_id => ({ :current => ({ :dropped => scores[:current][:dropped] }), :final => ({ :dropped => scores[:final][:dropped] }) }) }.map do\n \"WHEN #{user_id} THEN cast('#{dropped.to_json}' as json)\"\n end.join(\" \")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "9b42b79c842d4fd260f8204a367999ddb93a8c6abe72445831f6a491b036eb7b",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/submission_lifecycle_manager.rb",
"line": 369,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Submission.where(\"(assignment_id, user_id) IN (#{assignment_and_student_id_values(:entries => entries).join(\",\")})\")",
"render_path": null,
"location": {
"type": "method",
"class": "SubmissionLifecycleManager",
"method": "current_cached_due_dates"
},
"user_input": "assignment_and_student_id_values(:entries => entries).join(\",\")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "9e213c3440080230acd65f00562b9bd0d1c1c2c673fd32a020d1ca3c6e2cdb82",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/assignment_override.rb",
"line": 339,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "where(\"#{field}_overridden\" => true)",
"render_path": null,
"location": {
"type": "method",
"class": "AssignmentOverride",
"method": "AssignmentOverride.override"
},
"user_input": "field",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "a0f1ce90e4aa763c6d7cfdc66b61468e0786329151f922c828db9675c8d66d2a",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/controllers/conversations_controller.rb",
"line": 1069,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "InstStatsd::Statsd.count(\"inbox.conversation.unstarred.legacy\", params[:conversation_ids].length)",
"render_path": null,
"location": {
"type": "method",
"class": "ConversationsController",
"method": "batch_update"
},
"user_input": "params[:conversation_ids].length",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "Remote Code Execution",
"warning_code": 24,
"fingerprint": "a10a5c57e907f73230c60579e08bc331c9d035418e0d8aafa82892c516b2a439",
"check_name": "UnsafeReflection",
"message": "Unsafe reflection method `const_get` called with parameter value",
"file": "app/controllers/application_controller.rb",
"line": 1459,
"link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
"code": "Object.const_get((params[:feed_code].split(\"_\", 2) or [\"group_membership\", params[:feed_code].split(\"_\", 3)[-1]])[0].classify, false)",
"render_path": null,
"location": {
"type": "method",
"class": "ApplicationController",
"method": "get_feed_context"
},
"user_input": "params[:feed_code].split(\"_\", 2)",
"confidence": "High",
"cwe_id": [
470
],
"note": ""
},
{
"warning_type": "Denial of Service",
"warning_code": 76,
"fingerprint": "a2a6a8e4413742bb617c0d22e1f1a7e475dd474d5812ed9391965b471b5958be",
"check_name": "RegexDoS",
"message": "Model attribute used in regular expression",
"file": "app/models/course.rb",
"line": 2776,
"link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
"code": "/\\A#{(Folder.root_folders(self).first.name + \"/\")}/",
"render_path": null,
"location": {
"type": "method",
"class": "Course",
"method": "copy_attachments_from_course"
},
"user_input": "(Folder.root_folders(self).first.name + \"/\")",
"confidence": "Medium",
"cwe_id": [
20,
185
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "acb766c09a1b84e9ea08d27d1677bf0c0cce0c66003733bb303d7ac71a89ee82",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/controllers/accounts_controller.rb",
"line": 1265,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "AccountReport.from(\"unnest('{#{AccountReport.available_reports.keys.join(\",\")}}'::text[]) report_types (name),\\n LATERAL (#{@account.account_reports.active.where(\"report_type=name\").most_recent.complete.to_sql}) account_reports \")",
"render_path": null,
"location": {
"type": "method",
"class": "AccountsController",
"method": "reports_tab"
},
"user_input": "AccountReport.available_reports.keys",
"confidence": "High",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "b3c753e3a88f578bc30834acd3a1229fef11d45e40e9b54a3b1d424267faacab",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/student_enrollment.rb",
"line": 95,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Submission.joins(:assignment).where(:user_id => students.map(&:user_id), :workflow_state => \"deleted\", :assignments => ({ :context_id => course_id })).merge(Assignment.active).in_batches.update_all(\"workflow_state = #{SubmissionLifecycleManager.infer_submission_workflow_state_sql}\")",
"render_path": null,
"location": {
"type": "method",
"class": "StudentEnrollment",
"method": "s(:self).restore_deleted_submissions_for_enrollments"
},
"user_input": "SubmissionLifecycleManager.infer_submission_workflow_state_sql",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "Redirect",
"warning_code": 18,
"fingerprint": "b4bda6b6d94b643b15299eded526f9e3f9dfc51f70eda595793d94901233d46a",
"check_name": "Redirect",
"message": "Possible unprotected redirect",
"file": "app/controllers/crocodoc_sessions_controller.rb",
"line": 53,
"link": "https://brakemanscanner.org/docs/warning_types/redirect/",
"code": "redirect_to(Attachment.find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"crocodoc\")[\"attachment_id\"]).crocodoc_document.session_url(:user => (((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id]))), :annotations => ((value_to_boolean(params[:annotations]) or true)), :enable_annotations => extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"crocodoc\")[\"enable_annotations\"], :moderated_grading_allow_list => extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"crocodoc\")[\"moderated_grading_allow_list\"]))",
"render_path": null,
"location": {
"type": "method",
"class": "CrocodocSessionsController",
"method": "show"
},
"user_input": "Attachment.find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"crocodoc\")[\"attachment_id\"]).crocodoc_document.session_url(:user => (((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id]))), :annotations => ((value_to_boolean(params[:annotations]) or true)), :enable_annotations => extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"crocodoc\")[\"enable_annotations\"], :moderated_grading_allow_list => extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"crocodoc\")[\"moderated_grading_allow_list\"])",
"confidence": "High",
"cwe_id": [
601
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "b6944f1077661151ed28a4f2c1c874378a58ac2f622d61a3fec18f74e9db7d5b",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/submission_lifecycle_manager.rb",
"line": 380,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Submission.where(\"(assignment_id, user_id) IN (#{assignment_and_student_id_values(:entries => entries).join(\",\")})\")",
"render_path": null,
"location": {
"type": "method",
"class": "SubmissionLifecycleManager",
"method": "record_due_date_changes_for_auditable_assignments!"
},
"user_input": "assignment_and_student_id_values(:entries => entries).join(\",\")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "b7c9d38286006de6cec6c394b56539441c1fcff05b2fd66c311665f4efa50df5",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "config/initializers/active_record.rb",
"line": 471,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "find_by_sql((((+\"\" << \"SELECT NULL AS #{column.to_s} WHERE EXISTS (SELECT * FROM #{quoted_table_name} WHERE #{column.to_s} IS NULL) UNION ALL (\") << \"WITH RECURSIVE t AS (\\n SELECT MIN(#{column.to_s}) AS #{column.to_s} FROM #{quoted_table_name}\\n UNION ALL\\n SELECT (SELECT MIN(#{column.to_s}) FROM #{quoted_table_name} WHERE #{column.to_s} > t.#{column.to_s})\\n FROM t\\n WHERE t.#{column.to_s} IS NOT NULL\\n)\\nSELECT #{column.to_s} FROM t WHERE #{column.to_s} IS NOT NULL\\n\".squish) << \")\"))",
"render_path": null,
"location": {
"type": "method",
"class": "ActiveRecord::Base",
"method": "distinct_values"
},
"user_input": "column",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "c041acd84098433ca9432cdcd67d0c95382085a6ed4a7ceb73597d9bd235f62a",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "config/initializers/active_record.rb",
"line": 417,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Arel.sql((\"(#{col} COLLATE #{Canvas::ICU.choose_pg12_collation(connection.icu_collations)})\" or \"CAST(LOWER(replace(#{col}, '\\\\', '\\\\\\\\')) AS bytea)\"))",
"render_path": null,
"location": {
"type": "method",
"class": "ActiveRecord::Base",
"method": "best_unicode_collation_key"
},
"user_input": "col",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "Redirect",
"warning_code": 18,
"fingerprint": "c6e825e0dac404ef42cb2c45a2ae0b261e506f3c1ccebeadab67e0c289aaf8d6",
"check_name": "Redirect",
"message": "Possible unprotected redirect",
"file": "app/controllers/quizzes/quiz_submissions_controller.rb",
"line": 114,
"link": "https://brakemanscanner.org/docs/warning_types/redirect/",
"code": "redirect_to((params[:next_question_path] or course_quiz_take_path(@context, require_quiz)))",
"render_path": null,
"location": {
"type": "method",
"class": "Quizzes::QuizSubmissionsController",
"method": "backup"
},
"user_input": "params[:next_question_path]",
"confidence": "High",
"cwe_id": [
601
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "c76f489b64a73c0ca7d8a2e3c7e74d1571d1c5467816a496fa75d8af38eba2b7",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/submission_lifecycle_manager.rb",
"line": 515,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Submission.deleted.joins(\"INNER JOIN (VALUES #{batch.each_with_object([]) do\n next unless entry[5]\n(memo << \"(#{entry.first}, #{entry.second})\")\n end.join(\",\")})\\nAS vals(assignment_id, student_id)\\nON submissions.assignment_id = vals.assignment_id\\nAND submissions.user_id = vals.student_id\\n\".squish)",
"render_path": null,
"location": {
"type": "method",
"class": "SubmissionLifecycleManager",
"method": "handle_lti_deleted_submissions"
},
"user_input": "batch.each_with_object([]) do\n next unless entry[5]\n(memo << \"(#{entry.first}, #{entry.second})\")\n end.join(\",\")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "c890ecf49f56bc04f77b5c49645f28eb3dc83c6da9ba94971b9bb8dbb7753c7f",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "config/initializers/active_record.rb",
"line": 446,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Arel.sql((ary.each_with_index.inject(+\"CASE \") do\n (((string << \"WHEN #{col} IN (\") << Array(values).map do\n connection.quote(value)\n end.join(\", \")) << \") THEN #{i} \")\n end << \"ELSE #{ary.size} END\"))",
"render_path": null,
"location": {
"type": "method",
"class": "ActiveRecord::Base",
"method": "rank_sql"
},
"user_input": "ary.size",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "c901e8d9c6d87ae7cd343307e2fdd0dd945d986073fd4f5a95d229f787f2c3aa",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/grade_calculator.rb",
"line": 585,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Score.connection.execute(\"INSERT INTO #{Score.quoted_table_name}\\n (\\n enrollment_id, grading_period_id,\\n #{columns_to_insert_or_update[:columns].join(\", \")},\\n course_score, root_account_id, created_at, updated_at\\n )\\n SELECT\\n enrollments.id as enrollment_id,\\n #{(opts.reverse_merge(:emit_live_event => true, :ignore_muted => true, :update_all_grading_period_scores => true, :update_course_score => true, :only_update_course_gp_metadata => false, :only_update_points => false)[:grading_period].id or \"NULL\")} as grading_period_id,\\n #{columns_to_insert_or_update[:insert_values].join(\", \")},\\n #{if opts.reverse_merge(:emit_live_event => true, :ignore_muted => true, :update_all_grading_period_scores => true, :update_course_score => true, :only_update_course_gp_metadata => false, :only_update_points => false)[:grading_period] then\n \"FALSE\"\nelse\n \"TRUE\"\nend} AS course_score,\\n #{(course or Course.find(course)).root_account_id} AS root_account_id,\\n #{updated_at} as created_at,\\n #{updated_at} as updated_at\\n FROM #{Enrollment.quoted_table_name} enrollments\\n WHERE\\n enrollments.id IN (#{joined_enrollment_ids})\\n ORDER BY enrollment_id\\nON CONFLICT #{(\"(enrollment_id, grading_period_id) WHERE grading_period_id IS NOT NULL\" or \"(enrollment_id) WHERE course_score\")}\\nDO UPDATE SET\\n #{columns_to_insert_or_update[:update_values].join(\", \")},\\n updated_at = excluded.updated_at,\\n root_account_id = #{(course or Course.find(course)).root_account_id},\\n /* if workflow_state was previously deleted for some reason, update it to active */\\n workflow_state = COALESCE(NULLIF(excluded.workflow_state, 'deleted'), 'active')\\n\".squish)",
"render_path": null,
"location": {
"type": "method",
"class": "GradeCalculator",
"method": "save_course_and_grading_period_scores"
},
"user_input": "columns_to_insert_or_update[:columns].join(\", \")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "ceace5f886c43ebf68ea786a6db672f2d12d24a19024d5249481953636bb15be",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/grade_calculator.rb",
"line": 690,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Score.connection.execute(\"\\n INSERT INTO #{Score.quoted_table_name} (\\n enrollment_id, assignment_group_id,\\n #{assignment_group_columns_to_insert_or_update[:value_names].join(\", \")},\\n course_score, root_account_id, created_at, updated_at\\n )\\n SELECT\\n val.enrollment_id AS enrollment_id,\\n val.assignment_group_id as assignment_group_id,\\n #{assignment_group_columns_to_insert_or_update[:insert_columns].join(\", \")},\\n FALSE AS course_score,\\n #{(course or Course.find(course)).root_account_id} AS root_account_id,\\n #{updated_at} AS created_at,\\n #{updated_at} AS updated_at\\n FROM (VALUES #{score_values.join(\",\")}) val\\n (\\n enrollment_id,\\n assignment_group_id,\\n #{assignment_group_columns_to_insert_or_update[:value_names].join(\", \")}\\n )\\n ORDER BY assignment_group_id, enrollment_id\\n ON CONFLICT (enrollment_id, assignment_group_id) WHERE assignment_group_id IS NOT NULL\\n DO UPDATE SET\\n #{assignment_group_columns_to_insert_or_update[:update_columns].join(\", \")},\\n updated_at = excluded.updated_at,\\n root_account_id = #{(course or Course.find(course)).root_account_id},\\n workflow_state = COALESCE(NULLIF(excluded.workflow_state, 'deleted'), 'active')\\n \")",
"render_path": null,
"location": {
"type": "method",
"class": "GradeCalculator",
"method": "save_assignment_group_scores"
},
"user_input": "assignment_group_columns_to_insert_or_update[:value_names].join(\", \")",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "cec8031bba49b8646b56c280ca44ed94a1faf8c9acb2bfee6ddcbbc3b8624df4",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/support_helpers/tii.rb",
"line": 114,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Assignment.joins(:submissions).where(updated_field.gt(@after_time)).where(updated_field.lt((Time.now - 1.hour))).where(\"submissions.#{like_error}\")",
"render_path": null,
"location": {
"type": "method",
"class": "SupportHelpers::Tii::ShardFixer",
"method": "load_broken_objects"
},
"user_input": "like_error",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "Command Injection",
"warning_code": 14,
"fingerprint": "cf943f27ffad630d4ce885bc26aa6e169a537527edc37391f5b029de8c617ed3",
"check_name": "Execute",
"message": "Possible command injection",
"file": "lib/cc/importer/standard/quiz_converter.rb",
"line": 65,
"link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
"code": "`#{Qti.get_conversion_command(out_folder, qti_file)}`",
"render_path": null,
"location": {
"type": "method",
"class": "CC::Importer::Standard::QuizConverter",
"method": "run_qti_converter"
},
"user_input": "Qti.get_conversion_command(out_folder, qti_file)",
"confidence": "Medium",
"cwe_id": [
77
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "d20c023657e21d01d9b4c16ff26d7b5cc8ba74da73000106494ccb868ee7ba61",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "config/initializers/active_record.rb",
"line": 483,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Arel.sql(\"#{column} #{direction.to_s.upcase}#{(\" NULLS FIRST\" or \" NULLS LAST\" if (first_or_last == :last) and (direction == :desc))}\".strip)",
"render_path": null,
"location": {
"type": "method",
"class": "ActiveRecord::Base",
"method": "nulls"
},
"user_input": "column",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "d3e4717a8916952af677959ee1c92875143eb4e024d3f9816f3d3bd48fc0b620",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/score_statistics_generator.rb",
"line": 61,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "ScoreStatistic.connection.select_all(\"WITH want_assignments AS (\\n SELECT a.id, a.created_at\\n FROM #{Assignment.quoted_table_name} a\\n WHERE a.context_id = #{course_id} AND a.context_type = 'Course' AND a.workflow_state = 'published'\\n), interesting_submissions AS (\\n SELECT s.assignment_id, s.user_id, s.score, a.created_at\\n FROM #{Submission.quoted_table_name} s\\n JOIN want_assignments a ON s.assignment_id = a.id\\n WHERE\\n s.excused IS NOT true\\n AND s.score IS NOT NULL\\n AND s.workflow_state = 'graded'\\n), want_users AS (\\n SELECT e.user_id\\n FROM #{Enrollment.quoted_table_name} e\\n WHERE e.type = 'StudentEnrollment' AND e.course_id = #{course_id} AND e.workflow_state NOT IN ('rejected', 'completed', 'deleted', 'inactive')\\n)\\nSELECT\\n s.assignment_id AS id,\\n MAX(s.score) AS max,\\n MIN(s.score) AS min,\\n AVG(s.score) AS avg,\\n percentile_cont(0.25) WITHIN GROUP (ORDER BY s.score) AS lower_q,\\n percentile_cont(0.5) WITHIN GROUP (ORDER BY s.score) AS median,\\n percentile_cont(0.75) WITHIN GROUP (ORDER BY s.score) AS upper_q,\\n COUNT(*) AS count\\nFROM\\n interesting_submissions s\\nWHERE\\n s.user_id IN (SELECT user_id FROM want_users)\\nGROUP BY s.assignment_id\\nORDER BY MIN(s.created_at)\\n\".squish)",
"render_path": null,
"location": {
"type": "method",
"class": "ScoreStatisticsGenerator",
"method": "s(:self).update_assignment_score_statistics"
},
"user_input": "course_id",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "d9e3d493be1140161ebc0e6c35909dbef58fb8600f7a54a0213ae38fa6896ec0",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/controllers/conversations_controller.rb",
"line": 1068,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "InstStatsd::Statsd.count(\"inbox.conversation.starred.legacy\", params[:conversation_ids].length)",
"render_path": null,
"location": {
"type": "method",
"class": "ConversationsController",
"method": "batch_update"
},
"user_input": "params[:conversation_ids].length",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "dabae4a777574d01b57b41ada118b10e493d7d4d45c89a12b71dd497869423e3",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "config/initializers/active_record.rb",
"line": 899,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "connection.execute(\"CLOSE #{cursor}\")",
"render_path": null,
"location": null,
"user_input": "cursor",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "ded9e82288e144d1d531650c2d385aa95a6e3688d4d3ca04757c2c3a61db4119",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/controllers/conversations_controller.rb",
"line": 1070,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "InstStatsd::Statsd.count(\"inbox.conversation.unread.legacy\", params[:conversation_ids].length)",
"render_path": null,
"location": {
"type": "method",
"class": "ConversationsController",
"method": "batch_update"
},
"user_input": "params[:conversation_ids].length",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "e14633487d1c9c006defc492141952dfb9a5dc8cd263a9da35e73b41306153fe",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/graphql/loaders/discussion_entry_counts_loader.rb",
"line": 43,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "DiscussionEntry.joins(DiscussionEntry.participant_join_sql(current_user)).where(:discussion_entries => object_specific_hash(objects)).group(\"discussion_entries.#{object_id_string(objects.first)}\")",
"render_path": null,
"location": {
"type": "method",
"class": "Loaders::DiscussionEntryCountsLoader",
"method": "perform"
},
"user_input": "object_id_string(objects.first)",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "e237e4c3b49f118040123823a48d1367eb64a6bdf7e2719f43dc9f8b978ae1fb",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "config/initializers/active_record.rb",
"line": 703,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "where(\"#{key}<=? AND #{key}>?\", Shard::IDS_PER_SHARD, 0)",
"render_path": null,
"location": {
"type": "method",
"class": "ActiveRecord::Base",
"method": null
},
"user_input": "key",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "ebd1e0364dd1ddaee4778f4a5febc04517ff68e46110191b79ccdad8be96ee69",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "config/initializers/active_record.rb",
"line": 1047,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "connection.execute(\"ALTER TABLE #{\"#{table_name}_in_batches_temp_table_#{apply_limits(self, start, finish, order).to_sql.hash.abs.to_s(36)}\"[(-63..)]} ADD temp_primary_key SERIAL PRIMARY KEY\")",
"render_path": null,
"location": null,
"user_input": "\"#{table_name}_in_batches_temp_table_#{apply_limits(self, start, finish, order).to_sql.hash.abs.to_s(36)}\"[(-63..)]",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "ec99a7da7f724717d99dc78a5912e54af9681b11832d9e305f3ccf78a9a62299",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "config/initializers/active_record.rb",
"line": 886,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "connection.select_values(\"FETCH FORWARD #{of} FROM #{\"#{table_name}_in_batches_cursor_#{apply_limits(clone, start, finish, order).except(:select).select(primary_key).to_sql.hash.abs.to_s(36)}\"}\")",
"render_path": null,
"location": null,
"user_input": "of",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "ed7c9737aa0322745fdf46f8b995b7cbeb46a1823508dde7374a7a3a290a9ab9",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "config/initializers/active_record.rb",
"line": 1597,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "connection.select_value(\"SELECT COUNT(*) FROM pg_proc WHERE proname='#{procname}'\")",
"render_path": null,
"location": {
"type": "method",
"class": "ActiveRecord::Migration",
"method": "has_postgres_proc?"
},
"user_input": "procname",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "Redirect",
"warning_code": 18,
"fingerprint": "f18c6627c65a531716401e8792725bca3c11c11129d387a2aa86074a6c409cd5",
"check_name": "Redirect",
"message": "Possible unprotected redirect",
"file": "app/controllers/canvadoc_sessions_controller.rb",
"line": 165,
"link": "https://brakemanscanner.org/docs/warning_types/redirect/",
"code": "redirect_to(Attachment.find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"attachment_id\"]).canvadoc.session_url({ :preferred_plugins => ([\"pdfjs\", \"box_view\", \"crocodoc\"]), :enable_annotations => extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"enable_annotations\"], :use_cloudfront => true, :send_usage_metrics => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).account.feature_enabled?(:send_usage_metrics), :disable_annotation_notifications => ((extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"disable_annotation_notifications\"] or false)), :enrollment_type => ((extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"enrollment_type\"] or user_type(Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => 
\"canvadoc\")[\"submission_id\"]).assignment.context, ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id]))))), :canvas_base_url => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).assignment.course.root_account.domain, :user_id => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).id, :submission_user_ids => (if Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).group_id then\n Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).group.users.pluck(:id)\nelse\n [Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).user_id]\nend), :course_id => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or 
PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).assignment.context_id, :assignment_id => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).assignment.id, :submission_id => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).id, :post_manually => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).assignment.post_manually?, :posted_at => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).posted_at, :assignment_name => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => 
\"canvadoc\")[\"submission_id\"]).assignment.name, :audit_url => submission_docviewer_audit_events_url(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]), :anonymous_instructor_annotations => ((true or false)), :annotation_context => extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"annotation_context\"], :read_only => ((not Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).canvadocs_annotation_contexts.find_by(:launch_id => extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"annotation_context\"]).grants_right?(((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])), :annotate))) }.merge((Canvadocs.user_session_params(((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])), :submission => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or 
PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]), :attempt => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).canvadocs_annotation_contexts.find_by(:launch_id => extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"annotation_context\"]).submission_attempt) or Canvadocs.user_session_params(((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])), :attachment => Attachment.find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"attachment_id\"]))))))",
"render_path": null,
"location": {
"type": "method",
"class": "CanvadocSessionsController",
"method": "show"
},
"user_input": "Attachment.find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"attachment_id\"]).canvadoc.session_url({ :preferred_plugins => ([\"pdfjs\", \"box_view\", \"crocodoc\"]), :enable_annotations => extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"enable_annotations\"], :use_cloudfront => true, :send_usage_metrics => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).account.feature_enabled?(:send_usage_metrics), :disable_annotation_notifications => ((extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"disable_annotation_notifications\"] or false)), :enrollment_type => ((extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"enrollment_type\"] or user_type(Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => 
\"canvadoc\")[\"submission_id\"]).assignment.context, ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id]))))), :canvas_base_url => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).assignment.course.root_account.domain, :user_id => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).id, :submission_user_ids => (if Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).group_id then\n Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).group.users.pluck(:id)\nelse\n [Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).user_id]\nend), :course_id => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or 
PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).assignment.context_id, :assignment_id => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).assignment.id, :submission_id => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).id, :post_manually => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).assignment.post_manually?, :posted_at => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).posted_at, :assignment_name => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => 
\"canvadoc\")[\"submission_id\"]).assignment.name, :audit_url => submission_docviewer_audit_events_url(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]), :anonymous_instructor_annotations => ((true or false)), :annotation_context => extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"annotation_context\"], :read_only => ((not Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).canvadocs_annotation_contexts.find_by(:launch_id => extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"annotation_context\"]).grants_right?(((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])), :annotate))) }.merge((Canvadocs.user_session_params(((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])), :submission => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or 
PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]), :attempt => Submission.preload(:assignment).find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"submission_id\"]).canvadocs_annotation_contexts.find_by(:launch_id => extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"annotation_context\"]).submission_attempt) or Canvadocs.user_session_params(((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])), :attachment => Attachment.find(extract_blob(params[:hmac], params[:blob], \"user_id\" => ((((nil or PseudonymSession.find_with_validation.record) or Pseudonym.where(:id => (@policy_pseudonym_id)).first).user or nil) or api_find(User, session[:become_user_id])).global_id, \"type\" => \"canvadoc\")[\"attachment_id\"])))))",
"confidence": "High",
"cwe_id": [
601
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "f96846e71cf53aa7d47526eed20c2ca02e451bff985db00ef3e055729cafa938",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/controllers/user_observees_controller.rb",
"line": 343,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "UserAccountAssociation.joins(:account).where(:accounts => ({ :parent_account_id => nil })).where(:user_id => users.map(&:id)).group(:account_id).having(\"count(*) = #{users.map(&:id).length}\")",
"render_path": null,
"location": {
"type": "method",
"class": "UserObserveesController",
"method": "common_root_accounts_for"
},
"user_input": "users.map(&:id).length",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "fb7c5e3bf261ced366e1de5d90ecd0b3410ce8ba46fc18b3e5062fce721175c4",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/base/active_support/cache/safe_redis_race_condition.rb",
"line": 49,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "lock(\"lock:#{key}\", options)",
"render_path": null,
"location": {
"type": "method",
"class": "ActiveSupport::Cache::SafeRedisRaceCondition",
"method": "handle_expired_entry"
},
"user_input": "key",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "fb7c5e3bf261ced366e1de5d90ecd0b3410ce8ba46fc18b3e5062fce721175c4",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "lib/base/active_support/cache/safe_redis_race_condition.rb",
"line": 58,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "lock(\"lock:#{key}\", options)",
"render_path": null,
"location": {
"type": "method",
"class": "ActiveSupport::Cache::SafeRedisRaceCondition",
"method": "handle_expired_entry"
},
"user_input": "key",
"confidence": "Medium",
"cwe_id": [
89
],
"note": ""
},
{
"warning_type": "Denial of Service",
"warning_code": 76,
"fingerprint": "fc7f2d79b7dc9e8e7ebbde4dedf94b1f749eb741946118259145b5843d75e98a",
"check_name": "RegexDoS",
"message": "Model attribute used in regular expression",
"file": "app/models/content_migration.rb",
"line": 616,
"link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
"code": "/\\A#{(Folder.root_folders(context).first.name + \"/\")}/",
"render_path": null,
"location": {
"type": "method",
"class": "ContentMigration",
"method": "import_content"
},
"user_input": "(Folder.root_folders(context).first.name + \"/\")",
"confidence": "Medium",
"cwe_id": [
20,
185
],
"note": ""
},
{
"warning_type": "Mass Assignment",
"warning_code": 70,
"fingerprint": "fe51dc8ef7eaef41744c62633219ae140f5a2df7c95adc6f7ef126e84860b034",
"check_name": "MassAssignment",
"message": "Specify exact keys allowed for mass assignment instead of using `permit!` which allows any keys",
"file": "app/controllers/gradebook_settings_controller.rb",
"line": 71,
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
"code": "params.require(:gradebook_settings).permit({ :filter_columns_by => ([:context_module_id, :grading_period_id, :assignment_group_id, :submissions, :start_date, :end_date]), :filter_rows_by => ([:section_id, :student_group_id]), :selected_view_options_filters => ([]) }, :enter_grades_as, :hide_assignment_group_totals, :hide_total, :show_concluded_enrollments, :show_inactive_enrollments, :show_unpublished_assignments, :show_separate_first_last_names, :student_column_display_as, :student_column_secondary_info, :sort_rows_by_column_id, :sort_rows_by_setting_key, :sort_rows_by_direction, :view_ungraded_as_zero, :colors => ([:late, :missing, :resubmitted, :dropped, :excused, :extended])).permit!",
"render_path": null,
"location": {
"type": "method",
"class": "GradebookSettingsController",
"method": "gradebook_settings_params"
},
"user_input": null,
"confidence": "Medium",
"cwe_id": [
915
],
"note": ""
}
],
"updated": "2023-12-08 11:31:18 -0700",
"brakeman_version": "6.1.0"
}