canvas-lms/config/brakeman.ignore

{
  "ignored_warnings": [
    {
      "warning_type": "SQL Injection",
      "warning_code": 0,
      "fingerprint": "6c187af95302423b293a6ee5fcc3233c199e0f82d858931c478515c5f2d22cad",
      "check_name": "SQL",
      "message": "Possible SQL injection",
      "file": "app/controllers/outcome_results_controller.rb",
      "line": 572,
      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
      "code": "Arel.sql((User.sortable_name_order_by_clause(User.quoted_table_name) or \"#{User.sortable_name_order_by_clause(User.quoted_table_name)} DESC\"))",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "OutcomeResultsController",
        "method": "apply_sort_order"
      },
      "user_input": "User.sortable_name_order_by_clause(User.quoted_table_name)",
      "confidence": "High",
      "note": "No user input is passed in"
    },
    {
      "warning_type": "SQL Injection",
      "warning_code": 0,
      "fingerprint": "799a44268d5cfe1ff43bcd239e02e4dc5fc10545c370095aaed3ec7e9975df6e",
      "check_name": "SQL",
      "message": "Possible SQL injection",
      "file": "app/controllers/lti/ims/providers/memberships_provider.rb",
      "line": 81,
      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
      "code": "Submission.active.for_assignment(assignment).where(\"#{outer_user_id_column} = submissions.user_id\")",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "Lti::Ims::Providers::MembershipsProvider",
        "method": "correlated_assignment_submissions"
      },
      "user_input": "outer_user_id_column",
      "confidence": "Medium",
      "note": "No user input is passed in"
    },
    {
      "note": "Submission.needs_grading_conditions accepts no user input",
      "warning_type": "SQL Injection",
      "warning_code": 0,
      "fingerprint": "90b239bee8ac22b4c5d6c4d81572f155d3c073446542fa3bad6135b4578e2a91",
      "message": "Possible SQL injection",
      "file": "app/models/assignment.rb",
      "line": 1949,
      "link": "http://brakemanscanner.org/docs/warning_types/sql_injection/",
      "code": "Submission.where(\"assignment_id=assignments.id\").where(Submission.needs_grading_conditions)",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "Assignment",
        "method": "need_grading_info"
      },
      "user_input": "Submission.needs_grading_conditions",
      "confidence": "High"
    },
    {
      "warning_type": "SQL Injection",
      "warning_code": 0,
      "fingerprint": "a22e7dbb90204b4b932c4ca659085a3b6c18f43610450c9c59a0a432bbe081fa",
      "check_name": "SQL",
      "message": "Possible SQL injection",
      "file": "lib/submission_search.rb",
      "line": 93,
      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
      "code": "Arel.sql(\"#{User.sortable_name_order_by_clause(\"users\")} #{(\"DESC NULLS LAST\" or \"ASC\")}\")",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "SubmissionSearch",
        "method": "add_orders"
      },
      "user_input": "User.sortable_name_order_by_clause(\"users\")",
      "confidence": "Medium",
      "note": ""
    },
    {
      "note": "Enrollment.active_student_conditions accepts no user input",
      "warning_type": "SQL Injection",
      "warning_code": 0,
      "fingerprint": "aba39acd96b69d6eb24de776b3a972a2d8f68133fe89c477b5acab2cb41a99f6",
      "message": "Possible SQL injection",
      "file": "app/models/enrollment.rb",
      "line": 163,
      "link": "http://brakemanscanner.org/docs/warning_types/sql_injection/",
      "code": "Enrollment.where(Enrollment.active_student_conditions)",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "Enrollment",
        "method": "touch_assignments"
      },
      "user_input": "Enrollment.active_student_conditions",
      "confidence": "High"
    },
    {
      "warning_type": "Remote Code Execution",
      "warning_code": 24,
      "fingerprint": "b5ba030e599093d2a5047494736d8a61807935ee92704d7f289da07646c862e4",
      "check_name": "UnsafeReflection",
      "message": "Unsafe reflection method const_get called with parameter value",
      "file": "app/controllers/files_controller.rb",
      "line": 810,
      "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
      "code": "Object.const_get(params[:context_type])",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "FilesController",
        "method": "api_capture"
      },
      "user_input": "params[:context_type]",
      "confidence": "High",
      "note": "Value is whitelisted"
    },
    {
      "note": "Enrollment.active_student_conditions accepts no user input",
      "warning_type": "SQL Injection",
      "warning_code": 0,
      "fingerprint": "b67a9b9726298fc3e829fd40dd141316eff1c8084cdc07e15a57ecc5b0bbacb9",
      "message": "Possible SQL injection",
      "file": "app/models/submission.rb",
      "line": 213,
      "link": "http://brakemanscanner.org/docs/warning_types/sql_injection/",
      "code": "Enrollment.where(Enrollment.active_student_conditions)",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "Submission",
        "method": "touch_assignments"
      },
      "user_input": "Enrollment.active_student_conditions",
      "confidence": "High"
    },
    {
      "warning_type": "SQL Injection",
      "warning_code": 0,
      "fingerprint": "d8e0d77e896b3da629e04233f458668fff1d130a6b969287822c292af1daeaad",
      "check_name": "SQL",
      "message": "Possible SQL injection",
      "file": "app/models/account.rb",
      "line": 486,
      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
      "code": "self.associated_courses(:include_crosslisted_courses => opts[:include_crosslisted_courses]).active.order(\"#{Course.best_unicode_collation_key(\"courses.name\")} ASC\")",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "Account",
        "method": "fast_course_base"
      },
      "user_input": "Course.best_unicode_collation_key(\"courses.name\")",
      "confidence": "High",
      "note": "No user input is passed in to via opts['order'] in this function (see accounts_controller:sort_order)"
    },
    {
      "note": "Enrollment.active_student_conditions accepts no user input",
      "warning_type": "SQL Injection",
      "warning_code": 0,
      "fingerprint": "f4e920699a6767e36d0e54f5c1ccd7a638a3654e8bef6e3ee6fbccffba76c345",
      "message": "Possible SQL injection",
      "file": "app/models/submission.rb",
      "line": 169,
      "link": "http://brakemanscanner.org/docs/warning_types/sql_injection/",
      "code": "joins(\"INNER JOIN #{Enrollment.quoted_table_name} ON #{quoted_table_name}.user_id=#{Enrollment.quoted_table_name}.user_id\").where(needs_grading_conditions).where(Enrollment.active_student_conditions)",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "Submission",
        "method": "needs_grading"
      },
      "user_input": "Enrollment.active_student_conditions",
      "confidence": "High"
    }
  ],
  "updated": "2019-03-21 16:01:17 -0600",
  "brakeman_version": "4.5.0"
}