From cd9d3b32e1e8d6d98775f8fe640154f4322d857c Mon Sep 17 00:00:00 2001
From: Richard Lynch
Date: Mon, 16 Dec 2024 15:03:16 +0000
Subject: [PATCH] Update brakeman config

Ignores the sql injection warning in duplicate claims. Non of the interpolated values in this query are supplable by a user, and using bind params would make this a lot harder to read! Anyone modifying this query needs to be careful not to introduce a sql injection attack!
---
 .../reports/duplicate_approved_claims.rb | 2 ++
 config/brakeman.ignore | 25 ++++++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/app/models/admin/reports/duplicate_approved_claims.rb b/app/models/admin/reports/duplicate_approved_claims.rb
index f26f3793b3..436c76f000 100644
--- a/app/models/admin/reports/duplicate_approved_claims.rb
+++ b/app/models/admin/reports/duplicate_approved_claims.rb
@@ -1,3 +1,5 @@
+# This file is ignored in the brakeman config, be careful not to interpolate
+# any user provided parameters!
 module Admin
   module Reports
     class DuplicateApprovedClaims
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
index ce5d27724d..39dcedc147 100644
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@@ -138,6 +138,29 @@
       ],
       "note": ""
     },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "b0269286fd1ea8251ec5b7680edd39187adb72c1ed2c4bc61e6eec7e14ed24f7",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/admin/reports/duplicate_approved_claims.rb",
+      "line": 191,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "ActiveRecord::Base.connection.execute(((\"WITH current_claims AS (\\n SELECT claims.id, #{claim_matching_attributes.flatten.join(\", \")}\\n FROM claims\\n JOIN decisions ON claims.id = decisions.claim_id\\n WHERE claims.academic_year = '#{academic_year}'\\n AND decisions.undone = false\\n AND decisions.result = 0\\n)\\n\" + \"\\n\") + claim_matching_attributes.flat_map do\n join_condition = attribute_group.map do\n if (Claim.column_for_attribute(attr).type == :string) then\n \"LOWER(current_claims.#{attr}) = LOWER(other_claims.#{attr})\"\nelse\n \"current_claims.#{attr} = other_claims.#{attr}\"\nend\n end.join(\" AND \")\n\"SELECT current_claims.id, other_claims.id AS other_claim_id\\nFROM current_claims\\nJOIN current_claims other_claims\\nON #{attribute_group.map do\n if (Claim.column_for_attribute(attr).type == :string) then\n \"LOWER(current_claims.#{attr}) = LOWER(other_claims.#{attr})\"\nelse\n \"current_claims.#{attr} = other_claims.#{attr}\"\nend\n end.join(\" AND \")}\\nWHERE current_claims.id != other_claims.id\\n\"\n end.join(\"\\nUNION\\n\")))",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Admin::Reports::DuplicateApprovedClaims",
+        "method": "duplicates_by_attributes"
+      },
+      "user_input": "claim_matching_attributes.flatten.join(\", \")",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
     {
       "warning_type": "SQL Injection",
       "warning_code": 0,
@@ -185,6 +208,6 @@
       "note": ""
     }
   ],
-  "updated": "2024-11-20 17:38:36 +0000",
+  "updated": "2024-12-16 15:02:51 +0000",
   "brakeman_version": "6.2.1"
 }
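Review bot: The new ignore entry leaves `"note": ""`, so the justification for suppressing a CWE-89 finding exists only in the commit message and is invisible to anyone reading `config/brakeman.ignore` or the brakeman report; fill it, e.g. `"note": "Interpolated values are hard-coded column names (claim_matching_attributes) and academic_year, never request params. Re-review if the query changes."`. The `code` field in this entry shows `WHERE claims.academic_year = '#{academic_year}'` being interpolated as well, while `user_input` names only `claim_matching_attributes`, so the suppression also covers a second value whose origin is not visible in this diff — confirm it cannot be set from a request parameter, or quote it in the model with `ActiveRecord::Base.connection.quote(academic_year)`, which keeps the query readable and removes the question. The attribute names could likewise be checked against `Claim.column_names` before interpolation, since the suppression now hides any future regression there. As far as I understand Brakeman, the fingerprint is derived from the flagged code, so editing the query should resurface the warning rather than stay ignored; that is worth stating in the note so a reappearing warning is re-reviewed rather than just regenerated into the ignore file.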