From 644c5fddd8d04d3f59a2e9a716614bab748796c3 Mon Sep 17 00:00:00 2001
From: Matt Jankowski
Date: Thu, 13 Jul 2023 09:52:37 -0400
Subject: [PATCH] Refactor `Status.tagged_with_all` for brakeman SQL injection warning (#25941)
---
 app/models/status.rb | 4 +++-
 config/brakeman.ignore | 25 +------------------------
 2 files changed, 4 insertions(+), 25 deletions(-)
diff --git a/app/models/status.rb b/app/models/status.rb
index 67463b140b4..ff85ff2388f 100644
--- a/app/models/status.rb
+++ b/app/models/status.rb
@@ -103,7 +103,9 @@ class Status < ApplicationRecord
 scope :not_domain_blocked_by_account, ->(account) { account.excluded_from_timeline_domains.blank? ? left_outer_joins(:account) : left_outer_joins(:account).where('accounts.domain IS NULL OR accounts.domain NOT IN (?)', account.excluded_from_timeline_domains) }
 scope :tagged_with_all, lambda { |tag_ids|
 Array(tag_ids).map(&:to_i).reduce(self) do |result, id|
- result.joins("INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}")
+ result.where(<<~SQL.squish, tag_id: id)
+ EXISTS(SELECT 1 FROM statuses_tags WHERE statuses_tags.status_id = statuses.id AND statuses_tags.tag_id = :tag_id)
+ SQL
 end
 }
 scope :tagged_with_none, lambda { |tag_ids|
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
index 27d8ff8da55..9b9330a758f 100644
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
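Review bot: The added `where` fragment deserves a one-line comment making explicit that `:tag_id` is a bound parameter and that the `map(&:to_i)` on the context line above is only input normalisation, not the injection guard, so neither is removed later on the assumption that the other suffices; e.g. `# bind :tag_id rather than interpolate; the to_i above only normalises input`. The interpolated form it replaces was already integer-only because of that `to_i`, so this is hardening plus silencing brakeman rather than closing an exploitable hole, which the title already implies. One behavioural aside worth confirming: with a nil or empty `tag_ids` the `reduce(self)` returns the relation unfiltered both before and after this change, so callers must not rely on this scope to return nothing in that case. The `.squish` on a one-line heredoc is a no-op and could be a plain string if the team prefers, though it is harmless as written.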
@@ -1,28 +1,5 @@
 {
 "ignored_warnings": [
- {
- "warning_type": "SQL Injection",
- "warning_code": 0,
- "fingerprint": "19df3740b8d02a9fe0eb52c939b4b87d3a2a591162a6adfa8d64e9c26aeebe6d",
- "check_name": "SQL",
- "message": "Possible SQL injection",
- "file": "app/models/status.rb",
- "line": 106,
- "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
- "code": "result.joins(\"INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
- "render_path": null,
- "location": {
- "type": "method",
- "class": "Status",
- "method": null
- },
- "user_input": "id",
- "confidence": "Weak",
- "cwe_id": [
- 89
- ],
- "note": ""
- },
 {
 "warning_type": "Cross-Site Scripting",
 "warning_code": 2,
@@ -206,6 +183,6 @@
 "note": ""
 }
 ],
- "updated": "2023-07-11 16:08:58 +0200",
+ "updated": "2023-07-12 11:20:51 -0400",
 "brakeman_version": "6.0.0"
 }