Merge pull request #14074 from eduardoj/refactoring/sanitize_strings_…

…in_where_clauses Use sanitized strings for `where` clauses
openSUSE · Mar 27, 2023 · f8f8c23 · f8f8c23
2 parents 37c02f4 + 86cbb2f
commit f8f8c23
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 72 deletions.
diff --git a/src/api/app/controllers/webui/request_controller.rb b/src/api/app/controllers/webui/request_controller.rb
@@ -63,7 +63,7 @@ def show
 
       if @refresh
         bs_request_action = BsRequestAction.find(@action[:id])
-        job = Delayed::Job.where("handler LIKE '%job_class: BsRequestActionWebuiInfosJob%#{bs_request_action.to_global_id.uri}%'").count
+        job = Delayed::Job.where('handler LIKE ?', "%job_class: BsRequestActionWebuiInfosJob%#{bs_request_action.to_global_id.uri}%").count
         BsRequestActionWebuiInfosJob.perform_later(bs_request_action) if job.zero?
       end
 
@@ -210,7 +210,7 @@ def request_action
 
     if @refresh
       bs_request_action = BsRequestAction.find(@action[:id])
-      job = Delayed::Job.where("handler LIKE '%job_class: BsRequestActionWebuiInfosJob%#{bs_request_action.to_global_id.uri}%'").count
+      job = Delayed::Job.where('handler LIKE ?', "%job_class: BsRequestActionWebuiInfosJob%#{bs_request_action.to_global_id.uri}%").count
       BsRequestActionWebuiInfosJob.perform_later(bs_request_action) if job.zero?
     end
 
@@ -234,7 +234,7 @@ def request_action_changes
 
     if @refresh
       bs_request_action = BsRequestAction.find(@action[:id])
-      job = Delayed::Job.where("handler LIKE '%job_class: BsRequestActionWebuiInfosJob%#{bs_request_action.to_global_id.uri}%'").count
+      job = Delayed::Job.where('handler LIKE ?', "%job_class: BsRequestActionWebuiInfosJob%#{bs_request_action.to_global_id.uri}%").count
       BsRequestActionWebuiInfosJob.perform_later(bs_request_action) if job.zero?
     end
 

diff --git a/src/api/config/brakeman.ignore b/src/api/config/brakeman.ignore
@@ -69,29 +69,6 @@
       ],
       "note": ""
     },
-    {
-      "warning_type": "SQL Injection",
-      "warning_code": 0,
-      "fingerprint": "425cc6614ece3076fd4dee2f72c0dea417e7ee2b20962f48eaaed13d7f22d82f",
-      "check_name": "SQL",
-      "message": "Possible SQL injection",
-      "file": "app/controllers/webui/request_controller.rb",
-      "line": 204,
-      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
-      "code": "Delayed::Job.where(\"handler LIKE '%job_class: BsRequestActionWebuiInfosJob%#{BsRequestAction.find(BsRequest.find_by!(:number => params[:number]).webui_actions(:filelimit => ((0 or nil)), :tarlimit => ((0 or nil)), :diff_to_superseded => BsRequest.find_by!(:number => params[:number]).superseding.find_by(:number => params[:diff_to_superseded]), :diffs => true, :action_id => params[\"id\"].to_i, :cacheonly => 1).find do\n (action[:id] == params[\"id\"].to_i)\n end[:id]).to_global_id.uri}%'\")",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "Webui::RequestController",
-        "method": "request_action"
-      },
-      "user_input": "BsRequestAction.find(BsRequest.find_by!(:number => params[:number]).webui_actions(:filelimit => ((0 or nil)), :tarlimit => ((0 or nil)), :diff_to_superseded => BsRequest.find_by!(:number => params[:number]).superseding.find_by(:number => params[:diff_to_superseded]), :diffs => true, :action_id => params[\"id\"].to_i, :cacheonly => 1).find do\n (action[:id] == params[\"id\"].to_i)\n end[:id]).to_global_id",
-      "confidence": "Medium",
-      "cwe_id": [
-        89
-      ],
-      "note": ""
-    },
     {
       "warning_type": "SQL Injection",
       "warning_code": 0,
@@ -478,29 +455,6 @@
       ],
       "note": ""
     },
-    {
-      "warning_type": "SQL Injection",
-      "warning_code": 0,
-      "fingerprint": "e1bbb06930340f39e377f9e599a372d33b45861686454d7775bf5961f22a5e55",
-      "check_name": "SQL",
-      "message": "Possible SQL injection",
-      "file": "app/controllers/webui/request_controller.rb",
-      "line": 228,
-      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
-      "code": "Delayed::Job.where(\"handler LIKE '%job_class: BsRequestActionWebuiInfosJob%#{BsRequestAction.find(BsRequest.find_by!(:number => params[:number]).webui_actions(:filelimit => ((0 or nil)), :tarlimit => ((0 or nil)), :diff_to_superseded => BsRequest.find_by!(:number => params[:number]).superseding.find_by(:number => params[:diff_to_superseded]), :diffs => true, :action_id => params[\"id\"].to_i, :cacheonly => 1).find do\n (action[:id] == params[\"id\"].to_i)\n end[:id]).to_global_id.uri}%'\")",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "Webui::RequestController",
-        "method": "request_action_changes"
-      },
-      "user_input": "BsRequestAction.find(BsRequest.find_by!(:number => params[:number]).webui_actions(:filelimit => ((0 or nil)), :tarlimit => ((0 or nil)), :diff_to_superseded => BsRequest.find_by!(:number => params[:number]).superseding.find_by(:number => params[:diff_to_superseded]), :diffs => true, :action_id => params[\"id\"].to_i, :cacheonly => 1).find do\n (action[:id] == params[\"id\"].to_i)\n end[:id]).to_global_id",
-      "confidence": "Medium",
-      "cwe_id": [
-        89
-      ],
-      "note": ""
-    },
     {
       "warning_type": "SQL Injection",
       "warning_code": 0,
@@ -524,29 +478,6 @@
       ],
       "note": ""
     },
-    {
-      "warning_type": "SQL Injection",
-      "warning_code": 0,
-      "fingerprint": "e5e5f63e6b870bf0a96201519e57a40efba6183a455e565cf14c842d1e0525d3",
-      "check_name": "SQL",
-      "message": "Possible SQL injection",
-      "file": "app/controllers/webui/request_controller.rb",
-      "line": 57,
-      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
-      "code": "Delayed::Job.where(\"handler LIKE '%job_class: BsRequestActionWebuiInfosJob%#{BsRequestAction.find(BsRequest.find_by!(:number => params[:number]).webui_actions(:filelimit => ((0 or nil)), :tarlimit => ((0 or nil)), :diff_to_superseded => BsRequest.find_by!(:number => params[:number]).superseding.find_by(:number => params[:diff_to_superseded]), :diffs => true, :action_id => (params[:request_action_id] or BsRequest.find_by!(:number => params[:number]).bs_request_actions.first.id).to_i, :cacheonly => 1).first[:id]).to_global_id.uri}%'\")",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "Webui::RequestController",
-        "method": "show"
-      },
-      "user_input": "BsRequestAction.find(BsRequest.find_by!(:number => params[:number]).webui_actions(:filelimit => ((0 or nil)), :tarlimit => ((0 or nil)), :diff_to_superseded => BsRequest.find_by!(:number => params[:number]).superseding.find_by(:number => params[:diff_to_superseded]), :diffs => true, :action_id => (params[:request_action_id] or BsRequest.find_by!(:number => params[:number]).bs_request_actions.first.id).to_i, :cacheonly => 1).first[:id]).to_global_id",
-      "confidence": "Medium",
-      "cwe_id": [
-        89
-      ],
-      "note": ""
-    },
     {
       "warning_type": "Weak Cryptography",
       "warning_code": 126,