Initial brakeman config with warning addressed and non-relevant ones …

…ignored.
rubyforgood · Sep 25, 2020 · 96699e8 · 96699e8
1 parent 80f0d60
commit 96699e8
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 1 deletion.
diff --git a/.travis.yml b/.travis.yml
@@ -26,6 +26,7 @@ script:
   - export RAILS_ENV=test
   - bundle exec rake db:create db:schema:load
   - bin/webpack
+  - bundle exec brakeman
   - bundle exec rake factory_bot:lint
   - bundle exec rspec
 after_script:

diff --git a/app/models/organization.rb b/app/models/organization.rb
@@ -30,7 +30,7 @@ class Organization < ApplicationRecord
   validates :name, presence: true
   validates :short_name, presence: true, format: /\A[a-z0-9_]+\z/i
   validates :url, format: { with: URI::DEFAULT_PARSER.make_regexp, message: "it should look like 'http://www.example.com'" }, allow_blank: true
-  validates :email, format: /[^@]+@[^@]+/, allow_blank: true
+  validates :email, format: { with: URI::MailTo::EMAIL_REGEXP }, allow_blank: true
   validate :correct_logo_mime_type
   validates :deadline_day, numericality: { only_integer: true, less_than_or_equal_to: 28, greater_than_or_equal_to: 1, allow_nil: true }
   validates :reminder_day, numericality: { only_integer: true, less_than_or_equal_to: 14, greater_than_or_equal_to: 1, allow_nil: true }

diff --git a/config/brakeman.ignore b/config/brakeman.ignore
@@ -0,0 +1,46 @@
+{
+  "ignored_warnings": [
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "53186cd4eccf803f35837392ee3ab4c96cb625fc445628cc3571b5fa42ca9db1",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "config/initializers/postgres.rb",
+      "line": 8,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "connection.select_all(\"select pg_terminate_backend(pg_stat_activity.pid) from pg_stat_activity where datname='#{configuration[\"database\"]}' AND state='idle';\")",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "PostgreSQLDatabaseTasks",
+        "method": "drop"
+      },
+      "user_input": "configuration[\"database\"]",
+      "confidence": "Medium",
+      "note": ""
+    },
+    {
+      "warning_type": "Dynamic Render Path",
+      "warning_code": 15,
+      "fingerprint": "82ef033042422190ef49507207d51ed6ccd9593483630925baf0bf6c5e65033e",
+      "check_name": "Render",
+      "message": "Render path contains parameter value",
+      "file": "app/controllers/static_controller.rb",
+      "line": 25,
+      "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
+      "code": "render(template => \"static/#{params[:name]}\", {})",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "StaticController",
+        "method": "page"
+      },
+      "user_input": "params[:name]",
+      "confidence": "Medium",
+      "note": ""
+    }
+  ],
+  "updated": "2020-09-25 18:26:33 -0400",
+  "brakeman_version": "4.9.1"
+}