Maintenance: Switch to Rails 7.0 default config.

zammad · Feb 19, 2024 · 19bc131 · 19bc131
1 parent 3124c7a
commit 19bc131
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 161 deletions.
diff --git a/app/controllers/external_credentials_controller.rb b/app/controllers/external_credentials_controller.rb
@@ -35,17 +35,17 @@ def link_account
     attributes = ExternalCredential.request_account_to_link(provider, params)
     session[:request_token] = attributes[:request_token]
     session[:channel_id] = params[:channel_id]
-    redirect_to attributes[:authorize_url]
+    redirect_to attributes[:authorize_url], allow_other_host: true
   end
 
   def callback
     provider = params[:provider].downcase
     channel = ExternalCredential.link_account(provider, session[:request_token], link_params)
-    return redirect_to(channel) if channel.instance_of?(String)
+    return redirect_to(channel), allow_other_host: true if channel.instance_of?(String)
 
     session[:request_token] = nil
     session[:channel_id] = nil
-    redirect_to app_url(provider, channel.id)
+    redirect_to app_url(provider, channel.id), allow_other_host: true
   end
 
   private

diff --git a/app/controllers/knowledge_base/public/categories_controller.rb b/app/controllers/knowledge_base/public/categories_controller.rb
@@ -34,7 +34,7 @@ def forward_root
 
     path = help_root_path(locale: primary_locale.locale)
 
-    redirect_to custom_path_if_needed(path, knowledge_base, full: true)
+    redirect_to custom_path_if_needed(path, knowledge_base, full: true), allow_other_host: true
   end
 
   private

diff --git a/app/controllers/knowledge_bases_controller.rb b/app/controllers/knowledge_bases_controller.rb
@@ -24,7 +24,7 @@ def preview
              help_answer_path params[:locale], category_id, params[:id], preview_token: token
            end
 
-    redirect_to custom_path_if_needed(path, KnowledgeBase.first, full: true)
+    redirect_to custom_path_if_needed(path, KnowledgeBase.first, full: true), allow_other_host: true
   end
 
   private

diff --git a/app/controllers/user_agent_test_controller.rb b/app/controllers/user_agent_test_controller.rb
@@ -30,7 +30,7 @@ def delete
 
   # GET test/redirect
   def redirect
-    redirect_to "#{request.protocol}#{request.host_with_port}/test/get/1?submitted=abc"
+    redirect_to "#{request.protocol}#{request.host_with_port}/test/get/1?submitted=abc", allow_other_host: true
   end
 
   private

diff --git a/config/application.rb b/config/application.rb
@@ -30,7 +30,7 @@
 module Zammad
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 6.1
+    config.load_defaults 7.0
 
     Rails.autoloaders.each do |autoloader|
       autoloader.ignore            "#{config.root}/app/frontend"

diff --git a/config/brakeman.ignore b/config/brakeman.ignore
@@ -1,28 +1,5 @@
 {
   "ignored_warnings": [
-    {
-      "warning_type": "Redirect",
-      "warning_code": 18,
-      "fingerprint": "0af1d7942bf73ecd1eb5141ea3a80c32297d9e9f24e411eb2b346af686eef938",
-      "check_name": "Redirect",
-      "message": "Possible unprotected redirect",
-      "file": "app/controllers/external_credentials_controller.rb",
-      "line": 44,
-      "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
-      "code": "redirect_to(ExternalCredential.link_account(params[:provider].downcase, session[:request_token], link_params))",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "ExternalCredentialsController",
-        "method": "callback"
-      },
-      "user_input": "ExternalCredential.link_account(params[:provider].downcase, session[:request_token], link_params)",
-      "confidence": "High",
-      "cwe_id": [
-        601
-      ],
-      "note": "https://brakemanscanner.org/docs/warning_types/redirect/"
-    },
     {
       "warning_type": "Remote Code Execution",
       "warning_code": 24,
@@ -117,6 +94,29 @@
       ],
       "note": "ObjectLookup.by_id works as designed"
     },
+    {
+      "warning_type": "Redirect",
+      "warning_code": 18,
+      "fingerprint": "2ebd9f5e35ae11122d5561fdbbef7432eeef6b34d7c61249365be7dc34cbfb82",
+      "check_name": "Redirect",
+      "message": "Possible unprotected redirect",
+      "file": "app/controllers/external_credentials_controller.rb",
+      "line": 38,
+      "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
+      "code": "redirect_to(ExternalCredential.request_account_to_link(params[:provider].downcase, params)[:authorize_url], :allow_other_host => true)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "ExternalCredentialsController",
+        "method": "link_account"
+      },
+      "user_input": "ExternalCredential.request_account_to_link(params[:provider].downcase, params)[:authorize_url]",
+      "confidence": "Weak",
+      "cwe_id": [
+        601
+      ],
+      "note": ""
+    },
     {
       "warning_type": "SQL Injection",
       "warning_code": 0,
@@ -353,7 +353,7 @@
       "check_name": "SSLVerify",
       "message": "SSL certificate verification was bypassed",
       "file": "lib/user_agent.rb",
-      "line": 335,
+      "line": 363,
       "link": "https://brakemanscanner.org/docs/warning_types/ssl_verification_bypass/",
       "code": "(Net::HTTP.Proxy($1, $2, ((options[\"proxy_username\"] or Setting.get(\"proxy_username\")) or nil), ((options[\"proxy_password\"] or Setting.get(\"proxy_password\")) or nil)).new(uri.host, uri.port) or Net::HTTP.new(uri.host, uri.port)).verify_mode = OpenSSL::SSL::VERIFY_NONE",
       "render_path": null,
@@ -485,29 +485,6 @@
       ],
       "note": "SqlHelper does properly escape table and column names."
     },
-    {
-      "warning_type": "Redirect",
-      "warning_code": 18,
-      "fingerprint": "a50e32b9e4436adca6c2f789c9fd6371f3e752366821d5b49480f8b004ce5ab7",
-      "check_name": "Redirect",
-      "message": "Possible unprotected redirect",
-      "file": "app/controllers/external_credentials_controller.rb",
-      "line": 38,
-      "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
-      "code": "redirect_to(ExternalCredential.request_account_to_link(params[:provider].downcase, params)[:authorize_url])",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "ExternalCredentialsController",
-        "method": "link_account"
-      },
-      "user_input": "ExternalCredential.request_account_to_link(params[:provider].downcase, params)[:authorize_url]",
-      "confidence": "High",
-      "cwe_id": [
-        601
-      ],
-      "note": "https://brakemanscanner.org/docs/warning_types/redirect/"
-    },
     {
       "warning_type": "Cross-Site Scripting",
       "warning_code": 2,
@@ -549,7 +526,7 @@
       "check_name": "UnsafeReflection",
       "message": "Unsafe reflection method `constantize` called on model attribute",
       "file": "app/models/object_manager/attribute.rb",
-      "line": 896,
+      "line": 921,
       "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
       "code": "ObjectLookup.by_id(object_lookup_id).constantize",
       "render_path": null,
@@ -799,7 +776,7 @@
       "check_name": "SQL",
       "message": "Possible SQL injection",
       "file": "lib/models.rb",
-      "line": 171,
+      "line": 172,
       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
       "code": "model_class.where(\"#{reflection_value.name}_id\" => object_id)",
       "render_path": null,
@@ -822,7 +799,7 @@
       "check_name": "SQL",
       "message": "Possible SQL injection",
       "file": "lib/models.rb",
-      "line": 184,
+      "line": 185,
       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
       "code": "model_class.where(\"#{reflection_value.name}_id\" => object_id)",
       "render_path": null,
@@ -860,32 +837,8 @@
         77
       ],
       "note": "Mysql arguments are internal / from config."
-    },
-    {
-      "warning_type": "Denial of Service",
-      "warning_code": 76,
-      "fingerprint": "fe906d9ee6b37c92b7deec029d6a4cca47071006440817e4a50292b2ca956a30",
-      "check_name": "RegexDoS",
-      "message": "Model attribute used in regular expression",
-      "file": "app/models/ticket.rb",
-      "line": 1178,
-      "link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
-      "code": "/#{Setting.get(\"send_no_auto_response_reg_exp\")}/i",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "Ticket",
-        "method": "send_email_notification"
-      },
-      "user_input": "Setting.get(\"send_no_auto_response_reg_exp\")",
-      "confidence": "Medium",
-      "cwe_id": [
-        20,
-        185
-      ],
-      "note": "Admin configured RegExp"
     }
   ],
-  "updated": "2023-10-31 23:59:53 +0200",
-  "brakeman_version": "6.0.1"
+  "updated": "2024-02-19 12:24:05 +0100",
+  "brakeman_version": "6.1.2"
 }
diff --git a/config/initializers/new_framework_defaults_6_1.rb b/config/initializers/new_framework_defaults_6_1.rb