main
ignore 145 lines 9.59 KB
Raw
1 {
2 "ignored_warnings": [
3 {
4 "warning_type": "Command Injection",
5 "warning_code": 14,
6 "fingerprint": "03f0108aa182ee54b38be945afcbe9c90ffec86500b284510dae38fff5a2d1e0",
7 "check_name": "Execute",
8 "message": "Possible command injection",
9 "file": "app/services/git_repository_service.rb",
10 "line": 228,
11 "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated base/head refs are passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? rejects either ref if it starts with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a base of \"--output=...\")."
12 },
13 {
14 "warning_type": "Command Injection",
15 "warning_code": 14,
16 "fingerprint": "1dbb9af6b074159eced6b9d2536bec26667c240f09e3a5bb49285b45775cca4b",
17 "check_name": "Execute",
18 "message": "Possible command injection",
19 "file": "app/services/git_repository_service.rb",
20 "line": 107,
21 "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated ref/path is passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")."
22 },
23 {
24 "warning_type": "Command Injection",
25 "warning_code": 14,
26 "fingerprint": "0a470c5a46cd5b8ac1b0487e651f761caeeb961ac9bc408a33d2ca89257085c3",
27 "check_name": "Execute",
28 "message": "Possible command injection",
29 "file": "app/services/git_repository_service.rb",
30 "line": 115,
31 "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated ref/path is passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")."
32 },
33 {
34 "warning_type": "Command Injection",
35 "warning_code": 14,
36 "fingerprint": "586ef55597b40deec327d690a446903cdfb89a65dfeb7962ad0f6f603d16f9fd",
37 "check_name": "Execute",
38 "message": "Possible command injection",
39 "file": "app/services/git_repository_service.rb",
40 "line": 123,
41 "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated ref is passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")."
42 },
43 {
44 "warning_type": "Command Injection",
45 "warning_code": 14,
46 "fingerprint": "fc944c7823b102c74e5d4bfd30183d1f2776b80f00b453e05571815b2fbc26f1",
47 "check_name": "Execute",
48 "message": "Possible command injection",
49 "file": "app/services/git_repository_service.rb",
50 "line": 55,
51 "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated ref/path is passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")."
52 },
53 {
54 "warning_type": "Command Injection",
55 "warning_code": 14,
56 "fingerprint": "d4ffd91b7a130c0d1e51bc90c8b66c51242d4ec7f21201b3acab11f7a3fb7b6b",
57 "check_name": "Execute",
58 "message": "Possible command injection",
59 "file": "app/services/git_repository_service.rb",
60 "line": 98,
61 "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated ref/path is passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")."
62 },
63 {
64 "warning_type": "Command Injection",
65 "warning_code": 14,
66 "fingerprint": "c932f5558ef2885051eeba4c72f436d871323489099c7361cb75f3f3e4d2f155",
67 "check_name": "Execute",
68 "message": "Possible command injection",
69 "file": "app/services/git_repository_service.rb",
70 "line": 133,
71 "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated ref is passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")."
72 },
73 {
74 "warning_type": "Command Injection",
75 "warning_code": 14,
76 "fingerprint": "d802f010326572ecab89535d3c449ac7b6bc9b18b3568197eb302d6875d42c58",
77 "check_name": "Execute",
78 "message": "Possible command injection",
79 "file": "app/services/git_repository_service.rb",
80 "line": 245,
81 "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated ref is passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")."
82 },
83 {
84 "warning_type": "Command Injection",
85 "warning_code": 14,
86 "fingerprint": "9569afc8080f4e1e0e4b4b3de400e2695641b30574fbdb0b421d1b41c5224df1",
87 "check_name": "Execute",
88 "message": "Possible command injection",
89 "file": "app/services/git_repository_service.rb",
90 "line": 269,
91 "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated base/head refs are passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")."
92 },
93 {
94 "warning_type": "Command Injection",
95 "warning_code": 14,
96 "fingerprint": "03f0108aa182ee54b38be945afcbe9c90ffec86500b284510dae38fff5a2d1e0",
97 "check_name": "Execute",
98 "message": "Possible command injection",
99 "file": "app/services/git_repository_service.rb",
100 "line": 294,
101 "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated base/head refs are passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")."
102 },
103 {
104 "warning_type": "Command Injection",
105 "warning_code": 14,
106 "fingerprint": "405f8ed8c2a9df18ef8591501a996ad3e5ce7fb5eb046c1e1aaddd47e1dc762d",
107 "check_name": "Execute",
108 "message": "Possible command injection",
109 "file": "app/services/git_repository_service.rb",
110 "line": 336,
111 "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated base ref reaches `update-ref` as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")."
112 },
113 {
114 "warning_type": "Command Injection",
115 "warning_code": 14,
116 "fingerprint": "4aff271d89cea00ac9c30356cfc76de7710b2279191dfa8cd3b682cb748cb405",
117 "check_name": "Execute",
118 "message": "Possible command injection",
119 "file": "app/controllers/api/v1/repos_controller.rb",
120 "line": 42,
121 "note": "False positive: default_branch is always the literal string \"main\" set a few lines above (never derived from request params), so nothing user-controlled reaches this Open3.capture3 call."
122 },
123 {
124 "warning_type": "Mass Assignment",
125 "warning_code": 105,
126 "fingerprint": "faef13fd7ff08bed1e6f8739746e5d6af3b6ec0515cb4bc73d856d973d1140b2",
127 "check_name": "PermitAttributes",
128 "message": "Potentially dangerous key allowed for mass assignment",
129 "file": "app/controllers/api/v1/cloud_sessions_controller.rb",
130 "line": 75,
131 "note": "False positive: `role` here is CloudMessage#role, a chat-message role (\"user\"/\"assistant\"/\"system\") restricted by `validates :role, inclusion: { in: ROLES }` in the model — not a user/account privilege field. It's passed as an explicit keyword arg to append_message!, not mass-assigned to a model."
132 },
133 {
134 "warning_type": "Cross-Site Scripting",
135 "warning_code": 4,
136 "fingerprint": "8ef2373ad74f844d863ba6076d392d7b797459ca89a3b30d19137c87a0662fee",
137 "check_name": "LinkToHref",
138 "message": "Potentially unsafe model attribute in `link_to` href",
139 "file": "app/views/admin/repositories/show.html.erb",
140 "line": 15,
141 "note": "False positive: Repository#html_url is built from ENV[\"SIGITSI_URL\"] (trusted, admin-set) plus the owning user's username and the repo name, both restricted by model format validations to safe charsets (letters, digits, hyphen/underscore/dot) — no URL scheme (e.g. javascript:) can appear in this value."
142 }
143 ],
144 "brakeman_version": "8.0.5"
145 }