| 1 | { |
| 2 | "ignored_warnings": [ |
| 3 | { |
| 4 | "warning_type": "Command Injection", |
| 5 | "warning_code": 14, |
| 6 | "fingerprint": "03f0108aa182ee54b38be945afcbe9c90ffec86500b284510dae38fff5a2d1e0", |
| 7 | "check_name": "Execute", |
| 8 | "message": "Possible command injection", |
| 9 | "file": "app/services/git_repository_service.rb", |
| 10 | "line": 228, |
| 11 | "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated base/head refs are passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? rejects either ref if it starts with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a base of \"--output=...\")." |
| 12 | }, |
| 13 | { |
| 14 | "warning_type": "Command Injection", |
| 15 | "warning_code": 14, |
| 16 | "fingerprint": "1dbb9af6b074159eced6b9d2536bec26667c240f09e3a5bb49285b45775cca4b", |
| 17 | "check_name": "Execute", |
| 18 | "message": "Possible command injection", |
| 19 | "file": "app/services/git_repository_service.rb", |
| 20 | "line": 107, |
| 21 | "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated ref/path is passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")." |
| 22 | }, |
| 23 | { |
| 24 | "warning_type": "Command Injection", |
| 25 | "warning_code": 14, |
| 26 | "fingerprint": "0a470c5a46cd5b8ac1b0487e651f761caeeb961ac9bc408a33d2ca89257085c3", |
| 27 | "check_name": "Execute", |
| 28 | "message": "Possible command injection", |
| 29 | "file": "app/services/git_repository_service.rb", |
| 30 | "line": 115, |
| 31 | "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated ref/path is passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")." |
| 32 | }, |
| 33 | { |
| 34 | "warning_type": "Command Injection", |
| 35 | "warning_code": 14, |
| 36 | "fingerprint": "586ef55597b40deec327d690a446903cdfb89a65dfeb7962ad0f6f603d16f9fd", |
| 37 | "check_name": "Execute", |
| 38 | "message": "Possible command injection", |
| 39 | "file": "app/services/git_repository_service.rb", |
| 40 | "line": 123, |
| 41 | "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated ref is passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")." |
| 42 | }, |
| 43 | { |
| 44 | "warning_type": "Command Injection", |
| 45 | "warning_code": 14, |
| 46 | "fingerprint": "fc944c7823b102c74e5d4bfd30183d1f2776b80f00b453e05571815b2fbc26f1", |
| 47 | "check_name": "Execute", |
| 48 | "message": "Possible command injection", |
| 49 | "file": "app/services/git_repository_service.rb", |
| 50 | "line": 55, |
| 51 | "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated ref/path is passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")." |
| 52 | }, |
| 53 | { |
| 54 | "warning_type": "Command Injection", |
| 55 | "warning_code": 14, |
| 56 | "fingerprint": "d4ffd91b7a130c0d1e51bc90c8b66c51242d4ec7f21201b3acab11f7a3fb7b6b", |
| 57 | "check_name": "Execute", |
| 58 | "message": "Possible command injection", |
| 59 | "file": "app/services/git_repository_service.rb", |
| 60 | "line": 98, |
| 61 | "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated ref/path is passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")." |
| 62 | }, |
| 63 | { |
| 64 | "warning_type": "Command Injection", |
| 65 | "warning_code": 14, |
| 66 | "fingerprint": "c932f5558ef2885051eeba4c72f436d871323489099c7361cb75f3f3e4d2f155", |
| 67 | "check_name": "Execute", |
| 68 | "message": "Possible command injection", |
| 69 | "file": "app/services/git_repository_service.rb", |
| 70 | "line": 133, |
| 71 | "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated ref is passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")." |
| 72 | }, |
| 73 | { |
| 74 | "warning_type": "Command Injection", |
| 75 | "warning_code": 14, |
| 76 | "fingerprint": "d802f010326572ecab89535d3c449ac7b6bc9b18b3568197eb302d6875d42c58", |
| 77 | "check_name": "Execute", |
| 78 | "message": "Possible command injection", |
| 79 | "file": "app/services/git_repository_service.rb", |
| 80 | "line": 245, |
| 81 | "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated ref is passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")." |
| 82 | }, |
| 83 | { |
| 84 | "warning_type": "Command Injection", |
| 85 | "warning_code": 14, |
| 86 | "fingerprint": "9569afc8080f4e1e0e4b4b3de400e2695641b30574fbdb0b421d1b41c5224df1", |
| 87 | "check_name": "Execute", |
| 88 | "message": "Possible command injection", |
| 89 | "file": "app/services/git_repository_service.rb", |
| 90 | "line": 269, |
| 91 | "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated base/head refs are passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")." |
| 92 | }, |
| 93 | { |
| 94 | "warning_type": "Command Injection", |
| 95 | "warning_code": 14, |
| 96 | "fingerprint": "03f0108aa182ee54b38be945afcbe9c90ffec86500b284510dae38fff5a2d1e0", |
| 97 | "check_name": "Execute", |
| 98 | "message": "Possible command injection", |
| 99 | "file": "app/services/git_repository_service.rb", |
| 100 | "line": 294, |
| 101 | "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated base/head refs are passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")." |
| 102 | }, |
| 103 | { |
| 104 | "warning_type": "Command Injection", |
| 105 | "warning_code": 14, |
| 106 | "fingerprint": "405f8ed8c2a9df18ef8591501a996ad3e5ce7fb5eb046c1e1aaddd47e1dc762d", |
| 107 | "check_name": "Execute", |
| 108 | "message": "Possible command injection", |
| 109 | "file": "app/services/git_repository_service.rb", |
| 110 | "line": 336, |
| 111 | "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated base ref reaches `update-ref` as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")." |
| 112 | }, |
| 113 | { |
| 114 | "warning_type": "Command Injection", |
| 115 | "warning_code": 14, |
| 116 | "fingerprint": "4aff271d89cea00ac9c30356cfc76de7710b2279191dfa8cd3b682cb748cb405", |
| 117 | "check_name": "Execute", |
| 118 | "message": "Possible command injection", |
| 119 | "file": "app/controllers/api/v1/repos_controller.rb", |
| 120 | "line": 42, |
| 121 | "note": "False positive: default_branch is always the literal string \"main\" set a few lines above (never derived from request params), so nothing user-controlled reaches this Open3.capture3 call." |
| 122 | }, |
| 123 | { |
| 124 | "warning_type": "Mass Assignment", |
| 125 | "warning_code": 105, |
| 126 | "fingerprint": "faef13fd7ff08bed1e6f8739746e5d6af3b6ec0515cb4bc73d856d973d1140b2", |
| 127 | "check_name": "PermitAttributes", |
| 128 | "message": "Potentially dangerous key allowed for mass assignment", |
| 129 | "file": "app/controllers/api/v1/cloud_sessions_controller.rb", |
| 130 | "line": 75, |
| 131 | "note": "False positive: `role` here is CloudMessage#role, a chat-message role (\"user\"/\"assistant\"/\"system\") restricted by `validates :role, inclusion: { in: ROLES }` in the model — not a user/account privilege field. It's passed as an explicit keyword arg to append_message!, not mass-assigned to a model." |
| 132 | }, |
| 133 | { |
| 134 | "warning_type": "Cross-Site Scripting", |
| 135 | "warning_code": 4, |
| 136 | "fingerprint": "8ef2373ad74f844d863ba6076d392d7b797459ca89a3b30d19137c87a0662fee", |
| 137 | "check_name": "LinkToHref", |
| 138 | "message": "Potentially unsafe model attribute in `link_to` href", |
| 139 | "file": "app/views/admin/repositories/show.html.erb", |
| 140 | "line": 15, |
| 141 | "note": "False positive: Repository#html_url is built from ENV[\"SIGITSI_URL\"] (trusted, admin-set) plus the owning user's username and the repo name, both restricted by model format validations to safe charsets (letters, digits, hyphen/underscore/dot) — no URL scheme (e.g. javascript:) can appear in this value." |
| 142 | } |
| 143 | ], |
| 144 | "brakeman_version": "8.0.5" |
| 145 | } |