From 6de00f6a96ec3f851c45d168badaf1fb66a39869 Mon Sep 17 00:00:00 2001
From: Rajesh Paul
Date: Mon, 9 Aug 2021 16:26:33 +0530
Subject: [PATCH 1/2] Added one brakeman test in ignore list; fixed collaboration_controller dynamic resource path brakeman issue
Signed-off-by: Rajesh Paul
---
 .../controllers/collaborators_controller.rb | 4 +--
 src/supermarket/config/brakeman.ignore | 32 ++++++++++++++++++-
 2 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/src/supermarket/app/controllers/collaborators_controller.rb b/src/supermarket/app/controllers/collaborators_controller.rb
index 1a371cab2..648bd0ea5 100644
--- a/src/supermarket/app/controllers/collaborators_controller.rb
+++ b/src/supermarket/app/controllers/collaborators_controller.rb
@@ -93,9 +93,9 @@ def destroy_group
           "#{collaborator.user.username} is still a collaborator on this #{params[:resourceable_type]}" " "
         end
       end
-
+      resource_path_str = "#{params[:resourceable_type].underscore}_path"
       redirect_to(
-        resource
+        send(resource_path_str, resource)
       )
     else
       not_found!
diff --git a/src/supermarket/config/brakeman.ignore b/src/supermarket/config/brakeman.ignore
index 29b09a7dd..6b5f4859f 100644
--- a/src/supermarket/config/brakeman.ignore
+++ b/src/supermarket/config/brakeman.ignore
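Review bot: `send(resource_path_str, resource)` on the new side builds the method name from `params[:resourceable_type]`, so the redirect now dispatches on a request-controlled string; `send` also reaches private and `Object` methods, and an unexpected type raises `NoMethodError` (a 500) instead of falling through to `not_found!`. Unless `params[:resourceable_type]` is already checked against an allowlist earlier in `destroy_group` (that part of the method is outside the hunk), validate it before deriving the helper name and use `public_send`, e.g. `not_found! unless ALLOWED_RESOURCEABLE_TYPES.include?(params[:resourceable_type])` (a constant you define listing the types that support collaboration) followed by `redirect_to(public_send("#{params[:resourceable_type].underscore}_path", resource))`. That keeps Brakeman's dynamic-redirect finding resolved without trading it for an unbounded `send`. `destroy_group` begins and ends outside the hunk.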
@@ -1,5 +1,35 @@
 {
   "ignored_warnings": [
+    {
+      "warning_type": "Cross-Site Scripting",
+      "warning_code": 4,
+      "fingerprint": "11a6322283bc54ef48d681d41a4dcd60c59cd3cce38e48d3d8ad28a27c19e242",
+      "check_name": "LinkToHref",
+      "message": "Potentially unsafe model attribute in `link_to` href",
+      "file": "app/views/tools/_tool.html.erb",
+      "line": 28,
+      "link": "https://brakemanscanner.org/docs/warning_types/link_to_href",
+      "code": "link_to(\"View Source\", (Unresolved Model).new.source_url, :class => \"button tiny radius secondary\", :target => \"_blank\", :rel => \"noopener\", :itemprop => \"codeRepository\")",
+      "render_path": [
+        {
+          "type": "template",
+          "name": "users/tools",
+          "line": 15,
+          "file": "app/views/users/tools.html.erb",
+          "rendered": {
+            "name": "tools/_tool",
+            "file": "app/views/tools/_tool.html.erb"
+          }
+        }
+      ],
+      "location": {
+        "type": "template",
+        "template": "tools/_tool"
+      },
+      "user_input": "(Unresolved Model).new.source_url",
+      "confidence": "Weak",
+      "note": ""
+    },
     {
       "warning_type": "Redirect",
       "warning_code": 18,
@@ -81,6 +111,6 @@
       "note": ""
     }
   ],
-  "updated": "2021-08-03 17:58:38 +0530",
+  "updated": "2021-08-09 12:47:05 +0530",
   "brakeman_version": "5.1.1"
 }
From 2a5a46fc78c068d5b11959021f01968afc74d310 Mon Sep 17 00:00:00 2001
From: Rajesh Paul
Date: Tue, 10 Aug 2021 18:54:47 +0530
Subject: [PATCH 2/2] changed cookie serializer from :hybrid to :json as hybrid serializer has security issues
Signed-off-by: Rajesh Paul
---
 src/supermarket/config/initializers/cookies_serializer.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/supermarket/config/initializers/cookies_serializer.rb b/src/supermarket/config/initializers/cookies_serializer.rb
index f51a497e1..886da75b0 100644
--- a/src/supermarket/config/initializers/cookies_serializer.rb
+++ b/src/supermarket/config/initializers/cookies_serializer.rb
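Review bot: The new ignore entry suppresses the LinkToHref XSS warning for `source_url` in `app/views/tools/_tool.html.erb` with an empty `"note": ""`, so the reason it is considered a false positive is not recorded anywhere. A `link_to` href fed by a model attribute is only safe if that attribute is constrained to `http`/`https` URLs before it is stored (a non-http scheme in an href is exactly what this Brakeman check is about), so the note should point at that validation, e.g. `"note": "source_url is validated as an http(s) URL at write time; see <where source_url is validated>"` with the placeholder replaced by the actual model/validator location. If no such constraint exists, the warning should be fixed in the view or model rather than ignored. The second hunk (`updated` timestamp) needs no review.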
@@ -2,4 +2,10 @@
 
 # Specify a serializer for the signed and encrypted cookie jars.
 # Valid options are :json, :marshal, and :hybrid.
-Rails.application.config.action_dispatch.cookies_serializer = :hybrid
+
+# NOTE - Changed the serializer from :hybrid to :json as the rails
+# has been upgraded to version:5 around 4 years back.
+# Changing this now as the chances of preexisting cookies which are more than 4 years old is very less.
+# In worst case the cookie will not be supported and the user will be asked to signin again.
+# If that's an issue we will revert it back to :hybrid
+Rails.application.config.action_dispatch.cookies_serializer = :json
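Review bot: The new comment block records the history of the change but not the security reason the commit message gives, and it has wording issues (`is very less`, `signin`, `rails has been upgraded to version:5`). The security-relevant fact is that `:hybrid` still deserializes legacy cookies with `Marshal`, so the serializer remains an unsafe-deserialization path should the cookie signing/encryption secret (`secret_key_base`) ever be exposed; `:json` removes that fallback. Suggest replacing the five added comment lines with something like `# :json only — :hybrid would still Marshal.load legacy cookies, an unsafe deserialization` / `# path if secret_key_base were ever leaked. Cookies written with the old serializer become` / `# invalid, so affected users are simply asked to sign in again.` The file has no enclosing method; the hunk runs to the end of the file.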