diff --git a/Gemfile.lock b/Gemfile.lock index bf55dcbe5a..26bbce6c15 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -828,7 +828,7 @@ GEM http-cookie (>= 1.0.2, < 2.0) mime-types (>= 1.16, < 4.0) netrc (~> 0.8) - rexml (3.3.8) + rexml (3.3.9) rgeo (2.4.0) rgeo-activerecord (7.0.1) activerecord (>= 5.0) diff --git a/app/models/grda_warehouse/client_file.rb b/app/models/grda_warehouse/client_file.rb index 56d81b2d8c..46a3110803 100644 --- a/app/models/grda_warehouse/client_file.rb +++ b/app/models/grda_warehouse/client_file.rb @@ -15,6 +15,7 @@ class ClientFile < GrdaWarehouse::File CONSENT_FORM_TAG_CACHE_KEY = 'consent_form_tagging_ids/tag_ids'.freeze mount_uploader :file, FileUploader # This is probably no necessary, but added to be safe + has_paper_trail acts_as_taggable belongs_to :client, class_name: 'GrdaWarehouse::Hud::Client' diff --git a/app/models/grda_warehouse/file.rb b/app/models/grda_warehouse/file.rb index 97ce1cdc72..ed32d4ac50 100644 --- a/app/models/grda_warehouse/file.rb +++ b/app/models/grda_warehouse/file.rb @@ -7,7 +7,6 @@ module GrdaWarehouse class File < GrdaWarehouseBase acts_as_paranoid - has_paper_trail belongs_to :user, optional: true end end diff --git a/config/brakeman.ignore b/config/brakeman.ignore index 2361b1aee6..8fd9b66d2c 100644 --- a/config/brakeman.ignore +++ b/config/brakeman.ignore @@ -617,7 +617,7 @@ "check_name": "Execute", "message": "Possible command injection", "file": "drivers/hmis/app/models/hmis/form/definition.rb", - "line": 359, + "line": 365, "link": "https://brakemanscanner.org/docs/warning_types/command_injection/", "code": "`No Definition found for System form #{role}`", "render_path": null, 
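Review bot: Moving `has_paper_trail` from `GrdaWarehouse::File` onto `ClientFile` means any other subclass of `GrdaWarehouse::File` (which loses the macro in the next hunk) stops writing versions from this commit on, and nothing in the diff says whether that loss of audit history is intended. If it is, record the decision where the macro now sits, e.g. `has_paper_trail # versioning deliberately scoped to ClientFile; other File subclasses are not audited`, so the next reader does not quietly re-add it to the base class or assume all file records are versioned. If other subclasses exist and their edits should stay auditable, the macro belongs on the base class and this hunk is a regression; I cannot see the subclass list from here, so please confirm. The `ClientFile` class body continues outside this hunk, and the neighbouring context comment `# This is probably no necessary` looks like a typo for `not` worth fixing while in the file.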
@@ -1048,7 +1048,7 @@ "check_name": "UnsafeReflection", "message": "Unsafe reflection method `constantize` called on model attribute", "file": "drivers/hmis/app/models/hmis/form/definition.rb", - "line": 414, + "line": 420, "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/", "code": "{ :SERVICE => ({ :owner_class => \"Hmis::Hud::HmisService\", :permission => :can_edit_enrollments }), :PROJECT => ({ :owner_class => \"Hmis::Hud::Project\", :permission => :can_edit_project_details }), :ORGANIZATION => ({ :owner_class => \"Hmis::Hud::Organization\", :permission => :can_edit_organization }), :CLIENT => ({ :owner_class => \"Hmis::Hud::Client\", :permission => :can_edit_clients }), :FUNDER => ({ :owner_class => \"Hmis::Hud::Funder\", :permission => :can_edit_project_details }), :INVENTORY => ({ :owner_class => \"Hmis::Hud::Inventory\", :permission => :can_edit_project_details }), :PROJECT_COC => ({ :owner_class => \"Hmis::Hud::ProjectCoc\", :permission => :can_edit_project_details }), :HMIS_PARTICIPATION => ({ :owner_class => \"Hmis::Hud::HmisParticipation\", :permission => :can_edit_project_details }), :CE_PARTICIPATION => ({ :owner_class => \"Hmis::Hud::CeParticipation\", :permission => :can_edit_project_details }), :CE_ASSESSMENT => ({ :owner_class => \"Hmis::Hud::Assessment\", :permission => :can_edit_enrollments }), :CE_EVENT => ({ :owner_class => \"Hmis::Hud::Event\", :permission => :can_edit_enrollments }), :CASE_NOTE => ({ :owner_class => \"Hmis::Hud::CustomCaseNote\", :permission => :can_edit_enrollments }), :FILE => ({ :owner_class => \"Hmis::File\", :permission => ([:can_manage_any_client_files, :can_manage_own_client_files]), :authorize => (lambda do\n Hmis::File.authorize_proc.call(entity_base, user)\n end) }), :REFERRAL_REQUEST => ({ :owner_class => \"HmisExternalApis::AcHmis::ReferralRequest\", :permission => :can_manage_incoming_referrals }), :REFERRAL => ({ :owner_class => \"HmisExternalApis::AcHmis::ReferralPosting\", 
:permission => :can_manage_outgoing_referrals }), :CURRENT_LIVING_SITUATION => ({ :owner_class => \"Hmis::Hud::CurrentLivingSituation\", :permission => :can_edit_enrollments }), :OCCURRENCE_POINT => ({ :owner_class => \"Hmis::Hud::Enrollment\", :permission => :can_edit_enrollments }), :ENROLLMENT => ({ :owner_class => \"Hmis::Hud::Enrollment\", :permission => :can_edit_enrollments }), :NEW_CLIENT_ENROLLMENT => ({ :permission => :can_edit_enrollments, :owner_class => \"Hmis::Hud::Enrollment\" }), :CLIENT_DETAIL => ({ :owner_class => \"Hmis::Hud::Client\", :permission => :can_edit_clients }), :EXTERNAL_FORM => ({ :owner_class => \"HmisExternalApis::ExternalForms::FormSubmission\", :permission => :can_manage_external_form_submissions }) }[role.to_sym][:owner_class].constantize", "render_path": null, @@ -1163,7 +1163,7 @@ "check_name": "SQL", "message": "Possible SQL injection", "file": "lib/rds_sql_server/rds.rb", - "line": 243, + "line": 244, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "SqlServerBootstrapModel.connection.execute(\"if not exists(select * from sys.databases where name = '#{database}')\\n select 0;\\nelse\\n select 1;\\n\")", "render_path": null, 
@@ -1225,6 +1225,29 @@ ], "note": "" }, + { + "warning_type": "Redirect", + "warning_code": 18, + "fingerprint": "704745811a99d55eb2c8459caa8cd2a8e34486b3b6f1f77f51ce64252262220f", + "check_name": "Redirect", + "message": "Possible unprotected redirect", + "file": "app/controllers/user_training_controller.rb", + "line": 56, + "link": "https://brakemanscanner.org/docs/warning_types/redirect/", + "code": "redirect_to(Talentlms::Facade.new(current_user).course_url(course.config, course.courseid, (clients_url or root_url), logout_talentlms_url), :allow_other_host => true)", + "render_path": null, + "location": { + "type": "method", + "class": "UserTrainingController", + "method": "index" + }, + "user_input": "Talentlms::Facade.new(current_user).course_url(course.config, course.courseid, (clients_url or root_url), logout_talentlms_url)", + "confidence": "Weak", + "cwe_id": [ + 601 + ], + "note": "" + }, { "warning_type": "Cross-Site Scripting", "warning_code": 2, @@ -1305,29 +1328,6 @@ ], "note": "" }, - { - "warning_type": "Command Injection", - "warning_code": 14, - "fingerprint": "781aac46e7b1378f886f2b9f429b4b36766b82a3ce2c8453f8be825781ea49b5", - "check_name": "Execute", - "message": "Possible command injection", - "file": "app/models/glacier/runner.rb", - "line": 37, - "link": "https://brakemanscanner.org/docs/warning_types/command_injection/", - "code": "system(\"psql -d postgres --username=#{db_user} --no-password --host=#{(provided_db_host or db_host)} -c 'create database #{database_name}'\")", - "render_path": null, - "location": { - "type": "method", - "class": "Glacier::Runner", - "method": "restore_database!" - }, - "user_input": "db_user", - "confidence": "Medium", - "cwe_id": [ - 77 - ], - "note": "" - }, { "warning_type": "Cross-Site Scripting", "warning_code": 2, 
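Review bot: The new ignore entry for the `allow_other_host: true` redirect in `UserTrainingController#index` (line 56, CWE-601) is added with `"note": ""`, so the ignore file records that the finding was suppressed but not why. Since this file is the only written record of that review decision, fill in the note with the justification, e.g. `"note": "Target URL is built by Talentlms::Facade from the stored course config and app route helpers, not from request params"` — that is what the `user_input` field suggests, but the controller is not in this diff, so verify that no user-controlled value reaches `course_url` before signing it off. The old entry for the same controller is only being dropped because its fingerprint changed with the refactor; re-ignoring an open-redirect warning on every code move without a note is how these findings get rubber-stamped.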
@@ -2171,29 +2171,6 @@ ], "note": "" }, - { - "warning_type": "Redirect", - "warning_code": 18, - "fingerprint": "bd9f8cdc95ec9905f13a5cf6a7c5d3c477b24d145188564f6a93c2df51d089b7", - "check_name": "Redirect", - "message": "Possible unprotected redirect", - "file": "app/controllers/user_training_controller.rb", - "line": 41, - "link": "https://brakemanscanner.org/docs/warning_types/redirect/", - "code": "redirect_to(Talentlms::Facade.new.course_url(current_user, Talentlms::Config.first.courseid, (clients_url or root_url), logout_talentlms_url), :allow_other_host => true)", - "render_path": null, - "location": { - "type": "method", - "class": "UserTrainingController", - "method": "index" - }, - "user_input": "Talentlms::Facade.new.course_url(current_user, Talentlms::Config.first.courseid, (clients_url or root_url), logout_talentlms_url)", - "confidence": "Weak", - "cwe_id": [ - 601 - ], - "note": "" - }, { "warning_type": "Command Injection", "warning_code": 14, @@ -2521,7 +2498,7 @@ "check_name": "SQL", "message": "Possible SQL injection", "file": "lib/rds_sql_server/rds.rb", - "line": 257, + "line": 258, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "SqlServerBootstrapModel.connection.execute(\"if not exists(select * from sys.databases where name = '#{database}')\\n create database #{database}\\n\")", "render_path": null, @@ -2860,6 +2837,6 @@ "note": "" } ], - "updated": "2024-10-08 21:18:41 +0000", + "updated": "2024-10-29 12:24:27 +0000", "brakeman_version": "6.2.1" }