Update brakeman config

Ignores the sql injection warning in duplicate claims. Non of the interpolated values in this query are supplable by a user, and using bind params would make this a lot harder to read! Anyone modifying this query needs to be careful not to introduce a sql injection attack!
DFE-Digital · Dec 17, 2024 · 4f7832b · 4f7832b
1 parent 01c5781
commit 4f7832b
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/app/models/admin/reports/duplicate_approved_claims.rb b/app/models/admin/reports/duplicate_approved_claims.rb
@@ -1,3 +1,5 @@
+# This file is ignored in the brakeman config, be careful not to interpolate
+# any user provided parameters!
 module Admin
   module Reports
     class DuplicateApprovedClaims

diff --git a/config/brakeman.ignore b/config/brakeman.ignore
@@ -138,6 +138,29 @@
       ],
       "note": ""
     },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "b0269286fd1ea8251ec5b7680edd39187adb72c1ed2c4bc61e6eec7e14ed24f7",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/admin/reports/duplicate_approved_claims.rb",
+      "line": 191,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "ActiveRecord::Base.connection.execute(((\"WITH current_claims AS (\\n  SELECT claims.id, #{claim_matching_attributes.flatten.join(\", \")}\\n  FROM claims\\n  JOIN decisions ON claims.id = decisions.claim_id\\n  WHERE claims.academic_year = '#{academic_year}'\\n  AND decisions.undone = false\\n  AND decisions.result = 0\\n)\\n\" + \"\\n\") + claim_matching_attributes.flat_map do\n join_condition = attribute_group.map do\n if (Claim.column_for_attribute(attr).type == :string) then\n  \"LOWER(current_claims.#{attr}) = LOWER(other_claims.#{attr})\"\nelse\n  \"current_claims.#{attr} = other_claims.#{attr}\"\nend\n end.join(\" AND \")\n\"SELECT current_claims.id, other_claims.id AS other_claim_id\\nFROM current_claims\\nJOIN current_claims other_claims\\nON #{attribute_group.map do\n if (Claim.column_for_attribute(attr).type == :string) then\n  \"LOWER(current_claims.#{attr}) = LOWER(other_claims.#{attr})\"\nelse\n  \"current_claims.#{attr} = other_claims.#{attr}\"\nend\n end.join(\" AND \")}\\nWHERE current_claims.id != other_claims.id\\n\"\n end.join(\"\\nUNION\\n\")))",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Admin::Reports::DuplicateApprovedClaims",
+        "method": "duplicates_by_attributes"
+      },
+      "user_input": "claim_matching_attributes.flatten.join(\", \")",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
     {
       "warning_type": "SQL Injection",
       "warning_code": 0,
@@ -185,6 +208,6 @@
       "note": ""
     }
   ],
-  "updated": "2024-11-20 17:38:36 +0000",
+  "updated": "2024-12-16 15:02:51 +0000",
   "brakeman_version": "6.2.1"
 }