From 9dbbdf11500d5c8c37061241ce8096b3ffa7fec1 Mon Sep 17 00:00:00 2001 From: Devin Howard Date: Sat, 11 Feb 2017 20:00:42 -0800 Subject: [PATCH] brakeman csrf warning suppressed :| --- config/brakeman.ignore | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
index 9e29ff0d..c2491dcd 100644
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@@ -1,24 +1,24 @@
 {
 "ignored_warnings": [
 {
- "warning_type": "Cross Site Scripting",
- "warning_code": 2,
- "fingerprint": "88694dca0bcc2226859746f9ed40cc682d6e5eaec1e73f2be557770a854ede0b",
- "message": "Unescaped model attribute",
- "file": "app/views/notifications/show.html.erb",
- "line": 7,
- "link": "http://brakemanscanner.org/docs/warning_types/cross_site_scripting",
- "code": "current_user.mailbox.notifications.find_by(:id => params[:id]).body",
- "render_path": [{"type":"controller","class":"NotificationsController","method":"show","line":24,"file":"app/controllers/notifications_controller.rb"}],
+ "warning_type": "Cross-Site Request Forgery",
+ "warning_code": 7,
+ "fingerprint": "59d73ce0b791aa7ed532510c780235a8b23f7cd1246dbf9da258e36f5d1e2b0a",
+ "message": "'protect_from_forgery' should be called in Api::V2::RestfulController",
+ "file": "app/controllers/api/v2/restful_controller.rb",
+ "line": 4,
+ "link": "http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery/",
+ "code": null,
+ "render_path": null,
 "location": {
- "type": "template",
- "template": "notifications/show"
+ "type": "controller",
+ "controller": "Api::V2::RestfulController"
 },
- "user_input": "current_user.mailbox.notifications",
- "confidence": "Weak",
- "note": ""
+ "user_input": null,
+ "confidence": "High",
+ "note": "Cookie-based auth is disabled for the API except for the tokens endpoint. We're hoping this is sufficiently secure, because CSRF-forged links might get clicked on another site, but the generated tokens won't go back to the attacker. Also, an attacker would need a token to delete it, which means they've got access at that point anyways. - Devin, Feb 2017"
 }
 ],
- "updated": "2016-11-29 13:01:34 -0500",
- "brakeman_version": "3.4.0"
+ "updated": "2017-02-11 20:00:09 -0800",
+ "brakeman_version": "3.4.1"
 }
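Review bot: The justification in the new `note` rests on the one case it excludes — the tokens endpoint still accepts cookie auth, and if those routes are served by Api::V2::RestfulController or a subclass, a cross-site POST/DELETE there is exactly the forged request Brakeman flags; the attacker not being able to read the response does not prevent the side effect (a token created or revoked in the victim's account), so "an attacker would need a token to delete it" only holds if deletion rejects session cookies, which this hunk cannot show. Rather than ignoring the finding, the usual Rails fix for a mixed token/cookie API is `protect_from_forgery with: :null_session` in the controller: token-authenticated clients are unaffected (a failed check only empties the session), cookie-backed cross-site requests lose their session, and the warning disappears without an ignore entry. If the ignore is kept, the note should state the mechanism that disables cookie auth and name the request spec that sends a cookie-only state-changing request to the tokens routes, e.g. `"note": "API controllers do not use the cookie session except api/v2/tokens; CSRF on those routes is covered by <spec path>."`, in place of "We're hoping this is sufficiently secure". The controller itself is outside this hunk, so whether the tokens endpoint inherits from it is inferred, not verified.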