Closed crisr15 closed 3 months ago
Updated brakeman audit link: https://docs.google.com/document/d/1lfwAxlsT5s2QHK0tGIAtwljVyPQSJNqQawVI65s9-c0/edit?usp=sharing
== Errors ==
[x] Error: app/views/full_text/_previous_next_doc.html.erb:14 :: parse error on value "$" ($end) Could not parse app/views/full_text/_previous_next_doc.html.erb Location: Could not parse /Users/aprilrieger/softserv/oral-history/app/views/full_text/_previous_next_doc.html.erb
[x] Error: app/views/interviewee/_previous_next_doc.html.erb:14 :: parse error on value "$" ($end) Could not parse app/views/interviewee/_previous_next_doc.html.erb Location: Could not parse /Users/aprilrieger/softserv/oral-history/app/views/interviewee/_previous_next_doc.html.erb
[x] Error: app/views/interviewee/_show.html.erb:10 :: parse error on value "," (tCOMMA:
== Warnings ==
[x] Confidence: High
Category: Basic Auth
Check: BasicAuth
Message: Basic authentication password stored in source code
Code: (password == "oralhistory")
File: app/controllers/application_controller.rb
Line: 15
[x] Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: curl -o #{Tempfile.new.path} #{pdf_text}
File: app/jobs/index_pdf_transcript_job.rb
Line: 12
[x] Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: spawn(sprintf("ffmpeg -loglevel panic -i %s -acodec pcm_s16le -ar 44100 %s", src, "#{Dir.mktmpdir((tmp_path or "ffmpeg-"), nil)}/audio.wav"))
File: app/services/peaks/converter.rb
Line: 19
[x] Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: system("rm -rf #{raw_path.gsub("/audio.wave", "")}")
File: app/services/peaks/processor.rb
Line: 29
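The three Command Injection warnings share one root cause: a value such as pdf_text or raw_path is interpolated into a single command string, which Ruby hands to /bin/sh for parsing. The block below is an added example, not code from the oral-history project, showing why Brakeman flags the string form and the argv-style equivalents a fix would use; the UNTRUSTED value and the helper names are constructed for illustration.

```ruby
require "open3"
require "shellwords"
require "fileutils"
require "tmpdir"
require "uri"

# Constructed stand-in for a pdf_text / raw_path style input.
UNTRUSTED = "report.pdf; echo INJECTED".freeze

# The pattern Brakeman flags: one string, so Ruby hands it to /bin/sh,
# which honours metacharacters (';', '|', '$()', backticks) in the input.
def shell_string_form(arg)
  out, _status = Open3.capture2("echo #{arg}")
  out.lines.map(&:strip)
end

# Hardened form: separate argv elements, no shell, input arrives verbatim.
def argv_form(arg)
  out, _status = Open3.capture2("echo", arg)
  out.lines.map(&:strip)
end

# When a single command string is unavoidable, escape each piece.
def escaped_string_form(arg)
  out, _status = Open3.capture2("echo #{Shellwords.escape(arg)}")
  out.lines.map(&:strip)
end

# argv-style equivalents of the flagged calls; each returns the array to
# splat into system/spawn/Open3, e.g. system(*curl_argv(url, dest)).
def curl_argv(url, dest)
  scheme = URI.parse(url).scheme
  # Only accept real URLs so the value can never be read by curl as an option.
  raise ArgumentError, "expected http(s) URL" unless %w[http https].include?(scheme)
  ["curl", "-o", dest, url]
end

def ffmpeg_argv(src, tmp_path = nil)
  outdir = Dir.mktmpdir(tmp_path || "ffmpeg-")
  ["ffmpeg", "-loglevel", "panic", "-i", src,
   "-acodec", "pcm_s16le", "-ar", "44100", File.join(outdir, "audio.wav")]
end

# rm -rf through a shell is replaced by FileUtils, which never spawns one.
def remove_work_dir(raw_path)
  FileUtils.rm_rf(File.dirname(raw_path))
end
```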
Summary
After the Rails upgrade, run Bundler Audit to see whether any gems need to be updated.
Related
Cannot work on this until the Rails upgrade is complete.
Rails Upgrade Ticket: https://github.com/scientist-softserv/oral-history/issues/18
Acceptance Criteria
Notes
Brakeman and Bundler Audit before the upgrades: https://docs.google.com/document/d/1tXW9Jvbk1wx7fE_fOmvvfXfaVL4awpwbfrsvuwgmmKA/edit