Open steven-solomon opened 6 years ago
I'm considering implementing a factory method to construct the appropriate type of project in order to fix the constantize issues.
Tasks:
One interesting thing I noticed. Due to the fact that the supported project types are loaded from project-meta.yml, there seems to be the ability to configure which CIs are supported. Is that a feature or a consequence of the implementation?
I ran a Brakeman scan. The result of the scan is below.
I want to assist in moving toward security scans being a part of Project Monitor's CI pipeline once the issues have been resolved.
== Warning Types ==
Command Injection: 5
Cross-Site Request Forgery: 1
Cross-Site Scripting: 1
Remote Code Execution: 3
SQL Injection: 3
Session Setting: 1
== Warnings ==
Confidence: High Category: Cross-Site Scripting Check: ContentTag Message: Rails 4.2.7 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 4.2.7.1 File: Gemfile.lock Line: 290
Confidence: High Category: Remote Code Execution Check: UnsafeReflection Message: Unsafe reflection method constantize called with parameter value Code: params[:project][:type].constantize File: app/controllers/projects_controller.rb Line: 81
Confidence: High Category: Remote Code Execution Check: UnsafeReflection Message: Unsafe reflection method constantize called with parameter value Code: params[:project][:type].constantize File: app/controllers/projects_controller.rb Line: 52
Confidence: High Category: Remote Code Execution Check: UnsafeReflection Message: Unsafe reflection method constantize called with parameter value Code: params[:project][:type].constantize File: app/controllers/projects_controller.rb Line: 28
Confidence: High Category: SQL Injection Check: SQLCVEs Message: Rails 4.2.7 contains a SQL injection vulnerability (CVE-2016-6317). Upgrade to 4.2.7.1 File: Gemfile.lock Line: 290
Confidence: High Category: Session Setting Check: SessionSettings Message: Session secret should not be included in version control File: config/initializers/secret_token.rb Line: 7
Confidence: Medium Category: Command Injection Check: Execute Message: Possible command injection Code: cf auth #{username} #{password} File: lib/cf_authenticator.rb Line: 7
Confidence: Medium Category: Command Injection Check: Execute Message: Possible command injection Code: cf push #{env} File: lib/cf_deploy.rb Line: 70
Confidence: Medium Category: Command Injection Check: Execute Message: Possible command injection Code: git tag #{tag} #{commit_sha} -m "#{message}" File: lib/cf_git_tagger.rb Line: 5
Confidence: Medium Category: Command Injection Check: Execute Message: Possible command injection Code: cf t -o #{org} -s #{space} File: lib/cf_authenticator.rb Line: 16
Confidence: Medium Category: Command Injection Check: Execute Message: Possible command injection Code: git push origin #{tag} File: lib/cf_git_tagger.rb Line: 6
Confidence: Medium Category: Cross-Site Request Forgery Check: ForgerySetting Message: protect_from_forgery should be configured with 'with: :exception' File: app/controllers/application_controller.rb
Confidence: Medium Category: SQL Injection Check: SQL Message: Possible SQL injection Code: joins("INNER JOIN (#{" SELECT id,\n (CASE project_statuses.project_id\n WHEN @curType\n THEN @curRow := @curRow + 1\n ELSE @curRow := 1 AND @curType := project_statuses.project_id END\n ) AS rank\n FROM project_statuses,\n (SELECT @curRow := 0, @curType := '') r\n ORDER BY project_statuses.published_at desc, project_statuses.build_id desc\n".strip_heredoc}) rankings ON rankings.id = project_statuses.id") File: app/models/project_status.rb Line: 20
Confidence: Medium Category: SQL Injection Check: SQL Message: Possible SQL injection Code: joins("INNER JOIN (#{" SELECT id,\n (CASE payload_log_entries.project_id\n WHEN @curType\n THEN @curRow := @curRow + 1\n ELSE @curRow := 1 AND @curType := payload_log_entries.project_id END\n ) AS rank\n FROM payload_log_entries,\n (SELECT @curRow := 0, @curType := '') r\n ORDER BY payload_log_entries.created_at desc\n".strip_heredoc}) rankings ON rankings.id = payload_log_entries.id") File: app/models/payload_log_entry.rb Line: 20
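The allowlisted factory the post proposes for the three `params[:project][:type].constantize` findings, written out as an added example. This is not Project Monitor's code: the `Project` subclasses, the inline `PROJECT_META_YML` document standing in for project-meta.yml, and the `ProjectFactory` module are all constructed for illustration. `Object.const_get` stands in for ActiveSupport's `String#constantize` so the block runs without Rails; both resolve an arbitrary string to whatever constant is loaded, which is the problem.

```ruby
require 'yaml'

# Constructed stand-in for the project type hierarchy; the class names are
# hypothetical, not taken from Project Monitor.
class Project
  attr_reader :name
  def initialize(attrs = {})
    @name = attrs[:name]
  end
end
class JenkinsProject < Project; end
class TravisProject < Project; end

# Constructed stand-in for project-meta.yml: the top-level keys are the
# supported project types.
PROJECT_META_YML = <<~YAML
  JenkinsProject:
    display_name: Jenkins
  TravisProject:
    display_name: Travis CI
YAML

module ProjectFactory
  class UnknownProjectType < ArgumentError; end

  # The allowlist comes from config loaded once at boot, never from the request.
  SUPPORTED_TYPES = YAML.safe_load(PROJECT_META_YML).keys.freeze

  # Resolve each configured name to a class exactly once, and insist that it is
  # a Project subclass so a typo in the config cannot map to File, Kernel, etc.
  TYPE_CLASSES = SUPPORTED_TYPES.each_with_object({}) do |type_name, map|
    klass = Object.const_get(type_name)
    raise ArgumentError, "#{type_name} is not a Project" unless klass <= Project
    map[type_name] = klass
  end.freeze

  # Vulnerable pattern (what the Brakeman UnsafeReflection check flags):
  # the request parameter itself is turned into a constant, so any loaded
  # constant, e.g. "File", is reachable.
  def self.unsafe_lookup(type_param)
    Object.const_get(type_param)
  end

  # Hardened pattern: the request parameter is only ever used as a hash key;
  # an unknown key raises instead of being resolved to a constant.
  def self.build(type_param, attrs = {})
    klass = TYPE_CLASSES.fetch(type_param.to_s) do
      raise UnknownProjectType, "unsupported project type: #{type_param.inspect}"
    end
    klass.new(attrs)
  end
end

if $PROGRAM_NAME == __FILE__
  puts ProjectFactory.build("JenkinsProject", name: "ci").class   # JenkinsProject
  puts ProjectFactory.unsafe_lookup("File")                        # File
  begin
    ProjectFactory.build("File")
  rescue ProjectFactory::UnknownProjectType => e
    puts e.message
  end
end
```

In a controller, `ProjectFactory.build(params[:project][:type], project_params)` replaces each `constantize` call, and `rescue_from ProjectFactory::UnknownProjectType` can turn the failure into a 422. Because the map is built from the config file, this also answers the question in the post directly: whichever keys are listed in project-meta.yml are the only types a request can create.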
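For the five Command Injection findings in lib/cf_authenticator.rb, lib/cf_deploy.rb and lib/cf_git_tagger.rb, the fix is the same in each case: stop building one shell string by interpolation and pass the program and its arguments as separate argv entries. The added example below is not the project's code; `echo` stands in for the `cf` and `git` binaries so it runs anywhere, and `HOSTILE_TAG` is a constructed value showing what a `;` in an interpolated argument does.

```ruby
require 'open3'

# Constructed input: a "tag" value an attacker could supply. echo stands in for
# the cf/git binaries the scan flagged; the shell behaviour is identical.
HOSTILE_TAG = "v1.0; echo INJECTED".freeze

# Vulnerable pattern: a single interpolated string is handed to /bin/sh, so the
# ';' in the tag ends the first command and starts a second one.
def run_interpolated(tag)
  out, _status = Open3.capture2("echo #{tag}")
  out
end

# Hardened pattern: program and arguments are separate argv entries. No shell
# is involved, so the tag reaches the program as one literal argument.
def run_argv(tag)
  out, _status = Open3.capture2("echo", tag)
  out
end

# Second layer for git/cf arguments: reject values that could be parsed as an
# option (leading '-') or that contain whitespace or shell metacharacters,
# since argv form stops the shell but not the program's own option parsing.
def valid_tag_name?(tag)
  tag.is_a?(String) && !tag.empty? && !tag.start_with?("-") &&
    tag.match?(/\A[A-Za-z0-9._\/-]+\z/)
end

if $PROGRAM_NAME == __FILE__
  puts run_interpolated(HOSTILE_TAG).inspect   # "v1.0\nINJECTED\n"
  puts run_argv(HOSTILE_TAG).inspect           # "v1.0; echo INJECTED\n"
  puts valid_tag_name?(HOSTILE_TAG)            # false
end
```

Applied to the flagged line in lib/cf_git_tagger.rb, `git tag #{tag} #{commit_sha} -m "#{message}"` becomes a call such as `Open3.capture2e("git", "tag", tag, commit_sha, "-m", message)` after `valid_tag_name?(tag)` has passed; the same shape works for the `cf auth`, `cf t` and `cf push` invocations. Note that argv form is also what keeps a password argument from being reinterpreted if it contains quotes or `$`.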