Update brakeman.ignore for MiqObjectStorage

- Adds ignore cases for two items that have been there for a bit - Removes an outdated warning.
ManageIQ · Jan 3, 2020 · 338c1a1 · 338c1a1
1 parent b3978e0
commit 338c1a1
Showing 1 changed file with 34 additions and 14 deletions.
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
@@ -21,24 +21,44 @@
       "note": "The chomp.to_i ensures we get a number and we protect against 0 with a conditional.  The only other possible avenue for attack is if the attacker could replace pgrep, but then they already have root access, so it's a moot point."
     },
     {
-      "warning_type": "File Access",
-      "warning_code": 16,
-      "fingerprint": "4e1918c2d5ff2beacc21db09f696af724d62f1a2a6a101e8e3cb564d0e8a94cd",
-      "check_name": "FileAccess",
-      "message": "Model attribute used in file name",
-      "file": "app/models/miq_report/import_export.rb",
-      "line": 85,
-      "link": "http://brakemanscanner.org/docs/warning_types/file_access/",
-      "code": "YAML.load_file(MiqReport.view_yaml_filename(db, current_user, options))",
+      "warning_type": "Command Injection",
+      "warning_code": 14,
+      "fingerprint": "6a9ec4613af89e29c750be8db27e7b64118ebef6a458357995c51614f26e4f4a",
+      "check_name": "Execute",
+      "message": "Possible command injection",
+      "file": "lib/mount/miq_generic_mount_session.rb",
+      "line": 34,
+      "link": "http://brakemanscanner.org/docs/warning_types/command_injection/",
+      "code": "`#{cmd_str} 2>&1`",
       "render_path": null,
       "location": {
         "type": "method",
-        "class": "MiqReport::ImportExport::ClassMethods",
-        "method": "load_from_view_options"
+        "class": "MiqGenericMountSession",
+        "method": "s(:self).runcmd"
       },
-      "user_input": "MiqReport.view_yaml_filename(db, current_user, options)",
+      "user_input": "cmd_str",
       "confidence": "Medium",
-      "note": "Temporarily skipped, found in new brakeman version"
+      "note": ""
+    },
+    {
+      "warning_type": "Command Injection",
+      "warning_code": 14,
+      "fingerprint": "84d4a4e5555b6b750216afadc01f9e385a8a1d56c97b1a8aa3f10925f446932b",
+      "check_name": "Execute",
+      "message": "Possible command injection",
+      "file": "lib/mount/miq_generic_mount_session.rb",
+      "line": 40,
+      "link": "http://brakemanscanner.org/docs/warning_types/command_injection/",
+      "code": "`sudo #{cmd_str} 2>&1`",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "MiqGenericMountSession",
+        "method": "s(:self).runcmd"
+      },
+      "user_input": "cmd_str",
+      "confidence": "Medium",
+      "note": ""
     },
     {
       "warning_type": "Command Injection",
@@ -81,6 +101,6 @@
       "note": "Temporarily skipped, found in new brakeman version"
     }
   ],
-  "updated": "2017-11-01 11:16:49 -0400",
+  "updated": "2019-11-22 17:39:13 -0600",
   "brakeman_version": "3.7.2"
 }