diff --git a/config/brakeman.ignore b/config/brakeman.ignore
index de2755302c01..219ae2fee6cd 100644
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@@ -21,24 +21,44 @@
 "note": "The chomp.to_i ensures we get a number and we protect against 0 with a conditional. The only other possible avenue for attack is if the attacker could replace pgrep, but then they already have root access, so it's a moot point."
 },
 {
- "warning_type": "File Access",
- "warning_code": 16,
- "fingerprint": "4e1918c2d5ff2beacc21db09f696af724d62f1a2a6a101e8e3cb564d0e8a94cd",
- "check_name": "FileAccess",
- "message": "Model attribute used in file name",
- "file": "app/models/miq_report/import_export.rb",
- "line": 85,
- "link": "http://brakemanscanner.org/docs/warning_types/file_access/",
- "code": "YAML.load_file(MiqReport.view_yaml_filename(db, current_user, options))",
+ "warning_type": "Command Injection",
+ "warning_code": 14,
+ "fingerprint": "6a9ec4613af89e29c750be8db27e7b64118ebef6a458357995c51614f26e4f4a",
+ "check_name": "Execute",
+ "message": "Possible command injection",
+ "file": "lib/mount/miq_generic_mount_session.rb",
+ "line": 34,
+ "link": "http://brakemanscanner.org/docs/warning_types/command_injection/",
+ "code": "`#{cmd_str} 2>&1`",
 "render_path": null,
 "location": {
 "type": "method",
- "class": "MiqReport::ImportExport::ClassMethods",
- "method": "load_from_view_options"
+ "class": "MiqGenericMountSession",
+ "method": "s(:self).runcmd"
 },
- "user_input": "MiqReport.view_yaml_filename(db, current_user, options)",
+ "user_input": "cmd_str",
 "confidence": "Medium",
- "note": "Temporarily skipped, found in new brakeman version"
+ "note": ""
+ },
+ {
+ "warning_type": "Command Injection",
+ "warning_code": 14,
+ "fingerprint": "84d4a4e5555b6b750216afadc01f9e385a8a1d56c97b1a8aa3f10925f446932b",
+ "check_name": "Execute",
+ "message": "Possible command injection",
+ "file": "lib/mount/miq_generic_mount_session.rb",
+ "line": 40,
+ "link": "http://brakemanscanner.org/docs/warning_types/command_injection/",
+ "code": "`sudo #{cmd_str} 2>&1`",
+ "render_path": null,
+ "location": {
+ "type": "method",
+ "class": "MiqGenericMountSession",
+ "method": "s(:self).runcmd"
+ },
+ "user_input": "cmd_str",
+ "confidence": "Medium",
+ "note": ""
 },
 {
 "warning_type": "Command Injection",
@@ -81,6 +101,6 @@
 "note": "Temporarily skipped, found in new brakeman version"
 }
 ],
- "updated": "2017-11-01 11:16:49 -0400",
+ "updated": "2019-11-22 17:39:13 -0600",
 "brakeman_version": "3.7.2"
 }
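Review bot: Both new Command Injection suppressions for `MiqGenericMountSession.runcmd` (the `` `#{cmd_str} 2>&1` `` entry at line 34 and the `` `sudo #{cmd_str} 2>&1` `` entry at line 40) are added with an empty `"note": ""`, so the ignore file records no reason why `cmd_str` cannot carry attacker-influenced data, whereas the surrounding entries in this file do justify their suppression (the pgrep/chomp.to_i note just above is the model). The second entry runs the string under `sudo`, which makes the missing rationale more important, not less: anyone later auditing this file has to re-derive the argument from the callers. Suggest replacing each empty note with the actual argument, in the existing file's register, e.g. `"note": "<PLACEHOLDER: how cmd_str is constructed and why no caller can pass user-controlled segments>"`, or leaving the warning unsuppressed until that can be stated. Separately, the second hunk bumps `updated` to 2019-11-22 while `brakeman_version` stays `"3.7.2"`; if the file was regenerated with a newer scanner, that field is presumably stale and worth confirming.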