{ "ignored_warnings": [ { "warning_type": "Redirect", "warning_code": 18, "fingerprint": "556f2fdd1f091ed50811cb2cce28dd2b987cd0a2eed4d19bea138c8c083a3a5d", "check_name": "Redirect", "message": "Possible unprotected redirect", "file": "app/controllers/snaptrade_items_controller.rb", "line": 125, "link": "https://brakemanscanner.org/docs/warning_types/redirect/", "code": "redirect_to(Current.family.snaptrade_items.find(params[:id]).connection_portal_url(:redirect_url => callback_snaptrade_items_url(:item_id => Current.family.snaptrade_items.find(params[:id]).id)), :allow_other_host => true)", "render_path": null, "location": { "type": "method", "class": "SnaptradeItemsController", "method": "connect" }, "user_input": "Current.family.snaptrade_items.find(params[:id]).connection_portal_url(:redirect_url => callback_snaptrade_items_url(:item_id => Current.family.snaptrade_items.find(params[:id]).id))", "confidence": "Weak", "cwe_id": [ 601 ], "note": "Intentional redirect to SnapTrade's external OAuth portal for brokerage connection" }, { "warning_type": "Redirect", "warning_code": 18, "fingerprint": "723b1970ca6bf16ea0c2c1afa0c00d3c54854a16568d6cb933e497947565d9ab", "check_name": "Redirect", "message": "Possible unprotected redirect", "file": "app/controllers/family_exports_controller.rb", "line": 30, "link": "https://brakemanscanner.org/docs/warning_types/redirect/", "code": "redirect_to(Current.family.family_exports.find(params[:id]).export_file, :allow_other_host => true)", "render_path": null, "location": { "type": "method", "class": "FamilyExportsController", "method": "download" }, "user_input": "Current.family.family_exports.find(params[:id]).export_file", "confidence": "Weak", "cwe_id": [ 601 ], "note": "TODO(review): justification missing. The redirect target is Current.family.family_exports.find(params[:id]).export_file (a family-scoped record lookup, not a raw user-supplied URL); confirm export_file only ever points at the app's own storage/CDN host before keeping allow_other_host here." }, { "warning_type": "Mass Assignment", "warning_code": 105, "fingerprint": "85e2c11853dd6c69b1953a6ec3ad661cd0ce3df55e4e5beff92365b6ed601171", "check_name": "PermitAttributes", "message": "Potentially dangerous key allowed for mass assignment", "file": 
"app/controllers/api/v1/transactions_controller.rb", "line": 255, "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", "code": "params.require(:transaction).permit(:account_id, :date, :amount, :name, :description, :notes, :currency, :category_id, :merchant_id, :nature, :tag_ids => ([]))", "render_path": null, "location": { "type": "method", "class": "Api::V1::TransactionsController", "method": "transaction_params" }, "user_input": ":account_id", "confidence": "High", "cwe_id": [ 915 ], "note": "account_id is properly validated in create action - line 79 ensures account belongs to user's family: family.accounts.find(transaction_params[:account_id]); TODO(review): confirm update re-validates account_id the same way (the trades_controller entry below covers both create and update)" }, { "warning_type": "Mass Assignment", "warning_code": 105, "fingerprint": "d770e95392c6c69b364dcc0c99faa1c8f4f0cceb085bcc55630213d0b7b8b87f", "check_name": "PermitAttributes", "message": "Potentially dangerous key allowed for mass assignment", "file": "app/controllers/api/v1/trades_controller.rb", "line": 165, "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", "code": "params.require(:trade).permit(:account_id, :date, :qty, :price, :currency, :security_id, :ticker, :manual_ticker, :investment_activity_label, :category_id)", "render_path": null, "location": { "type": "method", "class": "Api::V1::TradesController", "method": "trade_params" }, "user_input": ":account_id", "confidence": "High", "cwe_id": [ 915 ], "note": "account_id and security_id validated in create/update: account via family.accounts.find and supports_trades?, security via resolve_security" }, { "warning_type": "Mass Assignment", "warning_code": 105, "fingerprint": "aaccd8db0be34afdc88e5af08d91ae2e8b7765dfea2f3fc6e1c37db0adc7b991", "check_name": "PermitAttributes", "message": "Potentially dangerous key allowed for mass assignment", "file": "app/controllers/invitations_controller.rb", "line": 58, "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", "code": 
"params.require(:invitation).permit(:email, :role)", "render_path": null, "location": { "type": "method", "class": "InvitationsController", "method": "invitation_params" }, "user_input": ":role", "confidence": "Medium", "cwe_id": [ 915 ], "note": "TODO(review): justification missing. permit(:role) lets the caller choose the invitee's role at invitation time; document which roles are accepted and how the inviter is authorized (compare the Admin::UsersController entry, which cites its Pundit policy)." }, { "warning_type": "Mass Assignment", "warning_code": 105, "fingerprint": "01a88a0a17848e70999c17f6438a636b00e01da39a2c0aa0c46f20f0685c7202", "check_name": "PermitAttributes", "message": "Potentially dangerous key allowed for mass assignment", "file": "app/controllers/admin/users_controller.rb", "line": 35, "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", "code": "params.require(:user).permit(:role)", "render_path": null, "location": { "type": "method", "class": "Admin::UsersController", "method": "user_params" }, "user_input": ":role", "confidence": "Medium", "cwe_id": [ 915 ], "note": "Protected by Pundit authorization - UserPolicy requires super_admin and prevents users from changing their own role" }, { "warning_type": "Dangerous Eval", "warning_code": 13, "fingerprint": "c154514a0f86341473e4abf35e77721495b326c7855e4967d284b4942371819c", "check_name": "Evaluation", "message": "Dynamic string evaluated as code", "file": "app/helpers/styled_form_builder.rb", "line": 5, "link": "https://brakemanscanner.org/docs/warning_types/dangerous_eval/", "code": "class_eval(\" def #{selector}(method, options = {})\\n form_options = options.slice(:label, :label_tooltip, :inline, :container_class, :required)\\n html_options = options.except(:label, :label_tooltip, :inline, :container_class)\\n\\n build_field(method, form_options, html_options) do |merged_options|\\n super(method, merged_options)\\n end\\n end\\n\", \"app/helpers/styled_form_builder.rb\", (5 + 1))", "render_path": null, "location": { "type": "method", "class": "StyledFormBuilder", "method": null }, "user_input": null, "confidence": "Weak", "cwe_id": [ 913, 95 ], "note": "Uses similar pattern to Rails internal form builder" }, { 
"warning_type": "Dynamic Render Path", "warning_code": 15, "fingerprint": "fb6f7abeabc405d6882ffd41dbe8016403ef39307a5c6b4cd7b18adfaf0c24bf", "check_name": "Render", "message": "Render path contains parameter value", "file": "app/views/import/configurations/show.html.erb", "line": 34, "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", "code": "render(partial => permitted_import_configuration_path(Current.family.imports.find(params[:import_id])), { :locals => ({ :import => Current.family.imports.find(params[:import_id]) }) })", "render_path": [ { "type": "controller", "class": "Import::ConfigurationsController", "method": "show", "line": 7, "file": "app/controllers/import/configurations_controller.rb", "rendered": { "name": "import/configurations/show", "file": "app/views/import/configurations/show.html.erb" } } ], "location": { "type": "template", "template": "import/configurations/show" }, "user_input": "params[:import_id]", "confidence": "Weak", "cwe_id": [ 22 ], "note": "TODO(review): justification missing. The partial name is produced by permitted_import_configuration_path(...) from a family-scoped import record rather than from params[:import_id] directly; confirm and document that the helper returns only a fixed set of known partial paths." } ], "brakeman_version": "7.1.0" }