mirror of
https://github.com/we-promise/sure.git
synced 2026-04-18 11:34:13 +00:00
14993d871c
Multi-provider SSO support: - Database-backed SSO provider management with admin UI - Support for OpenID Connect, Google OAuth2, GitHub, and SAML 2.0 - Flipper feature flag (db_sso_providers) for dynamic provider loading - ProviderLoader service for YAML or database configuration Admin functionality: - Admin::SsoProvidersController for CRUD operations - Admin::UsersController for super_admin role management - Pundit policies for authorization - Test connection endpoint for validating provider config User provisioning improvements: - JIT (just-in-time) account creation with configurable default role - Changed default JIT role from admin to member (security) - User attribute sync on each SSO login - Group/role mapping from IdP claims SSO identity management: - Settings::SsoIdentitiesController for users to manage connected accounts - Issuer validation for OIDC identities - Unlink protection when no password set Audit logging: - SsoAuditLog model tracking login, logout, link, unlink, JIT creation - Captures IP address, user agent, and metadata Advanced OIDC features: - Custom scopes per provider - Configurable prompt parameter (login, consent, select_account, none) - RP-initiated logout (federated logout to IdP) - id_token storage for logout SAML 2.0 support: - omniauth-saml gem integration - IdP metadata URL or manual configuration - Certificate and fingerprint validation - NameID format configuration
156 lines
6.0 KiB
Plaintext
156 lines
6.0 KiB
Plaintext
{
|
|
"ignored_warnings": [
|
|
{
|
|
"warning_type": "Redirect",
|
|
"warning_code": 18,
|
|
"fingerprint": "723b1970ca6bf16ea0c2c1afa0c00d3c54854a16568d6cb933e497947565d9ab",
|
|
"check_name": "Redirect",
|
|
"message": "Possible unprotected redirect",
|
|
"file": "app/controllers/family_exports_controller.rb",
|
|
"line": 30,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/redirect/",
|
|
"code": "redirect_to(Current.family.family_exports.find(params[:id]).export_file, :allow_other_host => true)",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "FamilyExportsController",
|
|
"method": "download"
|
|
},
|
|
"user_input": "Current.family.family_exports.find(params[:id]).export_file",
|
|
"confidence": "Weak",
|
|
"cwe_id": [
|
|
601
|
|
],
|
|
"note": ""
|
|
},
|
|
{
|
|
"warning_type": "Mass Assignment",
|
|
"warning_code": 105,
|
|
"fingerprint": "85e2c11853dd6c69b1953a6ec3ad661cd0ce3df55e4e5beff92365b6ed601171",
|
|
"check_name": "PermitAttributes",
|
|
"message": "Potentially dangerous key allowed for mass assignment",
|
|
"file": "app/controllers/api/v1/transactions_controller.rb",
|
|
"line": 255,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
|
|
"code": "params.require(:transaction).permit(:account_id, :date, :amount, :name, :description, :notes, :currency, :category_id, :merchant_id, :nature, :tag_ids => ([]))",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "Api::V1::TransactionsController",
|
|
"method": "transaction_params"
|
|
},
|
|
"user_input": ":account_id",
|
|
"confidence": "High",
|
|
"cwe_id": [
|
|
915
|
|
],
|
|
"note": "account_id is properly validated in create action - line 79 ensures account belongs to user's family: family.accounts.find(transaction_params[:account_id])"
|
|
},
|
|
{
|
|
"warning_type": "Mass Assignment",
|
|
"warning_code": 105,
|
|
"fingerprint": "aaccd8db0be34afdc88e5af08d91ae2e8b7765dfea2f3fc6e1c37db0adc7b991",
|
|
"check_name": "PermitAttributes",
|
|
"message": "Potentially dangerous key allowed for mass assignment",
|
|
"file": "app/controllers/invitations_controller.rb",
|
|
"line": 58,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
|
|
"code": "params.require(:invitation).permit(:email, :role)",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "InvitationsController",
|
|
"method": "invitation_params"
|
|
},
|
|
"user_input": ":role",
|
|
"confidence": "Medium",
|
|
"cwe_id": [
|
|
915
|
|
],
|
|
"note": ""
|
|
},
|
|
{
|
|
"warning_type": "Mass Assignment",
|
|
"warning_code": 105,
|
|
"fingerprint": "01a88a0a17848e70999c17f6438a636b00e01da39a2c0aa0c46f20f0685c7202",
|
|
"check_name": "PermitAttributes",
|
|
"message": "Potentially dangerous key allowed for mass assignment",
|
|
"file": "app/controllers/admin/users_controller.rb",
|
|
"line": 35,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
|
|
"code": "params.require(:user).permit(:role)",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "Admin::UsersController",
|
|
"method": "user_params"
|
|
},
|
|
"user_input": ":role",
|
|
"confidence": "Medium",
|
|
"cwe_id": [
|
|
915
|
|
],
|
|
"note": "Protected by Pundit authorization - UserPolicy requires super_admin and prevents users from changing their own role"
|
|
},
|
|
{
|
|
"warning_type": "Dangerous Eval",
|
|
"warning_code": 13,
|
|
"fingerprint": "c154514a0f86341473e4abf35e77721495b326c7855e4967d284b4942371819c",
|
|
"check_name": "Evaluation",
|
|
"message": "Dynamic string evaluated as code",
|
|
"file": "app/helpers/styled_form_builder.rb",
|
|
"line": 5,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/dangerous_eval/",
|
|
"code": "class_eval(\" def #{selector}(method, options = {})\\n form_options = options.slice(:label, :label_tooltip, :inline, :container_class, :required)\\n html_options = options.except(:label, :label_tooltip, :inline, :container_class)\\n\\n build_field(method, form_options, html_options) do |merged_options|\\n super(method, merged_options)\\n end\\n end\\n\", \"app/helpers/styled_form_builder.rb\", (5 + 1))",
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "method",
|
|
"class": "StyledFormBuilder",
|
|
"method": null
|
|
},
|
|
"user_input": null,
|
|
"confidence": "Weak",
|
|
"cwe_id": [
|
|
913,
|
|
95
|
|
],
|
|
"note": "Uses similar pattern to Rails internal form builder"
|
|
},
|
|
{
|
|
"warning_type": "Dynamic Render Path",
|
|
"warning_code": 15,
|
|
"fingerprint": "fb6f7abeabc405d6882ffd41dbe8016403ef39307a5c6b4cd7b18adfaf0c24bf",
|
|
"check_name": "Render",
|
|
"message": "Render path contains parameter value",
|
|
"file": "app/views/import/configurations/show.html.erb",
|
|
"line": 34,
|
|
"link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
|
|
"code": "render(partial => permitted_import_configuration_path(Current.family.imports.find(params[:import_id])), { :locals => ({ :import => Current.family.imports.find(params[:import_id]) }) })",
|
|
"render_path": [
|
|
{
|
|
"type": "controller",
|
|
"class": "Import::ConfigurationsController",
|
|
"method": "show",
|
|
"line": 7,
|
|
"file": "app/controllers/import/configurations_controller.rb",
|
|
"rendered": {
|
|
"name": "import/configurations/show",
|
|
"file": "app/views/import/configurations/show.html.erb"
|
|
}
|
|
}
|
|
],
|
|
"location": {
|
|
"type": "template",
|
|
"template": "import/configurations/show"
|
|
},
|
|
"user_input": "params[:import_id]",
|
|
"confidence": "Weak",
|
|
"cwe_id": [
|
|
22
|
|
],
|
|
"note": ""
|
|
}
|
|
],
|
|
"brakeman_version": "7.1.0"
|
|
}
|