alchemy_cms 5.1.2 → 5.2.0.b1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/ci.yml +2 -1
- data/CHANGELOG.md +27 -0
- data/Gemfile +2 -1
- data/alchemy_cms.gemspec +2 -2
- data/app/assets/stylesheets/alchemy/_variables.scss +2 -0
- data/app/assets/stylesheets/alchemy/elements.scss +38 -5
- data/app/controllers/alchemy/admin/base_controller.rb +1 -0
- data/app/controllers/alchemy/admin/trash_controller.rb +2 -0
- data/app/decorators/alchemy/content_editor.rb +64 -0
- data/app/decorators/alchemy/element_editor.rb +42 -0
- data/app/helpers/alchemy/admin/contents_helper.rb +3 -8
- data/app/helpers/alchemy/elements_helper.rb +0 -18
- data/app/models/alchemy/attachment.rb +4 -0
- data/app/models/alchemy/content.rb +7 -0
- data/app/models/alchemy/element.rb +38 -0
- data/app/models/alchemy/element/definitions.rb +5 -22
- data/app/models/alchemy/page/page_elements.rb +9 -2
- data/app/models/alchemy/picture_variant.rb +1 -1
- data/app/views/alchemy/admin/elements/_element_header.html.erb +2 -0
- data/config/brakeman.ignore +305 -17
- data/config/locales/alchemy.en.yml +40 -24
- data/lib/alchemy/deprecation.rb +1 -1
- data/lib/alchemy/element_definition.rb +70 -0
- data/lib/alchemy/elements_finder.rb +6 -2
- data/lib/alchemy/essence.rb +4 -4
- data/lib/alchemy/filetypes.rb +13 -0
- data/lib/alchemy/forms/builder.rb +1 -1
- data/lib/alchemy/i18n.rb +4 -5
- data/lib/alchemy/page_layout.rb +1 -0
- data/lib/alchemy/test_support/integration_helpers.rb +5 -5
- data/lib/alchemy/version.rb +1 -1
- data/lib/alchemy_cms.rb +1 -0
- metadata +9 -8
|
@@ -13,41 +13,24 @@ module Alchemy
|
|
|
13
13
|
# your own set of elements
|
|
14
14
|
#
|
|
15
15
|
def definitions
|
|
16
|
-
|
|
16
|
+
ElementDefinition.all
|
|
17
17
|
end
|
|
18
18
|
|
|
19
19
|
# Returns one element definition by given name.
|
|
20
20
|
#
|
|
21
21
|
def definition_by_name(name)
|
|
22
|
-
|
|
23
|
-
end
|
|
24
|
-
|
|
25
|
-
private
|
|
26
|
-
|
|
27
|
-
# Reads the element definitions file named +elements.yml+ from +config/alchemy/+ folder.
|
|
28
|
-
#
|
|
29
|
-
def read_definitions_file
|
|
30
|
-
if ::File.exist?(definitions_file_path)
|
|
31
|
-
::YAML.safe_load(ERB.new(File.read(definitions_file_path)).result, YAML_WHITELIST_CLASSES, [], true) || []
|
|
32
|
-
else
|
|
33
|
-
raise LoadError, "Could not find elements.yml file! Please run `rails generate alchemy:install`"
|
|
34
|
-
end
|
|
35
|
-
end
|
|
36
|
-
|
|
37
|
-
# Returns the +elements.yml+ file path
|
|
38
|
-
#
|
|
39
|
-
def definitions_file_path
|
|
40
|
-
Rails.root.join "config/alchemy/elements.yml"
|
|
22
|
+
ElementDefinition.get(name)
|
|
41
23
|
end
|
|
42
24
|
end
|
|
43
25
|
|
|
44
26
|
# The definition of this element.
|
|
45
27
|
#
|
|
46
28
|
def definition
|
|
47
|
-
if definition = self.class.
|
|
29
|
+
if definition = self.class.definition_by_name(name)
|
|
48
30
|
definition
|
|
49
31
|
else
|
|
50
|
-
log_warning "Could not find element definition for #{name}.
|
|
32
|
+
log_warning "Could not find element definition for #{name}. " \
|
|
33
|
+
"Please check your elements.yml file!"
|
|
51
34
|
{}
|
|
52
35
|
end
|
|
53
36
|
end
|
|
@@ -38,11 +38,17 @@ module Alchemy
|
|
|
38
38
|
after_update :trash_not_allowed_elements!,
|
|
39
39
|
if: :saved_change_to_page_layout?
|
|
40
40
|
|
|
41
|
-
after_update :
|
|
42
|
-
|
|
41
|
+
after_update(if: :saved_change_to_page_layout?) do
|
|
42
|
+
Alchemy::Deprecation.warn(
|
|
43
|
+
"Autogenerating elements on page_layout change is deprecated and will be removed from Alchemy 6.0"
|
|
44
|
+
)
|
|
45
|
+
generate_elements
|
|
46
|
+
end
|
|
43
47
|
end
|
|
44
48
|
|
|
45
49
|
module ClassMethods
|
|
50
|
+
deprecate :trashed_elements, deprecator: Alchemy::Deprecation
|
|
51
|
+
|
|
46
52
|
# Copy page elements
|
|
47
53
|
#
|
|
48
54
|
# @param source [Alchemy::Page]
|
|
@@ -210,6 +216,7 @@ module Alchemy
|
|
|
210
216
|
])
|
|
211
217
|
not_allowed_elements.to_a.map(&:trash!)
|
|
212
218
|
end
|
|
219
|
+
deprecate :trash_not_allowed_elements!, deprecator: Alchemy::Deprecation
|
|
213
220
|
|
|
214
221
|
# Deletes unique and already present definitions from @_element_definitions.
|
|
215
222
|
#
|
|
@@ -93,7 +93,7 @@ module Alchemy
|
|
|
93
93
|
|
|
94
94
|
convert_format = render_format.sub("jpeg", "jpg") != picture.image_file_format.sub("jpeg", "jpg")
|
|
95
95
|
|
|
96
|
-
if render_format =~ /jpe?g/ && convert_format
|
|
96
|
+
if render_format =~ /jpe?g/ && (convert_format || options[:quality])
|
|
97
97
|
quality = options[:quality] || Config.get(:output_image_jpg_quality)
|
|
98
98
|
encoding_options << "-quality #{quality}"
|
|
99
99
|
end
|
|
@@ -2,6 +2,8 @@
|
|
|
2
2
|
<span class="element-handle">
|
|
3
3
|
<% if element.definition.blank? %>
|
|
4
4
|
<%= hint_with_tooltip Alchemy.t(:element_definition_missing) %>
|
|
5
|
+
<% elsif element.deprecated? %>
|
|
6
|
+
<%= hint_with_tooltip element.deprecation_notice %>
|
|
5
7
|
<% else %>
|
|
6
8
|
<% if element.public? %>
|
|
7
9
|
<%= render_icon('window-maximize', style: 'regular', class: 'element') %>
|
data/config/brakeman.ignore
CHANGED
|
@@ -1,14 +1,65 @@
|
|
|
1
1
|
{
|
|
2
2
|
"ignored_warnings": [
|
|
3
|
+
{
|
|
4
|
+
"warning_type": "Cross-Site Scripting",
|
|
5
|
+
"warning_code": 2,
|
|
6
|
+
"fingerprint": "0551e3f9180b85fca4b17fe3c7cbbac1611d2ef8d385f77e9445c562c471d688",
|
|
7
|
+
"check_name": "CrossSiteScripting",
|
|
8
|
+
"message": "Unescaped parameter value",
|
|
9
|
+
"file": "app/views/alchemy/admin/elements/update.js.erb",
|
|
10
|
+
"line": 18,
|
|
11
|
+
"link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
|
|
12
|
+
"code": "j(Element.find(params[:id]).essence_error_messages.join(\"</li><li>\"))",
|
|
13
|
+
"render_path": [
|
|
14
|
+
{
|
|
15
|
+
"type": "controller",
|
|
16
|
+
"class": "Alchemy::Admin::ElementsController",
|
|
17
|
+
"method": "update",
|
|
18
|
+
"line": 55,
|
|
19
|
+
"file": "app/controllers/alchemy/admin/elements_controller.rb",
|
|
20
|
+
"rendered": {
|
|
21
|
+
"name": "alchemy/admin/elements/update",
|
|
22
|
+
"file": "app/views/alchemy/admin/elements/update.js.erb"
|
|
23
|
+
}
|
|
24
|
+
}
|
|
25
|
+
],
|
|
26
|
+
"location": {
|
|
27
|
+
"type": "template",
|
|
28
|
+
"template": "alchemy/admin/elements/update"
|
|
29
|
+
},
|
|
30
|
+
"user_input": "params[:id]",
|
|
31
|
+
"confidence": "Weak",
|
|
32
|
+
"note": ""
|
|
33
|
+
},
|
|
34
|
+
{
|
|
35
|
+
"warning_type": "File Access",
|
|
36
|
+
"warning_code": 16,
|
|
37
|
+
"fingerprint": "154e5d85347ab40256b60182d3143830247b33b81de2ae9ac0622155a1de8e51",
|
|
38
|
+
"check_name": "SendFile",
|
|
39
|
+
"message": "Parameter value used in file name",
|
|
40
|
+
"file": "app/controllers/alchemy/admin/attachments_controller.rb",
|
|
41
|
+
"line": 65,
|
|
42
|
+
"link": "https://brakemanscanner.org/docs/warning_types/file_access/",
|
|
43
|
+
"code": "send_file(Attachment.find(params[:id]).file.path, :filename => Attachment.find(params[:id]).file_name, :type => Attachment.find(params[:id]).file_mime_type)",
|
|
44
|
+
"render_path": null,
|
|
45
|
+
"location": {
|
|
46
|
+
"type": "method",
|
|
47
|
+
"class": "Alchemy::Admin::AttachmentsController",
|
|
48
|
+
"method": "download"
|
|
49
|
+
},
|
|
50
|
+
"user_input": "params[:id]",
|
|
51
|
+
"confidence": "Weak",
|
|
52
|
+
"note": ""
|
|
53
|
+
},
|
|
3
54
|
{
|
|
4
55
|
"warning_type": "Mass Assignment",
|
|
5
56
|
"warning_code": 70,
|
|
6
57
|
"fingerprint": "1dd8f69d9b1bdd4017212f38098f03d2ecb2db06269fb940090f209eee7570c6",
|
|
7
58
|
"check_name": "MassAssignment",
|
|
8
|
-
"message": "
|
|
59
|
+
"message": "Specify exact keys allowed for mass assignment instead of using `permit!` which allows any keys",
|
|
9
60
|
"file": "app/controllers/alchemy/admin/resources_controller.rb",
|
|
10
|
-
"line":
|
|
11
|
-
"link": "
|
|
61
|
+
"line": 136,
|
|
62
|
+
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
|
|
12
63
|
"code": "params.require(resource_handler.namespaced_resource_name).permit!",
|
|
13
64
|
"render_path": null,
|
|
14
65
|
"location": {
|
|
@@ -20,34 +71,170 @@
|
|
|
20
71
|
"confidence": "Medium",
|
|
21
72
|
"note": "Because we actually can't know all attributes each inheriting controller supports, we permit all resource model params. It is adviced that all inheriting controllers implement this method and provide its own set of permitted attributes. As this all happens inside the password protected /admin namespace this can be considered a false positive."
|
|
22
73
|
},
|
|
74
|
+
{
|
|
75
|
+
"warning_type": "Cross-Site Scripting",
|
|
76
|
+
"warning_code": 2,
|
|
77
|
+
"fingerprint": "293a6f5581ba3f0e7aa4f81b38d68baf21f1219c8f3bae3eca6b3e1776b734df",
|
|
78
|
+
"check_name": "CrossSiteScripting",
|
|
79
|
+
"message": "Unescaped parameter value",
|
|
80
|
+
"file": "app/views/alchemy/admin/elements/order.js.erb",
|
|
81
|
+
"line": 17,
|
|
82
|
+
"link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
|
|
83
|
+
"code": "Element.trashed.where(:id => params[:element_ids]).pluck(:id).collect do\n \"#element_area [data-element-id=\\\"#{id}\\\"]\"\n end.join(\", \")",
|
|
84
|
+
"render_path": [
|
|
85
|
+
{
|
|
86
|
+
"type": "controller",
|
|
87
|
+
"class": "Alchemy::Admin::ElementsController",
|
|
88
|
+
"method": "order",
|
|
89
|
+
"line": 78,
|
|
90
|
+
"file": "app/controllers/alchemy/admin/elements_controller.rb",
|
|
91
|
+
"rendered": {
|
|
92
|
+
"name": "alchemy/admin/elements/order",
|
|
93
|
+
"file": "app/views/alchemy/admin/elements/order.js.erb"
|
|
94
|
+
}
|
|
95
|
+
}
|
|
96
|
+
],
|
|
97
|
+
"location": {
|
|
98
|
+
"type": "template",
|
|
99
|
+
"template": "alchemy/admin/elements/order"
|
|
100
|
+
},
|
|
101
|
+
"user_input": "params[:element_ids]",
|
|
102
|
+
"confidence": "Weak",
|
|
103
|
+
"note": ""
|
|
104
|
+
},
|
|
23
105
|
{
|
|
24
106
|
"warning_type": "Dynamic Render Path",
|
|
25
107
|
"warning_code": 15,
|
|
26
|
-
"fingerprint": "
|
|
108
|
+
"fingerprint": "2eb67abb2b025c3446afa2f9b8d48c6b6a05379234a9228c9af4c25b7e672b00",
|
|
27
109
|
"check_name": "Render",
|
|
28
110
|
"message": "Render path contains parameter value",
|
|
29
|
-
"file": "app/views/alchemy/admin/
|
|
30
|
-
"line":
|
|
31
|
-
"link": "
|
|
32
|
-
"code": "render(action =>
|
|
33
|
-
"render_path": [
|
|
111
|
+
"file": "app/views/alchemy/admin/elements/index.html.erb",
|
|
112
|
+
"line": 18,
|
|
113
|
+
"link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
|
|
114
|
+
"code": "render(action => Page.find(params[:page_id]).all_elements.not_nested.unfixed.not_trashed.includes(*element_includes).map do\n Alchemy::ElementEditor.new(element)\n end, {})",
|
|
115
|
+
"render_path": [
|
|
116
|
+
{
|
|
117
|
+
"type": "controller",
|
|
118
|
+
"class": "Alchemy::Admin::ElementsController",
|
|
119
|
+
"method": "index",
|
|
120
|
+
"line": 13,
|
|
121
|
+
"file": "app/controllers/alchemy/admin/elements_controller.rb",
|
|
122
|
+
"rendered": {
|
|
123
|
+
"name": "alchemy/admin/elements/index",
|
|
124
|
+
"file": "app/views/alchemy/admin/elements/index.html.erb"
|
|
125
|
+
}
|
|
126
|
+
}
|
|
127
|
+
],
|
|
34
128
|
"location": {
|
|
35
129
|
"type": "template",
|
|
36
|
-
"template": "alchemy/admin/
|
|
130
|
+
"template": "alchemy/admin/elements/index"
|
|
37
131
|
},
|
|
38
|
-
"user_input": "params[:
|
|
132
|
+
"user_input": "params[:page_id]",
|
|
39
133
|
"confidence": "Weak",
|
|
40
|
-
"note": "
|
|
134
|
+
"note": ""
|
|
135
|
+
},
|
|
136
|
+
{
|
|
137
|
+
"warning_type": "Dynamic Render Path",
|
|
138
|
+
"warning_code": 15,
|
|
139
|
+
"fingerprint": "2eb67abb2b025c3446afa2f9b8d48c6b6a05379234a9228c9af4c25b7e672b00",
|
|
140
|
+
"check_name": "Render",
|
|
141
|
+
"message": "Render path contains parameter value",
|
|
142
|
+
"file": "app/views/alchemy/admin/elements/index.html.erb",
|
|
143
|
+
"line": 31,
|
|
144
|
+
"link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
|
|
145
|
+
"code": "render(action => Page.find(params[:page_id]).all_elements.not_nested.unfixed.not_trashed.includes(*element_includes).map do\n Alchemy::ElementEditor.new(element)\n end, {})",
|
|
146
|
+
"render_path": [
|
|
147
|
+
{
|
|
148
|
+
"type": "controller",
|
|
149
|
+
"class": "Alchemy::Admin::ElementsController",
|
|
150
|
+
"method": "index",
|
|
151
|
+
"line": 13,
|
|
152
|
+
"file": "app/controllers/alchemy/admin/elements_controller.rb",
|
|
153
|
+
"rendered": {
|
|
154
|
+
"name": "alchemy/admin/elements/index",
|
|
155
|
+
"file": "app/views/alchemy/admin/elements/index.html.erb"
|
|
156
|
+
}
|
|
157
|
+
}
|
|
158
|
+
],
|
|
159
|
+
"location": {
|
|
160
|
+
"type": "template",
|
|
161
|
+
"template": "alchemy/admin/elements/index"
|
|
162
|
+
},
|
|
163
|
+
"user_input": "params[:page_id]",
|
|
164
|
+
"confidence": "Weak",
|
|
165
|
+
"note": ""
|
|
166
|
+
},
|
|
167
|
+
{
|
|
168
|
+
"warning_type": "Dynamic Render Path",
|
|
169
|
+
"warning_code": 15,
|
|
170
|
+
"fingerprint": "2fa9bf5c73b4e6e3c272f0b14635f96efbd763e9a2c5b785caefffe3589ac461",
|
|
171
|
+
"check_name": "Render",
|
|
172
|
+
"message": "Render path contains parameter value",
|
|
173
|
+
"file": "app/views/alchemy/admin/essence_pictures/assign.js.erb",
|
|
174
|
+
"line": 2,
|
|
175
|
+
"link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
|
|
176
|
+
"code": "render(action => Alchemy::ContentEditor.new(Content.find(params[:content_id])), {})",
|
|
177
|
+
"render_path": [
|
|
178
|
+
{
|
|
179
|
+
"type": "controller",
|
|
180
|
+
"class": "Alchemy::Admin::EssencePicturesController",
|
|
181
|
+
"method": "assign",
|
|
182
|
+
"line": 49,
|
|
183
|
+
"file": "app/controllers/alchemy/admin/essence_pictures_controller.rb",
|
|
184
|
+
"rendered": {
|
|
185
|
+
"name": "alchemy/admin/essence_pictures/assign",
|
|
186
|
+
"file": "app/views/alchemy/admin/essence_pictures/assign.js.erb"
|
|
187
|
+
}
|
|
188
|
+
}
|
|
189
|
+
],
|
|
190
|
+
"location": {
|
|
191
|
+
"type": "template",
|
|
192
|
+
"template": "alchemy/admin/essence_pictures/assign"
|
|
193
|
+
},
|
|
194
|
+
"user_input": "params[:content_id]",
|
|
195
|
+
"confidence": "Weak",
|
|
196
|
+
"note": ""
|
|
197
|
+
},
|
|
198
|
+
{
|
|
199
|
+
"warning_type": "Dynamic Render Path",
|
|
200
|
+
"warning_code": 15,
|
|
201
|
+
"fingerprint": "384ec61125c6390d59fb7ebcf52792ba284bfd463d70d4ef552ab6c328e776f6",
|
|
202
|
+
"check_name": "Render",
|
|
203
|
+
"message": "Render path contains parameter value",
|
|
204
|
+
"file": "app/views/alchemy/admin/elements/fold.js.erb",
|
|
205
|
+
"line": 11,
|
|
206
|
+
"link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
|
|
207
|
+
"code": "render(action => Alchemy::ElementEditor.new(Element.find(params[:id])), {})",
|
|
208
|
+
"render_path": [
|
|
209
|
+
{
|
|
210
|
+
"type": "controller",
|
|
211
|
+
"class": "Alchemy::Admin::ElementsController",
|
|
212
|
+
"method": "fold",
|
|
213
|
+
"line": 95,
|
|
214
|
+
"file": "app/controllers/alchemy/admin/elements_controller.rb",
|
|
215
|
+
"rendered": {
|
|
216
|
+
"name": "alchemy/admin/elements/fold",
|
|
217
|
+
"file": "app/views/alchemy/admin/elements/fold.js.erb"
|
|
218
|
+
}
|
|
219
|
+
}
|
|
220
|
+
],
|
|
221
|
+
"location": {
|
|
222
|
+
"type": "template",
|
|
223
|
+
"template": "alchemy/admin/elements/fold"
|
|
224
|
+
},
|
|
225
|
+
"user_input": "params[:id]",
|
|
226
|
+
"confidence": "Weak",
|
|
227
|
+
"note": ""
|
|
41
228
|
},
|
|
42
229
|
{
|
|
43
230
|
"warning_type": "Mass Assignment",
|
|
44
231
|
"warning_code": 70,
|
|
45
232
|
"fingerprint": "4b4dc24a6f5251bc1a6851597dfcee39608a2932eb7f81a4a241c00fca8a3043",
|
|
46
233
|
"check_name": "MassAssignment",
|
|
47
|
-
"message": "
|
|
234
|
+
"message": "Specify exact keys allowed for mass assignment instead of using `permit!` which allows any keys",
|
|
48
235
|
"file": "app/controllers/alchemy/admin/elements_controller.rb",
|
|
49
|
-
"line":
|
|
50
|
-
"link": "
|
|
236
|
+
"line": 146,
|
|
237
|
+
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
|
|
51
238
|
"code": "params.fetch(:contents, {}).permit!",
|
|
52
239
|
"render_path": null,
|
|
53
240
|
"location": {
|
|
@@ -58,8 +245,109 @@
|
|
|
58
245
|
"user_input": null,
|
|
59
246
|
"confidence": "Medium",
|
|
60
247
|
"note": "`Alchemy::Content` is a polymorphic association of any kind of model extending `Alchemy::Essence`. Since we can't know the attributes of all potential essences we need to permit all attributes. As this all happens inside the password protected /admin namespace this can be considered a false positive."
|
|
248
|
+
},
|
|
249
|
+
{
|
|
250
|
+
"warning_type": "Cross-Site Scripting",
|
|
251
|
+
"warning_code": 4,
|
|
252
|
+
"fingerprint": "6e6ed4f8b20c07868bc04a4dc419103ecce33bb514eff77790abd57246a4513f",
|
|
253
|
+
"check_name": "LinkToHref",
|
|
254
|
+
"message": "Potentially unsafe model attribute in `link_to` href",
|
|
255
|
+
"file": "app/views/alchemy/admin/nodes/_node.html.erb",
|
|
256
|
+
"line": 62,
|
|
257
|
+
"link": "https://brakemanscanner.org/docs/warning_types/link_to_href",
|
|
258
|
+
"code": "link_to((Unresolved Model).new.url, (Unresolved Model).new.url, :target => \"_blank\", :title => (Unresolved Model).new.url)",
|
|
259
|
+
"render_path": [
|
|
260
|
+
{
|
|
261
|
+
"type": "template",
|
|
262
|
+
"name": "alchemy/admin/nodes/_node",
|
|
263
|
+
"line": 71,
|
|
264
|
+
"file": "app/views/alchemy/admin/nodes/_node.html.erb",
|
|
265
|
+
"rendered": {
|
|
266
|
+
"name": "alchemy/admin/nodes/_node",
|
|
267
|
+
"file": "app/views/alchemy/admin/nodes/_node.html.erb"
|
|
268
|
+
}
|
|
269
|
+
}
|
|
270
|
+
],
|
|
271
|
+
"location": {
|
|
272
|
+
"type": "template",
|
|
273
|
+
"template": "alchemy/admin/nodes/_node"
|
|
274
|
+
},
|
|
275
|
+
"user_input": "(Unresolved Model).new.url",
|
|
276
|
+
"confidence": "Weak",
|
|
277
|
+
"note": ""
|
|
278
|
+
},
|
|
279
|
+
{
|
|
280
|
+
"warning_type": "File Access",
|
|
281
|
+
"warning_code": 16,
|
|
282
|
+
"fingerprint": "6f642c32a45d9f6bbdff89c51873485c930479f4d72885ad0a1883c4372140bf",
|
|
283
|
+
"check_name": "SendFile",
|
|
284
|
+
"message": "Parameter value used in file name",
|
|
285
|
+
"file": "app/controllers/alchemy/attachments_controller.rb",
|
|
286
|
+
"line": 25,
|
|
287
|
+
"link": "https://brakemanscanner.org/docs/warning_types/file_access/",
|
|
288
|
+
"code": "send_file(Attachment.find(params[:id]).file.path, :filename => Attachment.find(params[:id]).file_name, :type => Attachment.find(params[:id]).file_mime_type)",
|
|
289
|
+
"render_path": null,
|
|
290
|
+
"location": {
|
|
291
|
+
"type": "method",
|
|
292
|
+
"class": "Alchemy::AttachmentsController",
|
|
293
|
+
"method": "download"
|
|
294
|
+
},
|
|
295
|
+
"user_input": "params[:id]",
|
|
296
|
+
"confidence": "Weak",
|
|
297
|
+
"note": ""
|
|
298
|
+
},
|
|
299
|
+
{
|
|
300
|
+
"warning_type": "File Access",
|
|
301
|
+
"warning_code": 16,
|
|
302
|
+
"fingerprint": "a1197cfa89e3a66e6d10ee060cd87af97d5e978d6d93b5936eb987288f1c02e6",
|
|
303
|
+
"check_name": "SendFile",
|
|
304
|
+
"message": "Parameter value used in file name",
|
|
305
|
+
"file": "app/controllers/alchemy/attachments_controller.rb",
|
|
306
|
+
"line": 12,
|
|
307
|
+
"link": "https://brakemanscanner.org/docs/warning_types/file_access/",
|
|
308
|
+
"code": "send_file(Attachment.find(params[:id]).file.path, :filename => Attachment.find(params[:id]).file_name, :type => Attachment.find(params[:id]).file_mime_type, :disposition => \"inline\")",
|
|
309
|
+
"render_path": null,
|
|
310
|
+
"location": {
|
|
311
|
+
"type": "method",
|
|
312
|
+
"class": "Alchemy::AttachmentsController",
|
|
313
|
+
"method": "show"
|
|
314
|
+
},
|
|
315
|
+
"user_input": "params[:id]",
|
|
316
|
+
"confidence": "Weak",
|
|
317
|
+
"note": ""
|
|
318
|
+
},
|
|
319
|
+
{
|
|
320
|
+
"warning_type": "Dynamic Render Path",
|
|
321
|
+
"warning_code": 15,
|
|
322
|
+
"fingerprint": "b9f63fd46d0ebd6684b649ab260f27df8a6422d44fed4769273d8e6a6a30397c",
|
|
323
|
+
"check_name": "Render",
|
|
324
|
+
"message": "Render path contains parameter value",
|
|
325
|
+
"file": "app/views/alchemy/admin/essence_files/assign.js.erb",
|
|
326
|
+
"line": 1,
|
|
327
|
+
"link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
|
|
328
|
+
"code": "render(action => Alchemy::ContentEditor.new(Content.find_by(:id => params[:content_id])), {})",
|
|
329
|
+
"render_path": [
|
|
330
|
+
{
|
|
331
|
+
"type": "controller",
|
|
332
|
+
"class": "Alchemy::Admin::EssenceFilesController",
|
|
333
|
+
"method": "assign",
|
|
334
|
+
"line": 32,
|
|
335
|
+
"file": "app/controllers/alchemy/admin/essence_files_controller.rb",
|
|
336
|
+
"rendered": {
|
|
337
|
+
"name": "alchemy/admin/essence_files/assign",
|
|
338
|
+
"file": "app/views/alchemy/admin/essence_files/assign.js.erb"
|
|
339
|
+
}
|
|
340
|
+
}
|
|
341
|
+
],
|
|
342
|
+
"location": {
|
|
343
|
+
"type": "template",
|
|
344
|
+
"template": "alchemy/admin/essence_files/assign"
|
|
345
|
+
},
|
|
346
|
+
"user_input": "params[:content_id]",
|
|
347
|
+
"confidence": "Weak",
|
|
348
|
+
"note": ""
|
|
61
349
|
}
|
|
62
350
|
],
|
|
63
|
-
"updated": "
|
|
64
|
-
"brakeman_version": "4.
|
|
351
|
+
"updated": "2021-01-04 16:29:42 +0100",
|
|
352
|
+
"brakeman_version": "4.10.1"
|
|
65
353
|
}
|