From 5f993b99efba930be82d46709b28a42b8a69770c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 11 May 2026 16:06:23 +0000
Subject: [PATCH 1/2] chore(deps-dev): bump rubocop-rails in the bundler group

Bumps the bundler group with 1 update: [rubocop-rails](https://github.com/rubocop/rubocop-rails).

Updates `rubocop-rails` from 2.34.3 to 2.35.0
- [Release notes](https://github.com/rubocop/rubocop-rails/releases)
- [Changelog](https://github.com/rubocop/rubocop-rails/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop/rubocop-rails/compare/v2.34.3...v2.35.0)

---
updated-dependencies:
- dependency-name: rubocop-rails
dependency-version: 2.35.0
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: bundler
...

Signed-off-by: dependabot[bot]
---
 Gemfile.lock | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index b69c004..999a256 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -149,7 +149,7 @@ GEM
 prism (>= 1.3.0)
 rdoc (>= 4.0.0)
 reline (>= 0.4.2)
- json (2.19.4)
+ json (2.19.5)
 language_server-protocol (3.17.0.5)
 lint_roller (1.1.0)
 listen (3.9.0)
@@ -168,7 +168,7 @@ GEM
 marcel (1.1.0)
 method_source (1.1.0)
 mini_mime (1.1.5)
- minitest (6.0.4)
+ minitest (6.0.6)
 drb (~> 2.0)
 prism (~> 1.5)
 msgpack (1.8.0)
@@ -204,8 +204,8 @@ GEM
 childprocess (>= 0.6.3, < 6)
 iniparse (~> 1.4)
 rexml (>= 3.3.9)
- parallel (1.27.0)
- parser (3.3.10.0)
+ parallel (2.1.0)
+ parser (3.3.11.1)
 ast (~> 2.4.1)
 racc
 pp (0.6.3)
@@ -331,7 +331,7 @@ GEM
 erb
 psych (>= 4.0.0)
 tsort
- regexp_parser (2.11.3)
+ regexp_parser (2.12.0)
 reline (0.6.3)
 io-console (~> 0.5)
 rexml (3.4.4)
@@ -352,18 +352,18 @@ GEM
 rspec-mocks (>= 3.13.0, < 5.0.0)
 rspec-support (>= 3.13.0, < 5.0.0)
 rspec-support (3.13.7)
- rubocop (1.82.1)
+ rubocop (1.86.1)
 json (~> 2.3)
 language_server-protocol (~> 3.17.0.2)
 lint_roller (~> 1.1.0)
- parallel (~> 1.10)
+ parallel (>= 1.10)
 parser (>= 3.3.0.2)
 rainbow (>= 2.2.2, < 4.0)
 regexp_parser (>= 2.9.3, < 3.0)
- rubocop-ast (>= 1.48.0, < 2.0)
+ rubocop-ast (>= 1.49.0, < 2.0)
 ruby-progressbar (~> 1.7)
 unicode-display_width (>= 2.4.0, < 4.0)
- rubocop-ast (1.49.0)
+ rubocop-ast (1.49.1)
 parser (>= 3.3.7.2)
 prism (~> 1.7)
 rubocop-factory_bot (2.28.0)
@@ -381,7 +381,7 @@ GEM
 lint_roller (~> 1.1)
 rubocop (>= 1.75.0, < 2.0)
 rubocop-ast (>= 1.47.1, < 2.0)
- rubocop-rails (2.34.3)
+ rubocop-rails (2.35.0)
 activesupport (>= 4.2.0)
 lint_roller (~> 1.1)
 rack (>= 1.1)

From bb1b70841e4992e9138af22aaa6c944bbc25ff34 Mon Sep 17 00:00:00 2001
From: tschaefer
Date: Tue, 12 May 2026 18:43:40 +0200
Subject: [PATCH 2/2] ci: fix new rubocop findings

---
 app/controllers/stacks_controller.rb | 2 +-
 .../stacks_controller/streams_logs.rb | 2 +-
 config/brakeman.ignore | 78 +++++++++----------
 3 files changed, 41 insertions(+), 41 deletions(-)

diff --git a/app/controllers/stacks_controller.rb b/app/controllers/stacks_controller.rb
index 8a5b7bc..671bf26 100644
--- a/app/controllers/stacks_controller.rb
+++ b/app/controllers/stacks_controller.rb
@@ -99,7 +99,7 @@ def log
 
 def set_stack
 Rails.logger.debug { params.to_json }
- @stack = Stack.find_by!(uuid: params[:uuid])
+ @stack = Stack.find_by!(uuid: params.expect(:uuid))
 rescue ActiveRecord::RecordNotFound
 render json: { error: 'Stack not found' }, status: :not_found
 end
diff --git a/app/controllers/stacks_controller/streams_logs.rb b/app/controllers/stacks_controller/streams_logs.rb
index 75ab43e..17e8e2b 100644
--- a/app/controllers/stacks_controller/streams_logs.rb
+++ b/app/controllers/stacks_controller/streams_logs.rb
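Review bot: `params.expect(:uuid)` on the changed line raises `ActionController::ParameterMissing` when `uuid` is absent (or is not a permitted scalar), and the method-level `rescue ActiveRecord::RecordNotFound` does not catch it, so such requests presumably now get Rails' default 400 handling instead of the JSON `{ error: 'Stack not found' }` body that `params[:uuid]` → `find_by!(uuid: nil)` produced before. If the JSON error contract is meant to hold for every failed lookup, add a second clause: `rescue ActionController::ParameterMissing` / `render json: { error: 'Missing uuid' }, status: :bad_request`. Separately, `Rails.logger.debug { params.to_json }` on the preceding context line writes the whole parameter set to the log; if any action on this controller ever receives secrets, they end up there, so consider narrowing it to `params.slice(:uuid).to_json` or confirming `filter_parameters` covers them.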
@@ -38,7 +38,7 @@ def open_log_file!(sse)
 return nil
 end
 
- log = File.open(log_file, 'r')
+ log = File.open(log_file, 'r') # rubocop:disable Style/FileOpen
 log.seek(0, IO::SEEK_END)
 log
 end
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
index 551d660..024b38c 100644
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@@ -1,27 +1,27 @@
 {
 "ignored_warnings": [
 {
- "warning_type": "Dangerous Send",
- "warning_code": 23,
- "fingerprint": "63882a8ffe1934e347e4599d7c873cdafd65959dd4ea1ecd627f5f25f8f1a10b",
- "check_name": "Send",
- "message": "User controlled method execution",
- "file": "app/controllers/stacks_controller.rb",
- "line": 62,
- "link": "https://brakemanscanner.org/docs/warning_types/dangerous_send/",
- "code": "Stack.find_by!(:uuid => params[:uuid]).send(params[:command].to_sym)",
+ "warning_type": "File Access",
+ "warning_code": 16,
+ "fingerprint": "4904d0275afd5c2d4fb814d72e167bb544b6dd751e408e81881671fc3c8d3b69",
+ "check_name": "FileAccess",
+ "message": "Model attribute used in file name",
+ "file": "app/controllers/stacks_controller/streams_logs.rb",
+ "line": 41,
+ "link": "https://brakemanscanner.org/docs/warning_types/file_access/",
+ "code": "File.open(Stack.find_by!(:uuid => params.expect(:uuid)).assets.log_file.to_s, \"r\")",
 "render_path": null,
 "location": {
 "type": "method",
 "class": "StacksController",
- "method": "control"
+ "method": "open_log_file!"
 },
- "user_input": "params[:command].to_sym",
- "confidence": "High",
+ "user_input": "Stack.find_by!(:uuid => params.expect(:uuid)).assets.log_file.to_s",
+ "confidence": "Medium",
 "cwe_id": [
- 77
+ 22
 ],
- "note": "User input is verified in previous code"
+ "note": "Allow stack log streaming."
 },
 {
 "warning_type": "File Access",
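Review bot: The `rubocop:disable Style/FileOpen` added on the `File.open` line gives no reason, and since the handle is returned from the method rather than closed in a block, a reader of this hunk cannot tell who is responsible for closing it or why the block form was rejected. RuboCop's disable directive accepts a reason after ` -- `; put the ownership there, e.g. `log = File.open(log_file, 'r') # rubocop:disable Style/FileOpen -- handle is handed to the SSE writer, which closes it` (adjusted to whatever actually closes it, which is outside this hunk). The brakeman entry in the same commit records that `log_file` is a model attribute used as a path; if that attribute can ever be influenced by a request, resolving it with `File.expand_path` and checking it sits under the expected log directory before this open is where that belongs. `open_log_file!` starts before this hunk and the early `return nil` above it is cut off.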
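Review bot: The new File Access ignore's `note` (`Allow stack log streaming.`) records what is being permitted, not why the model-derived path in `assets.log_file` cannot escape the intended directory, which is the question CWE-22 asks and the thing an auditor reading `brakeman.ignore` needs. The old entry for the same finding had an empty note, so this is an improvement, but a sentence naming the control would close it, e.g. `"note": "Allow stack log streaming; log_file is built server-side from the stack record and is not taken from the request"` — worded to match how `log_file` is really assigned, which this diff does not show.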
@@ -46,6 +46,29 @@
 ],
 "note": "Allow stack log file download"
 },
+ {
+ "warning_type": "Dangerous Send",
+ "warning_code": 23,
+ "fingerprint": "7e985fe2f6eed90f6be94d15e341029faaf889fddca596fe02ce5fff090cdd46",
+ "check_name": "Send",
+ "message": "User controlled method execution",
+ "file": "app/controllers/stacks_controller.rb",
+ "line": 62,
+ "link": "https://brakemanscanner.org/docs/warning_types/dangerous_send/",
+ "code": "Stack.find_by!(:uuid => params.expect(:uuid)).send(params[:command].to_sym)",
+ "render_path": null,
+ "location": {
+ "type": "method",
+ "class": "StacksController",
+ "method": "control"
+ },
+ "user_input": "params[:command].to_sym",
+ "confidence": "High",
+ "cwe_id": [
+ 77
+ ],
+ "note": "Allow stack log streaming."
+ },
 {
 "warning_type": "Command Injection",
 "warning_code": 14,
@@ -53,7 +76,7 @@
 "check_name": "Execute",
 "message": "Possible command injection",
 "file": "app/jobs/stack_job.rb",
- "line": 29,
+ "line": 46,
 "link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
 "code": "Open3.capture2e({}, ERB.new(Rails.root.join(\"app/jobs/stack_job/templates/#{self.class.script_template}.sh.tt\").read, :trim_mode => \"-\").result(binding))",
 "render_path": null,
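Review bot: The `note` on the re-added Dangerous Send ignore reads `Allow stack log streaming.`, which is the justification for the File Access entry and says nothing about `send(params[:command].to_sym)` in `control`; the entry it replaces (removed earlier in this file) carried `User input is verified in previous code`, and that claim is the one a future reader of a High-confidence, user-controlled `send` needs to see. Restore a note that names the actual guard, e.g. `"note": "command is checked against a fixed allowlist before send; see StacksController#control"`, worded to match what the controller really does, which is outside this diff. Because the fingerprint changed with the `params.expect` rewrite, this new entry is now the only suppression for that finding, so its note effectively is the security review record; `to_sym` on request input also deserves a mention there if the allowlist check happens before the conversion.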
@@ -68,30 +91,7 @@
 77
 ],
 "note": "Script templates are part of the source code"
- },
- {
- "warning_type": "File Access",
- "warning_code": 16,
- "fingerprint": "ecd18b0a8cd3cb99d43f5dcb2686642841fc8763951d1748fd7b384ed4cbab93",
- "check_name": "FileAccess",
- "message": "Model attribute used in file name",
- "file": "app/controllers/stacks_controller/streams_logs.rb",
- "line": 36,
- "link": "https://brakemanscanner.org/docs/warning_types/file_access/",
- "code": "File.open(Stack.find_by!(:uuid => params[:uuid]).assets.log_file.to_s, \"r\")",
- "render_path": null,
- "location": {
- "type": "method",
- "class": "StacksController",
- "method": "open_log_file!"
- },
- "user_input": "Stack.find_by!(:uuid => params[:uuid]).assets.log_file.to_s",
- "confidence": "Medium",
- "cwe_id": [
- 22
- ],
- "note": ""
 }
 ],
- "brakeman_version": "7.0.0"
+ "brakeman_version": "8.0.4"
 }