Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix sql injection brakeman warning in the aggregation mixin query #20132

Merged
merged 1 commit into from
May 7, 2020
Merged

fix sql injection brakeman warning in the aggregation mixin query #20132

merged 1 commit into from
May 7, 2020

Conversation

d-m-u
Copy link
Contributor

@d-m-u d-m-u commented May 6, 2020
edited
Loading

Hardware.where("#{from}_id" => targets) isn't injection proof but I think this is better?

edit -- #20121

@d-m-u d-m-u requested review from agrare, Fryguy and kbrock as code owners May 6, 2020 19:49
@d-m-u
Copy link
Contributor Author

d-m-u commented May 6, 2020

@miq-bot add_label core/security

@d-m-u d-m-u changed the title fix sql injection brakeman warning in the aggregation mixin query [WIP] fix sql injection brakeman warning in the aggregation mixin query May 6, 2020
@miq-bot miq-bot added the wip label May 6, 2020
@d-m-u d-m-u force-pushed the fixing_brakeman_sql_injection branch from 0ebd39a to b28d197 Compare May 6, 2020 20:26
@d-m-u d-m-u changed the title [WIP] fix sql injection brakeman warning in the aggregation mixin query fix sql injection brakeman warning in the aggregation mixin query May 6, 2020
@miq-bot miq-bot removed the wip label May 6, 2020
@d-m-u d-m-u changed the title fix sql injection brakeman warning in the aggregation mixin query [WIP] fix sql injection brakeman warning in the aggregation mixin query May 6, 2020
@miq-bot miq-bot added the wip label May 6, 2020
@d-m-u d-m-u force-pushed the fixing_brakeman_sql_injection branch from b28d197 to d813ed2 Compare May 6, 2020 23:40
@d-m-u d-m-u changed the title [WIP] fix sql injection brakeman warning in the aggregation mixin query fix sql injection brakeman warning in the aggregation mixin query May 6, 2020
@miq-bot miq-bot removed the wip label May 6, 2020
@d-m-u d-m-u force-pushed the fixing_brakeman_sql_injection branch from d813ed2 to cc7b858 Compare May 7, 2020 00:01
@d-m-u d-m-u requested a review from jrafanie as a code owner May 7, 2020 00:01
@d-m-u
Copy link
Contributor Author

d-m-u commented May 7, 2020

@miq-bot add_label bug, jansa/yes?

@miq-bot
Copy link
Member

miq-bot commented May 7, 2020

Checked commit d-m-u@cc7b858 with ruby 2.5.7, rubocop 0.69.0, haml-lint 0.28.0, and yamllint
1 file checked, 0 offenses detected
Everything looks fine. ⭐

@d-m-u d-m-u closed this May 7, 2020
@d-m-u d-m-u reopened this May 7, 2020
@d-m-u
Copy link
Contributor Author

d-m-u commented May 7, 2020
edited
Loading

i dunno what's up with the travis here, they did all pass: https://travis-ci.com/github/ManageIQ/manageiq/builds/164353778

@Fryguy Fryguy merged commit 478901b into ManageIQ:master May 7, 2020
@Fryguy Fryguy self-assigned this May 7, 2020
@d-m-u d-m-u deleted the fixing_brakeman_sql_injection branch May 7, 2020 15:06
@d-m-u d-m-u mentioned this pull request May 8, 2020
Merged
simaishi pushed a commit that referenced this pull request May 8, 2020
@Fryguy @simaishi
Merge pull request #20132 from d-m-u/fixing_brakeman_sql_injection
f652736 
fix sql injection brakeman warning in the aggregation mixin query

(cherry picked from commit 478901b)
@simaishi
Copy link
Contributor

simaishi commented May 8, 2020

Jansa backport details:

$ git log -1
commit f6527365f45e294acceaf7edab30a3b65028cd2e
Author: Jason Frey <[email protected]>
Date:   Thu May 7 11:06:01 2020 -0400

    Merge pull request #20132 from d-m-u/fixing_brakeman_sql_injection

    fix sql injection brakeman warning in the aggregation mixin query

    (cherry picked from commit 478901b51a537c08f1d3765759210aa1383de7f6)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@agrare agrare Awaiting requested review from agrare agrare is a code owner

@Fryguy Fryguy Awaiting requested review from Fryguy Fryguy is a code owner

@kbrock kbrock Awaiting requested review from kbrock kbrock is a code owner

@jrafanie jrafanie Awaiting requested review from jrafanie jrafanie is a code owner

Assignees

@Fryguy Fryguy

Labels
bug core/security jansa/backported
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@d-m-u @miq-bot @simaishi @Fryguy @gtanzillo