From e11032585b68dde7119c667c3ef7c2438f285c17 Mon Sep 17 00:00:00 2001
From: Nick Schonning <nschonni@gmail.com>
Date: Tue, 11 Jul 2023 09:23:57 -0400
Subject: [PATCH] Run brakeman in GitHub Actions (#23713)

---
 .github/workflows/bundler-audit.yml | 40 ++++++++++++++++++++++
 .github/workflows/lint-ruby.yml     |  9 ++---
 Gemfile                             |  2 +-
 Gemfile.lock                        |  4 +--
 config/brakeman.ignore              | 51 +++++++++++++++++++++++++++--
 5 files changed, 97 insertions(+), 9 deletions(-)
 create mode 100644 .github/workflows/bundler-audit.yml

diff --git a/.github/workflows/bundler-audit.yml b/.github/workflows/bundler-audit.yml
new file mode 100644
index 000000000..6c4869f12
--- /dev/null
+++ b/.github/workflows/bundler-audit.yml
@@ -0,0 +1,40 @@
+name: Bundler Audit
+on:
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+    paths:
+      - 'Gemfile*'
+      - '.ruby-version'
+      - '.bundler-audit.yml'
+      - '.github/workflows/bundler-audit.yml'
+
+  pull_request:
+    paths:
+      - 'Gemfile*'
+      - '.ruby-version'
+      - '.bundler-audit.yml'
+      - '.github/workflows/bundler-audit.yml'
+
+  schedule:
+    - cron: '0 5 * * 1'
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v3
+
+      - name: Install native Ruby dependencies
+        run: sudo apt-get install -y libicu-dev libidn11-dev
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: .ruby-version
+          bundler-cache: true
+
+      - name: Run bundler-audit
+        run: bundle exec bundler-audit
diff --git a/.github/workflows/lint-ruby.yml b/.github/workflows/lint-ruby.yml
index 0395c8639..c898b2632 100644
--- a/.github/workflows/lint-ruby.yml
+++ b/.github/workflows/lint-ruby.yml
@@ -8,7 +8,7 @@ on:
       - 'Gemfile*'
       - '.rubocop*.yml'
       - '.ruby-version'
-      - '.bundler-audit.yml'
+      - 'config/brakeman.ignore'
       - '**/*.rb'
       - '**/*.rake'
       - '.github/workflows/lint-ruby.yml'
@@ -18,7 +18,7 @@ on:
       - 'Gemfile*'
       - '.rubocop*.yml'
       - '.ruby-version'
-      - '.bundler-audit.yml'
+      - 'config/brakeman.ignore'
       - '**/*.rb'
       - '**/*.rake'
       - '.github/workflows/lint-ruby.yml'
@@ -46,5 +46,6 @@ jobs:
       - name: Run rubocop
         run: bundle exec rubocop
 
-      - name: Run bundler-audit
-        run: bundle exec bundler-audit
+      - name: Run brakeman
+        if: always() # Run both checks, even if the first failed
+        run: bundle exec brakeman
diff --git a/Gemfile b/Gemfile
index 24cb43e65..61b9588e4 100644
--- a/Gemfile
+++ b/Gemfile
@@ -158,7 +158,7 @@ group :development do
   gem 'letter_opener_web', '~> 2.0'
 
   # Security analysis CLI tools
-  gem 'brakeman', '~> 5.4', require: false
+  gem 'brakeman', '~> 6.0', require: false
   gem 'bundler-audit', '~> 0.9', require: false
 
   # Linter CLI for HAML files
diff --git a/Gemfile.lock b/Gemfile.lock
index 9bd708d61..29adaf9cf 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -130,7 +130,7 @@ GEM
     blurhash (0.1.7)
     bootsnap (1.16.0)
       msgpack (~> 1.2)
-    brakeman (5.4.1)
+    brakeman (6.0.0)
     browser (5.3.1)
     brpoplpush-redis_script (0.1.3)
       concurrent-ruby (~> 1.0, >= 1.0.5)
@@ -765,7 +765,7 @@ DEPENDENCIES
   binding_of_caller (~> 1.0)
   blurhash (~> 0.1)
   bootsnap (~> 1.16.0)
-  brakeman (~> 5.4)
+  brakeman (~> 6.0)
   browser
   bundler-audit (~> 0.9)
   capistrano (~> 3.17)
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
index d89591cfe..93bee64af 100644
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@@ -102,6 +102,30 @@
       ],
       "note": ""
     },
+    {
+      "warning_type": "Denial of Service",
+      "warning_code": 76,
+      "fingerprint": "7b6abba5699755348e7ee82a4694bfbf574b41c7cce2d0db0f7c11ae3f983c72",
+      "check_name": "RegexDoS",
+      "message": "Model attribute used in regular expression",
+      "file": "lib/mastodon/cli/domains.rb",
+      "line": 128,
+      "link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
+      "code": "/\\.?(#{DomainBlock.where(:severity => 1).pluck(:domain).map do\n Regexp.escape(domain)\n end.join(\"|\")})$/",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Mastodon::CLI::Domains",
+        "method": "crawl"
+      },
+      "user_input": "DomainBlock.where(:severity => 1).pluck(:domain)",
+      "confidence": "Weak",
+      "cwe_id": [
+        20,
+        185
+      ],
+      "note": ""
+    },
     {
       "warning_type": "Mass Assignment",
       "warning_code": 105,
@@ -148,6 +172,29 @@
       ],
       "note": ""
     },
+    {
+      "warning_type": "Mass Assignment",
+      "warning_code": 105,
+      "fingerprint": "b0dd0a26d24f5ede9713fe49210e9638be5f5548af9eee0b5a16fe9dbc80ffcd",
+      "check_name": "PermitAttributes",
+      "message": "Potentially dangerous key allowed for mass assignment",
+      "file": "app/controllers/api/v2/search_controller.rb",
+      "line": 42,
+      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
+      "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id, :following)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Api::V2::SearchController",
+        "method": "search_params"
+      },
+      "user_input": ":account_id",
+      "confidence": "High",
+      "cwe_id": [
+        915
+      ],
+      "note": ""
+    },
     {
       "warning_type": "Cross-Site Scripting",
       "warning_code": 4,
@@ -205,6 +252,6 @@
       "note": ""
     }
   ],
-  "updated": "2023-07-05 14:34:42 -0400",
-  "brakeman_version": "5.4.1"
+  "updated": "2023-07-08 14:48:58 -0400",
+  "brakeman_version": "6.0.0"
 }