Fix brakeman warnings

2025-08-09 15:35:22 +02:00 · 2025-04-14 10:39:35 -04:00 · 2025-04-14 10:39:35 -04:00 · a12270b7c9
commit a12270b7c9
parent bf7c84c40d
4 changed files with 12 additions and 70 deletions
--- a/app/controllers/trades_controller.rb
+++ b/app/controllers/trades_controller.rb
@ -42,23 +42,21 @@ class TradesController < ApplicationController

  private
    def build_entry
-      TradeBuilder.new(create_entry_params)
+      account = Current.family.accounts.find(params.dig(:entry, :account_id))
+      TradeBuilder.new(create_entry_params.merge(account: account))
    end

    def entry_params
      params.require(:entry).permit(
-        :account_id, :name, :enriched_name, :date, :amount, :currency, :excluded, :notes, :nature,
+        :name, :enriched_name, :date, :amount, :currency, :excluded, :notes, :nature,
        entryable_attributes: [ :id, :qty, :price ]
      )
    end

    def create_entry_params
      params.require(:entry).permit(
-        :account_id, :date, :amount, :currency, :qty, :price, :ticker, :manual_ticker, :type, :transfer_account_id
-      ).tap do |params|
-        account_id = params.delete(:account_id)
-        params[:account] = Current.family.accounts.find(account_id)
-      end
+        :date, :amount, :currency, :qty, :price, :ticker, :manual_ticker, :type, :transfer_account_id
+      )
    end

    def update_entry_params
--- a/app/controllers/transactions_controller.rb
+++ b/app/controllers/transactions_controller.rb
@ -49,7 +49,8 @@ class TransactionsController < ApplicationController
  end

  def create
-    @entry = Current.family.entries.new(entry_params)
+    account = Current.family.accounts.find(params.dig(:entry, :account_id))
+    @entry = account.entries.new(entry_params)

    if @entry.save
      @entry.sync_account_later
@ -90,7 +91,7 @@ class TransactionsController < ApplicationController
  private
    def entry_params
      entry_params = params.require(:entry).permit(
-        :account_id, :name, :enriched_name, :date, :amount, :currency, :excluded, :notes, :nature, :entryable_type,
+        :name, :enriched_name, :date, :amount, :currency, :excluded, :notes, :nature, :entryable_type,
        entryable_attributes: [ :id, :category_id, :merchant_id, { tag_ids: [] } ]
      )

--- a/app/controllers/valuations_controller.rb
+++ b/app/controllers/valuations_controller.rb
@ -2,8 +2,8 @@ class ValuationsController < ApplicationController
  include EntryableResource

  def create
-    @entry = Current.family.entries.new(entry_params)
-    @entry.entryable = Valuation.new
+    account = Current.family.accounts.find(params.dig(:entry, :account_id))
+    @entry = account.entries.new(entry_params.merge(entryable: Valuation.new))

    if @entry.save
      @entry.sync_account_later
@ -44,6 +44,6 @@ class ValuationsController < ApplicationController
  private
    def entry_params
      params.require(:entry)
-            .permit(:account_id, :name, :enriched_name, :date, :amount, :currency, :notes)
+            .permit(:name, :enriched_name, :date, :amount, :currency, :notes)
    end
 end
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@ -1,28 +1,5 @@
 {
  "ignored_warnings": [
-    {
-      "warning_type": "Mass Assignment",
-      "warning_code": 105,
-      "fingerprint": "5bfdb129316655dc4e02f3a599156660414a6562212a5f61057d376f6888f078",
-      "check_name": "PermitAttributes",
-      "message": "Potentially dangerous key allowed for mass assignment",
-      "file": "app/controllers/concerns/entryable_resource.rb",
-      "line": 124,
-      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
-      "code": "params.require(:account_entry).permit(:account_id, :name, :enriched_name, :date, :amount, :currency, :excluded, :notes, :nature, :entryable_attributes => self.class.permitted_entryable_attributes)",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "EntryableResource",
-        "method": "entry_params"
-      },
-      "user_input": ":account_id",
-      "confidence": "High",
-      "cwe_id": [
-        915
-      ],
-      "note": ""
-    },
    {
      "warning_type": "Mass Assignment",
      "warning_code": 105,
@ -46,40 +23,6 @@
      ],
      "note": ""
    },
-    {
-      "warning_type": "Cross-Site Scripting",
-      "warning_code": 2,
-      "fingerprint": "b1f821a5c03b8aa348fb21b9297081a3bf9e954244290e7e511c67213d35f3dc",
-      "check_name": "CrossSiteScripting",
-      "message": "Unescaped model attribute",
-      "file": "app/views/pages/changelog.html.erb",
-      "line": 18,
-      "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
-      "code": "Provider::Github.new.fetch_latest_release_notes[:body]",
-      "render_path": [
-        {
-          "type": "controller",
-          "class": "PagesController",
-          "method": "changelog",
-          "line": 15,
-          "file": "app/controllers/pages_controller.rb",
-          "rendered": {
-            "name": "pages/changelog",
-            "file": "app/views/pages/changelog.html.erb"
-          }
-        }
-      ],
-      "location": {
-        "type": "template",
-        "template": "pages/changelog"
-      },
-      "user_input": null,
-      "confidence": "High",
-      "cwe_id": [
-        79
-      ],
-      "note": ""
-    },
    {
      "warning_type": "Dangerous Eval",
      "warning_code": 13,
@ -139,5 +82,5 @@
      "note": ""
    }
  ],
-  "brakeman_version": "7.0.0"
+  "brakeman_version": "7.0.2"
 }