jwks_controller.rb
Severity: Critical
Cross-Site Request Forgery
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Request Forgery
Confidence level: High

Problem

'protect_from_forgery' should be called in JwksController

Location

app/controllers/jwks_controller.rb:3


Category description: Failure to verify that the sender of a web request actually intended to do so.

Solution: fix the issue in app/controllers/jwks_controller.rb or mark it as false positive.

acme_challenges_controller.rb
Severity: Critical
Cross-Site Request Forgery
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Request Forgery
Confidence level: High

Problem

'protect_from_forgery' should be called in AcmeChallengesController

Location

app/controllers/acme_challenges_controller.rb:3


Category description: Failure to verify that the sender of a web request actually intended to do so.

Solution: fix the issue in app/controllers/acme_challenges_controller.rb or mark it as false positive.

chaos_controller.rb
Severity: Critical
Cross-Site Request Forgery
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Request Forgery
Confidence level: High

Problem

'protect_from_forgery' should be called in ChaosController

Location

app/controllers/chaos_controller.rb:3


Category description: Failure to verify that the sender of a web request actually intended to do so.

Solution: fix the issue in app/controllers/chaos_controller.rb or mark it as false positive.

commit_range.rb
Severity: Severe
Denial of Service
Discovered 6 months ago
Source: static code analysis
Category: Denial of Service
Confidence level: Medium

Problem

Model attribute used in regex

Location

app/models/commit_range.rb:47

/
      (?:#{Project.reference_pattern}#{reference_prefix})?
      (?<commit_range>#{/\h{7,40}\.{2,3}\h{7,40}/.freeze})
    /x

Category description: Denial of Service is any attack which causes a service to become unavailable for legitimate clients.

Solution: fix the issue in app/models/commit_range.rb or mark it as false positive.

commit.rb
Severity: Severe
Denial of Service
Discovered 6 months ago
Source: static code analysis
Category: Denial of Service
Confidence level: Medium

Problem

Model attribute used in regex

Location

app/models/commit.rb:179

/
      (?:#{Project.reference_pattern}#{reference_prefix})?
      (?<commit>#{/\h{#{Gitlab::Git::Commit::MIN_SHA_LENGTH},40}/.freeze})
    /x

Category description: Denial of Service is any attack which causes a service to become unavailable for legitimate clients.

Solution: fix the issue in app/models/commit.rb or mark it as false positive.

show.html.haml
Severity: Severe
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Medium

Problem

Unsafe model attribute in link_to href

Location

app/views/invites/show.html.haml:12

link_to(({ :name => Project.full_name, :url => project_url(Project), :title => _("project"), :path => project_path(Project) } or { :name => Group.name, :url => group_url(Group), :title => _("group"), :path => group_path(Group) })[:name], ({ :name => Project.full_name, :url => project_url(Project), :title => _("project"), :path => project_path(Project) } or { :name => Group.name, :url => group_url(Group), :title => _("group"), :path => group_path(Group) })[:url])

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/invites/show.html.haml or mark it as false positive.

unsubscribe.html.haml
Severity: Severe
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Medium

Problem

Unsafe model attribute in link_to href

Location

app/views/sent_notifications/unsubscribe.html.haml:13

link_to(("#{SentNotification.for(params[:id]).noteable.title} (#{SentNotification.for(params[:id]).noteable.to_reference})" or "#{SentNotification.for(params[:id]).noteable.to_reference}"), (url_for([SentNotification.for(params[:id]).project, SentNotification.for(params[:id]).noteable]) or breadcrumb_title_link))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/sent_notifications/unsubscribe.html.haml or mark it as false positive.

traversal_hierarchy.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/namespace/traversal_hierarchy.rb:41

Namespace.connection.exec_query("\n            UPDATE namespaces\n            SET traversal_ids = cte.traversal_ids\n            FROM (#{recursive_traversal_ids}) as cte\n            WHERE namespaces.id = cte.id\n              AND namespaces.traversal_ids <> cte.traversal_ids\n            ")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/namespace/traversal_hierarchy.rb or mark it as false positive.

alert.rb
Severity: Severe
Denial of Service
Discovered 6 months ago
Source: static code analysis
Category: Denial of Service
Confidence level: Medium

Problem

Model attribute used in regex

Location

app/models/alert_management/alert.rb:194

/
        (#{Project.reference_pattern})?
        #{Regexp.escape(reference_prefix)}(?<alert>\d+)
      /x

Category description: Denial of Service is any attack which causes a service to become unavailable for legitimate clients.

Solution: fix the issue in app/models/alert_management/alert.rb or mark it as false positive.

ssh_host_key.rb
Severity: Severe
Command Injection
Discovered 6 months ago
Source: static code analysis
Category: Command Injection
Confidence level: Medium

Problem

Possible command injection

Location

app/models/ssh_host_key.rb:94

Open3.popen3({}, *["ssh-keyscan", "-T", "5", "-p", "#{url.port}", "-f-"])

Category description: Command injection occurs when shell commands unsafely include user-manipulatable values.

Solution: fix the issue in app/models/ssh_host_key.rb or mark it as false positive.

has_environment_scope.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/concerns/has_environment_scope.rb:66

where("        environment_scope IN (:wildcard, :environment_name) OR\n          :environment_name LIKE\n            #{::Gitlab::SQL::Glob.to_like("environment_scope")}\n", :wildcard => "*", :environment_name => environment_name)

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/concerns/has_environment_scope.rb or mark it as false positive.

merge_request.rb
Severity: Severe
Denial of Service
Discovered 6 months ago
Source: static code analysis
Category: Denial of Service
Confidence level: Medium

Problem

Model attribute used in regex

Location

app/models/merge_request.rb:421

/
      (#{Project.reference_pattern})?
      #{Regexp.escape(reference_prefix)}(?<merge_request>\d+)
    /x

Category description: Denial of Service is any attack which causes a service to become unavailable for legitimate clients.

Solution: fix the issue in app/models/merge_request.rb or mark it as false positive.

traversal_hierarchy.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/namespace/traversal_hierarchy.rb:47

Namespace.joins("INNER JOIN (#{recursive_traversal_ids}) as cte ON namespaces.id = cte.id")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/namespace/traversal_hierarchy.rb or mark it as false positive.

sortable.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/concerns/sortable.rb:57

Label.select(LabelPriority.arel_table[:priority].minimum).left_join_priorities.joins(:label_links).where("label_priorities.project_id = #{project_column}").where("label_links.target_id = #{target_column}").reorder(nil).where("label_links.target_type = #{target_type_column}")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/concerns/sortable.rb or mark it as false positive.

issuable.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/concerns/issuable.rb:99

where("EXISTS (SELECT TRUE FROM #{to_ability_name}_assignees WHERE #{to_ability_name}_id = #{to_ability_name}s.id)")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/concerns/issuable.rb or mark it as false positive.

milestone.rb
Severity: Severe
Denial of Service
Discovered 6 months ago
Source: static code analysis
Category: Denial of Service
Confidence level: Medium

Problem

Model attribute used in regex

Location

app/models/milestone.rb:62

/
      (#{Project.reference_pattern})?
      #{Regexp.escape(reference_prefix)}
      (?:
        (?<milestone_iid>
          \d+(?!\S\w)\b # Integer-based milestone iid, or
        ) |
        (?<milestone_name>
          [^"\s]+\b |  # String-based single-word milestone title, or
          "[^"]+"      # String-based multi-word milestone surrounded in quotes
        )
      )
    /x

Category description: Denial of Service is any attack which causes a service to become unavailable for legitimate clients.

Solution: fix the issue in app/models/milestone.rb or mark it as false positive.

group.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/group.rb:198

NotificationSetting.where(:source_type => self.class.base_class.name, :source_id => self_and_ancestors_ids).joins("LEFT JOIN (#{self_and_ancestors(:hierarchy_order => hierarchy_order).to_sql}) AS ordered_groups ON notification_settings.source_id = ordered_groups.id").select("notification_settings.*, ordered_groups.depth AS depth").order("ordered_groups.depth #{hierarchy_order}")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/group.rb or mark it as false positive.

issue_tracker_service.rb
Severity: Severe
Denial of Service
Discovered 6 months ago
Source: static code analysis
Category: Denial of Service
Confidence level: Medium

Problem

Model attribute used in regex

Location

app/models/project_services/issue_tracker_service.rb:24

/(\b[A-Z][A-Z0-9_]*-|#{Issue.reference_prefix})#{Gitlab::Regex.issue}/

Category description: Denial of Service is any attack which causes a service to become unavailable for legitimate clients.

Solution: fix the issue in app/models/project_services/issue_tracker_service.rb or mark it as false positive.

project.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/project.rb:643

with_project_feature.where("#{ProjectFeature.quoted_access_level_column(feature)} IS NULL OR #{ProjectFeature.quoted_access_level_column(feature)} IN (:public_visible) OR (#{ProjectFeature.quoted_access_level_column(feature)} = :private_visible AND EXISTS (:authorizations))", :public_visible => ([20, 30]), :private_visible => 10, :authorizations => user.authorizations_for_projects(:min_access_level => ProjectFeature.required_minimum_access_level(feature)))

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/project.rb or mark it as false positive.

issuable.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/concerns/issuable.rb:102

where("NOT EXISTS (SELECT TRUE FROM #{to_ability_name}_assignees WHERE #{to_ability_name}_id = #{to_ability_name}s.id)")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/concerns/issuable.rb or mark it as false positive.

alerts_controller.rb
Severity: Severe
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Medium

Problem

Parameters should be whitelisted for mass assignment

Location

app/controllers/projects/prometheus/alerts_controller.rb:76

params.permit!

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/projects/prometheus/alerts_controller.rb or mark it as false positive.

sortable.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/concerns/sortable.rb:51

Label.select(LabelPriority.arel_table[:priority].minimum).left_join_priorities.joins(:label_links).where("label_priorities.project_id = #{project_column}")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/concerns/sortable.rb or mark it as false positive.

root_storage_statistics.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/namespace/root_storage_statistics.rb:70

PersonalSnippet.joins("INNER JOIN snippet_statistics s ON s.snippet_id = snippets.id").where(:author => namespace.owner_id).select("COALESCE(SUM(s.repository_size), 0) AS #{"snippets_size".freeze}")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/namespace/root_storage_statistics.rb or mark it as false positive.

label.rb
Severity: Severe
Denial of Service
Discovered 6 months ago
Source: static code analysis
Category: Denial of Service
Confidence level: Medium

Problem

Model attribute used in regex

Location

app/models/label.rb:113

/
      (#{Project.reference_pattern})?
      #{Regexp.escape(reference_prefix)}
      (?:
          (?<label_id>\d+(?!\S\w)\b)
        | # Integer-based label ID, or
          (?<label_name>
              # String-based single-word label title, or
              [A-Za-z0-9_\-\?\.&]+
              (?<!\.|\?)
            |
              # String-based multi-word label surrounded in quotes
              ".+?"
          )
      )
    /x

Category description: Denial of Service is any attack which causes a service to become unavailable for legitimate clients.

Solution: fix the issue in app/models/label.rb or mark it as false positive.

_general.html.haml
Severity: Severe
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Medium

Problem

Unsafe parameter value in link_to href

Location

app/views/sherlock/queries/_general.html.haml:19

link_to(Gitlab::Sherlock.collection.find_transaction(params[:transaction_id]).find_query(params[:id]).last_application_frame.path, BetterErrors.editor[Gitlab::Sherlock.collection.find_transaction(params[:transaction_id]).find_query(params[:id]).last_application_frame.path, Gitlab::Sherlock.collection.find_transaction(params[:transaction_id]).find_query(params[:id]).last_application_frame.line])

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/sherlock/queries/_general.html.haml or mark it as false positive.

snippet.rb
Severity: Severe
Denial of Service
Discovered 6 months ago
Source: static code analysis
Category: Denial of Service
Confidence level: Medium

Problem

Model attribute used in regex

Location

app/models/snippet.rb:164

/
      (#{Project.reference_pattern})?
      #{Regexp.escape(reference_prefix)}(?<snippet>\d+)
    /x

Category description: Denial of Service is any attack which causes a service to become unavailable for legitimate clients.

Solution: fix the issue in app/models/snippet.rb or mark it as false positive.

show.html.haml
Severity: Severe
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Medium

Problem

Unsafe model attribute in link_to href

Location

app/views/profiles/two_factor_auths/show.html.haml:112

link_to(_("Delete"), (@webauthn_registration or U2fRegistration.register(current_user, u2f_app_id, device_registration_params, session[:challenges]))[:delete_path], :method => :delete, :class => "gl-button btn btn-danger float-right", :data => ({ :confirm => _("Are you sure you want to delete this device? This action cannot be undone.") }))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/profiles/two_factor_auths/show.html.haml or mark it as false positive.

referable.rb
Severity: Severe
Denial of Service
Discovered 6 months ago
Source: static code analysis
Category: Denial of Service
Confidence level: Medium

Problem

Model attribute used in regex

Location

app/models/concerns/referable.rb:83

/
        (?<url>
          #{Regexp.escape(Gitlab.config.gitlab.url)}
          \/#{Project.reference_pattern}
          (?:\/\-)?
          \/#{route.is_a?(Regexp) ? (route) : (Regexp.escape(route))}
          \/#{pattern}
          (?<path>
            (\/[a-z0-9_=-]+)*\/*
          )?
          (?<query>
            \?[a-z0-9_=-]+
            (&[a-z0-9_=-]+)*
          )?
          (?<anchor>\#[a-z0-9_-]+)?
        )
      /x

Category description: Denial of Service is any attack which causes a service to become unavailable for legitimate clients.

Solution: fix the issue in app/models/concerns/referable.rb or mark it as false positive.

issue.rb
Severity: Severe
Denial of Service
Discovered 6 months ago
Source: static code analysis
Category: Denial of Service
Confidence level: Medium

Problem

Model attribute used in regex

Location

app/models/issue.rb:209

/
      (#{Project.reference_pattern})?
      #{Regexp.escape(reference_prefix)}#{Gitlab::Regex.issue}
    /x

Category description: Denial of Service is any attack which causes a service to become unavailable for legitimate clients.

Solution: fix the issue in app/models/issue.rb or mark it as false positive.

youtrack_service.rb
Severity: Severe
Denial of Service
Discovered 6 months ago
Source: static code analysis
Category: Denial of Service
Confidence level: Medium

Problem

Model attribute used in regex

Location

app/models/project_services/youtrack_service.rb:11

/(?<issue>\b[A-Za-z][A-Za-z0-9_]*-\d+\b)|(#{Issue.reference_prefix}#{Gitlab::Regex.issue})/

Category description: Denial of Service is any attack which causes a service to become unavailable for legitimate clients.

Solution: fix the issue in app/models/project_services/youtrack_service.rb or mark it as false positive.