Merge branch 'master' into restricting-queryparams

piyusshkumar · web-flow · commit eb3c761c8105 · 2025-12-05T21:47:24.000+05:30
diff --git a/src/api/Gemfile.lock b/src/api/Gemfile.lock
@@ -254,7 +254,7 @@ GEM
       thor (>= 0.14, < 2.0)
     jquery-ui-rails (8.0.0)
       railties (>= 3.2.16)
-    json (2.16.0)
+    json (2.17.1)
     kaminari (1.2.2)
       activesupport (>= 4.1.0)
       kaminari-actionview (= 1.2.2)
diff --git a/src/api/app/controllers/statistics_controller.rb b/src/api/app/controllers/statistics_controller.rb
@@ -35,7 +35,7 @@ def most_active_projects
 
   def most_active_packages
     # get all packages including activity values
-    @packages = Package.select(Arel.sql("packages.*, #{Package.activity_algorithm}"))
+    @packages = Package.select("packages.*, #{Package.activity_algorithm}")
                        .limit(@limit).order(activity_value: :desc)
     @packages
   end
diff --git a/src/api/app/models/local_build_result/for_package.rb b/src/api/app/models/local_build_result/for_package.rb
@@ -46,7 +46,7 @@ def repository_in_db?(repository, architecture)
     end
 
     def set_architectures_for
-      repos_archs = project.repositories.joins(:architectures).pluck(:name, Arel.sql('architectures.name'))
+      repos_archs = project.repositories.joins(:architectures).pluck(:name, 'architectures.name')
       @architectures_for = {}
       repos_archs.each do |element|
         @architectures_for[element.first] ||= []
diff --git a/src/api/config/brakeman.ignore b/src/api/config/brakeman.ignore
@@ -275,6 +275,29 @@
       ],
       "note": ""
     },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "45840f44547aeced1506343b80e3fe0ad1b6262ae3799e5086907ff71bddb03c",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/controllers/statistics_controller.rb",
+      "line": 38,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "Package.select(\"packages.*, #{Package.activity_algorithm}\")",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "StatisticsController",
+        "method": "most_active_packages"
+      },
+      "user_input": "Package.activity_algorithm",
+      "confidence": "High",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
     {
       "warning_type": "SQL Injection",
       "warning_code": 0,
diff --git a/src/api/vendor/cache/json-2.16.0.gem b/src/api/vendor/cache/json-2.16.0.gem
diff --git a/src/api/vendor/cache/json-2.17.1.gem b/src/api/vendor/cache/json-2.17.1.gem
