Merge branch 'fix-brakeman-audit-failures' of github.com:fiveNinePlusR/pbm

Author: RyanTG

app/controllers/api/v1/location_machine_xrefs_controller.rb

@@ -38,12 +38,12 @@ def create
 
         return return_response(AUTH_REQUIRED_MSG, 'errors') if user.nil?
 
-        location_id = params[:location_id]
-        machine_id = params[:machine_id]
+        location_id = params[:location_id].to_i
+        machine_id = params[:machine_id].to_i
         condition = params[:condition]
         status_code = 200
 
-        return return_response('Failed to find machine', 'errors') if machine_id.nil? || location_id.nil? || !Machine.exists?(machine_id) || !Location.exists?(location_id)
+        return return_response('Failed to find machine', 'errors') if machine_id.zero? || location_id.zero? || !Machine.exists?(machine_id) || !Location.exists?(location_id)
 
         lmx = LocationMachineXref.find_by_location_id_and_machine_id(location_id, machine_id)
 

app/controllers/api/v1/location_picture_xrefs_controller.rb

@@ -21,8 +21,8 @@ def show
       def create
         return return_response(AUTH_REQUIRED_MSG, 'errors') if current_user.nil?
 
-        location_id = params[:location_id]
-        return return_response('Failed to find location', 'errors') if location_id.nil? || !Location.exists?(location_id)
+        location_id = params[:location_id].to_i
+        return return_response('Failed to find location', 'errors') if location_id.zero? || !Location.exists?(location_id)
 
         photo = params[:photo]
         return return_response('Missing photo to add', 'errors') if photo.nil?

app/controllers/machines_controller.rb

@@ -28,11 +28,11 @@ def autocomplete
       sanitized_sql = ActiveRecord::Base.sanitize_sql_array([sql, { term: params[:term] }])
 
       results = ActiveRecord::Base.connection.select_all(sanitized_sql)
-        .map do |m|
-          name_year = "#{m['name']} (#{m['manufacturer']}, #{m['year']})"
+                                  .map do |m|
+        name_year = "#{m['name']} (#{m['manufacturer']}, #{m['year']})"
 
-          { label: name_year, value: name_year, id: m['id'], group_id: m['machine_group_id'] }
-        end
+        { label: name_year, value: name_year, id: m['id'], group_id: m['machine_group_id'] }
+      end
 
     end
 

app/controllers/pages_controller.rb

@@ -52,7 +52,7 @@ def map
 
     params[:user_faved] = user.id if user && !params[:user_faved].blank?
 
-    if !params[:by_location_id].blank? && loc = Location.where(id: params[:by_location_id]).first
+    if !params[:by_location_id].blank? && (loc = Location.where(id: params[:by_location_id]).first)
       @title_params[:title] = loc.name
       location_type = loc.location_type.name + ' - ' unless loc.location_type.nil?
       machine_list = ' - ' + loc.machine_names_first_no_year.join(', ') unless loc.machine_names_first_no_year.empty?
@@ -74,7 +74,7 @@ def region
     @location_count = @locations.count
     @lmx_count = @region.machines_count
 
-    if !params[:by_location_id].blank? && loc = Location.where(id: params[:by_location_id]).first
+    if !params[:by_location_id].blank? && (loc = Location.where(id: params[:by_location_id]).first)
       @title_params[:title] = loc.name
       location_type = loc.location_type.name + ' - ' unless loc.location_type.nil?
       machine_list = ' - ' + loc.machine_names_first_no_year.join(', ') unless loc.machine_names_first_no_year.empty?

app/models/location.rb

@@ -3,8 +3,8 @@ class Location < ApplicationRecord
 
   validates_presence_of :name, :street, :city, :country
   validates :phone, phone: { possible: true, allow_blank: true, message: 'Phone format not valid.' }
-  validates :website, format: { with: %r{http(s?)://}, message: 'must begin with http:// or https://' }, if: :website?
-  validates :name, :street, :city, format: { with: /^\S.*/, message: "Can't start with a blank", multiline: true }
+  validates :website, format: { with: %r{\Ahttp(s?)://}, message: 'must begin with http:// or https://' }, if: :website?
+  validates :name, :street, :city, format: { with: /\A\S.*/, message: "Can't start with a blank", multiline: true }
   validates :lat, :lon, presence: { message: 'Latitude/Longitude failed to generate. Please double check address and try again, or manually enter the lat/lon' }
 
   belongs_to :location_type, optional: true

app/models/machine_score_xref.rb

@@ -8,17 +8,17 @@ class MachineScoreXref < ApplicationRecord
 
   scope :zone_id, lambda { |id|
     joins(:location_machine_xref).joins(:location).where("
-      locations.zone_id = #{id}
-    ")
+      locations.zone_id = ?
+    ", id)
   }
 
   scope :region, lambda { |name|
     r = Region.find_by_name(name.downcase)
     joins(:location_machine_xref).joins(:location).where("
       location_machine_xrefs.id = machine_score_xrefs.location_machine_xref_id
       and locations.id = location_machine_xrefs.location_id
-      and locations.region_id = #{r.id}
-    ")
+      and locations.region_id = ?
+    ", r.id)
   }
 
   def username

app/models/suggested_location.rb

@@ -5,8 +5,8 @@ class SuggestedLocation < ApplicationRecord
   validates_presence_of :name, :machines, on: :create
   validates_presence_of :street, :city, :zip, on: :update
 
-  validates :website, format: { with: %r{http(s?)://}, message: 'must begin with http:// or https://' }, if: :website?, on: :update
-  validates :name, :street, :city, format: { with: /^\S.*/, message: "Can't start with a blank", multiline: true }, on: :update
+  validates :website, format: { with: %r{\Ahttp(s?)://}, message: 'must begin with http:// or https://' }, if: :website?, on: :update
+  validates :name, :street, :city, format: { with: /\A\S.*/, message: "Can't start with a blank", multiline: true }, on: :update
   validates :lat, :lon, presence: { message: 'Latitude/Longitude failed to generate. Please double check address and try again, or manually enter the lat/lon' }, on: :update
 
   belongs_to :region, optional: true
@@ -97,19 +97,21 @@ def convert_to_location(user_email)
 
       delete
 
-      ActiveRecord::Base.connection.execute(<<HERE)
+      sql = <<HERE
 insert into versions values (
   nextval('versions_id_seq'),
   'Location',
-  #{location.id},
+  :location_id,
   'converted from suggested location',
-  '#{user_email}',
+  :user_email,
   NULL,
   now(),
   NULL,
   NULL
 )
 HERE
+      sanitized_sql = ActiveRecord::Base.sanitize_sql_array([sql, { location_id: location.id, user_email: user_email }])
+      ActiveRecord::Base.connection.execute(sanitized_sql)
     end
   end
 end

app/models/user.rb

@@ -11,7 +11,7 @@ class User < ApplicationRecord
 
   validates :username, presence: true, uniqueness: { case_sensitive: false }
 
-  validates_format_of :username, with: /^[a-zA-Z0-9_\.]*$/, multiline: true
+  validates_format_of :username, with: /\A[a-zA-Z0-9_\.]*\z/, multiline: true
   validates :username, length: { maximum: 20 }
   strip_attributes only: %i[username password]
 

app/views/locations/_form.html.haml

@@ -32,7 +32,7 @@
         :javascript
           $(function () {
             $('#by_#{key}_name').autocomplete({
-              source: '/#{key}s/autocomplete?region_level_search=1;region=#{params[:region]}',
+              source: '/#{key}s/autocomplete?region_level_search=1;region=#{h(params[:region])}',
               minLength: 2,
               delay: 500
               });

app/views/locations/_locations.html.haml

@@ -15,7 +15,7 @@
       [#{[@lat, @lon].join(', ')}]
     );
 
-    var hrefOrig = '#{request.scheme}://#{request.host_with_port}/#{@region ? @region.name.downcase : @operators_map ? @operators_map : "map"}?';
+    var hrefOrig = '#{request.scheme}://#{request.host_with_port}/#{@region ? h(@region.name.downcase) : @operators_map ? @operators_map : "map"}?';
     var def_value = window.location.href;
 
     var url = '';