authorBrian Neel <brian@gitlab.com>2017-07-10 17:27:53 -0400
committerBrian Neel <brian@gitlab.com>2017-07-10 17:27:53 -0400
commit2e062bae74563550b0324e5644ec8a5f5161e9e9 (patch)
treed988de771b1e12714b0a99491222cbed8e8aa1de
parent86dcba470ebc6093eedabe56d8b4acf4ed65c212 (diff)
downloadgitlab-ce-add-rubocop-gitlab-security.tar.gz
Whitelist security checks for gem 0.0.5add-rubocop-gitlab-security
-rw-r--r--app/helpers/issuables_helper.rb2
-rw-r--r--app/models/merge_request.rb2
-rw-r--r--app/models/project.rb2
-rw-r--r--app/models/user.rb4
-rw-r--r--app/services/labels/transfer_service.rb2
-rw-r--r--config/application.rb2
-rw-r--r--lib/ci/charts.rb2
7 files changed, 8 insertions, 8 deletions
diff --git a/app/helpers/issuables_helper.rb b/app/helpers/issuables_helper.rb
index b5366519ed9..9aa059c3d61 100644
--- a/app/helpers/issuables_helper.rb
+++ b/app/helpers/issuables_helper.rb
@@ -234,7 +234,7 @@ module IssuablesHelper
end
def issuables_count_for_state(issuable_type, state, finder: nil)
- finder ||= public_send("#{issuable_type}_finder")
+ finder ||= public_send("#{issuable_type}_finder") # rubocop:disable GitlabSecurity/PublicSend
cache_key = finder.state_counter_cache_key(state)
@counts ||= {}
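Review bot: The `# rubocop:disable GitlabSecurity/PublicSend` added on the `finder ||=` line silences the cop without recording why the dynamic dispatch is safe. The `_finder` suffix limits which methods the interpolated name can reach, but where `issuable_type` comes from is not visible in this hunk, and `issuables_count_for_state` continues past it. I would either check `issuable_type` against a fixed list of the supported types before the call, or, if it is only ever set by the application's own views, say so next to the suppression, e.g. `# issuable_type is supplied by our own templates, never taken from params`.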
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index 808212c780c..cbd6f6a8d5d 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -172,7 +172,7 @@ class MergeRequest < ActiveRecord::Base
target = unscoped.where(target_project_id: relation).select(:id)
union = Gitlab::SQL::Union.new([source, target])
- where("merge_requests.id IN (#{union.to_sql})")
+ where("merge_requests.id IN (#{union.to_sql})") # rubocop:disable GitlabSecurity/SqlInjection
end
WIP_REGEX = /\A\s*(\[WIP\]\s*|WIP:\s*|WIP\s+)+\s*/i.freeze
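Review bot: The `# rubocop:disable GitlabSecurity/SqlInjection` added on the `where("merge_requests.id IN (#{union.to_sql})")` line gives no reason, and the same bare suppression is repeated in the project.rb, user.rb (both hunks) and labels/transfer_service.rb hunks. Here `union` wraps `target`, a relation built in the hunk, and `source`, defined above it, so the interpolated SQL appears to be generated by ActiveRecord rather than taken from a caller-supplied string. In the second user.rb hunk `ci_projects_union`, and in transfer_service.rb `label_ids`, are defined outside the hunk, so that cannot be confirmed from the diff. A short reason after each disable, e.g. `# union.to_sql is generated from ActiveRecord relations, no raw input`, would let a later reader re-check the assumption when the relation changes. Since the pattern recurs five times, one shared helper that takes the column and the union would keep the single suppression in one audited place.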
diff --git a/app/models/project.rb b/app/models/project.rb
index d58846a25fe..38240963167 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -391,7 +391,7 @@ class Project < ActiveRecord::Base
union = Gitlab::SQL::Union.new([projects, namespaces])
- where("projects.id IN (#{union.to_sql})")
+ where("projects.id IN (#{union.to_sql})") # rubocop:disable GitlabSecurity/SqlInjection
end
def search_by_title(query)
diff --git a/app/models/user.rb b/app/models/user.rb
index f593fdc10dd..a19edef3aa5 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -514,7 +514,7 @@ class User < ActiveRecord::Base
union = Gitlab::SQL::Union
.new([groups.select(:id), authorized_projects.select(:namespace_id)])
- Group.where("namespaces.id IN (#{union.to_sql})")
+ Group.where("namespaces.id IN (#{union.to_sql})") # rubocop:disable GitlabSecurity/SqlInjection
end
# Returns a relation of groups the user has access to, including their parent
@@ -899,7 +899,7 @@ class User < ActiveRecord::Base
def ci_authorized_runners
@ci_authorized_runners ||= begin
runner_ids = Ci::RunnerProject
- .where("ci_runner_projects.project_id IN (#{ci_projects_union.to_sql})")
+ .where("ci_runner_projects.project_id IN (#{ci_projects_union.to_sql})") # rubocop:disable GitlabSecurity/SqlInjection
.select(:runner_id)
Ci::Runner.specific.where(id: runner_ids)
end
diff --git a/app/services/labels/transfer_service.rb b/app/services/labels/transfer_service.rb
index d2ece354efc..775efed48eb 100644
--- a/app/services/labels/transfer_service.rb
+++ b/app/services/labels/transfer_service.rb
@@ -37,7 +37,7 @@ module Labels
union = Gitlab::SQL::Union.new(label_ids)
- Label.where("labels.id IN (#{union.to_sql})").reorder(nil).uniq
+ Label.where("labels.id IN (#{union.to_sql})").reorder(nil).uniq # rubocop:disable GitlabSecurity/SqlInjection
end
def group_labels_applied_to_issues
diff --git a/config/application.rb b/config/application.rb
index a9a961d7520..548031e72b0 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -171,7 +171,7 @@ module Gitlab
next unless name.include?('namespace_project')
define_method(name.sub('namespace_project', 'project')) do |project, *args|
- send(name, project&.namespace, project, *args)
+ send(name, project&.namespace, project, *args) # rubocop:disable GitlabSecurity/PublicSend
end
end
end
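Review bot: `send` on the changed line bypasses method visibility, and the new suppression does not say why that is acceptable. `name` comes from an iteration that starts above the hunk, so whether it can only hold generated helper names is not visible here. If the targeted helpers are public, `public_send(name, project&.namespace, project, *args)` is the narrower call. A reason next to the disable, such as `# name is one of the generated namespace_project helper names` (if that is what the loop yields), would document the exception.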
diff --git a/lib/ci/charts.rb b/lib/ci/charts.rb
index 872e418c788..76a69bf8a83 100644
--- a/lib/ci/charts.rb
+++ b/lib/ci/charts.rb
@@ -47,7 +47,7 @@ module Ci
def collect
query = project.pipelines
- .where("? > #{Ci::Pipeline.table_name}.created_at AND #{Ci::Pipeline.table_name}.created_at > ?", @to, @from)
+ .where("? > #{Ci::Pipeline.table_name}.created_at AND #{Ci::Pipeline.table_name}.created_at > ?", @to, @from) # rubocop:disable GitlabSecurity/SqlInjection
totals_count = grouped_count(query)
success_count = grouped_count(query.success)
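Review bot: The interpolation in `collect` that needs the new suppression can be avoided rather than whitelisted, because only `Ci::Pipeline.table_name` is interpolated while `@to` and `@from` are already bound with `?`. Building the condition with Arel keeps the strict comparisons and removes the string, e.g. `created_at = Ci::Pipeline.arel_table[:created_at]` followed by `.where(created_at.lt(@to)).where(created_at.gt(@from))`. If the string form is kept, the disable should carry its reason, such as `# only table_name is interpolated; the dates are bound parameters`. `collect` continues past the end of the hunk.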