From 644c5fddd8d04d3f59a2e9a716614bab748796c3 Mon Sep 17 00:00:00 2001
From: Matt Jankowski <matt@jankowski.online>
Date: Thu, 13 Jul 2023 09:52:37 -0400
Subject: [PATCH] Refactor `Status.tagged_with_all` for brakeman SQL injection
 warning (#25941)

---
 app/models/status.rb   |  4 +++-
 config/brakeman.ignore | 25 +------------------------
 2 files changed, 4 insertions(+), 25 deletions(-)

diff --git a/app/models/status.rb b/app/models/status.rb
index 67463b140b..ff85ff2388 100644
--- a/app/models/status.rb
+++ b/app/models/status.rb
@@ -103,7 +103,9 @@ class Status < ApplicationRecord
   scope :not_domain_blocked_by_account, ->(account) { account.excluded_from_timeline_domains.blank? ? left_outer_joins(:account) : left_outer_joins(:account).where('accounts.domain IS NULL OR accounts.domain NOT IN (?)', account.excluded_from_timeline_domains) }
   scope :tagged_with_all, lambda { |tag_ids|
     Array(tag_ids).map(&:to_i).reduce(self) do |result, id|
-      result.joins("INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}")
+      result.where(<<~SQL.squish, tag_id: id)
+        EXISTS(SELECT 1 FROM statuses_tags WHERE statuses_tags.status_id = statuses.id AND statuses_tags.tag_id = :tag_id)
+      SQL
     end
   }
   scope :tagged_with_none, lambda { |tag_ids|
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
index 27d8ff8da5..9b9330a758 100644
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@@ -1,28 +1,5 @@
 {
   "ignored_warnings": [
-    {
-      "warning_type": "SQL Injection",
-      "warning_code": 0,
-      "fingerprint": "19df3740b8d02a9fe0eb52c939b4b87d3a2a591162a6adfa8d64e9c26aeebe6d",
-      "check_name": "SQL",
-      "message": "Possible SQL injection",
-      "file": "app/models/status.rb",
-      "line": 106,
-      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
-      "code": "result.joins(\"INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "Status",
-        "method": null
-      },
-      "user_input": "id",
-      "confidence": "Weak",
-      "cwe_id": [
-        89
-      ],
-      "note": ""
-    },
     {
       "warning_type": "Cross-Site Scripting",
       "warning_code": 2,
@@ -206,6 +183,6 @@
       "note": ""
     }
   ],
-  "updated": "2023-07-11 16:08:58 +0200",
+  "updated": "2023-07-12 11:20:51 -0400",
   "brakeman_version": "6.0.0"
 }