Sign upLogin

AyuntamientoMadrid/participacion

View on GitHub
Star

Showing 1,085 of 1,085 total issues

Unsafe reflection method constantize called with parameter value
Open

      params[:relatable_type].classify.constantize
Severity: Critical
Found in app/controllers/sdg_management/relations_controller.rb by brakeman

Brakeman reports on several cases of remote code execution, in which a user is able to control and execute code in ways unintended by application authors.

The obvious form of this is the use of eval with user input.

However, Brakeman also reports on dangerous uses of send, constantize, and other methods which allow creation of arbitrary objects or calling of arbitrary methods.

Render path contains parameter value
Open

  path: admin_budget_group_heading_path(@budget, @group, @heading),
Severity: Minor
Found in app/views/admin/budget_headings/edit.html.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Render path contains parameter value
Open

<%= render Admin::BudgetsWizard::Groups::EditComponent.new(@group) %>
Severity: Minor
Found in app/views/admin/budgets_wizard/groups/edit.html.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Possible SQL injection
Open

    self.class.with_hidden.where(id: id).update_all("tsv = (#{searchable_values_sql})")
Severity: Minor
Found in app/models/concerns/search_cache.rb by brakeman

Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

A basic (Rails 2.x) example looks like this:

User.first(:conditions => "username = '#{params[:username]}'")

Brakeman would produce a warning like this:

Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

The safe way to do this query is to use a parameterized query:

User.first(:conditions => ["username = ?", params[:username]])

Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

username = params[:user][:name].downcase
password = params[:user][:password]

User.first.where("username = '" + username + "' AND password = '" + password + "'")

This results in this kind of warning:

Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

Render path contains parameter value
Open

<%= render Admin::BudgetInvestments::InvestmentsComponent.new(@budget, @investments) %>
Severity: Minor
Found in app/views/admin/budget_investments/index.html.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Render path contains parameter value
Open

<%= render Admin::BudgetsWizard::Headings::EditComponent.new(@heading) %>
Severity: Minor
Found in app/views/admin/budgets_wizard/headings/edit.html.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Render path contains parameter value
Open

<%= render Admin::BudgetsWizard::Headings::IndexComponent.new(@headings, @heading) %>
Severity: Minor
Found in app/views/admin/budgets_wizard/headings/index.html.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Render path contains parameter value
Open

      path: admin_official_path(@user),
Severity: Minor
Found in app/views/admin/officials/edit.html.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Render path contains parameter value
Open

<%= render Shared::CommentsComponent.new(@debate, @comment_tree) do %>
Severity: Minor
Found in app/views/debates/_comments.html.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Render path contains parameter value
Open

  <%= render Shared::CommentsComponent.new(@investment, @comment_tree, valuation: true) %>
Severity: Minor
Found in app/views/valuation/budget_investments/_valuation_comments.html.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Render path contains parameter value
Open

        <%= render Shared::CommentsComponent.new(@annotation, @comment_tree) do %>
Severity: Minor
Found in app/views/legislation/annotations/show.html.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Render path contains parameter value
Open

    investment_ids: @investment_ids
Severity: Minor
Found in app/views/budgets/ballot/lines/create.js.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Render path contains parameter value
Open

  <%= render Documents::DocumentsComponent.new(@proposal.documents) %>
Severity: Minor
Found in app/views/proposals/_info.html.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Render path contains parameter value
Open

           new_content: render(Admin::Proposals::ToggleSelectionComponent.new(@proposal)) %>
Severity: Minor
Found in app/views/admin/proposals/toggle_selection.js.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Render path contains parameter value
Open

<%= render Admin::Stats::ChartComponent.new(@chart) %>
Severity: Minor
Found in app/views/admin/stats/graph.html.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Render path contains parameter value
Open

<%= render Shared::CommentsComponent.new(@proposal, @comment_tree) do %>
Severity: Minor
Found in app/views/proposals/_comments.html.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Render path contains parameter value
Open

  <%= render Management::Budgets::PrintInvestments::TableComponent.new(@budgets) %>
Severity: Minor
Found in app/views/management/budgets/print_investments.html.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Render path contains parameter value
Open

  describedby: params[:setting][:describedby]
Severity: Minor
Found in app/views/admin/settings/update.js.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Render path contains parameter value
Open

<%= render Admin::SDG::Managers::IndexComponent.new(@users) %>
Severity: Minor
Found in app/views/admin/sdg/managers/index.html.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Render path contains parameter value
Open

  <%= render Shared::CommentsComponent.new(@question, @comment_tree) do %>
Severity: Minor
Found in app/views/legislation/questions/show.html.erb by brakeman

When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.

This warning is shown whenever the path to be rendered is not a static string or symbol.

These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.

Severity
Category
Status
Source
Language