Sign upLogin

SMERM/EMUForm

View on GitHub
Star

Showing 134 of 134 total issues

rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7578). Upgrade to 1.0.3
Open

    rails-html-sanitizer (1.0.2)
Severity: Minor
Found in Gemfile.lock by brakeman

Read more: https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/JbvSRpdbFQAJ

Possible SQL injection
Open

    @work = current_account.works.where(params[:work_id]).uniq.first
Severity: Minor
Found in app/controllers/authors_controller.rb by brakeman

Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

A basic (Rails 2.x) example looks like this:

User.first(:conditions => "username = '#{params[:username]}'")

Brakeman would produce a warning like this:

Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

The safe way to do this query is to use a parameterized query:

User.first(:conditions => ["username = ?", params[:username]])

Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

username = params[:user][:name].downcase
password = params[:user][:password]

User.first.where("username = '" + username + "' AND password = '" + password + "'")

This results in this kind of warning:

Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

Possible SQL injection
Open

                                                                             (record.class.where("#{attribute} = ?", :true).count == 0) ||
Severity: Minor
Found in app/models/edition.rb by brakeman

Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

A basic (Rails 2.x) example looks like this:

User.first(:conditions => "username = '#{params[:username]}'")

Brakeman would produce a warning like this:

Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

The safe way to do this query is to use a parameterized query:

User.first(:conditions => ["username = ?", params[:username]])

Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

username = params[:user][:name].downcase
password = params[:user][:password]

User.first.where("username = '" + username + "' AND password = '" + password + "'")

This results in this kind of warning:

Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

rails-html-sanitizer 1.0.2 is vulnerable (CVE-2018-3741). Upgrade to 1.0.4
Open

    rails-html-sanitizer (1.0.2)
Severity: Minor
Found in Gemfile.lock by brakeman

Read more: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ

Possible SQL injection
Open

                                                                             (record.class.where("#{attribute} = ?", :true).first == record))
Severity: Minor
Found in app/models/edition.rb by brakeman

Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

A basic (Rails 2.x) example looks like this:

User.first(:conditions => "username = '#{params[:username]}'")

Brakeman would produce a warning like this:

Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

The safe way to do this query is to use a parameterized query:

User.first(:conditions => ["username = ?", params[:username]])

Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

username = params[:user][:name].downcase
password = params[:user][:password]

User.first.where("username = '" + username + "' AND password = '" + password + "'")

This results in this kind of warning:

Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

Rails 4.2.5 is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version 4.2.5.1
Open

    rails (4.2.5)
Severity: Minor
Found in Gemfile.lock by brakeman

Read more: https://groups.google.com/d/msg/rubyonrails-security/9oLY_FCzvoc/w9oI9XxbFQAJ

rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7580). Upgrade to 1.0.3
Open

    rails-html-sanitizer (1.0.2)
Severity: Minor
Found in Gemfile.lock by brakeman

Read more: https://groups.google.com/d/msg/rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ

Loofah 2.0.3 is vulnerable (CVE-2018-8048). Upgrade to 2.1.2
Open

    loofah (2.0.3)
Severity: Minor
Found in Gemfile.lock by brakeman

Read more: https://github.com/flavorjones/loofah/issues/144

rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7579). Upgrade to 1.0.3
Open

    rails (4.2.5)
Severity: Minor
Found in Gemfile.lock by brakeman

Read more: https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ

Possible remote code execution vulnerability in Action Pack
Open

    actionpack (4.2.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-2098

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q

Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14

Useless assignment to variable - owner.
Open

    owner = @work.owner
Severity: Minor
Found in app/controllers/works_controller.rb by rubocop

This cop checks for every useless assignment to local variable in every scope. The basic idea for this cop was from the warning of ruby -cw:

assigned but unused variable - foo

Currently this cop has advanced logic that detects unreferenced reassignments and properly handles varied cases such as branch, loop, rescue, ensure, etc.

Example:

# bad

def some_method
  some_var = 1
  do_something
end

Example:

# good

def some_method
  some_var = 1
  do_something(some_var)
end

Variable @_wras_ used in void context.
Open

    @_wras_
Severity: Minor
Found in app/models/work.rb by rubocop

This cop checks for operators, variables and literals used in void context.

Example:

# bad

def some_method
  some_num * 10
  do_something
end

Example:

# bad

def some_method(some_var)
  some_var
  do_something
end

Example:

# good

def some_method
  do_something
  some_num * 10
end

Example:

# good

def some_method(some_var)
  do_something
  some_var
end

Timing attack vulnerability in basic authentication in Action Controller.
Open

    actionpack (4.2.5)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-7576

Criticality: Low

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Possible Input Validation Circumvention in Active Model
Open

    activemodel (4.2.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-0753

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Possible Information Leak Vulnerability in Action View
Open

    actionview (4.2.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-0752

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
Open

    nokogiri (1.6.7.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-7499

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM

Solution: upgrade to >= 1.6.7.2

File.exists? is deprecated in favor of File.exist?.
Open

    File.unlink(self.attached_file_full_path) if File.exists?(self.attached_file_full_path)
Severity: Minor
Found in app/models/submitted_file.rb by rubocop

This cop checks for uses of the deprecated class method usages.

Example:

# bad

File.exists?(some_path)

Example:

# good

File.exist?(some_path)

Object leak vulnerability for wildcard controller routes in Action Pack
Open

    actionpack (4.2.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-7581

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE

Solution: upgrade to >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Unused method argument - force. If it's necessary, use _ or _force as an argument name to indicate that it won't be used.
Open

    def for_work(work_id, force = false)
Severity: Minor
Found in app/models/author.rb by rubocop

This cop checks for unused method arguments.

Example:

# bad

def some_method(used, unused, _unused_but_allowed)
  puts used
end

Example:

# good

def some_method(used, _unused, _unused_but_allowed)
  puts used
end

Possible Object Leak and Denial of Service attack in Action Pack
Open

    actionpack (4.2.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-0751

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Severity
Category
Status
Source
Language