Showing 134 of 134 total issues
rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7578). Upgrade to 1.0.3 Open
rails-html-sanitizer (1.0.2)
- Read upRead up
- Exclude checks
Possible SQL injection Open
@work = current_account.works.where(params[:work_id]).uniq.first
- Read upRead up
- Exclude checks
Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.
Brakeman focuses on ActiveRecord methods dealing with building SQL statements.
A basic (Rails 2.x) example looks like this:
User.first(:conditions => "username = '#{params[:username]}'")
Brakeman would produce a warning like this:
Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))
The safe way to do this query is to use a parameterized query:
User.first(:conditions => ["username = ?", params[:username]])
Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):
username = params[:user][:name].downcase
password = params[:user][:password]
User.first.where("username = '" + username + "' AND password = '" + password + "'")
This results in this kind of warning:
Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))
See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.
Possible SQL injection Open
(record.class.where("#{attribute} = ?", :true).count == 0) ||
- Read upRead up
- Exclude checks
Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.
Brakeman focuses on ActiveRecord methods dealing with building SQL statements.
A basic (Rails 2.x) example looks like this:
User.first(:conditions => "username = '#{params[:username]}'")
Brakeman would produce a warning like this:
Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))
The safe way to do this query is to use a parameterized query:
User.first(:conditions => ["username = ?", params[:username]])
Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):
username = params[:user][:name].downcase
password = params[:user][:password]
User.first.where("username = '" + username + "' AND password = '" + password + "'")
This results in this kind of warning:
Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))
See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.
rails-html-sanitizer 1.0.2 is vulnerable (CVE-2018-3741). Upgrade to 1.0.4 Open
rails-html-sanitizer (1.0.2)
- Read upRead up
- Exclude checks
Possible SQL injection Open
(record.class.where("#{attribute} = ?", :true).first == record))
- Read upRead up
- Exclude checks
Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.
Brakeman focuses on ActiveRecord methods dealing with building SQL statements.
A basic (Rails 2.x) example looks like this:
User.first(:conditions => "username = '#{params[:username]}'")
Brakeman would produce a warning like this:
Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))
The safe way to do this query is to use a parameterized query:
User.first(:conditions => ["username = ?", params[:username]])
Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):
username = params[:user][:name].downcase
password = params[:user][:password]
User.first.where("username = '" + username + "' AND password = '" + password + "'")
This results in this kind of warning:
Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))
See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.
Rails 4.2.5 is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version 4.2.5.1 Open
rails (4.2.5)
- Read upRead up
- Exclude checks
rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7580). Upgrade to 1.0.3 Open
rails-html-sanitizer (1.0.2)
- Read upRead up
- Exclude checks
Loofah 2.0.3 is vulnerable (CVE-2018-8048). Upgrade to 2.1.2 Open
loofah (2.0.3)
- Read upRead up
- Exclude checks
rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7579). Upgrade to 1.0.3 Open
rails (4.2.5)
- Read upRead up
- Exclude checks
Possible remote code execution vulnerability in Action Pack Open
actionpack (4.2.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2016-2098
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14
Useless assignment to variable - owner
. Open
owner = @work.owner
- Read upRead up
- Exclude checks
This cop checks for every useless assignment to local variable in every
scope.
The basic idea for this cop was from the warning of ruby -cw
:
assigned but unused variable - foo
Currently this cop has advanced logic that detects unreferenced reassignments and properly handles varied cases such as branch, loop, rescue, ensure, etc.
Example:
# bad
def some_method
some_var = 1
do_something
end
Example:
# good
def some_method
some_var = 1
do_something(some_var)
end
Variable @_wras_
used in void context. Open
@_wras_
- Read upRead up
- Exclude checks
This cop checks for operators, variables and literals used in void context.
Example:
# bad
def some_method
some_num * 10
do_something
end
Example:
# bad
def some_method(some_var)
some_var
do_something
end
Example:
# good
def some_method
do_something
some_num * 10
end
Example:
# good
def some_method(some_var)
do_something
some_var
end
Timing attack vulnerability in basic authentication in Action Controller. Open
actionpack (4.2.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2015-7576
Criticality: Low
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
Possible Input Validation Circumvention in Active Model Open
activemodel (4.2.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2016-0753
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14
Possible Information Leak Vulnerability in Action View Open
actionview (4.2.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2016-0752
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14
Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2 Open
nokogiri (1.6.7.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2015-7499
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
Solution: upgrade to >= 1.6.7.2
File.exists?
is deprecated in favor of File.exist?
. Open
File.unlink(self.attached_file_full_path) if File.exists?(self.attached_file_full_path)
- Read upRead up
- Exclude checks
This cop checks for uses of the deprecated class method usages.
Example:
# bad
File.exists?(some_path)
Example:
# good
File.exist?(some_path)
Object leak vulnerability for wildcard controller routes in Action Pack Open
actionpack (4.2.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2015-7581
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE
Solution: upgrade to >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14
Unused method argument - force
. If it's necessary, use _
or _force
as an argument name to indicate that it won't be used. Open
def for_work(work_id, force = false)
- Read upRead up
- Exclude checks
This cop checks for unused method arguments.
Example:
# bad
def some_method(used, unused, _unused_but_allowed)
puts used
end
Example:
# good
def some_method(used, _unused, _unused_but_allowed)
puts used
end
Possible Object Leak and Denial of Service attack in Action Pack Open
actionpack (4.2.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2016-0751
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1