Insufficient validation for 'directory' using /^[^ \'\"<>&,\/\\?]*$/. Use \A and \z as anchors Open
validates_format_of :directory, with: /^[^ \'\"<>\&,\/\\\?]*$/, message: lambda { I18n.t('import_model.invalid_chars', invalid_chars: "spaces and \', \\, /, &, \", ?, <, and >") }
- Read upRead up
- Exclude checks
Calls to validates_format_of ..., :with => //
which do not use \A
and \z
as anchors will cause this warning. Using ^
and $
is not sufficient, as they will only match up to a new line. This allows an attacker to put whatever malicious input they would like before or after a new line character.
See the Ruby Security Guide for details.
Mass assignment is not restricted using attr_accessible Open
class Import < ActiveRecord::Base
- Read upRead up
- Exclude checks
This warning comes up if a model does not limit what attributes can be set through mass assignment.
In particular, this check looks for attr_accessible
inside model definitions. If it is not found, this warning will be issued.
Brakeman also warns on use of attr_protected
- especially since it was found to be vulnerable to bypass. Warnings for mass assignment on models using attr_protected
will be reported, but at a lower confidence level.
Note that disabling mass assignment globally will suppress these warnings.
HACK found Open
# HACK: -- directory appears to have become a reserved word in some context
- Exclude checks
Use the -> { ... }
lambda literal syntax for single line lambdas. Open
validates_numericality_of :interval_between_records, only_integer: true, message: lambda { I18n.t('import_model.must_be_seconds') }
- Read upRead up
- Exclude checks
This cop (by default) checks for uses of the lambda literal syntax for single line lambdas, and the method call syntax for multiline lambdas. It is configurable to enforce one of the styles for both single line and multiline lambdas as well.
Example: EnforcedStyle: linecountdependent (default)
# bad
f = lambda { |x| x }
f = ->(x) do
x
end
# good
f = ->(x) { x }
f = lambda do |x|
x
end
Example: EnforcedStyle: lambda
# bad
f = ->(x) { x }
f = ->(x) do
x
end
# good
f = lambda { |x| x }
f = lambda do |x|
x
end
Example: EnforcedStyle: literal
# bad
f = lambda { |x| x }
f = lambda do |x|
x
end
# good
f = ->(x) { x }
f = ->(x) do
x
end
Use %r
around regular expression. Open
validates_format_of :directory, with: /^[^ \'\"<>\&,\/\\\?]*$/, message: lambda { I18n.t('import_model.invalid_chars', invalid_chars: "spaces and \', \\, /, &, \", ?, <, and >") }
- Read upRead up
- Exclude checks
This cop enforces using // or %r around regular expressions.
Example: EnforcedStyle: slashes (default)
# bad
snake_case = %r{^[\dA-Z_]+$}
# bad
regex = %r{
foo
(bar)
(baz)
}x
# good
snake_case = /^[\dA-Z_]+$/
# good
regex = /
foo
(bar)
(baz)
/x
Example: EnforcedStyle: percent_r
# bad
snake_case = /^[\dA-Z_]+$/
# bad
regex = /
foo
(bar)
(baz)
/x
# good
snake_case = %r{^[\dA-Z_]+$}
# good
regex = %r{
foo
(bar)
(baz)
}x
Example: EnforcedStyle: mixed
# bad
snake_case = %r{^[\dA-Z_]+$}
# bad
regex = /
foo
(bar)
(baz)
/x
# good
snake_case = /^[\dA-Z_]+$/
# good
regex = %r{
foo
(bar)
(baz)
}x
Example: AllowInnerSlashes: false (default)
# If `false`, the cop will always recommend using `%r` if one or more
# slashes are found in the regexp string.
# bad
x =~ /home\//
# good
x =~ %r{home/}
Example: AllowInnerSlashes: true
# good
x =~ /home\//
Use the -> { ... }
lambda literal syntax for single line lambdas. Open
validates_format_of :directory, with: /^[^ \'\"<>\&,\/\\\?]*$/, message: lambda { I18n.t('import_model.invalid_chars', invalid_chars: "spaces and \', \\, /, &, \", ?, <, and >") }
- Read upRead up
- Exclude checks
This cop (by default) checks for uses of the lambda literal syntax for single line lambdas, and the method call syntax for multiline lambdas. It is configurable to enforce one of the styles for both single line and multiline lambdas as well.
Example: EnforcedStyle: linecountdependent (default)
# bad
f = lambda { |x| x }
f = ->(x) do
x
end
# good
f = ->(x) { x }
f = lambda do |x|
x
end
Example: EnforcedStyle: lambda
# bad
f = ->(x) { x }
f = ->(x) do
x
end
# good
f = lambda { |x| x }
f = lambda do |x|
x
end
Example: EnforcedStyle: literal
# bad
f = lambda { |x| x }
f = lambda do |x|
x
end
# good
f = ->(x) { x }
f = ->(x) do
x
end