thepracticaldev/dev.to

View on GitHub

Showing 156 of 156 total issues

Similar blocks of code found in 3 locations. Consider refactoring.
Open

          <Navigation
            prev={prev}
            next={this.handleComplete}
            canSkip={canSkip}
            slidesCount={slidesCount}
Severity: Minor
Found in app/javascript/onboarding/components/FollowTags.jsx and 2 other locations - About 35 mins to fix
app/javascript/onboarding/components/FollowUsers.jsx on lines 148..154
app/javascript/onboarding/components/ProfileForm.jsx on lines 82..88

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

Tuning

This issue has a mass of 46.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

Refactorings

Further Reading

Similar blocks of code found in 3 locations. Consider refactoring.
Open

          <Navigation
            prev={prev}
            next={this.onSubmit}
            canSkip={canSkip}
            slidesCount={slidesCount}
Severity: Minor
Found in app/javascript/onboarding/components/ProfileForm.jsx and 2 other locations - About 35 mins to fix
app/javascript/onboarding/components/FollowTags.jsx on lines 108..114
app/javascript/onboarding/components/FollowUsers.jsx on lines 148..154

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

Tuning

This issue has a mass of 46.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

Refactorings

Further Reading

Similar blocks of code found in 3 locations. Consider refactoring.
Open

          <Navigation
            prev={prev}
            next={this.handleComplete}
            canSkip={canSkip}
            slidesCount={slidesCount}
Severity: Minor
Found in app/javascript/onboarding/components/FollowUsers.jsx and 2 other locations - About 35 mins to fix
app/javascript/onboarding/components/FollowTags.jsx on lines 108..114
app/javascript/onboarding/components/ProfileForm.jsx on lines 82..88

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

Tuning

This issue has a mass of 46.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

Refactorings

Further Reading

Possible unprotected redirect
Open

      redirect_to daily_thread.path
Severity: Critical
Found in app/controllers/pages_controller.rb by brakeman

Unvalidated redirects and forwards are #10 on the OWASP Top Ten.

Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.

Brakeman will raise warnings whenever redirect_to appears to be used with a user-supplied value that may allow them to change the :host option.

For example,

redirect_to params.merge(:action => :home)

will create a warning like

Possible unprotected redirect near line 46: redirect_to(params)

This is because params could contain :host => 'evilsite.com' which would redirect away from your site and to a malicious site.

If the first argument to redirect_to is a hash, then adding :only_path => true will limit the redirect to the current host. Another option is to specify the host explicitly.

redirect_to params.merge(:only_path => true)

redirect_to params.merge(:host => 'myhost.com')

If the first argument is a string, then it is possible to parse the string and extract the path:

redirect_to URI.parse(some_url).path

If the URL does not contain a protocol (e.g., http://), then you will probably get unexpected results, as redirect_to will prepend the current host name and a protocol.

Unescaped model attribute
Open

          <%= @left_sidebar_ad.processed_html.html_safe %>

Cross-site scripting (or XSS) is #3 on the 2013 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS\)) web security risks and it pops up nearly everywhere.

XSS occurs when a user-controlled value is displayed on a web page without properly escaping it, allowing someone to inject Javascript or HTML into the page which will be interpreted and executed by the browser..

In Rails 2.x, values need to be explicitly escaped (e.g., by using the h method). Since Rails 3.x, auto-escaping in views is enabled by default. However, one can still use the raw or html_safe methods to output a value directly.

See the Ruby Security Guide for more details.

Query Parameters and Cookies

ERB example:

Brakeman looks for several situations that can allow XSS. The simplest is like the example above: a value from the params or cookies is being directly output to a view. In such cases, it will issue a warning like:

Unescaped parameter value near line 3: params[:query]

By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.

For example:

This raises a warning like:

Unescaped cookie value near line 5: some_method(cookies[:oreo])

However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.

Some methods are known to Brakeman to either be dangerous (link_to is one) or safe (escape_once). Users can specify safe methods using the --safe-methods option. Alternatively, Brakeman can be set to only warn when values are used directly with the --report-direct option.

Model Attributes

Because (many) models come from database values, Brakeman mistrusts them by default.

For example, if @user is an instance of a model set in an action like

def set_user
  @user = User.first
end

and there is a view with

Brakeman will raise a warning like

Unescaped model attribute near line 3: User.first.name

If you trust all your data (although you probably shouldn't), this can be disabled with --ignore-model-output.

Unescaped model attribute
Open

<%= @html_variant.html.html_safe %>
Severity: Minor
Found in app/views/pages/badge.html.erb by brakeman

Cross-site scripting (or XSS) is #3 on the 2013 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS\)) web security risks and it pops up nearly everywhere.

XSS occurs when a user-controlled value is displayed on a web page without properly escaping it, allowing someone to inject Javascript or HTML into the page which will be interpreted and executed by the browser..

In Rails 2.x, values need to be explicitly escaped (e.g., by using the h method). Since Rails 3.x, auto-escaping in views is enabled by default. However, one can still use the raw or html_safe methods to output a value directly.

See the Ruby Security Guide for more details.

Query Parameters and Cookies

ERB example:

Brakeman looks for several situations that can allow XSS. The simplest is like the example above: a value from the params or cookies is being directly output to a view. In such cases, it will issue a warning like:

Unescaped parameter value near line 3: params[:query]

By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.

For example:

This raises a warning like:

Unescaped cookie value near line 5: some_method(cookies[:oreo])

However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.

Some methods are known to Brakeman to either be dangerous (link_to is one) or safe (escape_once). Users can specify safe methods using the --safe-methods option. Alternatively, Brakeman can be set to only warn when values are used directly with the --report-direct option.

Model Attributes

Because (many) models come from database values, Brakeman mistrusts them by default.

For example, if @user is an instance of a model set in an action like

def set_user
  @user = User.first
end

and there is a view with

Brakeman will raise a warning like

Unescaped model attribute near line 3: User.first.name

If you trust all your data (although you probably shouldn't), this can be disabled with --ignore-model-output.

Unescaped model attribute
Open

            <%= SiteConfig.right_navbar_svg_icon.html_safe %>
Severity: Minor
Found in app/views/articles/index.html.erb by brakeman

Cross-site scripting (or XSS) is #3 on the 2013 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS\)) web security risks and it pops up nearly everywhere.

XSS occurs when a user-controlled value is displayed on a web page without properly escaping it, allowing someone to inject Javascript or HTML into the page which will be interpreted and executed by the browser..

In Rails 2.x, values need to be explicitly escaped (e.g., by using the h method). Since Rails 3.x, auto-escaping in views is enabled by default. However, one can still use the raw or html_safe methods to output a value directly.

See the Ruby Security Guide for more details.

Query Parameters and Cookies

ERB example:

Brakeman looks for several situations that can allow XSS. The simplest is like the example above: a value from the params or cookies is being directly output to a view. In such cases, it will issue a warning like:

Unescaped parameter value near line 3: params[:query]

By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.

For example:

This raises a warning like:

Unescaped cookie value near line 5: some_method(cookies[:oreo])

However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.

Some methods are known to Brakeman to either be dangerous (link_to is one) or safe (escape_once). Users can specify safe methods using the --safe-methods option. Alternatively, Brakeman can be set to only warn when values are used directly with the --report-direct option.

Model Attributes

Because (many) models come from database values, Brakeman mistrusts them by default.

For example, if @user is an instance of a model set in an action like

def set_user
  @user = User.first
end

and there is a view with

Brakeman will raise a warning like

Unescaped model attribute near line 3: User.first.name

If you trust all your data (although you probably shouldn't), this can be disabled with --ignore-model-output.

Avoid too many return statements within this method.
Open

      return [tag_article, false] if tag
Severity: Major
Found in app/services/articles/builder.rb - About 30 mins to fix

    Possible unprotected redirect
    Open

          redirect_to daily_thread.path
    Severity: Critical
    Found in app/controllers/pages_controller.rb by brakeman

    Unvalidated redirects and forwards are #10 on the OWASP Top Ten.

    Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.

    Brakeman will raise warnings whenever redirect_to appears to be used with a user-supplied value that may allow them to change the :host option.

    For example,

    redirect_to params.merge(:action => :home)

    will create a warning like

    Possible unprotected redirect near line 46: redirect_to(params)

    This is because params could contain :host => 'evilsite.com' which would redirect away from your site and to a malicious site.

    If the first argument to redirect_to is a hash, then adding :only_path => true will limit the redirect to the current host. Another option is to specify the host explicitly.

    redirect_to params.merge(:only_path => true)
    
    redirect_to params.merge(:host => 'myhost.com')

    If the first argument is a string, then it is possible to parse the string and extract the path:

    redirect_to URI.parse(some_url).path

    If the URL does not contain a protocol (e.g., http://), then you will probably get unexpected results, as redirect_to will prepend the current host name and a protocol.

    Possible SQL injection
    Open

            "UPDATE comments SET public_reactions_count = positive_reactions_count WHERE id <= #{comment_count / 2}",

    Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

    Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

    A basic (Rails 2.x) example looks like this:

    User.first(:conditions => "username = '#{params[:username]}'")

    Brakeman would produce a warning like this:

    Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

    The safe way to do this query is to use a parameterized query:

    User.first(:conditions => ["username = ?", params[:username]])

    Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

    username = params[:user][:name].downcase
    password = params[:user][:password]
    
    User.first.where("username = '" + username + "' AND password = '" + password + "'")

    This results in this kind of warning:

    Possible SQL injection near line 37:
    User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

    See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

    Avoid too many return statements within this method.
    Open

          return [user_editor_v2, false] if editor_version2
    Severity: Major
    Found in app/services/articles/builder.rb - About 30 mins to fix

      Possible SQL injection
      Open

              "previous_positive_reactions_count WHERE id > #{article_count / 2}",

      Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

      Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

      A basic (Rails 2.x) example looks like this:

      User.first(:conditions => "username = '#{params[:username]}'")

      Brakeman would produce a warning like this:

      Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

      The safe way to do this query is to use a parameterized query:

      User.first(:conditions => ["username = ?", params[:username]])

      Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

      username = params[:user][:name].downcase
      password = params[:user][:password]
      
      User.first.where("username = '" + username + "' AND password = '" + password + "'")

      This results in this kind of warning:

      Possible SQL injection near line 37:
      User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

      See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

      Unescaped model attribute
      Open

            <%= @html_variant.html.html_safe %>
      Severity: Critical
      Found in app/views/html_variants/show.html.erb by brakeman

      Cross-site scripting (or XSS) is #3 on the 2013 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS\)) web security risks and it pops up nearly everywhere.

      XSS occurs when a user-controlled value is displayed on a web page without properly escaping it, allowing someone to inject Javascript or HTML into the page which will be interpreted and executed by the browser..

      In Rails 2.x, values need to be explicitly escaped (e.g., by using the h method). Since Rails 3.x, auto-escaping in views is enabled by default. However, one can still use the raw or html_safe methods to output a value directly.

      See the Ruby Security Guide for more details.

      Query Parameters and Cookies

      ERB example:

      Brakeman looks for several situations that can allow XSS. The simplest is like the example above: a value from the params or cookies is being directly output to a view. In such cases, it will issue a warning like:

      Unescaped parameter value near line 3: params[:query]

      By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.

      For example:

      This raises a warning like:

      Unescaped cookie value near line 5: some_method(cookies[:oreo])

      However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.

      Some methods are known to Brakeman to either be dangerous (link_to is one) or safe (escape_once). Users can specify safe methods using the --safe-methods option. Alternatively, Brakeman can be set to only warn when values are used directly with the --report-direct option.

      Model Attributes

      Because (many) models come from database values, Brakeman mistrusts them by default.

      For example, if @user is an instance of a model set in an action like

      def set_user
        @user = User.first
      end

      and there is a view with

      Brakeman will raise a warning like

      Unescaped model attribute near line 3: User.first.name

      If you trust all your data (although you probably shouldn't), this can be disabled with --ignore-model-output.

      Unescaped model attribute
      Open

            <%= @html_variant.html.html_safe %>
      Severity: Critical
      Found in app/views/html_variants/show.html.erb by brakeman

      Cross-site scripting (or XSS) is #3 on the 2013 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS\)) web security risks and it pops up nearly everywhere.

      XSS occurs when a user-controlled value is displayed on a web page without properly escaping it, allowing someone to inject Javascript or HTML into the page which will be interpreted and executed by the browser..

      In Rails 2.x, values need to be explicitly escaped (e.g., by using the h method). Since Rails 3.x, auto-escaping in views is enabled by default. However, one can still use the raw or html_safe methods to output a value directly.

      See the Ruby Security Guide for more details.

      Query Parameters and Cookies

      ERB example:

      Brakeman looks for several situations that can allow XSS. The simplest is like the example above: a value from the params or cookies is being directly output to a view. In such cases, it will issue a warning like:

      Unescaped parameter value near line 3: params[:query]

      By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.

      For example:

      This raises a warning like:

      Unescaped cookie value near line 5: some_method(cookies[:oreo])

      However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.

      Some methods are known to Brakeman to either be dangerous (link_to is one) or safe (escape_once). Users can specify safe methods using the --safe-methods option. Alternatively, Brakeman can be set to only warn when values are used directly with the --report-direct option.

      Model Attributes

      Because (many) models come from database values, Brakeman mistrusts them by default.

      For example, if @user is an instance of a model set in an action like

      def set_user
        @user = User.first
      end

      and there is a view with

      Brakeman will raise a warning like

      Unescaped model attribute near line 3: User.first.name

      If you trust all your data (although you probably shouldn't), this can be disabled with --ignore-model-output.

      Avoid too many return statements within this function.
      Open

          return; // Only append HTML once, on first render.
      Severity: Major
      Found in app/assets/javascripts/initializers/initializeBroadcast.js - About 30 mins to fix

        Unsafe reflection method constantize called with parameter value
        Open

            source = source_type.constantize.find_by(id: params[:source_id])

        Brakeman reports on several cases of remote code execution, in which a user is able to control and execute code in ways unintended by application authors.

        The obvious form of this is the use of eval with user input.

        However, Brakeman also reports on dangerous uses of send, constantize, and other methods which allow creation of arbitrary objects or calling of arbitrary methods.

        Unescaped model attribute
        Open

                    <%= SiteConfig.left_navbar_svg_icon.html_safe %>

        Cross-site scripting (or XSS) is #3 on the 2013 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS\)) web security risks and it pops up nearly everywhere.

        XSS occurs when a user-controlled value is displayed on a web page without properly escaping it, allowing someone to inject Javascript or HTML into the page which will be interpreted and executed by the browser..

        In Rails 2.x, values need to be explicitly escaped (e.g., by using the h method). Since Rails 3.x, auto-escaping in views is enabled by default. However, one can still use the raw or html_safe methods to output a value directly.

        See the Ruby Security Guide for more details.

        Query Parameters and Cookies

        ERB example:

        Brakeman looks for several situations that can allow XSS. The simplest is like the example above: a value from the params or cookies is being directly output to a view. In such cases, it will issue a warning like:

        Unescaped parameter value near line 3: params[:query]

        By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.

        For example:

        This raises a warning like:

        Unescaped cookie value near line 5: some_method(cookies[:oreo])

        However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.

        Some methods are known to Brakeman to either be dangerous (link_to is one) or safe (escape_once). Users can specify safe methods using the --safe-methods option. Alternatively, Brakeman can be set to only warn when values are used directly with the --report-direct option.

        Model Attributes

        Because (many) models come from database values, Brakeman mistrusts them by default.

        For example, if @user is an instance of a model set in an action like

        def set_user
          @user = User.first
        end

        and there is a view with

        Brakeman will raise a warning like

        Unescaped model attribute near line 3: User.first.name

        If you trust all your data (although you probably shouldn't), this can be disabled with --ignore-model-output.

        Potentially dangerous key allowed for mass assignment
        Open

            params.require(:chat_channel_membership).permit(:chat_channel_id, :invitation_usernames, :membership_id, :role)

        Mass assignment is a feature of Rails which allows an application to create a record from the values of a hash.

        Example:

        User.new(params[:user])

        Unfortunately, if there is a user field called admin which controls administrator access, now any user can make themselves an administrator.

        attr_accessible and attr_protected can be used to limit mass assignment. However, Brakeman will warn unless attr_accessible is used, or mass assignment is completely disabled.

        There are two different mass assignment warnings which can arise. The first is when mass assignment actually occurs, such as the example above. This results in a warning like

        Unprotected mass assignment near line 61: User.new(params[:user])

        The other warning is raised whenever a model is found which does not use attr_accessible. This produces generic warnings like

        Mass assignment is not restricted using attr_accessible

        with a list of affected models.

        In Rails 3.1 and newer, mass assignment can easily be disabled:

        config.active_record.whitelist_attributes = true

        Unfortunately, it can also easily be bypassed:

        User.new(params[:user], :without_protection => true)

        Brakeman will warn on uses of without_protection.

        Possible SQL injection
        Open

                "UPDATE comments SET public_reactions_count = positive_reactions_count WHERE id > #{comment_count / 2}",

        Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

        Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

        A basic (Rails 2.x) example looks like this:

        User.first(:conditions => "username = '#{params[:username]}'")

        Brakeman would produce a warning like this:

        Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

        The safe way to do this query is to use a parameterized query:

        User.first(:conditions => ["username = ?", params[:username]])

        Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

        username = params[:user][:name].downcase
        password = params[:user][:password]
        
        User.first.where("username = '" + username + "' AND password = '" + password + "'")

        This results in this kind of warning:

        Possible SQL injection near line 37:
        User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

        See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

        Unescaped model attribute
        Open

                        <%= HTML_Truncator.truncate(buffer_update.article.processed_html, 50, ellipsis: '<a class="comment-read-more" href="' + buffer_update.article.path + '">... Read Entire Post</a>').html_safe %>

        Cross-site scripting (or XSS) is #3 on the 2013 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS\)) web security risks and it pops up nearly everywhere.

        XSS occurs when a user-controlled value is displayed on a web page without properly escaping it, allowing someone to inject Javascript or HTML into the page which will be interpreted and executed by the browser..

        In Rails 2.x, values need to be explicitly escaped (e.g., by using the h method). Since Rails 3.x, auto-escaping in views is enabled by default. However, one can still use the raw or html_safe methods to output a value directly.

        See the Ruby Security Guide for more details.

        Query Parameters and Cookies

        ERB example:

        Brakeman looks for several situations that can allow XSS. The simplest is like the example above: a value from the params or cookies is being directly output to a view. In such cases, it will issue a warning like:

        Unescaped parameter value near line 3: params[:query]

        By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.

        For example:

        This raises a warning like:

        Unescaped cookie value near line 5: some_method(cookies[:oreo])

        However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.

        Some methods are known to Brakeman to either be dangerous (link_to is one) or safe (escape_once). Users can specify safe methods using the --safe-methods option. Alternatively, Brakeman can be set to only warn when values are used directly with the --report-direct option.

        Model Attributes

        Because (many) models come from database values, Brakeman mistrusts them by default.

        For example, if @user is an instance of a model set in an action like

        def set_user
          @user = User.first
        end

        and there is a view with

        Brakeman will raise a warning like

        Unescaped model attribute near line 3: User.first.name

        If you trust all your data (although you probably shouldn't), this can be disabled with --ignore-model-output.

        Severity
        Category
        Status
        Source
        Language