Security

Audit

avoid-tainted-http-request

Using user input to build an outbound HTTP request is potentially dangerous. A malicious actor could use this to make the server send requests to hosts or resources they have no right to reach (server-side request forgery).
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
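A defensive pattern for this rule, written as an added example rather than code from CodeAnt or the page: a user-supplied URL is validated before it reaches any HTTP client. The allowlisted hostnames and the helper names are constructed for the example; the blocked IP ranges are the standard private, loopback and link-local ranges.

```ruby
require "uri"
require "ipaddr"

# Constructed allowlist of hosts the application is permitted to call.
ALLOWED_HOSTS = %w[api.example.com cdn.example.com].freeze

# Address ranges that must never be the target of a server-side request:
# private networks, loopback and link-local (cloud metadata endpoints live there).
BLOCKED_RANGES = %w[
  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16
  0.0.0.0/8 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Hypothetical helper: true when +host+ is an IPv4/IPv6 literal.
def ip_literal?(host)
  IPAddr.new(host)
  true
rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError
  false
end

# Hypothetical helper: returns a parsed URI only when the scheme is http(s),
# the host is not an internal IP literal, and the host is on the allowlist.
# Raises ArgumentError otherwise, so callers cannot accidentally proceed.
def validate_outbound_url(raw)
  uri = begin
    URI.parse(raw.to_s)
  rescue URI::InvalidURIError => e
    raise ArgumentError, "malformed URL: #{e.message}"
  end

  raise ArgumentError, "only http/https allowed" unless %w[http https].include?(uri.scheme)

  host = uri.hostname # strips the brackets from IPv6 literals
  raise ArgumentError, "missing host" if host.nil? || host.empty?

  if ip_literal?(host)
    ip = IPAddr.new(host)
    raise ArgumentError, "internal address rejected" if BLOCKED_RANGES.any? { |r| r.include?(ip) }
  end

  raise ArgumentError, "host not on allowlist: #{host}" unless ALLOWED_HOSTS.include?(host.downcase)
  uri
end

# Vulnerable pattern the rule flags (shown for contrast, not executed):
#   Net::HTTP.get(URI(params[:url]))   # any scheme, any host, chosen by the caller

if __FILE__ == $PROGRAM_NAME
  puts validate_outbound_url("https://api.example.com/v1/users").host # api.example.com
  begin
    validate_outbound_url("http://127.0.0.1:8080/admin")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The hostname allowlist is the real control; the IP-range check is defence in depth for the case where someone later relaxes the allowlist. Note that this validates the string only: a hostname that resolves to an internal address at request time is not caught here, so the HTTP client should additionally be configured not to follow redirects to arbitrary hosts.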

avoid-session-manipulation

This reads data from the session using user input. A malicious user may be able to retrieve information from your session that you did not intend them to. Do not use user input as a session key.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-276: Incorrect Default Permissions
OWASP:
- A01:2021 - Broken Access Control

avoid-tainted-shell-call

Using user input when building a shell command is potentially dangerous. A malicious actor could use this to run commands they have no right to run.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
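The safe counterpart of what this rule flags, as an added example that is not CodeAnt's code: commands are spawned in array form so no shell parses the arguments, and the command name itself comes from a fixed allowlist. The allowlist contents and the helper name are constructed for the example.

```ruby
require "open3"

# Constructed allowlist: the only executables this code path may launch.
ALLOWED_COMMANDS = %w[echo wc].freeze

# Hypothetical helper: run +command+ with +args+ without involving /bin/sh.
# Because the command and every argument are separate array elements, Ruby
# calls execve directly and shell metacharacters (;, |, $(...), backticks)
# in user-supplied arguments are passed as literal text.
def run_without_shell(command, *args)
  raise ArgumentError, "command not allowed: #{command}" unless ALLOWED_COMMANDS.include?(command)
  args.each do |a|
    raise ArgumentError, "arguments must be strings" unless a.is_a?(String)
    raise ArgumentError, "NUL byte in argument" if a.include?("\0")
  end

  stdout, status = Open3.capture2(command, *args) # array form, no shell
  raise "#{command} exited with #{status.exitstatus}" unless status.success?
  stdout
end

# Vulnerable patterns the rule flags (shown for contrast, not executed):
#   `ls #{params[:dir]}`           # interpolated string goes through /bin/sh
#   system("ls " + params[:dir])   # single-string form is also shell-parsed
# If a shell string is truly unavoidable, wrap each piece with Shellwords.escape.

if __FILE__ == $PROGRAM_NAME
  user_input = "report.txt; id" # constructed input containing a shell metacharacter
  puts run_without_shell("echo", user_input) # prints the text literally: report.txt; id
end
```

The allowlist check matters as much as the array form: array spawning neutralises metacharacters in arguments, but it does nothing if the attacker controls which executable is run.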

detailed-exceptions

The setting that enables detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Turn this setting off instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control

avoid-tainted-ftp-call

Using user input to choose which files an FTP call reads or writes is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control

avoid-tainted-file-access

Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
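Both avoid-tainted-ftp-call and avoid-tainted-file-access come down to the same control: a user-supplied path must be confined to a base directory before it is used. The helper below is an added example, not code from CodeAnt or the page; the base directory and the helper name are constructed for it.

```ruby
require "pathname"

# Hypothetical helper: resolve +user_path+ inside +base_dir+ and refuse any
# result that escapes it. Pathname#cleanpath collapses "." and ".." segments
# lexically, without touching the filesystem, so the check also works for
# files that do not exist yet (uploads, FTP targets).
def resolve_user_path(base_dir, user_path)
  user_path = user_path.to_s
  raise ArgumentError, "empty path" if user_path.strip.empty?
  raise ArgumentError, "NUL byte in path" if user_path.include?("\0")
  raise ArgumentError, "absolute paths are not allowed" if Pathname.new(user_path).absolute?

  base = Pathname.new(base_dir).expand_path
  candidate = (base + user_path).cleanpath

  # After cleanup, anything still outside base shows up as a leading ".."
  # in the relative path.
  relative = candidate.relative_path_from(base).to_s
  if relative == ".." || relative.start_with?("../")
    raise ArgumentError, "path escapes base directory: #{user_path}"
  end

  candidate
end

# Vulnerable pattern the rule flags (shown for contrast, not executed):
#   File.read("/srv/uploads/" + params[:name])   # "../" walks out of /srv/uploads

if __FILE__ == $PROGRAM_NAME
  base = "/srv/uploads" # constructed base directory
  puts resolve_user_path(base, "reports/q1.pdf")      # /srv/uploads/reports/q1.pdf
  begin
    resolve_user_path(base, "../../etc/passwd")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

This is a lexical check only. When the file must already exist, call `realpath` on the result and repeat the prefix comparison so a symlink inside the base directory cannot point outside it.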

rails-skip-forgery-protection

This call turns off CSRF protection, allowing CSRF attacks against the application.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control