Xss
avoid-content-tag
avoid-content-tag
‘content_tag()’ bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use ‘html_safe’. Ensure no external data enters the HTML-safe string!
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
avoid-render-inline
avoid-render-inline
‘render inline: …’ renders an entire ERB template inline and is dangerous. If external data can reach here, this exposes your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks. Instead, consider using a partial or another safe rendering method.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
avoid-link-to
avoid-link-to
This code includes user input in link_to
. In Rails 2.x, the body of link_to
is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with javascript:
or data:
are not escaped. It is better to create and use a safer function which checks the body argument.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
avoid-html-safe
avoid-html-safe
‘html_safe()’ does not make the supplied string safe. ‘html_safe()’ bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
manual-template-creation
manual-template-creation
Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a ‘.erb’ template file and use ‘render’.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
avoid-raw
avoid-raw
‘raw()’ bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. If you must do this, construct individual strings and mark them as safe for HTML rendering with html_safe()
.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
avoid-redirect
avoid-redirect
When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP:
- A01:2021 - Broken Access Control
avoid-default-routes
avoid-default-routes
Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn’t mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-276: Incorrect Default Permissions
OWASP:
- A01:2021 - Broken Access Control
avoid-render-text
avoid-render-text
‘render text: …’ actually sets the content-type to ‘text/html’. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use ‘render plain: …’ to render non-HTML text.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
avoid-render-dynamic-path
avoid-render-dynamic-path
Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn’t. To prevent this, check dynamic template paths against a predefined allowlist to make sure it’s an allowed template.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control