Found potentially unsafe handling of redirect behavior $X. Do not pass params to redirect_to without the :only_path => true hash value.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP:
- A01:2021 - Broken Access Control

check-cookie-store-session-security-attributes
Found a Rails cookie_store session configuration setting the $KEY attribute to false. If using a cookie-based session store, the HttpOnly and Secure flags should be set.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag
OWASP:
- A05:2021 - Security Misconfiguration

check-http-verb-confusion
Found an improperly constructed control flow block with request.get?. Rails routes HEAD requests as GET requests, but they fail the request.get? check, which can cause unexpected behavior unless an elsif branch handles them.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-650: Trusting HTTP Permission Methods on the Server Side
OWASP:
- A04:2021 - Insecure Design

check-rails-session-secret-handling
Found a string literal assignment to a Rails session secret $KEY. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-540: Inclusion of Sensitive Information in Source Code
OWASP:
- A01:2021 - Broken Access Control

check-unsafe-reflection-methods
Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to tap, method, or to_proc.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection

check-secrets
Found a Brakeman-style secret: a variable named password/secret/api_key/rest_auth_site_key with a non-empty string literal value.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control

check-reverse-tabnabbing
Setting an anchor target of _blank without the noopener or noreferrer attribute allows reverse tabnabbing on Internet Explorer, Opera, and Android Webview.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-1022: Use of Web Link to Untrusted Target with window.opener Access

check-permit-attributes-high
Calling permit on security-critical properties like $ATTRIBUTE may leave your application vulnerable to mass assignment.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP:
- A08:2021 - Software and Data Integrity Failures

check-validation-regex
$V Found an incorrectly-bounded regex passed to validates_format_of or validate ... format => .... Ruby regex matching is multiline by default, so anchor the pattern with \A for the beginning of the string and \Z for the end of the string.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-185: Incorrect Regular Expression
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control

check-dynamic-render-local-file-include
Found request parameters in a call to render in a dynamic context. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control

check-send-file
Allowing user input to send_file allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in send_file, or normalize it with File.basename(...).
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-73: External Control of File Name or Path
OWASP:
- A04:2021 - Insecure Design

check-unscoped-find
Found an unscoped find(...) with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. current_user.accounts.find(params[:id]).
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-639: Authorization Bypass Through User-Controlled Key
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control

check-sql
Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

check-permit-attributes-medium
Calling permit on security-critical properties like $ATTRIBUTE may leave your application vulnerable to mass assignment.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP:
- A08:2021 - Software and Data Integrity Failures

check-regex-dos
Found a potentially user-controllable argument in the construction of a regular expression. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply and limit catastrophic backtracking.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-1333: Inefficient Regular Expression Complexity
OWASP:
- A03:2017 - Sensitive Data Exposure

check-rails-secret-yaml
$VALUE Found a string literal assignment to a production Rails session secret in secrets.yaml. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-540: Inclusion of Sensitive Information in Source Code
OWASP:
- A01:2021 - Broken Access Control

check-before-filter
Disabled-by-default Rails controller checks make it much easier to introduce access control mistakes. Prefer an allowlist approach with :only => [...] rather than :except => [...].
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control

check-render-local-file-include
Found request parameters in a call to render. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for render. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with File.basename(...).
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control

check-unsafe-reflection
Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection