Security

Brakeman

check-redirect-to

Found potentially unsafe handling of redirect behavior $X. Do not pass params to redirect_to without the :only_path => true hash value.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP:
- A01:2021 - Broken Access Control

check-cookie-store-session-security-attributes

Found a Rails cookie_store session configuration setting the $KEY attribute to false. If using a cookie-based session store, the HttpOnly and Secure flags should be set.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag
OWASP:
- A05:2021 - Security Misconfiguration

check-http-verb-confusion

Found an improperly constructed control flow block with request.get?. Rails routes HEAD requests as GET requests, but they fail the request.get? check, potentially causing unexpected behavior unless an elsif condition handles them.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-650: Trusting HTTP Permission Methods on the Server Side
OWASP:
- A04:2021 - Insecure Design

check-rails-session-secret-handling

Found a string literal assignment to a Rails session secret $KEY. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-540: Inclusion of Sensitive Information in Source Code
OWASP:
- A01:2021 - Broken Access Control

check-unsafe-reflection-methods

Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to tap, method, or to_proc.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection

check-secrets

Found a Brakeman-style secret - a variable with the name password/secret/api_key/rest_auth_site_key and a non-empty string literal value.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control

check-reverse-tabnabbing

Setting an anchor target of _blank without the noopener or noreferrer attribute allows reverse tabnabbing on Internet Explorer, Opera, and Android Webview.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-1022: Use of Web Link to Untrusted Target with window.opener Access

check-permit-attributes-high

Calling permit on security-critical properties like $ATTRIBUTE may leave your application vulnerable to mass assignment.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP:
- A08:2021 - Software and Data Integrity Failures

check-validation-regex

$V Found an incorrectly-bounded regex passed to validates_format_of or validate ... format => .... Ruby regex matching is multiline by default, so anchor the pattern with \A for the beginning of the string and \Z for the end of the string.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-185: Incorrect Regular Expression
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
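The multiline anchor problem above, as an added example that is not code from the CodeAnt rule page or from Brakeman: the same three constructed inputs are checked against a ^/$ pattern, a \A/\Z pattern and a \A/\z pattern (\z is included because \Z still matches before a single trailing newline). Rails 4 and later raise an ArgumentError when validates_format_of is given ^ or $ without :multiline => true, so the demonstration calls Regexp#match? directly.

```ruby
# Added example, not code from the CodeAnt rule page or from Brakeman.
# In Ruby, ^ and $ match at line boundaries, so a "validated" value may carry
# extra lines after the part that matched. Only \A and \z bound the whole string.

LINE_ANCHORED   = /^[a-z0-9_]+$/    # what check-validation-regex flags
UPPER_Z         = /\A[a-z0-9_]+\Z/  # \Z also matches before one trailing newline
STRING_ANCHORED = /\A[a-z0-9_]+\z/  # \z is the true end of the string

# Constructed inputs: a legitimate username, a multi-line value whose first
# line is valid but whose second line is not, and a value with a trailing newline.
GOOD        = "alice_01"
MULTILINE   = "alice_01\nnot_validated!"
TRAILING_NL = "alice_01\n"
INPUTS      = [GOOD, MULTILINE, TRAILING_NL].freeze

# Returns true when +pattern+ accepts +value+, the check a format validator makes.
def accepts?(pattern, value)
  pattern.match?(value)
end

# Acceptance of each input under each anchoring style, in INPUTS order.
def validation_report
  {
    line_anchored:   INPUTS.map { |v| accepts?(LINE_ANCHORED, v) },
    upper_z:         INPUTS.map { |v| accepts?(UPPER_Z, v) },
    string_anchored: INPUTS.map { |v| accepts?(STRING_ANCHORED, v) },
  }
end

if $PROGRAM_NAME == __FILE__
  validation_report.each { |style, results| puts "#{style}: #{results.inspect}" }
end
```

Only the \A/\z pattern rejects both the multi-line value and the trailing newline; the ^/$ pattern accepts all three.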

check-dynamic-render-local-file-include

Found request parameters in a call to render in a dynamic context. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control

check-send-file

Allowing user input to send_file allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in send_file or normalize with File.basename(...).
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-73: External Control of File Name or Path
OWASP:
- A04:2021 - Insecure Design

check-unscoped-find

Found an unscoped find(...) with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. current_user.accounts.find(params[:id]).
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-639: Authorization Bypass Through User-Controlled Key
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control

check-sql

Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

check-permit-attributes-medium

Calling permit on security-critical properties like $ATTRIBUTE may leave your application vulnerable to mass assignment.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP:
- A08:2021 - Software and Data Integrity Failures

check-regex-dos

Found a potentially user-controllable argument in the construction of a regular expression. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-1333: Inefficient Regular Expression Complexity
OWASP:
- A03:2017 - Sensitive Data Exposure

check-rails-secret-yaml

$VALUE Found a string literal assignment to a production Rails session secret in secrets.yaml. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-540: Inclusion of Sensitive Information in Source Code
OWASP:
- A01:2021 - Broken Access Control

check-before-filter

Disabled-by-default Rails controller checks make it much easier to introduce access control mistakes. Prefer an allowlist approach with :only => [...] rather than :except => [...].
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control

check-render-local-file-include

Found request parameters in a call to render. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for render. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with File.basename(...).
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
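The File.basename normalization recommended by check-send-file and check-render-local-file-include, as an added example that is not code from the CodeAnt rule page, Brakeman or Rails: the unsafe join that lets a "../" parameter leave the attachment directory is shown next to the hardened form, which strips directory components and then consults an allow-list. The directory and the allowed names are constructed assumptions.

```ruby
# Added example, not code from the CodeAnt rule page, Brakeman or Rails.
# Shows the unsafe path construction that check-send-file and
# check-render-local-file-include flag, next to the hardened form that
# normalizes with File.basename and then consults an allow-list.
require "pathname"

# Assumptions (constructed for this example): where served files live and
# which names a user may request.
ATTACHMENT_DIR      = "/srv/app/attachments".freeze
ALLOWED_ATTACHMENTS = %w[invoice.pdf terms.pdf].freeze
ALLOWED_TEMPLATES   = %w[summary detail].freeze

# Vulnerable: the request parameter is joined in unchanged, so "../" segments
# walk out of ATTACHMENT_DIR once the path is resolved.
def unsafe_attachment_path(param)
  File.expand_path(File.join(ATTACHMENT_DIR, param.to_s))
end

# Reduce the parameter to a bare file name and require it to be on the list.
# Returns nil on rejection so the caller can answer 404 instead of serving a file.
def allowed_name(param, allowed)
  name = File.basename(param.to_s)
  allowed.include?(name) ? name : nil
end

def safe_attachment_path(param)
  name = allowed_name(param, ALLOWED_ATTACHMENTS)
  name && File.join(ATTACHMENT_DIR, name)
end

# Same idea for render: only known template names, never a user-built path.
def safe_template(param)
  name = allowed_name(param, ALLOWED_TEMPLATES)
  name && "reports/#{name}"
end

# Final guard before send_file: true only when +path+ resolves under +root+.
def inside?(root, path)
  Pathname.new(path).cleanpath.to_s.start_with?(root + "/")
end
```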

check-unsafe-reflection

Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection