Brakeman
check-redirect-to
check-redirect-to
Found potentially unsafe handling of redirect behavior $X. Do not pass params to redirect_to without the :only_path => true hash value.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP:
- A01:2021 - Broken Access Control
check-cookie-store-session-security-attributes
check-cookie-store-session-security-attributes
check-http-verb-confusion
check-http-verb-confusion
Found an improperly constructed control flow block with request.get?. Rails will route HEAD requests as GET requests but they will fail the request.get? check, potentially causing unexpected behavior unless an elif condition is used.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-650: Trusting HTTP Permission Methods on the Server Side
OWASP:
- A04:2021 - Insecure Design
check-rails-session-secret-handling
check-rails-session-secret-handling
Found a string literal assignment to a Rails session secret $KEY. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-540: Inclusion of Sensitive Information in Source Code
OWASP:
- A01:2021 - Broken Access Control
check-unsafe-reflection-methods
check-unsafe-reflection-methods
Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to tap, method, or to_proc
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
check-secrets
check-secrets
Found a Brakeman-style secret - a variable with the name password/secret/api_key/rest_auth_site_key and a non-empty string literal value.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control
check-reverse-tabnabbing
check-reverse-tabnabbing
Setting an anchor target of _blank without the noopener or noreferrer attribute allows reverse tabnabbing on Internet Explorer, Opera, and Android Webview.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-1022: Use of Web Link to Untrusted Target with window.opener Access
check-permit-attributes-high
check-permit-attributes-high
Calling permit on security-critical properties like $ATTRIBUTE may leave your application vulnerable to mass assignment.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP:
- A08:2021 - Software and Data Integrity Failures
check-validation-regex
check-validation-regex
$V Found an incorrectly-bounded regex passed to validates_format_of or validate ... format => .... Ruby regex behavior is multiline by default and lines should be terminated by \A for beginning of line and \Z for end of line, respectively.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-185: Incorrect Regular Expression
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
check-dynamic-render-local-file-include
check-dynamic-render-local-file-include
Found request parameters in a call to render in a dynamic context. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
check-send-file
check-send-file
Allowing user input to send_file allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in send_file or normalize with File.basename(...)
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-73: External Control of File Name or Path
OWASP:
- A04:2021 - Insecure Design
check-unscoped-find
check-unscoped-find
Found an unscoped find(...) with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. current_user.accounts.find(params[:id]).
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-639: Authorization Bypass Through User-Controlled Key
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
check-sql
check-sql
Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
check-permit-attributes-medium
check-permit-attributes-medium
Calling permit on security-critical properties like $ATTRIBUTE may leave your application vulnerable to mass assignment.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP:
- A08:2021 - Software and Data Integrity Failures
check-regex-dos
check-regex-dos
Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-1333: Inefficient Regular Expression Complexity
OWASP:
- A03:2017 - Sensitive Data Exposure
check-rails-secret-yaml
check-rails-secret-yaml
$VALUE Found a string literal assignment to a production Rails session secret in secrets.yaml. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-540: Inclusion of Sensitive Information in Source Code
OWASP:
- A01:2021 - Broken Access Control
check-before-filter
check-before-filter
Disabled-by-default Rails controller checks make it much easier to introduce access control mistakes. Prefer an allowlist approach with :only => [...] rather than except: => [...]
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
check-render-local-file-include
check-render-local-file-include
Found request parameters in a call to render. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for render. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with File.basename(...).
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
check-unsafe-reflection
check-unsafe-reflection
Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection