brakeman
A static analysis security vulnerability scanner for Ruby on Rails applications
Brakeman - Rails Security Scanner: Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications.
Can someone explain to me why this is a security problem?
= link_to new_locale.to_s, params.slice(:id, :reader_id, :screen_type).merge(locale: new_locale)
I am trying to add a simple partial to my project to be able to switch between languages. I don't really want this partial to have to interact with each controller or switch the user to a different page or have to know all possible valid parameters.
Source: (StackOverflow)
I am using the Rails security scanner Brakeman but I want to include my own (custom) security checks, just like CheckSQL and CheckCrossSiteScripting.
E.g. I want to make sure all the controllers have a before filter to validate authentication and authorization checks.
Question
Is there an option in brakeman to include our own custom checks?
If yes, how to do it?
Source: (StackOverflow)
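Brakeman does load extra checks from a directory given with `--add-checks-path`, and those are classes derived from `Brakeman::BaseCheck` that run against Brakeman's parsed model of the application. The block below is not such a check and is not from the question; it is an added, stand-alone lint that does the narrower thing the asker wants (every controller must carry or inherit an authentication filter and must not skip it) by scanning controller sources, so it runs with plain Ruby. The filter name `:authenticate_user!`, the list of deliberately public controllers and the sample sources are assumptions.

```ruby
# Added example, not from the post and not a Brakeman check: a stand-alone
# lint over controller source files. A controller passes if it declares the
# authentication filter itself, or inherits it from an ancestor in the scanned
# set, and does not skip it. Filter name, public-controller list and the
# sample sources below are assumptions.
AUTH_FILTER = /\b(?:before_action|before_filter)\s+:authenticate_user!/
SKIP_AUTH   = /\b(?:skip_before_action|skip_before_filter)\s+:authenticate_user!/
CLASS_LINE  = /\bclass\s+(\w+Controller)\s*<\s*([\w:]+)/
PUBLIC_CONTROLLERS = %w[SessionsController].freeze

# name => { parent:, auth:, skip: } for every controller class found.
def index_controllers(sources)
  sources.each_with_object({}) do |src, info|
    m = CLASS_LINE.match(src) or next
    info[m[1]] = { parent: m[2], auth: AUTH_FILTER.match?(src), skip: SKIP_AUTH.match?(src) }
  end
end

# Walk up the inheritance chain; an unknown parent (ActionController::Base)
# provides no filter, and a skip anywhere breaks the chain.
def authenticated?(name, info, seen = [])
  ctl = info[name] or return false
  return false if ctl[:skip] || seen.include?(name)
  return true if ctl[:auth]
  authenticated?(ctl[:parent], info, seen + [name])
end

# Returns [[controller_name, reason], ...] sorted by controller name.
def audit_controllers(sources)
  info = index_controllers(sources)
  info.keys.sort.each_with_object([]) do |name, findings|
    next if PUBLIC_CONTROLLERS.include?(name) || authenticated?(name, info)
    reason = info[name][:skip] ? 'skips :authenticate_user!' : 'no :authenticate_user! in class or ancestors'
    findings << [name, reason]
  end
end

# Constructed sample controllers (not taken from any real application).
SAMPLE_CONTROLLERS = [
  <<~RUBY,
    class ApplicationController < ActionController::Base
      protect_from_forgery with: :exception
      before_action :authenticate_user!
    end
  RUBY
  <<~RUBY,
    class PortfoliosController < ApplicationController
      def index; end
    end
  RUBY
  <<~RUBY,
    class AdminReportsController < ApplicationController
      skip_before_action :authenticate_user!, only: :export
    end
  RUBY
  <<~RUBY,
    class LegacyController < ActionController::Base
      def show; end
    end
  RUBY
  <<~RUBY,
    class SessionsController < ApplicationController
      skip_before_action :authenticate_user!
    end
  RUBY
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_controllers(SAMPLE_CONTROLLERS).each { |name, reason| puts "#{name}: #{reason}" }
end
```

In a real project the sources would come from `Dir['app/controllers/**/*.rb'].map { |f| File.read(f) }`. The regex approach is deliberately coarse: it treats `before_action :authenticate_user!, except: [...]` as fully protected, and a Brakeman check working on the parsed AST would see those `only:`/`except:` options; this lint is a cheap first gate, not a replacement.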
I'm setting the file name like 'abc_1.pdf' where '1' is the value of a model's attribute. But the Brakeman scanner takes this as a security issue. I need to keep track of files by referencing the file name with the model attribute. Can you please tell me what the right way is to fix this security issue?
Thanks.
Source: (StackOverflow)
I have installed the latest version of the Brakeman gem to help me with Rails application security.
I have several Rails applications that I have on two servers, one for development and the other for production. When I ran the Brakeman reports on my applications, most of them flagged config/initializers/secret_token.rb with the following high security vulnerability.
Session secret should not be included in version control near line 7
This is the first time I have seen this error since I ran an older version of Brakeman months ago.
From what I have researched so far, Rails automatically generates the secret token when rails new appname is executed. I was not aware of it until now. Apparently Rails does not protect this file, so if I decided to move any of my applications to Github the information would be available to anyone on Github accessing the application. At this time I am not uploading to GitHub but I want information on how to move the secret_token from config/initializers/secret_token.rb in order to close the security hole in my applications.
One blog post I read suggested that I inject the secret token into an ENV variable. Will moving the statement from config/initializers/secret_token.rb to config/environment.rb solve the problem? If so I will add this task to my list of tasks in Rails development.
Any help would be appreciated.
Source: (StackOverflow)
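Moving the same literal from config/initializers/secret_token.rb to config/environment.rb changes nothing: the secret is still a string in a tracked file. The warning goes away only when the value comes from outside the repository. The block below is an added example, not the poster's code or Rails' own: it reads the secret from the process environment and refuses to start without one. The variable names, the `MyApp` constant in the comment and the length threshold are assumptions; the generator is the same call `rake secret` uses.

```ruby
require 'securerandom'

# Added example, not the poster's code: the session secret comes from the
# environment, so nothing secret lives in a file under version control.
# Variable names and the minimum length are assumptions; Rails generates
# the token with SecureRandom.hex(64), i.e. 128 hex characters.
MIN_SECRET_LENGTH = 128

# Fail closed: a missing or short secret must stop the boot, not fall back
# to a default that every copy of the code would share.
def session_secret(env = ENV)
  raw = env['SECRET_KEY_BASE'] || env['SECRET_TOKEN']
  if raw.nil? || raw.strip.empty?
    raise KeyError, 'set SECRET_KEY_BASE (or SECRET_TOKEN) in the environment'
  end
  if raw.length < MIN_SECRET_LENGTH
    raise ArgumentError, "session secret is shorter than #{MIN_SECRET_LENGTH} characters"
  end
  raw
end

# Same generator `rake secret` uses; run once per environment and put the
# output in that environment (or a secrets manager), never in the repo.
def generate_session_secret
  SecureRandom.hex(64)
end

# In config/initializers/secret_token.rb the literal becomes (MyApp assumed):
#   MyApp::Application.config.secret_token = session_secret
# Rails 4.0 uses config.secret_key_base; Rails 4.1+ reads config/secrets.yml,
# where the equivalent is:  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
```

Rotating the secret invalidates every existing signed session cookie, so do it at a time when logging all users out is acceptable, and do it anyway if the old value has ever been committed: removing it from the current revision does not remove it from history.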
I'm just getting started with Rails, so I'm using Brakeman to learn about potential vulnerabilities in my newbie code. It's throwing a high-confidence "Dynamic Render Path" warning about the following code in my show.js.erb file:
$('#media-fragment').html('<%= escape_javascript(render(params[:partial])) %>');
I actually expected this was a problem, so no surprise there. So I changed it to the following:
# controller:
def show
  if legal_partial?
    @allowed_partial = params[:partial]
  else
    raise StandardError, "unexpected partial request: #{params[:partial]}"
  end
end

private

def legal_partial?
  %w(screenshots video updates).include? params[:partial]
end

# ...
# show.js.erb
$('#media-fragment').html('<%= escape_javascript(render(@allowed_partial)) %>');
Although I believe the code is now safe, Brakeman is still unhappy with this. Is there a more idiomatic way to control rendering of a partial based on user input?
Source: (StackOverflow)
How can I avoid a brakeman warning in Rails when constructing an order method from parameters?
def index
  @methods = [:name, :manager, :deadline]
  assignments = Assignment.order(sort_column(@methods) + " " + sort_direction).received(current_user).root
end

def sort_column(column_names)
  column_names.each do |column|
    # params values are strings; compare against the symbol's string form,
    # otherwise no column ever matches and the default is always used
    return column.to_s if column.to_s == params[:sort]
  end
  return 'updated_at'
end

def sort_direction
  params[:direction] == 'asc' ? 'asc' : 'desc'
end
I'm working hard to avoid ever putting user-generated code directly into the query, but brakeman still alerts (medium confidence) that this is a SQL injection vulnerability.
Is this a false positive? If not, how do I correct the vulnerability?
If so, is there an easy way to avoid the false positive?
Source: (StackOverflow)
I've just started using the brakeman gem to explore my rails app for security vulnerabilities.
I've managed to get everything tidy except for several cross site scripting warnings.
These all share the following in common:
- They're all link_to tags
- They all have instance variables in the class, alt or title attributes
- The instance variables all represent an active record query that includes associated models
- The instance variables are all "commentable". This describes a polymorphic association for user generated comments, similar in approach to the revised version of this Railscast.
e.g.
<%= link_to "Click", @model.association, :class => @model.association.attribute, :alt => @model.association.attribute, :title => @model.association.attribute %>
where
@model = @commentable = Model.includes(:association1, association2: [:nested_association1, :nested_association2]).find(params[:id])
Is this something I need to be concerned about / take action on? I thought Rails 3.2 escapes these by default.
I'd welcome advice to help me understand this issue better, and identify what steps I should take, if any.
Source: (StackOverflow)
In my project, while using the Brakeman gem, the following security issues are raised:
1) In the following statement, an Unescaped model attribute error is raised
CashTransaction.find(session[:transaction_id]).customer.address_1
I know Rails uses a cookie based session store. However, in Rails 4 it's relatively safe to use cookies, as you would need the Rails secret token in order to compromise it.
So, is this a false positive? If not how can I remove this vulnerability?
2) Secondly, I have a scenario where I need to check whether a record with a particular attribute exists or not. For that I have the following code
def check_email
  render json: ( is_available('email', params[:user][:email]) )
end

def is_email_available
  is_email_taken = is_available('email', params[:user][:email])
  render json: !is_email_taken
end

def is_username_available
  is_username_taken = is_available('username', params[:user][:username])
  render json: !is_username_taken
end

def is_available(type, value)
  User.where("#{type}=?", value).exists?
end
And Brakeman raises the following warning
Possible SQL injection. User.where("#{(local type)}=?", (local value))
How can I remove this vulnerability and at the same time make my code DRY?
Source: (StackOverflow)
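Three of the questions above (the "Dynamic Render Path" warning on `render(@allowed_partial)`, the medium-confidence SQL injection on the `order` string, and `User.where("#{type}=?", value)`) have the same root cause and the same fix. Checking that a user value is in a list and then passing the user value onward leaves a tainted string on the path to `render`, `order` or `where`, which is what Brakeman tracks. Using the value only as a key into a frozen table of literals means the string that reaches the sensitive call is a constant from the table. The block below is an added example, not code from any of the posts; the partial paths, column names and the `IllegalParameter` class are assumptions.

```ruby
# Added example, not from the posts above. The pattern: user input is a
# lookup key, never a value that is forwarded. Everything that reaches
# render / order / where below is a literal from one of these tables.
# All names here are assumptions.
PARTIALS = {
  'screenshots' => 'media/screenshots',
  'video'       => 'media/video',
  'updates'     => 'media/updates',
}.freeze

SORT_COLUMNS = {
  'name'     => 'assignments.name',
  'manager'  => 'assignments.manager',
  'deadline' => 'assignments.deadline',
}.freeze
DEFAULT_SORT_COLUMN = 'assignments.updated_at'

LOOKUP_COLUMNS = { 'email' => :email, 'username' => :username }.freeze

class IllegalParameter < ArgumentError; end

# Dynamic render path: an unknown name is an error, not a render of
# whatever was requested. Use as render(partial_for(params[:partial])).
def partial_for(name)
  PARTIALS.fetch(name.to_s) { raise IllegalParameter, "unexpected partial: #{name.inspect}" }
end

# ORDER BY: unknown columns fall back to the default, and the direction is
# reduced to one of two literals. Use as Assignment.order(order_clause(...)).
def order_clause(sort, direction)
  column = SORT_COLUMNS.fetch(sort.to_s, DEFAULT_SORT_COLUMN)
  dir    = direction.to_s == 'asc' ? 'ASC' : 'DESC'
  "#{column} #{dir}"
end

# is_available: map the type name to a column symbol and hand ActiveRecord
# a hash condition, so the value is bound, never interpolated.
# Use as User.where(availability_condition(type, value)).exists?
def availability_condition(type, value)
  column = LOOKUP_COLUMNS.fetch(type.to_s) { raise IllegalParameter, "unknown lookup: #{type.inspect}" }
  { column => value }
end
```

`fetch` with a block raises for the render case because an unexpected partial name is a bug or an attack and should fail loudly; `fetch` with a default silently normalises the sort column because a stale bookmark with an old column name should still return a page. Both choices are defensible, but make them deliberately. The hash form `where(column => value)` also lets the callers stay as short as the original `is_available`, so the code stays DRY without string interpolation.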
I've got a scope in my model:
scope :assigned_to_user, ->(user) {
  task_table = UserTask.table_name
  joins("INNER JOIN #{task_table}
         ON #{task_table}.user_id = #{user.id}
         AND (#{task_table}.type_id = #{table_name}.type_id)
         AND (#{task_table}.manager_id = #{table_name}.manager_id)
        ")
}
So after running the brakeman report I get this warning:
assigned_to_user | SQL Injection | Possible
So I tried the following:
scope :assigned_to_user, ->(user) {
  task_table = UserTask.table_name
  joins(ActiveRecord::Base::sanitize("INNER JOIN #{task_table}
         ON #{task_table}.user_id = #{user.id}
         AND (#{task_table}.type_id = #{table_name}.type_id)
         AND (#{task_table}.manager_id = #{table_name}.manager_id)
        "))
}
This doesn't work for me because it adds ' (apostrophe) to the front and back of the sql. So when I use this as a part of a query which returns some results and I apply this scope it generates incorrect sql.
I also tried this:
scope :assigned_to_user, ->(user) {
  task_table = UserTask.table_name
  joins("INNER JOIN #{task_table}
         ON #{task_table}.user_id = ?
         AND (#{task_table}.type_id = #{table_name}.type_id)
         AND (#{task_table}.manager_id = #{table_name}.manager_id)
        ", user.id)
}
Doesn't even build the statement. And I tried a couple of other things which didn't work and aren't even worth mentioning. Does anybody have an idea how to fix this?
Source: (StackOverflow)
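Both attempts fail for understandable reasons: `joins` takes raw SQL fragments and does not substitute `?` placeholders the way `where` does, and `sanitize` quotes its whole argument as one SQL string literal, which is why the apostrophes appear. The fragment has to be made safe piece by piece: table names come from ActiveRecord but still cannot be bound as parameters (SQL has no placeholders for identifiers), and the only runtime value, `user.id`, can be forced to an integer. The block below is an added example, not the poster's code; the helper names and the table names in the test are assumptions. The one-line fix Brakeman also accepts is `#{user.id.to_i}`, which this makes explicit and stricter (`Integer()` raises instead of silently turning garbage into 0).

```ruby
# Added example, not the poster's code. Each interpolated piece of the JOIN
# is safe by construction: identifiers are matched against a strict pattern,
# the id is coerced with Integer(), which raises on anything that is not an
# integer. Helper names are assumptions.
IDENTIFIER = /\A[A-Za-z_][A-Za-z0-9_]*\z/

def sql_identifier(name)
  s = name.to_s
  raise ArgumentError, "unsafe SQL identifier: #{s.inspect}" unless IDENTIFIER.match?(s)
  s
end

def sql_integer(value)
  # Integer("1 OR 1=1") and Integer("") raise ArgumentError, Integer(nil)
  # raises TypeError. Prefixed forms such as "0x1f" are accepted but still
  # produce a bare integer, so the emitted SQL stays a single number.
  Integer(value)
end

def assigned_to_user_join(task_table, table_name, user_id)
  task = sql_identifier(task_table)
  base = sql_identifier(table_name)
  uid  = sql_integer(user_id)
  "INNER JOIN #{task} " \
  "ON #{task}.user_id = #{uid} " \
  "AND (#{task}.type_id = #{base}.type_id) " \
  "AND (#{task}.manager_id = #{base}.manager_id)"
end

# In the model the scope then reads (with the helpers in a module the
# model includes, which is assumed here):
#   scope :assigned_to_user, ->(user) {
#     joins(assigned_to_user_join(UserTask.table_name, table_name, user.id))
#   }
```

The identifier pattern is deliberately narrower than what databases allow (no quoted or schema-qualified names); widen it only if a table in the application actually needs it, since every character admitted is a character an attacker can also use.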
I have a Rails 4 application, and when I run Brakeman, it (rightly) identifies an unprotected redirect in my create action. However, adding only_path: true (as in the Brakeman Railscast) does not cure the warning:
def create
  refer_url = params[:referrer]
  @portfolio = current_user.portfolios.build(portfolio_params)
  if @portfolio.save
    redirect_to refer_url, notice: "Portfolio was successfully created.", only_path: true
  else
    render :new
  end
end
Results in:
+SECURITY WARNINGS+
+------------+-----------------------+---------+--------------+----------------------------------------------------------------------------------------------------------------------->>
| Confidence | Class | Method | Warning Type | Message >>
+------------+-----------------------+---------+--------------+----------------------------------------------------------------------------------------------------------------------->>
| High | PortfoliosController | create | Redirect | Possible unprotected redirect near line 14: redirect_to(+params[:referrer]+, :notice => "Portfolio was successfully cr>>
+------------+-----------------------+---------+--------------+----------------------------------------------------------------------------------------------------------------------->>
Why might this be? What risk is Brakeman still identifying?
Source: (StackOverflow)
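`only_path: true` is an option of `url_for`. `redirect_to` only builds a URL through `url_for` when it is given a hash or a record; when it is given a string, as here, the string is sent to the browser unchanged and the trailing hash is just response options, so `params[:referrer]` can still be `http://evil.example/` or `//evil.example/`. That is the risk Brakeman keeps reporting. The block below is an added example, not the poster's code: it reduces an untrusted return URL to a same-site path and falls back to a default for everything else. The default path is an assumption.

```ruby
require 'uri'

# Added example, not the poster's code. Reduce an untrusted "return to" value
# to a same-site absolute path; anything else becomes the default.
# DEFAULT_AFTER_CREATE is an assumption.
DEFAULT_AFTER_CREATE = '/portfolios'

def local_path(candidate, default = DEFAULT_AFTER_CREATE)
  value = candidate.to_s.strip
  return default if value.empty?
  # Browsers normalise "\" to "/" in URLs, so "/\evil.example" is treated
  # like "//evil.example". Refuse backslashes outright.
  return default if value.include?('\\')

  uri = begin
    URI.parse(value)
  rescue URI::InvalidURIError
    return default
  end
  # A scheme, host or userinfo means the target is not this site:
  # "http://...", "//evil.example/...", "javascript:...", "mailto:...".
  return default if uri.scheme || uri.host || uri.userinfo

  path = uri.path.to_s
  # Relative paths ("portfolios") resolve against the current URL; accept only
  # an absolute path, and never a protocol-relative "//..." one.
  return default unless path.start_with?('/') && !path.start_with?('//')

  uri.query ? "#{path}?#{uri.query}" : path
end

# In the controller:  redirect_to local_path(params[:referrer]), notice: "..."
```

On Rails 7.0 and later the framework provides the same check with knowledge of the request host: `redirect_to url_from(params[:referrer]) || portfolios_path` returns `nil` for other-host URLs, and `config.action_controller.raise_on_open_redirects = true` makes a bare `redirect_to` of an external string raise unless `allow_other_host: true` is passed. On Rails 4 a helper like the one above is the practical equivalent.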
I am using the brakeman gem for scanning my app.
After scanning the app, I get the following warnings:
#Security warnings
Method | Warning Type | Message
------------------------------------------------------
show | Unscoped Find | Unscoped call to PatientMessage#find near line 27: Message.find(+params[:id]+)
------------------------------------------------------
#Controller warnings:
Controller | Warning Type | Message
----------------------------------------------------------------------------
ApplicationController | Cross-Site Request Forgery | 'protect_from_forgery' should be called in ApplicationController
Can someone help figure out what these warnings mean?
Source: (StackOverflow)
I am using Jenkins for the deployment process and it works fine. When I try to generate the rcov report, rails stats report and brakeman warnings:
[ubuntu@xx.xxx.xxx.xx] executing command
** [out :: ubuntu@xx.xxx.xxx.xx] Starting Unicorn..
command finished in 2228ms
POST BUILD TASK : SUCCESS
END OF POST BUILD TASK : 0
ERROR: Publisher hudson.plugins.brakeman.BrakemanPublisher aborted due to exception
java.io.FileNotFoundException: /home/kannan/.jenkins/workspace/Publisher Dev/brakeman-output.tabs (No such file or directory)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:137)
at hudson.FilePath.read(FilePath.java:1570)
at hudson.FilePath.readToString(FilePath.java:1595)
at hudson.plugins.brakeman.BrakemanPublisher.perform(BrakemanPublisher.java:99)
at hudson.plugins.analysis.core.HealthAwarePublisher.perform(HealthAwarePublisher.java:146)
at hudson.plugins.analysis.core.HealthAwareRecorder.perform(HealthAwareRecorder.java:331)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:19)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:804)
at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:776)
at hudson.model.Build$BuildExecution.post2(Build.java:183)
at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:726)
at hudson.model.Run.execute(Run.java:1618)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:46)
at hudson.model.ResourceController.execute(ResourceController.java:88)
at hudson.model.Executor.run(Executor.java:247)
Publishing rails stats report...
Build failed, skipping rcov coverage report
Build step 'Publish Rcov report' marked build as failure
Finished: FAILURE
What am I supposed to do?
Source: (StackOverflow)
Brakeman is showing the following error. The files are managed with Paperclip.
In my controller:
asset_file ||= AssetFile.find(params[:id])
if asset_file
  # downloading file
  send_file asset_file.uploaded_file.path, :type => asset_file.uploaded_file_content_type
else
  flash[:error] = t('document.mind_your_asset_file')
  redirect_to root_url
end
Source: (StackOverflow)
I recently added the Brakeman gem to my Gemfile and had to see that I should use
:only_path => true
to make it more secure. But I'm using a nested resource and don't know exactly how; here is the part from my Controller.
if @comment.update_attributes(params[:comment])
  redirect_to [@message, @comment], notice: 'Comment was successfully updated.'
How can I do this? I only saw the only_path attribute with the url_for helper.
Thanks for your Help!
Source: (StackOverflow)
I am getting a file access warning for the following code:
FileUtils.rm(File.join(Project.with_deleted.find_by(
  :user_id => (User.find_by(:username => (params[:user_id])).id),
  :name => (params[:id])
).satellitedir, params[:image_name]))
The warning is:
When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.
I tried to sanitize the params with:
if !params[:image_name].gsub(/\\/, '').index('../')
  #my code
end
but this seems to have no effect on the Hakiri warning.
Source: (StackOverflow)
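Stripping backslashes and searching for `../` is a denylist, and scanners (and reviewers) do not credit denylists because the next encoding or platform quirk defeats them. The check that removes the doubt is to build the full path, canonicalise it, and verify it still starts with the intended directory. The block below is an added example, not the poster's code or Hakiri's; `satellitedir` is taken from the question, everything else (the exception class, helper names, the sample base directory in the test) is an assumption. The same prefix check answers the earlier `'abc_1.pdf'` question: build the name from `Integer(record.id)` and pass it through `safe_join`.

```ruby
require 'fileutils'

# Added example, not the poster's code: canonicalise the joined path and
# require that it stays under the base directory. Names are assumptions.
class PathOutsideBase < ArgumentError; end

def safe_join(base_dir, untrusted_name)
  name = untrusted_name.to_s
  raise PathOutsideBase, 'empty file name' if name.empty?
  # A NUL byte truncates paths in C-level APIs; Ruby raises on it as well,
  # but reject it here with a clear message.
  raise PathOutsideBase, 'NUL byte in file name' if name.include?("\0")
  # File.expand_path treats a leading "~" as a home directory, not a file.
  raise PathOutsideBase, 'file name may not start with "~"' if name.start_with?('~')

  base = File.expand_path(base_dir)
  # expand_path resolves "." and "..", and treats a leading "/" as absolute,
  # so an escaping or absolute name simply lands outside `base`.
  full = File.expand_path(name, base)
  unless full.start_with?(base + File::SEPARATOR)
    raise PathOutsideBase, "#{name.inspect} resolves outside #{base}"
  end
  full
end

# Replacement for the FileUtils.rm call in the question: image_name is the
# only user-controlled segment that reaches the filesystem API.
def remove_image(satellitedir, image_name)
  FileUtils.rm(safe_join(satellitedir, image_name))
end
```

Two caveats a reviewer would add. `expand_path` does not resolve symlinks, so if users can create files inside `satellitedir` (an upload directory usually qualifies), also reject `File.symlink?(full)` or compare `File.realpath(full)` against `File.realpath(base)` before deleting. And the base directory itself must be trusted: here it comes from a record looked up by `params[:id]` and `params[:user_id]`, so the lookup should be scoped to `current_user` rather than to whatever username the request names.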