EzDevInfo.com

brakeman

Brakeman - Rails Security Scanner: a static analysis security vulnerability scanner for Ruby on Rails applications.

Why is this XSS, according to Brakeman?

Can someone explain to me why this is a security problem?

= link_to new_locale.to_s, params.slice(:id, :reader_id, :screen_type).merge(locale: new_locale)

I am trying to add a simple partial to my project to be able to switch between languages. I don't really want this partial to have to interact with each controller or switch the user to a different page or have to know all possible valid parameters.


Source: (StackOverflow)

Brakeman Rails security scanner: how to add our own custom check

I am using the Rails security scanner Brakeman, but I want to include my own (custom) security checks, just like CheckSQL and CheckCrossSiteScripting.
E.g. I want to make sure all the controllers have a before filter to validate authentication and authorization checks.

Question
Is there an option in Brakeman to include our own custom checks?
If yes, how to do it?


Source: (StackOverflow)


Brakeman: model attribute used in file name warnings

I'm setting the file name like 'abc_1.pdf', where '1' is the value of a model's attribute. But the Brakeman scanner takes this as a security issue. I need to keep track of files by referencing the file name with the model attribute. Can you please tell me what the right way to fix this security issue is?

Thanks.


Source: (StackOverflow)

Ruby on Rails 3.2.13 - Brakeman - Session secret should not be included in version control

I have installed the latest version of the Brakeman gem to help me with Rails application security.

I have several Rails applications that I have on two servers, one for development and the other for production. When I ran the Brakeman reports on my applications, most of them flagged config/initializers/secret_token.rb with the following high security vulnerability.

Session secret should not be included in version control near line 7

This is the first time I have seen this error since I ran an older version of Brakeman months ago.

From what I have researched so far, Rails automatically generates the secret token when rails new appname is executed. I was not aware of it until now. Apparently Rails does not protect this file, so if I decided to move any of my applications to GitHub the information would be available to anyone on GitHub accessing the application. At this time I am not uploading to GitHub, but I want information on how to move the secret_token out of config/initializers/secret_token.rb in order to close the security hole in my applications.

One blog post I read suggested that I inject the secret token into an ENV variable. Will moving the statement from config/initializers/secret_token.rb to config/environment.rb solve the problem? If so I will add this task to my list of tasks in Rails development.

Any help would be appreciated.


Source: (StackOverflow)
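The question above is about getting the generated secret out of a tracked file. The following Ruby is an added stand-alone example, not code from the question or from Rails: it reads the secret from the process environment and fails closed when the value is missing or too short, and it includes a small pattern match that spots the literal `rails new` writes into config/initializers/secret_token.rb. The variable name `SECRET_TOKEN` and the `Myapp::Application` constant are assumptions. Moving the assignment into another file that is also committed, such as config/environment.rb, leaves the value in version control; the literal has to leave the repository.

```ruby
require "securerandom"

# A Rails 3.2 secret_token as written by `rails new` is 128 hex characters
# (64 random bytes); anything shorter is treated as a configuration mistake.
MIN_SECRET_HEX_LENGTH = 128

# Produces a secret in the same shape `rake secret` does. Run it once per
# environment and store the output outside the repository, for example in the
# process environment of the application server.
def generate_secret
  SecureRandom.hex(64)
end

# Reads the secret from an environment hash and fails closed: a missing or
# weak value raises instead of silently falling back to a default that would
# end up committed or shared between development and production.
# `env` is a parameter so the check can be exercised without touching ENV.
def load_secret(env, key = "SECRET_TOKEN")
  value = env[key]
  if value.nil? || value.empty?
    raise KeyError, "#{key} is not set; generate one with `rake secret` and export it"
  end
  unless value.length >= MIN_SECRET_HEX_LENGTH && value.match?(/\A\h+\z/)
    raise ArgumentError, "#{key} must be at least #{MIN_SECRET_HEX_LENGTH} hex characters"
  end
  value
end

# True when a line from a tracked file carries the literal Rails writes into
# config/initializers/secret_token.rb: a long hex string assigned to
# secret_token. A line that reads the value from ENV does not match.
def looks_like_committed_secret?(line)
  !!(line =~ /secret_token\s*=\s*['"]\h{30,}['"]/)
end

if __FILE__ == $0
  # Constructed lines: what `rails new` generates, and the replacement that
  # keeps the value out of version control (Myapp is a hypothetical app name).
  committed = "Myapp::Application.config.secret_token = '#{generate_secret}'"
  from_env  = "Myapp::Application.config.secret_token = ENV.fetch('SECRET_TOKEN')"
  puts looks_like_committed_secret?(committed)   # true
  puts looks_like_committed_secret?(from_env)    # false
  puts load_secret({ "SECRET_TOKEN" => generate_secret }).length  # 128
end
```

In the initializer the `from_env` line is the whole change; `ENV.fetch` without a default raises at boot if the variable is absent, which is the behaviour you want rather than a silently weak or shared secret.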

Rails Brakeman warning: Dynamic Render Path false alarm?

I'm just getting started with Rails, so I'm using Brakeman to learn about potential vulnerabilities in my newbie code. It's throwing a high-confidence "Dynamic Render Path" warning about the following code in my show.js.erb file:

$('#media-fragment').html('<%= escape_javascript(render(params[:partial])) %>');

I actually expected this was a problem, so no surprise there. So I changed it to the following:

  # controller:
  def show
    if legal_partial?
      @allowed_partial = params[:partial]
    else
      raise StandardError, "unexpected partial request: #{params[:partial]}"
    end
  end

  private

  def legal_partial?
    %w(screenshots video updates).include? params[:partial]
  end

  # ...
  # show.js.erb
  $('#media-fragment').html('<%= escape_javascript(render(@allowed_partial)) %>');

Although I believe the code is now safe, Brakeman is still unhappy with this. Is there a more idiomatic way to control rendering of a partial based on user input?


Source: (StackOverflow)

rails brakeman order sql injection

How can I avoid a brakeman warning in Rails when constructing an order method from parameters?

def index
  @methods = [:name, :manager, :deadline]
  assignments = Assignment.order(sort_column(@methods) + " " + sort_direction).received(current_user).root
end

def sort_column(column_names)
  # params[:sort] is a String, so compare against the column name as a String
  column_names.each do |column|
    return column.to_s if column.to_s == params[:sort]
  end
  'updated_at'
end

def sort_direction
  params[:direction] == 'asc' ? 'asc' : 'desc'
end

I'm working hard to avoid ever putting user-generated code directly into the query, but brakeman still alerts (medium confidence) that this is a SQL injection vulnerability.

Is this a false positive? If not, how do I correct the vulnerability?

If so, is there an easy way to avoid the false positive?


Source: (StackOverflow)
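The render-path question above and this one come down to the same thing. Brakeman follows the data flow from `params`: a value that is checked and then assigned (`@allowed_partial = params[:partial]`) is still the request parameter as far as the scanner is concerned, and Brakeman does not follow the call into `sort_column`, so `order` receives a value it cannot account for and reports it. The following Ruby is an added example, not code from either question or from Brakeman: request values are resolved through hash literals, so what reaches `render` or `order` is a string that exists in the source file, and unknown values fall back to a literal default. The `params` hash, the `assignments.` column prefixes and the partial names are assumptions taken from the questions.

```ruby
# Allowlists written as hashes from the accepted request value to the value
# the application will actually use. Looking the request value up in a hash
# literal returns the hash's own string, so what reaches render/order is a
# literal from source code rather than the request parameter.
PARTIALS = {
  "screenshots" => "screenshots",
  "video"       => "video",
  "updates"     => "updates",
}.freeze

SORT_COLUMNS = {
  "name"     => "assignments.name",
  "manager"  => "assignments.manager",
  "deadline" => "assignments.deadline",
}.freeze

SORT_DIRECTIONS = { "asc" => "ASC", "desc" => "DESC" }.freeze

# Resolves a request value against an allowlist. Unknown values, nil,
# non-strings and traversal attempts all fall back to the default, which is
# itself a key of the allowlist.
def pick(allowlist, value, default)
  allowlist.fetch(value.to_s, allowlist.fetch(default))
end

# Partial name to render from show.js.erb. `params` is a hypothetical hash
# standing in for the Rails request parameters.
def partial_for(params)
  pick(PARTIALS, params["partial"], "screenshots")
end

# ORDER BY clause built only from allowlisted pieces; the default is the
# updated_at column the original sort_column fell back to.
def order_clause(params)
  column = SORT_COLUMNS.fetch(params["sort"].to_s, "assignments.updated_at")
  direction = pick(SORT_DIRECTIONS, params["direction"], "desc")
  "#{column} #{direction}"
end

if __FILE__ == $0
  # Constructed request parameters, including a traversal attempt.
  puts partial_for("partial" => "video")                         # video
  puts partial_for("partial" => "../../config/database")         # screenshots
  puts order_clause("sort" => "deadline", "direction" => "asc")  # assignments.deadline ASC
end
```

In the controller this is `@allowed_partial = PARTIALS[params[:partial]]` followed by `render @allowed_partial` in the view; the guard clause and the value you render are then the same lookup, and the scanner sees a hash literal rather than a parameter.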

How to secure link_to @variable cross site scripting vulnerabilities

I've just started using the brakeman gem to explore my rails app for security vulnerabilities.

I've managed to get everything tidy except for several cross site scripting warnings.

These all share the following in common:

  • They're all link_to tags
  • They all have instance variables in the class, alt or title attributes
  • The instance variables all represent an active record query that includes associated models
  • The instance variables are all "commentable". This describes a polymorphic association for user generated comments, similar in approach to the revised version of this Railscast.

e.g

<%= link_to "Click", @model.association, :class => @model.association.attribute, :alt => @model.association.attribute, :title => @model.association.attribute %>

where

@model = @commentable = Model.includes(:association1, association2: [:nested_association1, :nested_association2]).find(params[:id])

Is this something I need to be concerned about/ take action for? I thought Rails 3.2 escapes these by default.

I'd welcome advice to help me understand this issue better, and identify what steps I should take, if any.


Source: (StackOverflow)

Security Issues in Rails raised by Brakeman

In my project, while using the Brakeman gem, the following security issues are raised:

1) For the following statement, an "Unescaped model attribute" error is raised:

CashTransaction.find(session[:transaction_id]).customer.address_1

I know Rails uses a cookie based session store. However, in Rails 4 it's relatively safe to use cookies, as you would need the Rails secret token in order to compromise it.

So, is this a false positive? If not how can I remove this vulnerability?

2) Secondly, I have a scenario where I need to check whether a record with a particular attribute exists or not. For that I have the following code:

  def check_email
    render json: ( is_available('email', params[:user][:email]) )
  end

  def is_email_available
    is_email_taken = is_available('email', params[:user][:email])
    render json: !is_email_taken
  end

  def is_username_available
    is_username_taken = is_available('username', params[:user][:username])
    render json: !is_username_taken
  end

  def is_available(type, value)
    User.where("#{type}=?", value).exists?
  end

And Brakeman raises the following warning

Possible SQL injection. User.where("#{(local type)}=?", (local value))

How can I remove this vulnerability and at the same time make my code DRY?


Source: (StackOverflow)

Rails brakeman warning of sql injection

I've got a scope in my model:

scope :assigned_to_user, ->(user) {
  task_table = UserTask.table_name

  joins("INNER JOIN #{task_table}
         ON  #{task_table}.user_id = #{user.id}
         AND (#{task_table}.type_id = #{table_name}.type_id)
         AND (#{task_table}.manager_id = #{table_name}.manager_id)
       ")
}

So after running the brakeman report I get this warning:

assigned_to_user | SQL Injection | Possible

So I tried the following :

scope :assigned_to_user, ->(user) {
  task_table = UserTask.table_name

  joins(ActiveRecord::Base::sanitize("INNER JOIN #{task_table}
         ON  #{task_table}.user_id = #{user.id}
         AND (#{task_table}.type_id = #{table_name}.type_id)
         AND (#{task_table}.manager_id = #{table_name}.manager_id)
       "))
}

This doesn't work for me because it adds ' (apostrophe) to the front and back of the SQL. So when I use this as part of a query which returns some results and I apply this scope, it generates incorrect SQL.

I also tried this:

scope :assigned_to_user, ->(user) {
  task_table = UserTask.table_name

  joins("INNER JOIN #{task_table}
         ON  #{task_table}.user_id = ?
         AND (#{task_table}.type_id = #{table_name}.type_id)
         AND (#{task_table}.manager_id = #{table_name}.manager_id)
       ", user.id)
}

Doesn't even build the statement. I also tried a couple of other things which didn't work and aren't even worth mentioning. Does anybody have an idea how to fix this?


Source: (StackOverflow)
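Across this question and the two before it the pattern is the same. The things Brakeman objects to are values interpolated into SQL text (`user.id` here, `params[:user][:email]` arriving as `value` in the previous question) and identifiers chosen by the caller (`type` in `"#{type}=?"`). Values go through placeholders and are quoted by the database adapter, which in ActiveRecord means `sanitize_sql_array` (or `where(column => value)` where the query shape allows it); identifiers cannot be bound by any driver, so they have to come from a fixed list. `table_name` is a class-level value that Brakeman recognises as safe; it is the `user.id` interpolation that draws the warning on the scope. The Ruby below is an added example, not code from the questions or from ActiveRecord: `bind`/`quote_value` is a minimal stand-in for the adapter's quoting so the logic can run outside Rails (real code uses the adapter, whose escaping rules differ between databases), and the `users.` column names and the `user_tasks`/`assignments` table names are assumptions.

```ruby
# Minimal value quoting so the example runs without a database adapter.
# Integers are emitted as digits, nil as NULL, everything else as a
# single-quoted string with embedded quotes doubled (SQL-standard quoting;
# a real adapter also knows its database's escape rules).
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replaces each ? placeholder with a quoted value, in order. Splitting first
# means a ? inside an already quoted value is never treated as a placeholder.
def bind(sql, *values)
  parts = sql.split("?", -1)
  unless parts.size - 1 == values.size
    raise ArgumentError, "expected #{parts.size - 1} values, got #{values.size}"
  end
  parts.zip(values.map { |v| quote_value(v) } + [""]).flatten.join
end

# Identifiers come from a fixed list; an unknown lookup type is an error,
# never a string that gets spliced into the query.
USER_LOOKUP_COLUMNS = { "email" => "users.email", "username" => "users.username" }.freeze

# The DRY availability check from the previous question: one method, two
# lookup types, with the column chosen by allowlist and the value bound.
def availability_query(type, value)
  column = USER_LOOKUP_COLUMNS.fetch(type) { raise ArgumentError, "unsupported lookup: #{type.inspect}" }
  bind("SELECT 1 FROM users WHERE #{column} = ? LIMIT 1", value)
end

# The join from this question. The table names are code-level constants;
# the user id is the only runtime value and it is bound. Integer() rejects
# anything that is not a whole number, so even a caller that passes a raw
# request parameter cannot smuggle SQL through the id.
def assigned_to_user_join(task_table, base_table, user_id)
  bind("INNER JOIN #{task_table} ON #{task_table}.user_id = ? " \
       "AND #{task_table}.type_id = #{base_table}.type_id " \
       "AND #{task_table}.manager_id = #{base_table}.manager_id", Integer(user_id))
end

if __FILE__ == $0
  # Constructed inputs, including a classic quote-breaking payload.
  puts availability_query("email", "bob@example.com")
  puts availability_query("email", "x' OR '1'='1")
  puts assigned_to_user_join("user_tasks", "assignments", 42)
end
```

Inside a model the equivalent of `bind` is `sanitize_sql_array(["... = ?", user.id])` passed to `joins`, and the `exists?` check is simply `User.where(column => value).exists?` once `column` has come out of the allowlist.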

Unprotected redirect not cured by only_path

I have a Rails 4 application, and when I run Brakeman, it (rightly) identifies an unprotected redirect in my create action. However, adding only_path: true (as in the Brakeman Railscast) does not cure the warning:

  def create
    refer_url = params[:referrer]
    @portfolio = current_user.portfolios.build(portfolio_params)
    if @portfolio.save
      redirect_to refer_url, notice: "Portfolio was successfully created.", only_path: true
    else
      render :new
    end
  end

Results in:

+SECURITY WARNINGS+

+------------+-----------------------+---------+--------------+----------------------------------------------------------------------------------------------------------------------->>
| Confidence | Class                 | Method  | Warning Type | Message                                                                                                               >>
+------------+-----------------------+---------+--------------+----------------------------------------------------------------------------------------------------------------------->>
| High       | PortfoliosController  | create  | Redirect     | Possible unprotected redirect near line 14: redirect_to(+params[:referrer]+, :notice => "Portfolio was successfully cr>>
+------------+-----------------------+---------+--------------+----------------------------------------------------------------------------------------------------------------------->>

Why might this be? What risk is Brakeman still identifying?


Source: (StackOverflow)

Ruby On Rails - What do these Brakeman warnings mean?

I am using brakeman gem for scanning my app.

After scanning the app, I get the following warnings:

#Security warnings

Method                  | Warning Type    | Message                    
------------------------------------------------------
show                    | Unscoped Find   | Unscoped call to PatientMessage#find near line 27: Message.find(+params[:id]+)
------------------------------------------------------

#Controller warnings:

Controller            | Warning Type               | Message
----------------------------------------------------------------------------
ApplicationController | Cross-Site Request Forgery | 'protect_from_forgery' should be called in ApplicationController

Can someone help figure out what these warnings mean?


Source: (StackOverflow)
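The "Unscoped call to find" warning is about authorization rather than input validation: `Message.find(params[:id])` returns whichever row has that id, so any signed-in user who can guess an id can read another user's message. The usual fix is to start the query from the owner, `current_user.messages.find(params[:id])`, so rows belonging to other users are simply not found. The second warning means ApplicationController does not call `protect_from_forgery`, the line that makes Rails verify the CSRF token on non-GET requests; adding it to the base controller resolves that one. The Ruby below is an added example, not code from the question or from ActiveRecord: it uses an in-memory array of constructed records so the difference between the two lookups can be run stand-alone, and the `user_id` column and the `params` hash are assumptions.

```ruby
# Constructed records standing in for rows in a messages table.
MESSAGES = [
  { id: 1, user_id: 10, body: "hello from alice" },
  { id: 2, user_id: 11, body: "hello from bob" },
].freeze

class RecordNotFound < StandardError; end

# Unscoped lookup: any authenticated user who can guess an id gets the row,
# whoever it belongs to. This is what the Brakeman warning points at.
def find_message(id)
  MESSAGES.find { |m| m[:id] == id } or raise RecordNotFound, "message #{id}"
end

# Scoped lookup: the query starts from the current user's own messages, so
# another user's id behaves exactly like an id that does not exist. Raising
# the same RecordNotFound in both cases avoids confirming that the id exists.
def find_message_for(current_user_id, id)
  MESSAGES.find { |m| m[:user_id] == current_user_id && m[:id] == id } or
    raise RecordNotFound, "message #{id}"
end

# Request parameters arrive as strings; Integer() turns "2" into 2 and
# rejects anything that is not a whole number before it reaches the query.
def message_id_param(params)
  Integer(params["id"])
end

if __FILE__ == $0
  # Constructed request: user 10 asks for message 2, which belongs to user 11.
  id = message_id_param("id" => "2")
  puts find_message(id)[:body]           # leaks bob's message
  begin
    find_message_for(10, id)
  rescue RecordNotFound => e
    puts "scoped lookup: #{e.message} not found"
  end
end
```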

Error while executing the rcov report, rails stats report and brakeman warnings from Jenkins

I am using Jenkins for the deployment process and it works fine. When I try to take the rcov report, rails stats report and brakeman warnings, I get:

[ubuntu@xx.xxx.xxx.xx] executing command
 ** [out :: ubuntu@xx.xxx.xxx.xx] Starting Unicorn..
command finished in 2228ms
POST BUILD TASK : SUCCESS
END OF POST BUILD TASK : 0
ERROR: Publisher hudson.plugins.brakeman.BrakemanPublisher aborted due to exception
java.io.FileNotFoundException: /home/kannan/.jenkins/workspace/Publisher Dev/brakeman-output.tabs (No such file or directory)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:137)
    at hudson.FilePath.read(FilePath.java:1570)
    at hudson.FilePath.readToString(FilePath.java:1595)
    at hudson.plugins.brakeman.BrakemanPublisher.perform(BrakemanPublisher.java:99)
    at hudson.plugins.analysis.core.HealthAwarePublisher.perform(HealthAwarePublisher.java:146)
    at hudson.plugins.analysis.core.HealthAwareRecorder.perform(HealthAwareRecorder.java:331)
    at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:19)
    at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:804)
    at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:776)
    at hudson.model.Build$BuildExecution.post2(Build.java:183)
    at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:726)
    at hudson.model.Run.execute(Run.java:1618)
    at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:46)
    at hudson.model.ResourceController.execute(ResourceController.java:88)
    at hudson.model.Executor.run(Executor.java:247)
Publishing rails stats report...
Build failed, skipping rcov coverage report
Build step 'Publish Rcov report' marked build as failure
Finished: FAILURE

What am I supposed to do?


Source: (StackOverflow)

brakeman report - Direct Model attribute used as the filename

Brakeman is showing the following error. The files are managed with Paperclip. In my controller:

asset_file ||= AssetFile.find(params[:id])

if asset_file
  # downloading file
  send_file asset_file.uploaded_file.path, :type => asset_file.uploaded_file_content_type
else
  flash[:error] = t('document.mind_your_asset_file')
  redirect_to root_url
end



Source: (StackOverflow)

Safe redirect to nested resource in Rails

I recently added the Brakeman gem to my Gemfile and saw that I should use

:only_path => true

to make it more secure. But I'm using a nested resource and don't know exactly how; here is the part from my controller.

if @comment.update_attributes(params[:comment])
  redirect_to [@message, @comment], notice: 'Comment was successfully updated.'
end

How can I do this? I only saw the only_path attribute with the url_for helper. Thanks for your help!


Source: (StackOverflow)
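Both redirect questions on this page involve `only_path: true`, which is an option of `url_for`. For a record-based target such as `[@message, @comment]`, `polymorphic_path([@message, @comment])` already produces a path without a host. For a String such as `params[:referrer]` the option has nothing to act on: `redirect_to` sends a String to the browser unchanged, and the `only_path: true` in the `create` action above ends up in the response options hash and is ignored, which is why Brakeman keeps warning that `params[:referrer]` reaches `redirect_to` unchecked. The Ruby below is an added example, not code from either question or from Rails, showing the check a controller would run before redirecting to a request-supplied String: accept site-absolute paths or absolute URLs on an expected host, and fall back to a default for everything else. `allowed_hosts` and the fallback value are assumptions.

```ruby
require "uri"

# Returns a redirect target that stays on this site: a path starting with a
# single "/" (so not "//evil.example", which browsers read as a scheme-relative
# absolute URL), or an absolute http(s) URL whose host is one we expect.
# Anything else, including unparsable input and backslash variants such as
# "/\evil.example", becomes the fallback.
def safe_redirect_target(candidate, fallback, allowed_hosts: [])
  value = candidate.to_s.strip
  return fallback if value.empty?
  uri = URI.parse(value)
  if uri.scheme.nil? && uri.host.nil?
    # Relative reference: accept only site-absolute paths without backslashes.
    return fallback unless value.start_with?("/") && !value.start_with?("//") && !value.include?("\\")
    return value
  end
  # Absolute reference: scheme must be http(s) and the host must be expected.
  # A userinfo trick like "https://app.example.com@evil.example/" parses with
  # host "evil.example" and is rejected here.
  return fallback unless %w[http https].include?(uri.scheme.to_s.downcase)
  return fallback unless allowed_hosts.include?(uri.host)
  uri.to_s
rescue URI::InvalidURIError
  fallback
end

if __FILE__ == $0
  # Constructed referrer values a request might carry.
  %w[/portfolios/3 //evil.example/phish https://evil.example/phish javascript:alert(1)].each do |ref|
    puts "#{ref} -> #{safe_redirect_target(ref, "/")}"
  end
end
```

In the action this becomes `redirect_to safe_redirect_target(params[:referrer], portfolios_path), notice: "..."`; Brakeman then sees a method call rather than the raw parameter, and more importantly the value has actually been checked.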

path traversal attacks in rails 4.1.0

I am getting a file access warning for the following code:

FileUtils.rm(File.join(Project.with_deleted.find_by(
  :user_id => (User.find_by(:username => (params[:user_id])).id),
  :name => (params[:id])
).satellitedir, params[:image_name]))

warning is:

When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

I tried to sanitize params with:

 if !params[:image_name].gsub(/\\/, '').index('../')
   #my code
 end

but this seems to have no effect on the Hakiri warning.


Source: (StackOverflow)
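This question and the two file-name questions earlier on the page ('abc_1.pdf' built from a model attribute; `send_file asset_file.uploaded_file.path`) are the same warning: a value that can be influenced by a request ends up in a file path. Stripping backslashes and then searching for `../` is a denylist, and `..` on its own or `x/..` pass it while still walking out of the directory. The Ruby below is an added example, not code from the question, Paperclip or Rails: it restricts the name to a bare file name, then resolves it and confirms the result is still under the base directory, and for names built from a model attribute it coerces the attribute to an Integer before formatting. `/srv/uploads`, the `abc_` prefix and the helper names are assumptions; `original_check_passes?` reproduces the question's own gsub/index check so its gaps can be seen.

```ruby
class UnsafePath < StandardError; end

# Resolves a request-controlled file name to a path inside base_dir, or raises.
# Two independent checks: the name must be a bare file name (no separators,
# not "." or ".."), and the fully resolved path must still sit under base_dir.
# The second check is what catches anything the first would miss if it were
# ever loosened, and it works on the resolved path rather than on substrings.
def safe_path_within(base_dir, user_supplied_name)
  name = user_supplied_name.to_s
  raise UnsafePath, "empty name" if name.empty?
  if name != File.basename(name) || name.include?("\\") || %w[. ..].include?(name)
    raise UnsafePath, "path separator or dot segment in #{name.inspect}"
  end
  base = File.expand_path(base_dir)
  full = File.expand_path(name, base)
  raise UnsafePath, "#{full} escapes #{base}" unless full.start_with?(base + File::SEPARATOR)
  full
end

# For names built from a model attribute (the "abc_1.pdf" case), coerce the
# attribute to the type it is supposed to have. An Integer id can only produce
# digits, so the resulting name can never carry a separator or a dot segment.
def report_filename(record_id)
  "abc_#{Integer(record_id)}.pdf"
end

# The check from the question: drop backslashes, then look for "../".
# It lets through ".." and "x/..", both of which still leave the directory.
def original_check_passes?(image_name)
  !image_name.gsub(/\\/, "").index("../")
end

if __FILE__ == $0
  # Constructed inputs: one honest file name and three traversal attempts.
  %w[photo.png ../../etc/passwd .. x/..].each do |name|
    begin
      puts "#{name.inspect}: original check #{original_check_passes?(name) ? 'passes' : 'rejects'}, resolves to #{safe_path_within('/srv/uploads', name)}"
    rescue UnsafePath => e
      puts "#{name.inspect}: original check #{original_check_passes?(name) ? 'passes' : 'rejects'}, safe_path_within rejects (#{e.message})"
    end
  end
end
```

For the `send_file` case the same idea applies in reverse: serve the path Paperclip stored for the record you looked up, never a path or name taken from the request, and let `safe_path_within` be the last line of defence if a request value must participate in the name at all.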