@gregose
Created April 7, 2014 04:19
brakeman markdown

BRAKEMAN REPORT

| Application path | Rails version | Brakeman version | Started at | Duration |
| --- | --- | --- | --- | --- |
| /Users/gose/github/brakeman/test/apps/rails3 | 3.0.3 | 2.4.3github5 | 2014-04-06 23:19:33 -0500 | 0.698895 seconds |

Checks performed
BasicAuth, ContentTag, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, EscapeFunction, Evaluation, Execute, FileAccess, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NumberToCurrency, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, ResponseSplitting, SQL, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, StripTags, SymbolDoS, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, YAMLParsing

SUMMARY

| Scanned/Reported | Total |
| --- | --- |
| Controllers | 7 |
| Models | 8 |
| Templates | 34 |
| Errors | 0 |
| Security Warnings | 119 (91) |

| Warning Type | Total |
| --- | --- |
| Attribute Restriction | 2 |
| Command Injection | 13 |
| Cross Site Scripting | 43 |
| Cross-Site Request Forgery | 1 |
| Dangerous Eval | 1 |
| Default Routes | 1 |
| Denial of Service | 4 |
| Dynamic Render Path | 1 |
| File Access | 5 |
| Format Validation | 3 |
| Mail Link | 1 |
| Mass Assignment | 11 |
| Redirect | 3 |
| Remote Code Execution | 12 |
| SQL Injection | 16 |
| Session Setting | 2 |

SECURITY WARNINGS

| Confidence | Class | Method | Warning Type | Message |
| --- | --- | --- | --- | --- |
| High | HomeController | test_command | Command Injection | Possible command injection near line 34: `ls #{params[:file_name]}` |
| High | HomeController | test_more_ways_to_execute | Command Injection | Possible command injection near line 146: Open3.capture2("ls #{params[:dir]}") |
| High | HomeController | test_more_ways_to_execute | Command Injection | Possible command injection near line 147: Open3.capture2e("ls #{params[:dir]}") |
| High | HomeController | test_more_ways_to_execute | Command Injection | Possible command injection near line 148: Open3.capture3("ls #{params[:dir]}") |
| High | HomeController | test_more_ways_to_execute | Command Injection | Possible command injection near line 149: Open3.pipeline("sort", "uniq", :in => (params[:file])) |
| High | HomeController | test_more_ways_to_execute | Command Injection | Possible command injection near line 150: Open3.pipeline_r("sort #{params[:file]}", "uniq") |
| High | HomeController | test_more_ways_to_execute | Command Injection | Possible command injection near line 151: Open3.pipeline_rw(params[:cmd], "sort -g") |
| High | HomeController | test_more_ways_to_execute | Command Injection | Possible command injection near line 152: Open3.pipeline_start(*params[:cmds]) |
| High | HomeController | test_more_ways_to_execute | Command Injection | Possible command injection near line 154: POSIX::Spawn.spawn(params[:cmd]) |
| High | HomeController | test_command | Command Injection | Possible command injection near line 36: system(params[:user_input]) |
| High | HomeController | test_more_ways_to_execute | Command Injection | Possible command injection near line 153: spawn("some_cool_command #{params[:opts]}") |
| High | User | sanitized_profile | Cross Site Scripting | Rails 3.0.3 has a vulnerability in sanitize: upgrade to 3.2.13 or patch near line 40: sanitize(self.profile.to_s) |
| High | | | Cross Site Scripting | Versions before 3.0.10 have a vulnerability in strip_tags (CVE-2011-2931) |
| High | HomeController | test_eval | Dangerous Eval | User input in eval near line 40: eval(params[:dangerous_input]) |
| High | | | Default Routes | All public methods in controllers are available as actions in routes.rb near line 101 |
| High | | | Denial of Service | json_pure gem version 1.6.4 has a symbol creation vulnerablity: upgrade to 1.6.8 |
| High | | | Denial of Service | Rails 3.0.3 has a denial of service vulnerability (CVE-2014-0082). Upgrade to Rails version 3.2.17 |
| High | | | Denial of Service | Vulnerability in digest authentication (CVE-2012-3424). Upgrade to Rails version 3.0.16 |
| High | HomeController | test_file_access | File Access | Parameter value used in file name near line 24: File.open(((RAILS_ROOT + "/") + params[:file])) |
| High | HomeController | test_yaml_file_access | File Access | Parameter value used in file name near line 109: YAML.parse_file(("whatever/" + params[:file_name])) |
| High | HomeController | test_load_params | File Access | Parameter value used in file name near line 67: load(params[:file]) |
| High | OtherController | test_send_file | File Access | Parameter value used in file name near line 21: send_file(params[:file]) |
| High | Account | mass_assign_it | Mass Assignment | Unprotected mass assignment near line 9: Account.new(params[:account_info]) |
| High | HomeController | test_mass_assignment | Mass Assignment | Unprotected mass assignment near line 54: User.new(params[:user]) |
| High | HomeController | test_model_build | Mass Assignment | Unprotected mass assignment near line 73: User.new.something.something.build(params[:awesome_user]) |
| High | HomeController | test_more_mass_assignment_methods | Mass Assignment | Unprotected mass assignment near line 114: User.first_or_create(params[:user]) |
| High | HomeController | test_more_mass_assignment_methods | Mass Assignment | Unprotected mass assignment near line 116: User.first_or_initialize!(params[:user]) |
| High | HomeController | test_more_mass_assignment_methods | Mass Assignment | Unprotected mass assignment near line 119: User.find(1).assign_attributes(params[:update]) |
| High | HomeController | test_more_mass_assignment_methods | Mass Assignment | Unprotected mass assignment near line 118: User.update(1, params[:update]) |
| High | HomeController | test_redirect | Redirect | Possible unprotected redirect near line 45: redirect_to(params) |
| High | HomeController | test_only_path_wrong | Redirect | Possible unprotected redirect near line 77: redirect_to(params[:user], :only_path => (true)) |
| High | HomeController | test_url_for_only_path | Redirect | Possible unprotected redirect near line 83: redirect_to(url_for(params)) |
| High | HomeController | test_yaml_file_access | Remote Code Execution | YAML.load called with parameter value near line 106: YAML.load("some/path/#{params[:user][:file]}") |
| High | HomeController | test_yaml_load | Remote Code Execution | YAML.load called with parameter value near line 123: YAML.load(params[:input]) |
| High | HomeController | test_more_yaml_methods | Remote Code Execution | YAML.load_documents called with parameter value near line 130: YAML.load_documents(params[:input]) |
| High | HomeController | test_more_yaml_methods | Remote Code Execution | YAML.load_stream called with cookie value near line 131: YAML.load_stream(cookies[:thing]) |
| High | HomeController | test_more_yaml_methods | Remote Code Execution | YAML.parse_documents called with parameter value near line 132: YAML.parse_documents("a: #{params[:a]}") |
| High | | | Remote Code Execution | Rails 3.0.3 has a serious JSON parsing vulnerability: upgrade to 3.0.20 or patch |
| High | HomeController | test_sql | SQL Injection | Possible SQL injection near line 30: User.first(:conditions => ("name = '#{params[:name]}'")) |
| High | OtherController | test_sql_deletes | SQL Injection | Possible SQL injection near line 57: User.delete_all("name = #{params[:name]}") |
| High | OtherController | test_sql_deletes | SQL Injection | Possible SQL injection near line 58: User.destroy_all("human = #{User.current.humanity}") |
| High | User | sql_in_if_branches | SQL Injection | Possible SQL injection near line 32: User.where((z or "name like '%#{params[:name]}%'")) |
| High | | | SQL Injection | Rails 3.0.3 contains a SQL injection vulnerability (CVE-2013-6417). Upgrade to 3.2.16 |
| High | | | SQL Injection | Rails 3.0.3 contains a SQL injection vulnerability (CVE-2012-2660). Upgrade to 3.0.13 |
| High | | | SQL Injection | Rails 3.0.3 contains a SQL injection vulnerability (CVE-2012-5664). Upgrade to 3.0.18 |
| High | | | SQL Injection | Rails 3.0.3 contains a SQL injection vulnerability (CVE-2013-0155). Upgrade to 3.0.19 |
| High | | | SQL Injection | Rails 3.0.3 contains a SQL injection vulnerability (CVE-2012-2661). Upgrade to 3.0.13 |
| High | | | SQL Injection | Rails 3.0.3 contains a SQL injection vulnerability (CVE-2012-2695). Upgrade to 3.0.14 |
| High | | | Session Setting | Session cookies should be set to HTTP only near line 3 |
| High | | | Session Setting | Session cookie should be set to secure only near line 3 |
| Medium | OtherController | test_command_injection_locals | Command Injection | Possible command injection near line 48: `#{some_command}` |
| Medium | OtherController | test_command_injection_locals | Command Injection | Possible command injection near line 49: system("ls #{some_files}") |
| Medium | | | Cross Site Scripting | Rails 3.0.3 has a vulnerabilty in SafeBuffer. Upgrade to 3.0.12 or apply patches. |
| Medium | | | Cross Site Scripting | Versions before 3.0.11 have a vulnerability in the translate helper with keys ending in _html. |
| Medium | | | Cross Site Scripting | Rails 3.0.3 has a vulnerability in number helpers (CVE-2014-0081). Upgrade to Rails version 3.2.17 |
| Medium | | | Cross Site Scripting | Rails 3.0.3 does not escape single quotes (CVE-2012-3464). Upgrade to 3.0.17 |
| Medium | | | Denial of Service | Rails 3.0.3 has a denial of service vulnerability (CVE-2013-6414). Upgrade to Rails version 3.2.16 |
| Medium | HomeController | test_dynamic_render | Dynamic Render Path | Render path contains parameter value near line 63: render(file => "/some/path/#{params[:page]}", {}) |
| Medium | ProductsController | create | Mass Assignment | Unprotected mass assignment near line 43: Product.new(params[:product]) |
| Medium | ProductsController | update | Mass Assignment | Unprotected mass assignment near line 62: Product.find(params[:id]).update_attributes(params[:product]) |
| Medium | HomeController | test_yaml_load | Remote Code Execution | YAML.load called with cookie value near line 125: YAML.load(x(cookies[:store])) |
| Medium | HomeController | test_yaml_load | Remote Code Execution | YAML.load called with model attribute near line 126: YAML.load(User.first.bad_stuff) |
| Medium | HomeController | test_more_yaml_methods | Remote Code Execution | YAML.parse_stream called with model attribute near line 133: YAML.parse_stream(User.find(1).upload) |
| Medium | HomeController | test_sql | SQL Injection | Possible SQL injection near line 29: User.all(:conditions => ("status = '#{happy}'")) |
| Medium | HomeController | test_sql | SQL Injection | Possible SQL injection near line 28: User.find_by_sql("select * from users where something = '#{(local some_var)}'") |
| Medium | OtherController | test_sql_to_s | SQL Injection | Possible SQL injection near line 68: Product.find(:all, :conditions => (("product_status_id = " + (local status).to_s))) |
| Medium | OtherController | test_sql_to_s | SQL Injection | Possible SQL injection near line 64: Product.where(:id => (product_id)).update_all(["#{"#{product_action_type_key.to_s}_count"} = #{"#{product_action_type_key.to_s}_count"} + ?", delta]) |
| Medium | Underline_Model | inject! | SQL Injection | Possible SQL injection near line 3: User.where("a < #{(local b)}") |
| Medium | | | SQL Injection | Versions before 3.0.10 have a vulnerability in quote_table_name: CVE-2011-2930 |
| Weak | HomeController | test_mass_assignment_with_hash | Mass Assignment | Unprotected mass assignment near line 58: User.new(:name => (params[:user][:name])) |
| Weak | HomeController | test_more_mass_assignment_methods | Mass Assignment | Unprotected mass assignment near line 115: User.first_or_create!(:name => (params[:user][:name])) |

Controller Warnings:

| Confidence | Controller | Warning Type | Message |
| --- | --- | --- | --- |
| High | ApplicationController | Cross-Site Request Forgery | 'protect_from_forgery' should be called in ApplicationController |

Model Warnings:

| Confidence | Model | Warning Type | Message |
| --- | --- | --- | --- |
| High | Account, User | Attribute Restriction | Mass assignment is not restricted using attr_accessible |
| High | Product | Attribute Restriction | attr_protected is bypassable in 3.0.3, use attr_accessible or upgrade to 3.2.11 |
| High | Account | Format Validation | Insufficient validation for 'name' using /^[a-zA-Z]+$/. Use \A and \z as anchors near line 2 |
| High | Account | Format Validation | Insufficient validation for 'blah' using /\A[a-zA-Z]+$/. Use \A and \z as anchors near line 3 |
| High | Account | Format Validation | Insufficient validation for 'something' using /[a-zA-Z]\z/. Use \A and \z as anchors near line 4 |
| High | User | Remote Code Execution | Serialized attributes are vulnerable in Rails 3.0.3, upgrade to 3.2.11 or patch. |
| Medium | Product | Remote Code Execution | Serialized attributes are vulnerable in Rails 3.0.3, upgrade to 3.2.11 or patch. |
| Medium | Purchase | Remote Code Execution | Serialized attributes are vulnerable in Rails 3.0.3, upgrade to 3.2.11 or patch. |

View Warnings:

| Confidence | Template | Warning Type | Message |
| --- | --- | --- | --- |
| High | home/test_content_tag (HomeController#test_content_tag) | Cross Site Scripting | Unescaped parameter value in content_tag near line 8: content_tag(:span, raw(params[:blah])) |
| High | home/test_content_tag (HomeController#test_content_tag) | Cross Site Scripting | Unescaped cookie value in content_tag near line 14: content_tag(:div, "Blah!", cookies[:weird] => "bad idea") |
| High | home/test_content_tag (HomeController#test_content_tag) | Cross Site Scripting | Unescaped model attribute in content_tag near line 20: content_tag(:div, "Blah!", { User.find(current_user).something => "bad idea" }, true) |
| High | home/test_content_tag (HomeController#test_content_tag) | Cross Site Scripting | Unescaped model attribute in content_tag near line 26: content_tag(:div, "Blah!", { :id => (User.find(current_user).name) }, false) |
| High | home/test_content_tag (HomeController#test_content_tag) | Cross Site Scripting | Unescaped parameter value in content_tag near line 32: content_tag(params[:whyyy], "Don't do this") |
| High | home/test_content_tag (HomeController#test_content_tag) | Cross Site Scripting | Unescaped model attribute in content_tag near line 35: content_tag(User.find(current_user).preferred_markup, "Seriously") |
| High | before/use_filter12345 (BeforeController#use_filter12345) | Cross Site Scripting | Unescaped model attribute near line 3: User.find(params[:user_id]).account.purchases.last.total |
| High | before/use_filter12345 (BeforeController#use_filter12345) | Cross Site Scripting | Unescaped model attribute near line 5: User.find(params[:user_id]).name |
| High | before/use_filter12345 (BeforeController#use_filter12345) | Cross Site Scripting | Unescaped model attribute near line 8: User.find(params[:user_id]).bill.total |
| High | before/use_filters12 (BeforeController#use_filters12) | Cross Site Scripting | Unescaped model attribute near line 1: User.find(params[:user_id]).name |
| High | before/use_filters12 (BeforeController#use_filters12) | Cross Site Scripting | Unescaped model attribute near line 4: User.find(params[:user_id]).bill.total |
| High | home/test_model (HomeController#test_model) | Cross Site Scripting | Unescaped model attribute near line 3: User.first.name |
| High | home/test_model (HomeController#test_model) | Cross Site Scripting | Unescaped model attribute near line 6: auto_link(User.profile) |
| High | home/test_sql (HomeController#test_sql) | Cross Site Scripting | Unescaped model attribute near line 3: User.first(:conditions => ("name = '#{params[:name]}'")) |
| High | other/_user (OtherController#test_collection) | Cross Site Scripting | Unescaped model attribute near line 1: User.new.first_name |
| High | other/test_iteration (OtherController#test_iteration) | Cross Site Scripting | Unescaped model attribute near line 3: User.new.name |
| High | other/test_iteration (OtherController#test_iteration) | Cross Site Scripting | Unescaped model attribute near line 4: User.new.email |
| High | products/_form (Template:products/new) | Cross Site Scripting | Unescaped model attribute near line 15: Product.new(params[:product]).something |
| High | before/use_filter12345 (BeforeController#use_filter12345) | Cross Site Scripting | Unescaped parameter value near line 1: params[:search] |
| High | child/action_in_child (ChildController#action_in_child) | Cross Site Scripting | Unescaped parameter value near line 1: params[:horrible_thing] |
| High | home/index (HomeController#index) | Cross Site Scripting | Unescaped parameter value near line 3: params[:user_input] |
| High | home/index (HomeController#test_render) | Cross Site Scripting | Unescaped parameter value near line 5: params[:unsafe_input] |
| High | home/test_cookie (HomeController#test_cookie) | Cross Site Scripting | Unescaped cookie value near line 3: cookies[:name] |
| High | home/test_cookie (HomeController#test_cookie) | Cross Site Scripting | Unescaped cookie value near line 6: cookies[:x][:y] |
| High | home/test_filter (HomeController#test_filter) | Cross Site Scripting | Unescaped parameter value near line 3: params[:evil_input] |
| High | home/test_params (HomeController#test_params) | Cross Site Scripting | Unescaped parameter value near line 4: params[:name] |
| High | home/test_params (HomeController#test_params) | Cross Site Scripting | Unescaped parameter value near line 10: params[:x][:y] |
| High | home/test_params (HomeController#test_params) | Cross Site Scripting | Unescaped parameter value near line 20: request.parameters |
| High | other/test_locals (OtherController#test_locals) | Cross Site Scripting | Unescaped parameter value near line 4: params[:user_input] |
| High | whatever/wherever/nested/so_nested (Whatever::Wherever::NestedController#so_nested) | Cross Site Scripting | Unescaped parameter value near line 1: params[:x] |
| High | home/test_params (HomeController#test_params) | Cross Site Scripting | Unsafe parameter value in link_to href near line 14: link_to("more text", params[:dangerous]) |
| High | other/test_select_tag | Cross Site Scripting | Upgrade to Rails 3.0.17, 3.0.3 select_tag is vulnerable (CVE-2012-3463) near line 3: select_tag("name", options, :prompt => ("Select #{params[:name]}")) |
| High | home/test_file_access (HomeController#test_file_access) | File Access | Parameter value used in file name near line 3: File.open(params[:name]) |
| High | other/test_mail_to (OtherController#test_mail_to) | Mail Link | Vulnerability in mail_to using javascript encoding (CVE-2011-0446). Upgrade to Rails version 3.0.4 near line 1: mail_to(User.find(current_user).email, User.find(current_user).name, :encode => :javascript) |
| Medium | home/test_params (HomeController#test_params) | Cross Site Scripting | Unsafe parameter value in link_to href near line 12: link_to("some text", ensure_valid_proto!(params[:not_so_bad], :js)) |
| Medium | home/test_params (HomeController#test_params) | Cross Site Scripting | Unsafe parameter value in link_to href near line 16: link_to("donkey", not_safe(params[:bad_robot])) |
| Medium | home/test_params (HomeController#test_params) | Cross Site Scripting | Unsafe parameter value in link_to href near line 18: link_to("Helvetica hoodie bushwick", h(params[:js_xss])) |
| Weak | home/test_cookie (HomeController#test_cookie) | Cross Site Scripting | Unescaped cookie value near line 4: indirect(cookies[:chipsahoy]) |
| Weak | home/test_params (HomeController#test_params) | Cross Site Scripting | Unescaped parameter value near line 6: indirect_method(params[:input]) |