streichsbaer/brakeman output

## brakeman output
Loading scanner...
Processing application in /Users/at/src/github.com/OWASP/railsgoat
Processing gems...
[Notice] Detected Rails 5 application
Processing configuration...
[Notice] Escaping HTML by default
Parsing files...
Processing initializers...
Processing libs...sed
Processing routes...
Processing templates...
Processing data flow in templates...
Processing models...
Processing controllers...
Processing data flow in controllers...
Indexing call sites...
Running checks in parallel...
 - CheckBasicAuth
 - CheckBasicAuthTimingAttack
 - CheckCrossSiteScripting
 - CheckContentTag
 - CheckCreateWith
 - CheckDefaultRoutes
 - CheckDeserialize
 - CheckDetailedExceptions
 - CheckDigestDoS
 - CheckDynamicFinders
 - CheckEscapeFunction
 - CheckEvaluation
 - CheckExecute
 - CheckFileAccess
 - CheckFileDisclosure
 - CheckFilterSkipping
 - CheckForgerySetting
 - CheckHeaderDoS
 - CheckI18nXSS
 - CheckJRubyXML
 - CheckJSONEncoding
 - CheckJSONParsing
 - CheckLinkTo
 - CheckLinkToHref
 - CheckMailTo
 - CheckMassAssignment
 - CheckMimeTypeDoS
 - CheckModelAttrAccessible
 - CheckModelAttributes
 - CheckModelSerialize
 - CheckNestedAttributes
 - CheckNestedAttributesBypass
 - CheckNumberToCurrency
 - CheckPermitAttributes
 - CheckQuoteTableName
 - CheckRedirect
 - CheckRegexDoS
 - CheckRender
 - CheckRenderDoS
 - CheckRenderInline
 - CheckResponseSplitting
 - CheckRouteDoS
 - CheckSafeBufferManipulation
 - CheckSanitizeMethods
 - CheckSelectTag
 - CheckSelectVulnerability
 - CheckSend
 - CheckSendFile
 - CheckSessionManipulation
 - CheckSessionSettings
 - CheckSimpleFormat
 - CheckSingleQuotes
 - CheckSkipBeforeFilter
 - CheckSQL
 - CheckSQLCVEs
 - CheckSSLVerify
 - CheckStripTags
 - CheckSymbolDoSCVE
 - CheckTranslateBug
 - CheckUnsafeReflection
 - CheckValidationRegex
 - CheckWithoutProtection
 - CheckXMLDoS
 - CheckYAMLParsing
Checks finished, collecting results...
Generating report...
== Brakeman Report ==

Application Path: /Users/at/src/github.com/OWASP/railsgoat
Rails Version: 5.1.6
Brakeman Version: 4.3.1
Scan Date: 2018-09-20 09:51:57 +0700
Duration: 0.926424 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, ContentTag, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, StripTags, SymbolDoSCVE, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, XMLDoS, YAMLParsing

== Overview ==

Controllers: 17
Models: 12
Templates: 27
Errors: 0
Security Warnings: 17

== Warning Types ==

Command Injection: 1
Cross-Site Request Forgery: 1
Cross-Site Scripting: 1
Dangerous Send: 1
File Access: 1
Format Validation: 1
Mass Assignment: 2
Remote Code Execution: 4
SQL Injection: 2
Session Setting: 3

== Warnings ==

Confidence: High
Category: Cross-Site Request Forgery
Check: ForgerySetting
Message: 'protect_from_forgery' should be called in ApplicationController
File: app/controllers/application_controller.rb
Line: 2

Confidence: High
Category: Cross-Site Scripting
Check: CrossSiteScripting
Message: Unescaped cookie value
Code: cookies[:font]
File: app/views/layouts/application.html.erb
Line: 12

Confidence: High
Category: Dangerous Send
Check: Send
Message: User controlled method execution
Code: self.try(params[:graph])
File: app/controllers/dashboard_controller.rb
Line: 16

Confidence: High
Category: File Access
Check: SendFile
Message: Parameter value used in file name
Code: send_file(params[:type].constantize.new(params[:name]), :disposition => "attachment")
File: app/controllers/benefit_forms_controller.rb
Line: 12

Confidence: High
Category: Format Validation
Check: ValidationRegex
Message: Insufficient validation for 'email' using /.+@.+\..+/i. Use \A and \z as anchors
File: app/models/user.rb
Line: 13

Confidence: High
Category: Mass Assignment
Check: PermitAttributes
Message: Potentially dangerous key allowed for mass assignment
Code: params.require(:user).permit(:email, :admin, :first_name, :last_name)
File: app/controllers/users_controller.rb
Line: 55

Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:class].classify.constantize
File: app/controllers/api/v1/mobile_controller.rb
Line: 17

Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:class].classify.constantize
File: app/controllers/api/v1/mobile_controller.rb
Line: 10

Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:type].constantize
File: app/controllers/benefit_forms_controller.rb
Line: 11

Confidence: High
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: User.where("id = '#{params[:user][:id]}'")
File: app/controllers/users_controller.rb
Line: 29

Confidence: High
Category: Session Setting
Check: SessionSettings
Message: Session cookies should be set to HTTP only
File: config/initializers/session_store.rb
Line: 4

Confidence: High
Category: Session Setting
Check: SessionSettings
Message: Session secret should not be included in version control
File: config/initializers/secret_token.rb
Line: 9

Confidence: High
Category: Session Setting
Check: SessionSettings
Message: Session secret should not be included in version control
File: config/initializers/secret_token.rb
Line: 8

Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: system("cp #{full_file_name} #{data_path}/bak#{Time.zone.now.to_i}_#{file.original_filename}")
File: app/models/benefits.rb
Line: 15

Confidence: Medium
Category: Mass Assignment
Check: MassAssignment
Message: Parameters should be whitelisted for mass assignment
Code: params.require(:user).permit!
File: app/controllers/users_controller.rb
Line: 50

Confidence: Medium
Category: Remote Code Execution
Check: Deserialize
Message: Marshal.load called with parameter value
Code: Marshal.load(Base64.decode64(params[:user]))
File: app/controllers/password_resets_controller.rb
Line: 6

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: select("#{col}")
File: app/models/analytics.rb
Line: 3
	Loading scanner...
	Processing application in /Users/at/src/github.com/OWASP/railsgoat
	Processing gems...
	[Notice] Detected Rails 5 application
	Processing configuration...
	[Notice] Escaping HTML by default
	Parsing files...
	Processing initializers...
	Processing libs...sed
	Processing routes...
	Processing templates...
	Processing data flow in templates...
	Processing models...
	Processing controllers...
	Processing data flow in controllers...
	Indexing call sites...
	Running checks in parallel...
	- CheckBasicAuth
	- CheckBasicAuthTimingAttack
	- CheckCrossSiteScripting
	- CheckContentTag
	- CheckCreateWith
	- CheckDefaultRoutes
	- CheckDeserialize
	- CheckDetailedExceptions
	- CheckDigestDoS
	- CheckDynamicFinders
	- CheckEscapeFunction
	- CheckEvaluation
	- CheckExecute
	- CheckFileAccess
	- CheckFileDisclosure
	- CheckFilterSkipping
	- CheckForgerySetting
	- CheckHeaderDoS
	- CheckI18nXSS
	- CheckJRubyXML
	- CheckJSONEncoding
	- CheckJSONParsing
	- CheckLinkTo
	- CheckLinkToHref
	- CheckMailTo
	- CheckMassAssignment
	- CheckMimeTypeDoS
	- CheckModelAttrAccessible
	- CheckModelAttributes
	- CheckModelSerialize
	- CheckNestedAttributes
	- CheckNestedAttributesBypass
	- CheckNumberToCurrency
	- CheckPermitAttributes
	- CheckQuoteTableName
	- CheckRedirect
	- CheckRegexDoS
	- CheckRender
	- CheckRenderDoS
	- CheckRenderInline
	- CheckResponseSplitting
	- CheckRouteDoS
	- CheckSafeBufferManipulation
	- CheckSanitizeMethods
	- CheckSelectTag
	- CheckSelectVulnerability
	- CheckSend
	- CheckSendFile
	- CheckSessionManipulation
	- CheckSessionSettings
	- CheckSimpleFormat
	- CheckSingleQuotes
	- CheckSkipBeforeFilter
	- CheckSQL
	- CheckSQLCVEs
	- CheckSSLVerify
	- CheckStripTags
	- CheckSymbolDoSCVE
	- CheckTranslateBug
	- CheckUnsafeReflection
	- CheckValidationRegex
	- CheckWithoutProtection
	- CheckXMLDoS
	- CheckYAMLParsing
	Checks finished, collecting results...
	Generating report...
	== Brakeman Report ==

	Application Path: /Users/at/src/github.com/OWASP/railsgoat
	Rails Version: 5.1.6
	Brakeman Version: 4.3.1
	Scan Date: 2018-09-20 09:51:57 +0700
	Duration: 0.926424 seconds
	Checks Run: BasicAuth, BasicAuthTimingAttack, ContentTag, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, StripTags, SymbolDoSCVE, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, XMLDoS, YAMLParsing

	== Overview ==

	Controllers: 17
	Models: 12
	Templates: 27
	Errors: 0
	Security Warnings: 17

	== Warning Types ==

	Command Injection: 1
	Cross-Site Request Forgery: 1
	Cross-Site Scripting: 1
	Dangerous Send: 1
	File Access: 1
	Format Validation: 1
	Mass Assignment: 2
	Remote Code Execution: 4
	SQL Injection: 2
	Session Setting: 3

	== Warnings ==

	Confidence: High
	Category: Cross-Site Request Forgery
	Check: ForgerySetting
	Message: 'protect_from_forgery' should be called in ApplicationController
	File: app/controllers/application_controller.rb
	Line: 2

	Confidence: High
	Category: Cross-Site Scripting
	Check: CrossSiteScripting
	Message: Unescaped cookie value
	Code: cookies[:font]
	File: app/views/layouts/application.html.erb
	Line: 12

	Confidence: High
	Category: Dangerous Send
	Check: Send
	Message: User controlled method execution
	Code: self.try(params[:graph])
	File: app/controllers/dashboard_controller.rb
	Line: 16

	Confidence: High
	Category: File Access
	Check: SendFile
	Message: Parameter value used in file name
	Code: send_file(params[:type].constantize.new(params[:name]), :disposition => "attachment")
	File: app/controllers/benefit_forms_controller.rb
	Line: 12

	Confidence: High
	Category: Format Validation
	Check: ValidationRegex
	Message: Insufficient validation for 'email' using /.+@.+\..+/i. Use \A and \z as anchors
	File: app/models/user.rb
	Line: 13

	Confidence: High
	Category: Mass Assignment
	Check: PermitAttributes
	Message: Potentially dangerous key allowed for mass assignment
	Code: params.require(:user).permit(:email, :admin, :first_name, :last_name)
	File: app/controllers/users_controller.rb
	Line: 55

	Confidence: High
	Category: Remote Code Execution
	Check: UnsafeReflection
	Message: Unsafe reflection method constantize called with parameter value
	Code: params[:class].classify.constantize
	File: app/controllers/api/v1/mobile_controller.rb
	Line: 17

	Confidence: High
	Category: Remote Code Execution
	Check: UnsafeReflection
	Message: Unsafe reflection method constantize called with parameter value
	Code: params[:class].classify.constantize
	File: app/controllers/api/v1/mobile_controller.rb
	Line: 10

	Confidence: High
	Category: Remote Code Execution
	Check: UnsafeReflection
	Message: Unsafe reflection method constantize called with parameter value
	Code: params[:type].constantize
	File: app/controllers/benefit_forms_controller.rb
	Line: 11

	Confidence: High
	Category: SQL Injection
	Check: SQL
	Message: Possible SQL injection
	Code: User.where("id = '#{params[:user][:id]}'")
	File: app/controllers/users_controller.rb
	Line: 29

	Confidence: High
	Category: Session Setting
	Check: SessionSettings
	Message: Session cookies should be set to HTTP only
	File: config/initializers/session_store.rb
	Line: 4

	Confidence: High
	Category: Session Setting
	Check: SessionSettings
	Message: Session secret should not be included in version control
	File: config/initializers/secret_token.rb
	Line: 9

	Confidence: High
	Category: Session Setting
	Check: SessionSettings
	Message: Session secret should not be included in version control
	File: config/initializers/secret_token.rb
	Line: 8

	Confidence: Medium
	Category: Command Injection
	Check: Execute
	Message: Possible command injection
	Code: system("cp #{full_file_name} #{data_path}/bak#{Time.zone.now.to_i}_#{file.original_filename}")
	File: app/models/benefits.rb
	Line: 15

	Confidence: Medium
	Category: Mass Assignment
	Check: MassAssignment
	Message: Parameters should be whitelisted for mass assignment
	Code: params.require(:user).permit!
	File: app/controllers/users_controller.rb
	Line: 50

	Confidence: Medium
	Category: Remote Code Execution
	Check: Deserialize
	Message: Marshal.load called with parameter value
	Code: Marshal.load(Base64.decode64(params[:user]))
	File: app/controllers/password_resets_controller.rb
	Line: 6

	Confidence: Medium
	Category: SQL Injection
	Check: SQL
	Message: Possible SQL injection
	Code: select("#{col}")
	File: app/models/analytics.rb
	Line: 3