Questions tagged [brakeman]

Open source static-analysis security vulnerability scanner for Ruby on Rails applications

Brakeman is an open source static-analysis security scanner for Ruby on Rails applications. It reads the application source rather than running it, so it needs no server, database or test data, and it reports each finding with a confidence level (High, Medium or Weak). Findings that have been reviewed and accepted can be recorded with brakeman -I, which writes config/brakeman.ignore.

78 questions
19 votes, 3 answers

How to run a specific version of a ruby gem

I am running brakeman outside of my Gemfile, so am not using bundler. If I do gem list, I can see I have the following for brakeman: brakeman (3.3.3, 3.3.2, 3.1.4, 3.1.2). But if I do brakeman --version, I get brakeman 3.1.2, so I am not using the…
Obromios · 15,408 rep · badges 15/72/127
11 votes, 1 answer

How to prevent Brakeman 'unprotected redirect' warning when redirect to external domain is desired?

A model in a Rails app has a url column, where users can enter the address of external sites. The urls are displayed on a page. When clicked, in addition to routing to that url, I need to perform some actions in the app. So I defined a controller…
Andy Harvey · 12,333 rep · badges 17/93/185
9 votes, 3 answers

Ruby on Rails - When to use params.permit! and how to replace it

I'm working on a legacy rails application and the controllers have many instances of params.permit!. When running a Brakeman scan on it, params.permit! opens up the application to mass assignment vulnerabilities. My question is: what is the most…
zasman · 446 rep · badges 1/8/28
9 votes, 2 answers

Ruby on Rails 3.2.13 - Brakeman - Session secret should not be included in version control

I have installed the latest version of the Brakeman gem to help me with Rails application security. I have several Rails applications that I have on two servers, one for development and the other for production. When I ran the Brakeman reports on…
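Added example for the session-secret question above; this is not code from the question or from Rails. Brakeman raises that warning when the secret is assigned as a string literal in the initializer, and the fix in Rails 3.2 is to read it from the environment instead. secret_token_from_env, generate_secret_token and SecretTokenError are hypothetical names; the size used is the one Rails' own generator produces (64 random bytes, 128 hex characters).

```ruby
require "securerandom"

class SecretTokenError < StandardError; end

SECRET_BYTES = 64

# Resolves the secret the way the initializer should: in production a
# missing value is a hard failure at boot, not a silently weak default; in
# development a per-process random value is fine because nothing durable
# is signed with it. A very short value is rejected everywhere as a
# sanity check against pasting a placeholder into the environment.
def secret_token_from_env(env_vars, rails_env)
  token = env_vars["SECRET_TOKEN"]
  if token.nil? || token.strip.empty?
    raise SecretTokenError, "SECRET_TOKEN is not set" if rails_env == "production"
    return SecureRandom.hex(SECRET_BYTES)
  end
  if token.bytesize < SECRET_BYTES
    raise SecretTokenError, "SECRET_TOKEN is too short (#{token.bytesize} bytes)"
  end
  token
end

# Produces a value for the deployment environment or a secrets manager,
# never for a file that is committed.
def generate_secret_token
  SecureRandom.hex(SECRET_BYTES)
end

# In config/initializers/secret_token.rb this would be used as:
#   YourApp::Application.config.secret_token =
#     secret_token_from_env(ENV, Rails.env)
```

A secret that has already been committed should be treated as disclosed: generate a new one, which invalidates existing sessions, and remove the old value from the repository history rather than only from the current commit.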
9 votes, 2 answers

Rails Brakeman warning: Dynamic Render Path false alarm?

I'm just getting started with Rails, so I'm using Brakeman to learn about potential vulnerabilities in my newbie code. It's throwing a high-confidence "Dynamic Render Path" warning about the following code in my show.js.erb…
George Armhold · 30,824 rep · badges 50/153/232
6 votes, 1 answer

Brakeman Error - Unescaped model attribute near

I am getting a lot of errors as follows: Unescaped model attribute near line 20: show_errors(Objective.new(objective_params), :name) Expanded View This is my code: module ApplicationHelper # Error Helper for Form def show_errors(object,…
Harsha M V · 54,075 rep · badges 125/354/529
6 votes, 1 answer

Unprotected redirect not cured by only_path

I have a Rails 4 application, and when I run Brakeman, it (rightly) identifies an unprotected redirect in my create action. However, adding only_path: true (as in the Brakeman Railscast) does not cure the warning: def create refer_url =…
tom_servo · 308 rep · badges 1/15
5 votes, 1 answer

How to fix Cross Site Scripting security warning in rails generated by brakeman?

I used brakeman for generating scanning reports in my application. It generated many Cross Site Scripting security warnings with High Confidence. One of them is: Unescaped parameter value rendered inline near line 47: render(text =>…
venkat · 796 rep · badges 1/10/28
5 votes, 1 answer

ruby on rails brakeman gem and owasp top 10

I was wondering if brakeman covers/scans for OWASP top 10 security vulnerabilities: This is the OWASP top 10: https://www.owasp.org/index.php/Top_10_2013-Top_10 Is there documentation somewhere on brakeman that shows that it covers the above…
Micheal · 2,272 rep · badges 10/49/93
5 votes, 1 answer

Rails brakeman warning of sql injection

I've got a scope in my model: scope :assigned_to_user, ->(user) { task_table = UserTask.table_name joins("INNER JOIN #{task_table} ON #{task_table}.user_id = #{user.id} AND (#{task_table}.type_id = #{table_name}.type_id) …
Gandalf StormCrow · 25,788 rep · badges 70/174/263
5 votes, 2 answers

rails brakeman order sql injection

How can I avoid a brakeman warning in Rails when constructing an order method from parameters? def index @methods = [:name, :manager, :deadline] assignments = Assignment.order(sort_column(@methods) + " " +…
dsilver829 · 295 rep · badges 1/3/9
5 votes, 1 answer

How to secure link_to @variable cross site scripting vulnerabilities

I've just started using the brakeman gem to explore my rails app for security vulnerabilities. I've managed to get everything tidy except for several cross site scripting warnings. These all share the following in common: They're all link_to…
Andy Harvey · 12,333 rep · badges 17/93/185
4 votes, 2 answers

Brakeman Warning Dynamic Render Path

I have this code: users_controller.rb def show @user = User.find_by id: params[:id] @microposts = @user.microposts.order_micropost.paginate(page: params[:page], per_page: 5) end And view/user/show.html.erb <% provide :title, @user.name…
Trần Hồng · 91 rep · badges 2/10
4 votes, 1 answer

What is this "Unscoped call to" warning in Brakeman?

I am getting a warning message when I scan my code with the Brakeman tool. It states that there is an Unscoped call to the following query: @applicant = Applicant.find(params[:id]) Here is the actual error…
Amrinder Singh · 5,300 rep · badges 12/46/88
3 votes, 1 answer

Why is brakeman-guard raising "NoMethodError: undefined method `gsub'"

I'm using the following gems in a Rails 5.2 app. # /Gemfile group :development do gem 'guard' gem 'guard-spring' gem 'guard-rspec' gem 'brakeman', require: false gem 'guard-brakeman' # ... end # ... Brakeman was working fine with…
Andy Harvey · 12,333 rep · badges 17/93/185