Brakeman Report

Application Path: /home/justin/work/brakeman/tests/test-app
Report Generation Time: 2010-09-07 14:26:15 -0700
Checks Performed: CrossSiteScripting, DefaultRoutes, Evaluation, Execute, FileAccess, ForgerySetting, MassAssignment, ModelAttributes, Redirect, Render, SQL, SendFile, SessionSettings, ValidationRegex

Summary

Scanned/Reported | Total
Controllers | 3
Models | 3
Templates | 10
Errors | 0
Security Warnings | 30 (23 at High confidence)

Warning Type | Total
Attribute Restriction | 1
Command Injection | 3
Cross Site Scripting | 10
Cross-Site Request Forgery | 1
Default Routes | 1
Dynamic Render Path | 2
File Access | 3
Format Validation | 1
Mass Assignment | 1
Redirect | 2
SQL Injection | 5

Security Warnings

Confidence | Class | Method | Warning Type | Message
High | Dangerous | dangerous_system_calls | Command Injection | Possible command injection near line 3: system("echo #{params[:file]}")
High | Dangerous | dangerous_system_calls | Command Injection | Possible command injection near line 5: exec(params[:command])
High | | | Default Routes | All public methods in controllers are available as actions in routes.rb near line 43
High | HomeController | dynamic_render | Dynamic Render Path | Render path is dynamic near line 35: render(partial => "home/something_#{params[:bad]}", { })
High | FileAccess | file_delete | File Access | Parameter value used in file name near line 3: File.delete(params[:file])
High | FileAccess | file_unlink | File Access | Cookie value used in file name near line 7: File.unlink(cookies[:file_name])
High | HomeController | get_file | File Access | Parameter value used in file name near line 43: send_file(("/var/www/uploads/" + params[:filename].gs...
High | UsersController | create | Mass Assignment | Unprotected mass assignment near line 43: User.new(params[:user])
High | UsersController | bad_redirect | Redirect | Possible unprotected redirect near line 91: redirect_to(params)
High | HomeController | bad_sql | SQL Injection | Possible SQL injection near line 11: User.find(:all, :conditions => ("name = '#{params[:name]}'"))
High | HomeController | more_bad_sql | SQL Injection | Possible SQL injection near line 16: User.find_by_sql("SELECT * FROM users WHERE name = '#{params[:na...
High | UsersController | bad_signin_sql | SQL Injection | Possible SQL injection near line 109: User.find(:first, "login = '#{params[:name]}' AND password = '#...
Medium | Dangerous | possibly_unsafe | Command Injection | Possible command injection near line 13: `#{command}`
Medium | HomeController | could_be_unsafe | SQL Injection | Possible SQL injection near line 21: User.find(:first, :conditions => (["name = '#{some_unknown_value...
Medium | UsersController | sql_in_model | SQL Injection | Possible SQL injection near line 85: find_by_sql("SELECT name, email FROM users WHERE email LIKE '%#{...
Weak | HomeController | dynamic_render2 | Dynamic Render Path | Render path is dynamic near line 39: render(action => some_action, { })
Weak | UsersController | update | Redirect | Possible unprotected redirect near line 63: redirect_to(User.find(params[:id]), :notice => "User was ...
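The High-confidence findings in this table share one root cause: a request value reaches a shell command, a SQL string, a filesystem path or a redirect target unchanged. The following is an added example, not code from the test app or from Brakeman, that puts each vulnerable shape beside a hardened one in plain Ruby so it runs without Rails. The HOSTILE_PARAMS values, the UPLOAD_ROOT constant, the function names, and the quote_literal/sql_with_binds stand-in for ActiveRecord's conditions-array form are all assumptions made for the illustration.

```ruby
require "shellwords"
require "uri"

# Constructed request parameters standing in for Rails' params hash; each value is the
# kind of hostile input the flagged call would receive (not data from the test app).
HOSTILE_PARAMS = {
  file:     "report.txt; rm -rf /",
  name:     "bob' OR '1'='1",
  filename: "../../../etc/passwd",
  redirect: "http://evil.example/phish",
}.freeze

# --- Command Injection (Dangerous#dangerous_system_calls) ---------------------------
# Vulnerable shape: the parameter lands inside one shell string, so ';', '|' and
# '$(...)' are interpreted by /bin/sh. Returned here rather than executed.
def command_vulnerable(file)
  "echo #{file}"
end

# Hardened shape: program and arguments as separate argv entries. Kernel#system with
# more than one argument execs the program directly and never consults a shell.
def command_argv(file)
  ["echo", file]
end

# When a single string is unavoidable, Shellwords.escape neutralises every metacharacter.
def command_escaped(file)
  "echo #{Shellwords.escape(file)}"
end

# --- SQL Injection (HomeController#bad_sql and the other find/find_by_sql rows) -----
def sql_vulnerable(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Stand-in for ActiveRecord's conditions array, ["name = ?", value]: each '?' is
# replaced by the value quoted as a literal with embedded quotes doubled, so the
# payload can only ever be compared as data. Real code hands the binds to the database
# driver; the quoting is reimplemented here only so the contrast runs without Rails.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def sql_with_binds(template, *binds)
  template.gsub("?") { quote_literal(binds.shift) }
end

def sql_safe(name)
  sql_with_binds("SELECT * FROM users WHERE name = ?", name)
end

# --- File Access (HomeController#get_file) ------------------------------------------
UPLOAD_ROOT = "/var/www/uploads".freeze

# Vulnerable shape: concatenation lets "../" walk out of the upload directory.
def upload_path_vulnerable(filename)
  UPLOAD_ROOT + "/" + filename
end

# Hardened shape: resolve the candidate and refuse anything not under UPLOAD_ROOT.
# Rejects "../" traversal, absolute paths, the empty name and "~user" expansion.
def upload_path_safe(filename)
  return nil if filename.to_s.start_with?("~")
  candidate = File.expand_path(filename.to_s, UPLOAD_ROOT)
  candidate.start_with?(UPLOAD_ROOT + "/") ? candidate : nil
end

# --- Redirect (UsersController#bad_redirect) ----------------------------------------
# redirect_to(params) follows whatever the request supplies. Accept only a local path:
# no scheme, no host, exactly one leading "/" (so "//evil.example", which browsers
# treat as protocol-relative, is refused), no backslash, and fall back otherwise.
def safe_redirect_target(target, fallback = "/")
  target = target.to_s
  uri = URI.parse(target)
  local = uri.scheme.nil? && uri.host.nil? &&
          target.start_with?("/") && !target.start_with?("//") && !target.include?("\\")
  local ? target : fallback
rescue URI::InvalidURIError
  fallback
end
```

The same pattern covers the FileAccess rows that use cookies[:file_name]: a cookie is attacker-controlled exactly like a parameter, so it goes through upload_path_safe before File.delete or File.unlink.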

Controller Warnings

Confidence | Controller | Warning Type | Message
High | ApplicationController | Cross-Site Request Forgery | 'protect_from_forgery' should be called in ApplicationController

Model Warnings

Confidence | Model | Warning Type | Message
High | Dangerous, FileAccess, User | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | User | Format Validation | Insufficient validation for 'name' using /^\w+$/. Use \A and \z as anchors near line 2
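Both model warnings are about what a model accepts from a request: which attributes, and what shape a value may have. The following is an added example, not the test app's User model and not ActiveRecord: a plain-Ruby stand-in showing the whitelist that attr_accessible provides and why /^\w+$/ accepts a multi-line name that /\A\w+\z/ rejects. The class body, the request hash and the MULTILINE_NAME payload are constructed for the illustration.

```ruby
# Constructed stand-in for the User model named in the report (not the test app's code):
# plain Ruby, no ActiveRecord, so it runs here.
class User
  attr_accessor :name, :email, :admin

  # Whitelist equivalent of `attr_accessible :name, :email`. Anything else in the request
  # hash, such as a crafted params[:user][:admin], is dropped instead of assigned.
  ACCESSIBLE = %w[name email].freeze

  # The report's pattern: ^ and $ anchor to line boundaries, so only the first line of a
  # multi-line value is checked.
  NAME_FORMAT_LINE_ANCHORED = /^\w+$/

  # The fix Brakeman suggests: \A and \z anchor to the start and end of the whole string
  # (\Z would still tolerate one trailing newline).
  NAME_FORMAT = /\A\w+\z/

  def initialize(attributes = {})
    assign_attributes(attributes)
  end

  # Mirrors `User.new(params[:user])`, but filtered through the whitelist.
  def assign_attributes(attributes)
    attributes.each do |key, value|
      next unless ACCESSIBLE.include?(key.to_s)
      public_send("#{key}=", value)
    end
    self
  end

  def valid_name?(pattern = NAME_FORMAT)
    !!(name.to_s =~ pattern)
  end
end

# Constructed request body: the attacker adds an admin flag next to the expected fields.
def user_from_request
  params = { "user" => { "name" => "alice", "email" => "alice@example.com", "admin" => true } }
  User.new(params["user"])
end

# Constructed name carrying a payload after a newline: passes the line-anchored pattern
# (the first line is all word characters), fails the string-anchored one.
MULTILINE_NAME = "alice\n<script>alert(1)</script>".freeze
```

Because Ruby's $ also matches just before a final newline, even "alice\n" passes /^\w+$/; \z is the only anchor that insists the match reaches the true end of the string.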

View Warnings

Confidence | Template | Warning Type | Message
High | home/_model (Template:home/collection) | Cross Site Scripting | Unescaped model attribute near line 2: (Unresolved Model).new.name
High | home/index (HomeController#index) | Cross Site Scripting | Unescaped model attribute near line 2: User.find(params[:user_id]).name
High | home/something (HomeController#render_locals) | Cross Site Scripting | Unescaped model attribute near line 4: User.all.first.bad
High | home/test (HomeController#test) | Cross Site Scripting | Unescaped parameter value near line 6: params[:direct_use]
High | home/test (HomeController#test) | Cross Site Scripting | Unescaped cookie value near line 10: cookies[:unsafe]
High | home/test (HomeController#test) | Cross Site Scripting | Unescaped parameter value near line 20: request.query_parameters[:user_input]
High | users/index (UsersController#index) | Cross Site Scripting | Unescaped model attribute near line 13: User.new.name
High | users/index (UsersController#index) | Cross Site Scripting | Unescaped model attribute near line 14: User.new.bio
Medium | home/collection | Cross Site Scripting | Unescaped model attribute near line 8: User.some.random.method
Weak | home/test (HomeController#test) | Cross Site Scripting | Unescaped model attribute near line 16: maybe_unsafe(User.find(params[:user_id]).bio)
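Every view warning above is a value written into HTML without escaping, whether it comes from a model attribute, a parameter or a cookie. The following is an added example using Ruby's stdlib ERB, not the app's templates and not Rails' view layer: the same value rendered raw and through ERB::Util.html_escape, which is what Rails' h helper calls. The payload strings and function names are constructed for the illustration.

```ruby
require "erb"

# Constructed payloads standing in for the flagged values (a User#name, params[:direct_use]).
SCRIPT_PAYLOAD    = "<script>alert(document.cookie)</script>".freeze
ATTRIBUTE_PAYLOAD = "\" onmouseover=\"alert(1)".freeze

# Vulnerable shape: plain ERB's <%= %> inserts the string verbatim, which is what a Rails 2
# template does and what Rails 3 does for raw() or strings marked html_safe.
def render_text_unescaped(name)
  ERB.new("<p><%= name %></p>").result(binding)
end

# Hardened shape: escape at output time. ERB::Util.html_escape is what Rails' h() wraps;
# it rewrites & < > " and ' so the browser parses the value as text, not markup.
def render_text_escaped(name)
  ERB.new("<p><%= ERB::Util.html_escape(name) %></p>").result(binding)
end

# Attribute context: an unescaped value closes the quoted attribute and adds an event
# handler; html_escape turns the quotes into &quot; so the attribute stays closed.
def render_attribute_unescaped(value)
  ERB.new('<input value="<%= value %>">').result(binding)
end

def render_attribute_escaped(value)
  ERB.new('<input value="<%= ERB::Util.html_escape(value) %>">').result(binding)
end
```

Rails 3 escapes <%= %> output by default; this report predates that, and raw(), html_safe and string concatenation into a template reintroduce exactly the exposure shown by render_text_unescaped.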