ruby
Default ruleset for Ruby, curated by Semgrep.
Run Locally
Rules (65)
semgrepDetected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.
semgrepChecks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead.
semgrepDetected a possible ZeroDivisionError.
semgrepChecks for configuration setting of force_ssl to false. Force_ssl forces usage of HTTPS, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true.
semgrepDetected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. Use 'OpenSSL::SSL::VERIFY_PEER' instead.
semgrepUse of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval.
semgrepShould not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. Use SHA256 or other hashing functions instead.
semgrepShould not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.
semgrepDetected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.
semgrepDetected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`.
semgrepDetected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql ["SELECT title FROM posts WHERE author = ? AND created > ?", author_id, start_date]`
semgrepDetected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use sanitize statements like so: `escaped = client.escape(user_input)`
semgrepDetected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])`
semgrepDetected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`
semgrepDeserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON as it is only capable of returning 'primitive' types such as strings, arrays, hashes, numbers and nil.
semgrepDetected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepFound the use of an hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file.
semgrepThe RSA key size $SIZE is insufficent by NIST standards. It is recommended to use a key length of 2048 or higher.
semgrepIt looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepThis gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn't intend them to. Do not use user input as a session key.
semgrepUsing user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
semgrepUsing user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
semgrepUsing user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
semgrepUsing user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
semgrepThis code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument.
semgrepWhen a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect.
semgrepAvoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template.
semgrepDisabled-by-default Rails controller checks make it much easier to introduce access control mistakes. Prefer an allowlist approach with `:only => [...]` rather than `except: => [...]`
semgrepFound an improperly constructed control flow block with `request.get?`. Rails will route HEAD requests as GET requests but they will fail the `request.get?` check, potentially causing unexpected behavior unless an `elif` condition is used.
semgrepFound a string literal assignment to a Rails session secret `$KEY`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.
semgrepFound potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value.
semgrepFound a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.
semgrepFound request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`.
semgrepFound a Brakeman-style secret - a variable with the name password/secret/api_key/rest_auth_site_key and a non-empty string literal value.
semgrepAllowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`
semgrepFound potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries.
semgrepFound user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`
semgrepFound user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.
semgrepFound an unscoped `find(...)` with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. `current_user.accounts.find(params[:id])`.
semgrep$V Found an incorrectly-bounded regex passed to `validates_format_of` or `validate ... format => ...`. Ruby regex behavior is multiline by default and lines should be terminated by `\A` for beginning of line and `\Z` for end of line, respectively.
semgrepDetected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`.
semgrepDetected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries.
semgrepUser data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server runnig this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction with `SsrfFilter(...)`, or create an allowlist for approved hosts.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.