#ruby
Rulesets (16)
Scan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.
Scan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.
r2cSecure defaults for XSS prevention for Ruby on Rails
r2cSecure defaults for XSS prevention
Colleen DaiEnsure your code communicates over encrypted channels instead of plaintext.
Default ruleset for Ruby, curated by Semgrep.
Rules for detecting secrets checked into version control
Use recommended rulesets specific to your project. Auto config is not a ruleset but a mode that scans for languages and frameworks and then uses the Semgrep Registry to select recommended rules. Semgrep will send a list of languages, frameworks, and your project URL to the Registry when using auto mode (but code is never uploaded).
Brakeman ruleset curated by Semgrep.
r2cOmni pack for insecure transport rules
Colleen DaiEnsure your code communicates over encrypted channels instead of plaintext.
Colleen DaiSQL injection guardrails. Checks for non-constant SQL queries and other SQLi.
Vasilii ErmilovSecure defaults for Command injection prevention
Secure defaults for XSS prevention for Ruby on Rails
Rules (109)
semgrepUnsafe deserialization from YAML. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with YAML can potentially be dangerous. Use JSON in a secure fashion instead. However, loading YAML from a static file is not dangerous and should not be flagged.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepThis code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.
semgrepChecks for requests to http (unencrypted) sites using some of ruby's most popular REST/HTTP libraries, including httparty and restclient.
semgrepChecks for outgoing connections to ftp servers with the 'net/ftp' package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.
semgrepChecks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs.
semgrepChecks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.
semgrepChecks for requests to http and ftp (unencrypted) sites using OpenURI.
semgrepDetected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql ["SELECT title FROM posts WHERE author = ? AND created > ?", author_id, start_date]`
semgrepDetected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use sanitize statements like so: `escaped = client.escape(user_input)`
semgrepDetected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])`
semgrepDetected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`
semgrepDeserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON as it is only capable of returning 'primitive' types such as strings, arrays, hashes, numbers and nil.
semgrepDetected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.
semgrepDetected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims.
semgrepThe object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.
semgrepPassword is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.
semgrepDetected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.
semgrepChecks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead.
semgrepChecks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead.
semgrepChecks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice.
semgrepChecks for strong parameter bypass through usage of create_with. Create_with bypasses strong parameter protection, which could allow attackers to set arbitrary attributes on models. To fix this vulnerability, either remove all create_with calls or use the permit function to specify tags that are allowed to be set.
semgrepDetected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.
semgrepDetected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.
semgrepDetected non-static command inside $PIPE. Audit the input to '$PIPE'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.
semgrepDetected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.
semgrep'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.
semgrepDetected a possible ZeroDivisionError.
semgrepSpecial requests can determine whether a file exists on a filesystem that's outside the Rails app's root directory. To fix this, set config.serve_static_assets = false.
semgrepChecks for use of action in Ruby routes. This can cause Rails to render an arbitrary view if an attacker creates an URL accurately. Affects 3.0 applications. Can avoid the vulnerability by providing additional constraints.
semgrepChecks for configuration setting of force_ssl to false. Force_ssl forces usage of HTTPS, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true.
semgrepDetected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.
semgrepFound the use of an hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file.
semgrepThe RSA key size $SIZE is insufficent by NIST standards. It is recommended to use a key length of 2048 or higher.
semgrepHardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)
semgrepChecks if HTML escaping is globally disabled for JSON output. This could lead to XSS.
semgrepMass assignment protection disabled for '$MODEL'. This could permit assignment to sensitive model fields without intention. Instead, use 'attr_accessible' for the model or disable mass assigment using 'config.active_record.whitelist_attributes = true'. ':without_protection => true' must be removed for this to take effect.
semgrepIt looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem.
semgrepDetected controller which does not enable cross-site request forgery protections using 'protect_from_forgery'. Add 'protect_from_forgery :with => :exception' to your controller class.
semgrepChecks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. Fix: don't allow admin, banned, role, and account_id using permit or attr_accessible.
semgrepChecks for models that do not use attr_accessible. This means there is no limiting of which variables can be manipulated through mass assignment. For newer Rails applications, parameters should be allowlisted using strong parameters. For older Rails versions, they should be allowlisted using strong_attributes.
semgrepUse of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval.
semgrepChecks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this.
semgrepDetected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. Use 'OpenSSL::SSL::VERIFY_PEER' instead.
semgrepChecks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access.
semgrepShould not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. Use SHA256 or other hashing functions instead.
semgrepShould not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.
semgrepFound a call to `render $T` after calling `$T.save`. Do not call `render` after calling `save` on an ActiveRecord object. Reloading the page will cause the state-changing operation to be repeated which may cause undesirable side effects. Use `redirect_to` instead.
semgrepThe $COLUMN column appears to be a foreign key. Would it benefit from an index? Having an index can improve performance.
semgrepThis gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn't intend them to. Do not use user input as a session key.
semgrepUsing user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
semgrepUsing user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
semgrepUsing user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
semgrepUsing user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
semgrepFound that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.
semgrepThis call turns off CSRF protection allowing CSRF attacks against the application
semgrepDetected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`.
semgrep'content_tag()' bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use 'html_safe'. Ensure no external data enters the HTML-safe string!
semgrepDefault routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.
semgrep'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here.
semgrepThis code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument.
semgrep'raw()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. If you must do this, construct individual strings and mark them as safe for HTML rendering with `html_safe()`.
semgrepWhen a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect.
semgrepAvoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template.
semgrep'render inline: ...' renders an entire ERB template inline and is dangerous. If external data can reach here, this exposes your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks. Instead, consider using a partial or another safe rendering method.
semgrep'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text.
semgrepDetected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a '.erb' template file and use 'render'.
semgrepThis application is using LibXML as the XML backend. LibXML can be vulnerable to XML External Entities (XXE) vulnerabilities. Use the built-in Rails XML parser, REXML, instead.
semgrepThis application is explicitly enabling external entities enabling an attacker to inject malicious XML to exploit an XML External Entities (XXE) vulnerability. This could let the attacker cause a denial-of-service by forcing the parser to parse large files, or at worst, let the attacker download sensitive files or user data. Use the built-in Rails XML parser, REXML, instead.
semgrepDisabled-by-default Rails controller checks make it much easier to introduce access control mistakes. Prefer an allowlist approach with `:only => [...]` rather than `except: => [...]`
semgrepFound a Rails `cookie_store` session configuration setting the `$KEY` attribute to `false`. If using a cookie-based session store, the HttpOnly and Secure flags should be set.
semgrepFound an improperly constructed control flow block with `request.get?`. Rails will route HEAD requests as GET requests but they will fail the `request.get?` check, potentially causing unexpected behavior unless an `elif` condition is used.
semgrepCalling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment.
semgrepCalling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment.
semgrepFound a string literal assignment to a Rails session secret `$KEY`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.
semgrepFound potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value.
semgrepFound a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.
semgrepFound a Brakeman-style secret - a variable with the name password/secret/api_key/rest_auth_site_key and a non-empty string literal value.
semgrepAllowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`
semgrepFound potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries.
semgrepFound request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`.
semgrepFound user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.
semgrepFound an unscoped `find(...)` with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. `current_user.accounts.find(params[:id])`.
semgrep$V Found an incorrectly-bounded regex passed to `validates_format_of` or `validate ... format => ...`. Ruby regex behavior is multiline by default and lines should be terminated by `\A` for beginning of line and `\Z` for end of line, respectively.
semgrepDetected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`.
semgrepUser data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server runnig this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction with `SsrfFilter(...)`, or create an allowlist for approved hosts.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepDetected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries.
semgrepFound user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`