#ruby

Rulesets (23)

profile photo of r2cr2c

The OWASP Top 10 is an industry-recognized report of top web application security risks. Use this ruleset to scan for OWASP Top 10 vulnerabilities.

Rules (71)

profile photo of returntocorpreturntocorp

Detected usage of `Mime.const_set`. This could lead to a Denial of Service attack, as an attacker could send lots of different mime types to the server, causing the cache to grow large and use all available RAM. Make sure you are using 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 or higher. If this is not possible, use the workaround with "Mime.const_set :LOOKUP, Hash.new { |h,k| Mime::Type.new(k) unless k.blank? }"

profile photo of returntocorpreturntocorp

Detected user input flowing into number_to_currency helper. One of the parameters to the helper (unit) is not escaped correctly and could lead to XSS, which in turn could lead to sensitive data being exfiltrated. Instead, sanitize data before passing it into `number_to_currency` with the html_escape (h) function or upgrade to Rails 4.0.2 or 3.2.16.

profile photo of returntocorpreturntocorp

Detected usage of `quote_table_name`, which has a vulnerability allowing malicious users to inject arbitrary SQL into a query. This is fixed in Rails versions 3.0.10, 2.3.13, and 3.1.0.rc5 and above. If updating your Rails version is not possible, sanitize input thoroughly before passing it to a `quote_table_name` call.

profile photo of returntocorpreturntocorp

Checks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with YAML, MARSHAL, or CSV can potentially be dangerous. Use JSON in a secure fashion instead. However, loading YAML from a static file is not dangerous and should not be flagged.

profile photo of returntocorpreturntocorp

Use of eval detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval.

profile photo of returntocorpreturntocorp

Discovered an application that uses MySQL and find_by_* dynamic finders on potentially sensitive fields. There is a vulnerability in MySQL integer conversion, which could case "0" to match any string, and could therefore lead to sensitive data being exposed. Instead, upgrade to Rails version 4.

profile photo of returntocorpreturntocorp

Detected use of mail_to helper used with the `:encode => :javascript option`. The attacker could specify a malicious name or email value that could lead to a XSS attack. Instead, use `:encode => :hex` or patch to Rails 3.0.4 or 2.3.11.

profile photo of returntocorpreturntocorp

This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.

profile photo of returntocorpreturntocorp

It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem.

profile photo of returntocorpreturntocorp

Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`.

profile photo of returntocorpreturntocorp

Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries.

profile photo of returntocorpreturntocorp

User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server runnig this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction with `SsrfFilter(...)`, or create an allowlist for approved hosts.

profile photo of returntocorpreturntocorp

This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument.

profile photo of returntocorpreturntocorp

Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)

profile photo of returntocorpreturntocorp

Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.

profile photo of returntocorpreturntocorp

Checks for strong parameter bypass through usage of create_with. Create_with bypasses strong parameter protection, which could allow attackers to set arbitrary attributes on models. To fix this vulnerability, either remove all create_with calls or use the permit function to specify tags that are allowed to be set.

profile photo of returntocorpreturntocorp

Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.

profile photo of returntocorpreturntocorp

Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.

profile photo of returntocorpreturntocorp

Checks for use of action in Ruby routes. This can cause Rails to render an arbitrary view if an attacker creates an URL accurately. Affects 3.0 applications. Can avoid the vulnerability by providing additional constraints.

profile photo of returntocorpreturntocorp

The JDOM backend for XmlMini has a vulnerability that lets an attacker perform a denial of service attack or gain access to files on the application server. This affects versions 3.0, but is fixed in versions 3.1.12 and 3.2.13. To fix, either upgrade or use XmlMini.backend="REXML".

profile photo of returntocorpreturntocorp

When a 'Hash' with user-supplied input is encoded in JSPN, Rails doesn't provide adequate escaping. If the JSON string is supplied into HTML, the page will be vulnerable to XXS attacks. The affected ruby versions are 3.0.x, 3.1.x, 3.2.x, 4.1.x, 4.2.x. To fix, either upgrade or add an initializer.

profile photo of returntocorpreturntocorp

'raw()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. If you must do this, construct individual strings and mark them as safe for HTML rendering with `html_safe()`.

profile photo of returntocorpreturntocorp

Checks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. Fix: don't allow admin, banned, role, and account_id using permit or attr_accessible.

profile photo of returntocorpreturntocorp

Checks for nested attributes vulnerability (CVE-2015-7577). Setting allow_destroy: false in accepts_nested_attributes_for can lead to attackers setting attributes to invalid values and clearing all attributes. This affects versions 3.1.0 and newer, with fixed versions 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1. To fix, upgrade to a newer version or use the initializer specified in the google groups.

profile photo of returntocorpreturntocorp

Checks for models that enable nested attributes. A vulnerability in nested_attributes_for results in an attacker begin able to change parameters apart from the ones intended by the developer. Affected Ruby versions: 3.0.0, 2.3.9. Fix: don't use accepts_nested_attributes_for or upgrade Ruby version.

profile photo of returntocorpreturntocorp

'render inline: ...' renders an entire ERB template inline and is dangerous. If external data can reach here, this exposes your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks. Instead, consider using a partial or another safe rendering method.

profile photo of returntocorpreturntocorp

Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this.

profile photo of returntocorpreturntocorp

Checks for unsafe use of method http_basic_authenticate_with, which is vulnerable to timing attacks as it does not use constant-time checking when comparing passwords. Affected Rails versions include: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1. Avoid this function if possible.

profile photo of returntocorpreturntocorp

Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access.

profile photo of returntocorpreturntocorp

Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions,leading to potential collision attacks. Use SHA256 or other hashing functions instead.

profile photo of returntocorpreturntocorp

Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`.

profile photo of returntocorpreturntocorp

'content_tag()' bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use 'html_safe'. Ensure no external data enters the HTML-safe string!