brakeman security audit #38

Open
skull-squadron opened this issue Mar 20, 2013 · 2 comments

Comments

@skull-squadron
Contributor

~/tmp/selfstarter (develop ✔) ᐅ brakeman
Loading scanner...
[Notice] Detected Rails 3 application
Processing application in /Users/user/tmp/selfstarter
Processing configuration...
[Notice] Escaping HTML by default
Processing gems...
Processing initializers...
Processing libs...
Processing routes...
Processing templates...
Processing data flow in templates...
Processing models...
Processing controllers...
Processing data flow in controllers...
Indexing call sites...
Running checks in parallel...
 - CheckBasicAuth
 - CheckCrossSiteScripting
 - CheckContentTag
 - CheckDefaultRoutes
 - CheckDigestDoS
 - CheckEscapeFunction
 - CheckEvaluation
 - CheckExecute
 - CheckFileAccess
 - CheckFilterSkipping
 - CheckForgerySetting
 - CheckJRubyXML
 - CheckJSONParsing
 - CheckLinkTo
 - CheckLinkToHref
 - CheckMailTo
 - CheckMassAssignment
 - CheckModelAttributes
 - CheckModelSerialize
 - CheckNestedAttributes
 - CheckQuoteTableName
 - CheckRedirect
 - CheckRender
 - CheckResponseSplitting
 - CheckSafeBufferManipulation
 - CheckSanitizeMethods
 - CheckSelectTag
 - CheckSelectVulnerability
 - CheckSend
 - CheckSendFile
 - CheckSessionSettings
 - CheckSingleQuotes
 - CheckSkipBeforeFilter
 - CheckSQL
 - CheckStripTags
 - CheckSymbolDoS
 - CheckTranslateBug
 - CheckUnsafeReflection
 - CheckValidationRegex
 - CheckWithoutProtection
 - CheckYAMLLoad
 - CheckYAMLParsing
Checks finished, collecting results...
Generating report...

+BRAKEMAN REPORT+

Application path: /Users/user/tmp/selfstarter
Rails version: 3.2.13
Brakeman version: 1.9.4
Started at 2013-03-19 18:34:55 -0700
Duration: 0.796561 seconds
Checks run: BasicAuth, ContentTag, CrossSiteScripting, DefaultRoutes, DigestDoS, EscapeFunction, Evaluation, Execute, FileAccess, FilterSkipping, ForgerySetting, JRubyXML, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, ModelAttributes, ModelSerialize, NestedAttributes, QuoteTableName, Redirect, Render, ResponseSplitting, SQL, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionSettings, SingleQuotes, SkipBeforeFilter, StripTags, SymbolDoS, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, YAMLLoad, YAMLParsing


+SUMMARY+

+-------------------+-------+
| Scanned/Reported  | Total |
+-------------------+-------+
| Controllers       | 2     |
| Models            | 3     |
| Templates         | 21    |
| Errors            | 0     |
| Security Warnings | 3 (2) |
+-------------------+-------+

+-----------------------+-------+
| Warning Type          | Total |
+-----------------------+-------+
| Redirect              | 1     |
| Remote Code Execution | 1     |
| Session Setting       | 1     |
+-----------------------+-------+


+SECURITY WARNINGS+

+------------+--------------------+---------+-----------------------+--------------------------------------------------------------------------------------->>
| Confidence | Class              | Method  | Warning Type          | Message                                                                               >>
+------------+--------------------+---------+-----------------------+--------------------------------------------------------------------------------------->>
| High       |                    |         | Remote Code Execution | json gem version 1.7.6 has a remote code vulnerablity: upgrade to 1.7.7               >>
| High       |                    |         | Session Setting       | Session secret should not be included in version control near line 7                  >>
| Weak       | PreorderController | prefill | Redirect              | Possible unprotected redirect near line 29: redirect_to(AmazonFlexPay.multi_use_pipeli>>
+------------+--------------------+---------+-----------------------+--------------------------------------------------------------------------------------->>
@skull-squadron
Contributor Author

Recommendations:

  1. Specify a json version ~> 1.7.7 and/or ruby 1.9.3 in the Gemfile (at least on heroku, where 1.9.2's json is unpatched).
  2. Redact the secret to an environment variable like RAILS_SESSION_SECRET.
  3. Whatever. This might help: http://railscasts.com/episodes/358-brakeman?view=asciicast

@skull-squadron
Contributor Author

  1. default ruby 1.9.2 on heroku
~ $ ruby -rjson -e 'JSON.parse '\''{"json_class":"JSON::GenericObject","foo":"bar"}'\'''
/usr/local/lib/ruby/1.9.1/json/common.rb:44:in `rescue in block in deep_const_get': can't find const JSON::GenericObject (ArgumentError)
    from /usr/local/lib/ruby/1.9.1/json/common.rb:41:in `block in deep_const_get'
    from /usr/local/lib/ruby/1.9.1/json/common.rb:36:in `each'
    from /usr/local/lib/ruby/1.9.1/json/common.rb:36:in `inject'
    from /usr/local/lib/ruby/1.9.1/json/common.rb:36:in `deep_const_get'
    from /usr/local/lib/ruby/1.9.1/json/common.rb:146:in `parse'
    from /usr/local/lib/ruby/1.9.1/json/common.rb:146:in `parse'
    from -e:1:in `<main>'
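
The following is an added example, not code from the selfstarter project or from the issue author. It shows the defensive counterparts to the three Brakeman findings above, in plain Ruby without Rails: parsing untrusted JSON with `create_additions` disabled so a `json_class` key comes back as ordinary data (the behaviour the unpatched Ruby 1.9.2 session above lacks), checking the installed json gem against the 1.7.7 minimum from the report, reading the session secret from the `RAILS_SESSION_SECRET` environment variable named in the recommendations and failing closed when it is missing, and validating a redirect target against an allowlist of hosts. The host `pay.example.test` and the secret value are constructed placeholders.

```ruby
require "json"
require "uri"

# 1. Parse untrusted JSON with create_additions disabled, so a "json_class"
#    key is returned as a plain string value rather than being used to
#    instantiate the named class. json >= 1.7.7 already defaults JSON.parse
#    to this; passing it explicitly documents the intent.
def parse_untrusted_json(text)
  JSON.parse(text, create_additions: false)
end

# Does the installed json gem meet the minimum the Brakeman report asks for?
def json_gem_patched?(minimum = "1.7.7")
  Gem::Version.new(JSON::VERSION) >= Gem::Version.new(minimum)
end

# 2. Read the session secret from the environment instead of a file under
#    version control. Fail closed on a missing or short value; never fall
#    back to a built-in default.
def session_secret_from_env(env = ENV, name: "RAILS_SESSION_SECRET", min_length: 30)
  secret = env[name].to_s
  raise ArgumentError, "#{name} is not set" if secret.empty?
  if secret.length < min_length
    raise ArgumentError, "#{name} is too short (#{secret.length} chars, need #{min_length})"
  end
  secret
end

# 3. Accept a redirect target only if it is an absolute https URL whose host
#    is on the allowlist. Protocol-relative ("//host/..."), scheme-less and
#    non-https values, and unparseable strings all yield nil.
def safe_redirect_target(target, allowed_hosts)
  uri = URI.parse(target.to_s)
  return nil unless uri.is_a?(URI::HTTPS) && uri.host
  return nil unless allowed_hosts.include?(uri.host.downcase)
  uri.to_s
rescue URI::InvalidURIError
  nil
end

if __FILE__ == $0
  # Constructed sample input: the payload from the terminal session above.
  payload = '{"json_class":"JSON::GenericObject","foo":"bar"}'
  puts parse_untrusted_json(payload).inspect
  puts "json gem #{JSON::VERSION} patched: #{json_gem_patched?}"

  # Constructed environment; a real deployment sets this outside the repo.
  fake_env = { "RAILS_SESSION_SECRET" => "c" * 64 }
  puts "secret loaded, #{session_secret_from_env(fake_env).length} chars"

  allowed = ["pay.example.test"] # constructed placeholder host
  puts safe_redirect_target("https://pay.example.test/cbui?x=1", allowed).inspect
  puts safe_redirect_target("//evil.example/cbui", allowed).inspect
  puts safe_redirect_target("http://pay.example.test/cbui", allowed).inspect
end
```

In a Rails app the same checks would sit in `config/initializers/secret_token.rb` (reading `ENV`) and in the controller action before `redirect_to`; the allowlist approach is what turns Brakeman's "possible unprotected redirect" into a redirect whose destination set is fixed by the application rather than by request data.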
