This repository has been archived by the owner on Mar 24, 2022. It is now read-only.
One interesting thing I noticed. Due to the fact that the supported project types are loaded from project-meta.yml, there seems to be the ability to configure which CIs are supported. Is that a feature or a consequence of the implementation?
I ran a Brakeman scan. The result of the scan is below.
I want to assist in moving toward security scans being a part of Project Monitor's CI pipeline once the issues have been resolved.
== Warning Types ==
Command Injection: 5
Cross-Site Request Forgery: 1
Cross-Site Scripting: 1
Remote Code Execution: 3
SQL Injection: 3
Session Setting: 1
== Warnings ==
Confidence: High
Category: Cross-Site Scripting
Check: ContentTag
Message: Rails 4.2.7 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 4.2.7.1
File: Gemfile.lock
Line: 290
Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:project][:type].constantize
File: app/controllers/projects_controller.rb
Line: 81
Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:project][:type].constantize
File: app/controllers/projects_controller.rb
Line: 52
Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:project][:type].constantize
File: app/controllers/projects_controller.rb
Line: 28
Confidence: High
Category: SQL Injection
Check: SQLCVEs
Message: Rails 4.2.7 contains a SQL injection vulnerability (CVE-2016-6317). Upgrade to 4.2.7.1
File: Gemfile.lock
Line: 290
Confidence: High
Category: Session Setting
Check: SessionSettings
Message: Session secret should not be included in version control
File: config/initializers/secret_token.rb
Line: 7
Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: cf auth #{username} #{password}
File: lib/cf_authenticator.rb
Line: 7
Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: cf push #{env}
File: lib/cf_deploy.rb
Line: 70
Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: git tag #{tag} #{commit_sha} -m "#{message}"
File: lib/cf_git_tagger.rb
Line: 5
Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: cf t -o #{org} -s #{space}
File: lib/cf_authenticator.rb
Line: 16
Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: git push origin #{tag}
File: lib/cf_git_tagger.rb
Line: 6
Confidence: Medium
Category: Cross-Site Request Forgery
Check: ForgerySetting
Message: protect_from_forgery should be configured with 'with: :exception'
File: app/controllers/application_controller.rb
Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: joins("INNER JOIN (#{" SELECT id,\n (CASE project_statuses.project_id\n WHEN @curType\n THEN @currow := @currow + 1\n ELSE @currow := 1 AND @curType := project_statuses.project_id END\n ) AS rank\n FROM project_statuses,\n (SELECT @currow := 0, @curType := '') r\n ORDER BY project_statuses.published_at desc, project_statuses.build_id desc\n".strip_heredoc}) rankings ON rankings.id = project_statuses.id")
File: app/models/project_status.rb
Line: 20
Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: joins("INNER JOIN (#{" SELECT id,\n (CASE payload_log_entries.project_id\n WHEN @curType\n THEN @currow := @currow + 1\n ELSE @currow := 1 AND @curType := payload_log_entries.project_id END\n ) AS rank\n FROM payload_log_entries,\n (SELECT @currow := 0, @curType := '') r\n ORDER BY payload_log_entries.created_at desc\n".strip_heredoc}) rankings ON rankings.id = payload_log_entries.id")
File: app/models/payload_log_entry.rb
Line: 20