apigy / selfstarter

Roll your own crowdfunding

Home Page:selfstarter.us


brakeman security audit

skull-squadron opened this issue · comments

~/tmp/selfstarter (develop ✔) ᐅ brakeman
Loading scanner...
[Notice] Detected Rails 3 application
Processing application in /Users/user/tmp/selfstarter
Processing configuration...
[Notice] Escaping HTML by default
Processing gems...
Processing initializers...
Processing libs...
Processing routes...
Processing templates...
Processing data flow in templates...
Processing models...
Processing controllers...
Processing data flow in controllers...
Indexing call sites...
Running checks in parallel...
 - CheckBasicAuth
 - CheckCrossSiteScripting
 - CheckContentTag
 - CheckDefaultRoutes
 - CheckDigestDoS
 - CheckEscapeFunction
 - CheckEvaluation
 - CheckExecute
 - CheckFileAccess
 - CheckFilterSkipping
 - CheckForgerySetting
 - CheckJRubyXML
 - CheckJSONParsing
 - CheckLinkTo
 - CheckLinkToHref
 - CheckMailTo
 - CheckMassAssignment
 - CheckModelAttributes
 - CheckModelSerialize
 - CheckNestedAttributes
 - CheckQuoteTableName
 - CheckRedirect
 - CheckRender
 - CheckResponseSplitting
 - CheckSafeBufferManipulation
 - CheckSanitizeMethods
 - CheckSelectTag
 - CheckSelectVulnerability
 - CheckSend
 - CheckSendFile
 - CheckSessionSettings
 - CheckSingleQuotes
 - CheckSkipBeforeFilter
 - CheckSQL
 - CheckStripTags
 - CheckSymbolDoS
 - CheckTranslateBug
 - CheckUnsafeReflection
 - CheckValidationRegex
 - CheckWithoutProtection
 - CheckYAMLLoad
 - CheckYAMLParsing
Checks finished, collecting results...
Generating report...

+BRAKEMAN REPORT+

Application path: /Users/user/tmp/selfstarter
Rails version: 3.2.13
Brakeman version: 1.9.4
Started at 2013-03-19 18:34:55 -0700
Duration: 0.796561 seconds
Checks run: BasicAuth, ContentTag, CrossSiteScripting, DefaultRoutes, DigestDoS, EscapeFunction, Evaluation, Execute, FileAccess, FilterSkipping, ForgerySetting, JRubyXML, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, ModelAttributes, ModelSerialize, NestedAttributes, QuoteTableName, Redirect, Render, ResponseSplitting, SQL, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionSettings, SingleQuotes, SkipBeforeFilter, StripTags, SymbolDoS, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, YAMLLoad, YAMLParsing


+SUMMARY+

+-------------------+-------+
| Scanned/Reported  | Total |
+-------------------+-------+
| Controllers       | 2     |
| Models            | 3     |
| Templates         | 21    |
| Errors            | 0     |
| Security Warnings | 3 (2) |
+-------------------+-------+

+-----------------------+-------+
| Warning Type          | Total |
+-----------------------+-------+
| Redirect              | 1     |
| Remote Code Execution | 1     |
| Session Setting       | 1     |
+-----------------------+-------+


+SECURITY WARNINGS+

+------------+--------------------+---------+-----------------------+--------------------------------------------------------------------------------------->>
| Confidence | Class              | Method  | Warning Type          | Message                                                                               >>
+------------+--------------------+---------+-----------------------+--------------------------------------------------------------------------------------->>
| High       |                    |         | Remote Code Execution | json gem version 1.7.6 has a remote code vulnerablity: upgrade to 1.7.7               >>
| High       |                    |         | Session Setting       | Session secret should not be included in version control near line 7                  >>
| Weak       | PreorderController | prefill | Redirect              | Possible unprotected redirect near line 29: redirect_to(AmazonFlexPay.multi_use_pipeli>>
+------------+--------------------+---------+-----------------------+--------------------------------------------------------------------------------------->>

Recommendations:

  1. Specify a json version ~> 1.7.7 and/or ruby 1.9.3 in the Gemfile (at least on heroku, where 1.9.2's json is unpatched).
  2. Redact the secret to an environment variable like RAILS_SESSION_SECRET.
  3. Whatever. This might help: http://railscasts.com/episodes/358-brakeman?view=asciicast
  1. default ruby 1.9.2 on heroku
~ $ ruby -rjson -e 'JSON.parse '\''{"json_class":"JSON::GenericObject","foo":"bar"}'\'''
/usr/local/lib/ruby/1.9.1/json/common.rb:44:in `rescue in block in deep_const_get': can't find const JSON::GenericObject (ArgumentError)
    from /usr/local/lib/ruby/1.9.1/json/common.rb:41:in `block in deep_const_get'
    from /usr/local/lib/ruby/1.9.1/json/common.rb:36:in `each'
    from /usr/local/lib/ruby/1.9.1/json/common.rb:36:in `inject'
    from /usr/local/lib/ruby/1.9.1/json/common.rb:36:in `deep_const_get'
    from /usr/local/lib/ruby/1.9.1/json/common.rb:146:in `parse'
    from /usr/local/lib/ruby/1.9.1/json/common.rb:146:in `parse'
    from -e:1:in `<main>'
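Added example, not part of the issue above and not selfstarter code: a stand-alone Ruby script showing what the json gem finding means in practice. With additions enabled, any parsed object carrying a "json_class" key is turned into an instance of that class via its json_create class method, and the constant lookup happens before the class is even checked, which is why the one-liner above dies inside deep_const_get. Preorder is a hypothetical class written for this demo (not the app's model), and ATTACKER_JSON is a constructed request body.

```ruby
require 'json'

# Added example, not code from selfstarter or the issue author. "Preorder" is a
# hypothetical stand-in class, not the app's model.
class Preorder
  attr_reader :email, :amount

  def initialize(email, amount)
    @email = email
    @amount = amount
  end

  # A class that responds to json_create is "json creatable": when additions
  # are enabled the parser calls this with the decoded Hash and returns the
  # result instead of the Hash.
  def self.json_create(hash)
    new(hash['email'], hash['amount'])
  end
end

# Constructed sample request body: the attacker names the class they want built.
ATTACKER_JSON = '{"json_class":"Preorder","email":"x@example.com","amount":1}'

# Safe: additions off, "json_class" stays an ordinary string key in a Hash.
# This is the JSON.parse default from json 1.7.7 on.
def parse_untrusted(body)
  JSON.parse(body, create_additions: false)
end

# Unsafe: the behaviour json < 1.7.7 had by default for JSON.parse. The
# attacker's document chooses which class gets instantiated.
def parse_with_additions(body)
  JSON.parse(body, create_additions: true)
end

# Naming a class that does not exist makes the parser's constant lookup raise,
# which is the error shown in the ruby -rjson one-liner above. Returns the
# exception (nil if parsing succeeded).
def unknown_class_error(body)
  JSON.parse(body, create_additions: true)
  nil
rescue StandardError => e
  e
end

# Defence in depth for code that must accept JSON from the network: reject any
# document containing the create_id key ("json_class") anywhere in it, so the
# outcome does not depend on which json gem happens to be installed.
def names_a_class?(body)
  walk = lambda do |node|
    case node
    when Hash
      node.key?(JSON.create_id) || node.each_value.any? { |v| walk.call(v) }
    when Array
      node.any? { |v| walk.call(v) }
    else
      false
    end
  end
  walk.call(JSON.parse(body, create_additions: false))
end

if __FILE__ == $PROGRAM_NAME
  p parse_untrusted(ATTACKER_JSON)                       # plain Hash
  p parse_with_additions(ATTACKER_JSON)                  # a Preorder instance
  p unknown_class_error('{"json_class":"NoSuchClass"}')  # ArgumentError
  p names_a_class?(ATTACKER_JSON)                        # true
end
```

Bumping the gem fixes the default, but a handler that calls JSON.load, or passes create_additions: true itself, is still exposed; the names_a_class? gate rejects the payload regardless of which parser path the code takes.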
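Added example for recommendation 2, not selfstarter code: a loader for the session secret that takes it from the environment and refuses to start with a missing or short value. The variable name RAILS_SESSION_SECRET is the one suggested above; the 30-character floor is the minimum Rails 3.2 itself enforces for secret_token, and the Selfstarter::Application module name in the comment is assumed.

```ruby
require 'securerandom'

# Added example, not selfstarter code. Rails 3.2 raises if secret_token is
# shorter than 30 characters, so enforcing the same floor here fails closed
# instead of letting the app boot with an empty or junk value.
MIN_SECRET_LENGTH = 30

class MissingSessionSecret < StandardError; end

# Reads the cookie-signing secret from the process environment. RAILS_SESSION_SECRET
# is the variable name suggested in the issue; `env` is injected so the check can
# be exercised without touching the real ENV.
def session_secret_from(env, name = 'RAILS_SESSION_SECRET')
  secret = env[name].to_s.strip
  if secret.length < MIN_SECRET_LENGTH
    raise MissingSessionSecret, "#{name} must be set to at least #{MIN_SECRET_LENGTH} characters"
  end
  secret
end

# Value to provision into the environment: 128 hex characters, the same shape
# `rake secret` produces in Rails 3.2.
def generate_session_secret
  SecureRandom.hex(64)
end

# config/initializers/secret_token.rb then becomes (module name assumed):
#
#   Selfstarter::Application.config.secret_token = session_secret_from(ENV)
#
# The old literal has to be rotated, not just deleted from the file, because it
# is already in the repository history.

if __FILE__ == $PROGRAM_NAME
  puts generate_session_secret
end
```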