How to run Brakeman only for modified files? Below are the gem details:
- gem 'brakeman', '4.6.1' # Security Analysis Tool
- Ruby: 2.6.3
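One way to do this, as an added example that is not part of the question: Brakeman 4.6.1 accepts --only-files with a comma-separated list of paths, so the list can be built from `git diff`. The script below assumes it runs from the Rails application root with `bundle exec brakeman` available; the default base ref `origin/master` and the extension list are assumptions.

```ruby
#!/usr/bin/env ruby
# Added example, not from the question: scan only the files changed since a
# base git ref, using Brakeman's --only-files option. Assumes the Rails
# application root as the working directory; base ref and extension list
# are assumptions.
require 'shellwords'

# Only these file types are parsed by Brakeman, so a README or asset change
# does not trigger a scan. Assumed list; trim or extend it for your app.
SCANNABLE_EXT = %w[.rb .erb .haml .slim .yml .rake].freeze

# Turn `git diff --name-only` output into the de-duplicated list of paths
# worth scanning.
def scannable_paths(git_output)
  git_output.each_line
            .map(&:strip)
            .reject(&:empty?)
            .select { |p| SCANNABLE_EXT.include?(File.extname(p)) }
            .uniq
end

# Build the Brakeman argv. --only-files takes a comma-separated list; nil is
# returned when nothing is worth scanning so the caller can skip the run.
def brakeman_argv(paths, extra = %w[-q])
  return nil if paths.empty?
  ['bundle', 'exec', 'brakeman', '--only-files', paths.join(','), *extra]
end

# Diff HEAD against `base` and run Brakeman on the changed files.
# --diff-filter=d drops deleted paths, which Brakeman could not open.
# Returns true when there was nothing to scan or Brakeman exited 0
# (Brakeman 4 exits non-zero when it reports warnings).
def scan_changed_files(base = 'origin/master')
  diff = `git diff --name-only --diff-filter=d #{Shellwords.escape(base)}...HEAD`
  argv = brakeman_argv(scannable_paths(diff))
  return true if argv.nil?
  warn "running: #{argv.shelljoin}"
  system(*argv) == true
end
```

Call `scan_changed_files` from a Rake task or a pre-push hook. The caveat: with --only-files Brakeman parses only the listed files, so a warning that needs data from an unchanged file (a model attribute rendered in a changed view, a controller variable used in a changed partial) can be missed; keep a full scan on the main branch.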
I'm setting the file name like 'abc_1.pdf', where '1' is the value of a model's attribute. But the Brakeman scanner takes this as a security issue. I need to keep track of files by referencing the file name with the model attribute. Can you please tell me what the right way to fix this security issue is?
Thanks.
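One way to build such a name safely, as an added example that is not part of the question: reduce the attribute to a value that provably cannot contain a path separator, a dot or a NUL before it is joined to the upload directory. UPLOAD_ROOT, the prefix/extension rules and the slug branch (which goes beyond the integer case in the question) are assumptions.

```ruby
# Added example, not from the question. Builds the 'abc_1.pdf' style name
# from a model attribute so nothing attacker-controlled can change the
# directory or the extension. UPLOAD_ROOT and the slug rule are assumptions.
require 'pathname'

UPLOAD_ROOT = Pathname.new('/var/app/uploads').freeze

# Non-numeric attributes must be plain slugs: no '/', '\', '.', NUL or
# whitespace, so they cannot traverse directories or swap the extension.
SAFE_SLUG = /\A[A-Za-z0-9_-]{1,64}\z/

# Reduce the attribute to a string that is safe inside a file name.
def filename_token(value)
  case value
  when Integer
    value.to_s
  when String
    s = value.strip
    # Digits only: to_i is safe here because the regex has already proven
    # the string is digits, and it normalises leading zeros ("007" -> "7").
    return s.to_i.to_s if s.match?(/\A\d+\z/)
    raise ArgumentError, "unsafe file name component: #{value.inspect}" unless s.match?(SAFE_SLUG)
    s
  else
    raise ArgumentError, "unsupported attribute type: #{value.class}"
  end
end

# Full path for the file; prefix and extension are fixed by the caller but
# are still validated so a later refactor cannot turn them into user input.
def upload_path(prefix, value, ext)
  raise ArgumentError, "bad prefix: #{prefix.inspect}" unless prefix.match?(SAFE_SLUG)
  raise ArgumentError, "bad extension: #{ext.inspect}" unless ext.match?(/\A[a-z0-9]{1,8}\z/)
  path = UPLOAD_ROOT.join("#{prefix}_#{filename_token(value)}.#{ext}")
  # Defence in depth: the token rules already exclude separators, but check
  # that the normalised path is still inside the upload root.
  unless path.cleanpath.to_s.start_with?("#{UPLOAD_ROOT}/")
    raise ArgumentError, 'path escapes upload root'
  end
  path.to_s
end
```

If Brakeman still reports the call after this change, the value reaching it is no longer attacker-controllable, and the remaining warning can be reviewed and ignored with `brakeman -I`, which records the decision in the ignore file rather than hiding the check globally.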
In my project, while using the Brakeman gem, the following security issues are raised:
1) In the following statement, an "Unescaped model attribute" error is raised:
    CashTransaction.find(session[:transaction_id]).customer.address_1
I know Rails uses a cookie-based session store. However, in Rails 4 it's relatively safe to use cookies as you would need the Rails secret token in order to compromise it.
So, is this a false positive? If not how can I remove this vulnerability?
2) Secondly, I have a scenario where I need to check whether a record with a typical attribute exists or not. For that I have the following code:
    # Three actions that all answer the same question through one helper.
    def check_email
      render json: ( is_available('email', params[:user][:email]) )
    end

    def is_email_available
      is_email_taken = is_available('email', params[:user][:email])
      render json: !is_email_taken
    end

    def is_username_available
      is_username_taken = is_available('username', params[:user][:username])
      render json: !is_username_taken
    end

    # Shared helper: the column name is interpolated into the SQL string,
    # which is the line Brakeman flags.
    def is_available(type, value)
      User.where("#{type}=?", value).exists?
    end
And Brakeman raises the following warning:
    Possible SQL injection. User.where("#{(local type)}=?", (local value))
How can I remove this vulnerability and at the same time make my code DRY?
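One way to keep a single helper and still satisfy the check, as an added example that is not part of the question: a column name cannot be sent as a bind parameter, so it has to come from an allow-list, and hash conditions let ActiveRecord quote it. The code runs without Rails; `User` is assumed to be the model from the question and is only touched when the helper is called with its default relation.

```ruby
# Added example, not code from the question. Runs without Rails: `User` is
# assumed to be the ActiveRecord model and is only used when value_taken? is
# called without an explicit relation.
LOOKUP_COLUMNS = %w[email username].freeze

# A column name cannot be bound like a value, so the only safe source for it
# is a fixed allow-list. Anything else is rejected before it reaches SQL.
def lookup_column(type)
  name = type.to_s
  unless LOOKUP_COLUMNS.include?(name)
    raise ArgumentError, "unsupported lookup column: #{name.inspect}"
  end
  name
end

# Hash conditions: ActiveRecord quotes the key as an identifier and binds
# the value, so there is no SQL string for Brakeman to flag.
def availability_conditions(type, value)
  { lookup_column(type) => value }
end

# The shared query every availability action calls. `relation:` exists so
# the method can be exercised without a database.
def value_taken?(type, value, relation: User)
  relation.where(availability_conditions(type, value)).exists?
end

# The fragment the original helper built. If `type` ever came from a
# request, the caller would control the SQL text, which is the warning.
def legacy_fragment(type)
  "#{type}=?"
end

# Controller side: one action instead of three, with the field name checked
# against the allow-list before it reaches the query.
#
#   def available
#     field = lookup_column(params.fetch(:field))
#     render json: { field => !value_taken?(field, params.fetch(:value)) }
#   end
```

On the first item: "Unescaped model attribute" comes from Brakeman's cross-site scripting check and concerns how `address_1` is output in a view without HTML escaping (for example through `raw` or `html_safe`), so the session store is not what the warning is about; escaping the value at output time (the default `<%= %>`) is what clears it.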
I have installed the latest version of the Brakeman gem to help me with Rails application security.
I have several Rails applications that I have on two servers, one for development and the other for production. When I ran the Brakeman reports on my applications, most of them flagged config/initializers/secret_token.rb with the following high security vulnerability.
Session secret should not be included in version control near line 7
This is the first time I have seen this error since I ran an older version of Brakeman months ago.
From what I have researched so far, Rails automatically generates the secret token when rails new appname is executed. I was not aware of it until now. Apparently Rails does not protect this file, so if I decided to move any of my applications to GitHub the information would be available to anyone on GitHub accessing the application. At this time I am not uploading to GitHub, but I want information on how to move the secret_token from config/initializers/secret_token.rb in order to close the security hole in my applications.
One blog post I read suggested that I inject the secret token into an ENV variable. Will moving the statement from config/initializers/secret_token.rb to config/environment.rb solve the problem? If so I will add this task to my list of tasks in Rails development.
Any help would be appreciated.
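The environment-variable approach, as an added example that is not part of the question: the initializer reads the secret at boot and refuses to start without one, and a fresh value is generated rather than reusing the literal that has already been committed. The variable name SECRET_TOKEN and the application name MyApp are assumptions.

```ruby
# Added example, not from the question: read the session secret from the
# environment instead of a literal committed in
# config/initializers/secret_token.rb. SECRET_TOKEN and MyApp are assumptions.
require 'securerandom'

SECRET_BYTES = 64 # `rake secret` emits SecureRandom.hex(64): 128 hex chars

# Fetch the secret at boot and refuse to start with a missing or short one;
# a silent fallback to a default would be the same bug in a new place.
def session_secret(env = ENV, key = 'SECRET_TOKEN')
  secret = env[key].to_s.strip
  raise KeyError, "#{key} is not set (generate one with `rake secret`)" if secret.empty?
  if secret.length < SECRET_BYTES * 2
    raise ArgumentError, "#{key} is too short: #{secret.length} chars, want #{SECRET_BYTES * 2}"
  end
  secret
end

# A replacement value of the size `rake secret` produces. The old literal
# has lived in version control, so generate a new one instead of moving it.
def generate_session_secret
  SecureRandom.hex(SECRET_BYTES)
end

# config/initializers/secret_token.rb then becomes (Rails 3.2 / 4.0):
#
#   MyApp::Application.config.secret_token = session_secret
#
# On Rails 4.1+ the equivalent key is secret_key_base in config/secrets.yml,
# whose generated production entry already reads ENV["SECRET_KEY_BASE"].
```

Moving the literal into config/environment.rb would not help, because that file is committed as well; the value has to live outside the repository (the server's environment, a systemd unit, or a gitignored .env file). Deleting the file from the tree does not remove it from history, so treat the old token as exposed, and expect the rotation to invalidate every existing session.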