How to run Brakeman only for a modified file? Below are the gem details

  1. gem 'brakeman', '4.6.1' # Security Analysis Tool
  2. Ruby: 2.6.3

I'm setting the file name like 'abc_1.pdf', where '1' is the value of a model's attribute. But the Brakeman scanner takes this as a security issue. I need to keep track of files by referencing the file name with the model attribute. Can you please tell me what the right way to fix this security issue is?

Thanks.

In my project, while using the Brakeman gem, the following security issues are raised:

1) In the following statement, an "Unescaped model attribute" error is raised

CashTransaction.find(session[:transaction_id]).customer.address_1

I know Rails uses a cookie-based session store. However, in Rails 4 it's relatively safe to use cookies, as you would need the Rails secret token in order to compromise it.

So, is this a false positive? If not how can I remove this vulnerability?

2) Secondly, I have a scenario where I need to check whether a record with a typical attribute exists or not. For that I have the following code

  def check_email
    render json: ( is_available('email', params[:user][:email]) )
  end

  def is_email_available
    is_email_taken = is_available('email', params[:user][:email])
    render json: !is_email_taken
  end

  def is_username_available
    is_username_taken = is_available('username', params[:user][:username])
    render json: !is_username_taken
  end

  # The column name is interpolated straight into the SQL string; this is the
  # construct Brakeman reports. The value itself is bound with "?" and is fine.
  def is_available(type, value)
    User.where("#{type}=?", value).exists?
  end

And Brakeman raises the following warning

Possible SQL injection. User.where("#{(local type)}=?", (local value))

How can I remove this vulnerability and at the same time make my code DRY?
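One way to keep the helper DRY and remove the warning, shown here as an added example rather than code from the question: restrict the column name to an explicit allow-list and pass a hash condition to ActiveRecord (`User.exists?(column => value)`) instead of building a SQL string, so no interpolated text reaches the query. The `User` model, its `email` and `username` columns, and the in-memory stand-in for the table are assumptions so the snippet runs outside Rails.

```ruby
# Columns a caller is allowed to query for availability. Anything else is
# rejected before a query is built, so the column name can never carry SQL.
AVAILABILITY_COLUMNS = %w[email username].freeze

# Returns a hash condition for ActiveRecord's where/exists?, e.g. { email: "x" }.
# ActiveRecord quotes the column and binds the value; nothing is interpolated.
def availability_condition(column, value)
  column = column.to_s
  unless AVAILABILITY_COLUMNS.include?(column)
    raise ArgumentError, "unsupported availability column: #{column.inspect}"
  end
  { column.to_sym => value }
end

# In the Rails controller the helper would simply become (assumed User model):
#   def is_available(column, value)
#     User.exists?(availability_condition(column, value))
#   end

# Constructed sample rows standing in for the users table so this runs offline.
SAMPLE_USERS = [
  { email: "alice@example.com", username: "alice" },
  { email: "bob@example.com",   username: "bob" }
].freeze

# Stand-in for User.exists?(condition) over the sample rows.
def taken?(column, value, users = SAMPLE_USERS)
  condition = availability_condition(column, value)
  users.any? { |row| condition.all? { |col, val| row[col] == val } }
end

if __FILE__ == $PROGRAM_NAME
  puts "alice taken? #{taken?('username', 'alice')}"          # true
  puts "new email taken? #{taken?('email', 'new@example.com')}" # false
end
```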

I have installed the latest version of the Brakeman gem to help me with Rails application security.

I have several Rails applications that I have on two servers, one for development and the other for production. When I ran the Brakeman reports on my applications, most of them flagged config/initializers/secret_token.rb with the following high security vulnerability.

Session secret should not be included in version control near line 7

This is the first time I have seen this error since I ran an older version of Brakeman months ago.

From what I have researched so far, Rails automatically generates the secret token when rails new appname is executed. I was not aware of it until now. Apparently Rails does not protect this file, so if I decided to move any of my applications to GitHub the information would be available to anyone on GitHub accessing the application. At this time I am not uploading to GitHub, but I want information on how to move the secret_token from config/initializers/secret_token.rb in order to close the security hole in my applications.

One blog post I read suggested that I inject the secret token into an ENV variable. Will moving the statement from config/initializers/secret_token.rb to config/environment.rb solve the problem? If so I will add this task to my list of tasks in Rails development.

Any help would be appreciated.
