Background
Brakeman version: 7.0.2
Rails version: 8.0.2
Ruby version: 3.4.2
Issue
I expect this code to raise a warning from Brakeman:

```erb
<div id="<%= dom_id article %>">
  <p>
    <strong>Title:</strong>
    <%= article.title %>
  </p>
  <p>
    <strong>Content:</strong>
    <%= article.content.html_safe %>
  </p>
</div>
```

It uses `html_safe`, which I believe should by default raise a Cross Site Scripting issue.
Complete code available here: https://github.com/pbernery/vulnerabilities_demo/blob/main/app/views/articles/_article.html.erb
And below is the output of Brakeman. It correctly detects 2 issues, while I expect it to detect 3.
bundle exec brakeman

```text
[Notice] Using Prism parser
Loading scanner...
Processing application in /Users/pbernery/Code/vulnerable_app
Processing gems...
[Notice] Detected Rails 8 application
Processing configuration...
[Notice] Escaping HTML by default
Finding files...
Parsing files...
Detecting file types...
Processing initializers...
Processing libs...
Processing routes...
Processing templates...
Processing data flow in templates...
Processing models...
Processing controllers...
Processing data flow in controllers...
Indexing call sites...
Running checks in parallel...
 - CheckBasicAuth
 - CheckBasicAuthTimingAttack
 - CheckCrossSiteScripting
 - CheckContentTag
 - CheckCookieSerialization
 - CheckCreateWith
 - CheckCSRFTokenForgeryCVE
 - CheckDefaultRoutes
 - CheckDeserialize
 - CheckDetailedExceptions
 - CheckDigestDoS
 - CheckDynamicFinders
 - CheckEOLRails
 - CheckEOLRuby
 - CheckEscapeFunction
 - CheckEvaluation
 - CheckExecute
 - CheckFileAccess
 - CheckFileDisclosure
 - CheckFilterSkipping
 - CheckForgerySetting
 - CheckHeaderDoS
 - CheckI18nXSS
 - CheckJRubyXML
 - CheckJSONEncoding
 - CheckJSONEntityEscape
 - CheckJSONParsing
 - CheckLinkTo
 - CheckLinkToHref
 - CheckMailTo
 - CheckMassAssignment
 - CheckMimeTypeDoS
 - CheckModelAttrAccessible
 - CheckModelAttributes
 - CheckModelSerialize
 - CheckNestedAttributes
 - CheckNestedAttributesBypass
 - CheckNumberToCurrency
 - CheckPageCachingCVE
 - CheckPathname
 - CheckPermitAttributes
 - CheckQuoteTableName
 - CheckRansack
 - CheckRedirect
 - CheckRegexDoS
 - CheckRender
 - CheckRenderDoS
 - CheckRenderInline
 - CheckResponseSplitting
 - CheckRouteDoS
 - CheckSafeBufferManipulation
 - CheckSanitizeConfigCve
 - CheckSanitizeMethods
 - CheckSelectTag
 - CheckSelectVulnerability
 - CheckSend
 - CheckSendFile
 - CheckSessionManipulation
 - CheckSessionSettings
 - CheckSimpleFormat
 - CheckSingleQuotes
 - CheckSkipBeforeFilter
 - CheckSprocketsPathTraversal
 - CheckSQL
 - CheckSQLCVEs
 - CheckSSLVerify
 - CheckStripTags
 - CheckSymbolDoSCVE
 - CheckTemplateInjection
 - CheckTranslateBug
 - CheckUnsafeReflection
 - CheckUnsafeReflectionMethods
 - CheckValidationRegex
 - CheckVerbConfusion
 - CheckWeakRSAKey
 - CheckWithoutProtection
 - CheckXMLDoS
 - CheckYAMLParsing
Checks finished, collecting results...
Generating report...

== Brakeman Report ==

Application Path: /Users/pbernery/Code/vulnerable_app
Rails Version: 8.0.2
Brakeman Version: 7.0.2
Scan Date: 2025-05-13 21:36:27 +0200
Duration: 0.213341 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EOLRails, EOLRuby, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, Pathname, PermitAttributes, QuoteTableName, Ransack, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeConfigCve, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoSCVE, TemplateInjection, TranslateBug, UnsafeReflection, UnsafeReflectionMethods, ValidationRegex, VerbConfusion, WeakRSAKey, WithoutProtection, XMLDoS, YAMLParsing

== Overview ==

Controllers: 2
Models: 2
Templates: 8
Errors: 0
Security Warnings: 2

== Warning Types ==

Mass Assignment: 1
SQL Injection: 1

== Warnings ==

Confidence: High
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: Article.find_by_sql("SELECT * FROM articles WHERE confidential = false AND title LIKE '%#{params[:search]}%'")
File: app/controllers/articles_controller.rb
Line: 8

Confidence: Medium
Category: Mass Assignment
Check: MassAssignment
Message: Specify exact keys allowed for mass assignment instead of using `permit!` which allows any keys
Code: params.require(:article).permit!
File: app/controllers/articles_controller.rb
Line: 73
```
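Added example, not part of the issue above and not code from the Brakeman project: a stdlib-only Ruby script that textually flags ERB output tags which bypass Rails' default HTML escaping (`.html_safe`, `raw`, `safe_concat`, and Erubi's `<%==` raw-output tag), run over the partial from the issue as constructed input. The pattern list, the `lint_templates` helper, and the extra `article.notes` / `article.summary` lines in the sample are assumptions made for illustration. It is a grep-level CI backstop, not a data-flow analysis, and it makes no claim about why the scanner skips this template.

```ruby
# Added example (not from the issue or from Brakeman): flag ERB output tags
# whose expression opts out of Rails' default HTML escaping. Purely textual,
# so it complements a data-flow scanner rather than replacing it.

# Expressions that mark an output tag as deliberately unescaped (assumed list).
UNSAFE_PATTERNS = [
  /\.html_safe\b/,    # "<b>".html_safe
  /\braw[\s(]/,       # raw(x) / raw x
  /\bsafe_concat\b/,  # output_buffer.safe_concat(x)
].freeze

# Scan ERB source and return findings as {line:, expr:, reason:} hashes.
# Handles <%= %> tags spanning several lines, treats <%== (Erubi raw output)
# as unescaped, and ignores <%# %> comments and <% %> statement tags.
def find_unescaped_output(source)
  findings = []
  source.scan(/<%(=+|#)?(.*?)%>/m) do |marker, body|
    # Line number = newlines before the start of this match, plus one.
    line = source[0, Regexp.last_match.begin(0)].count("\n") + 1
    next if marker.nil? || marker == "#"   # statement or comment: no output
    expr = body.strip.chomp("-").strip     # drop trailing "-" of <%= ... -%>
    if marker == "=="
      findings << { line: line, expr: expr, reason: "<%== emits raw output" }
      next
    end
    hit = UNSAFE_PATTERNS.find { |pat| expr.match?(pat) }
    findings << { line: line, expr: expr, reason: "matches /#{hit.source}/" } if hit
  end
  findings
end

# Walk a glob of templates (e.g. "app/views/**/*.erb"), print findings, and
# return the count so a CI step can fail when it is non-zero.
def lint_templates(glob)
  total = 0
  Dir.glob(glob).sort.each do |path|
    find_unescaped_output(File.read(path)).each do |f|
      puts "#{path}:#{f[:line]}: #{f[:reason]}: #{f[:expr]}"
      total += 1
    end
  end
  total
end

# Constructed input: the partial quoted in the issue, plus a comment tag and a
# <%== tag (both assumed) to show those cases being handled.
SAMPLE_TEMPLATE = <<~ERB
  <div id="<%= dom_id article %>">
    <p>
      <strong>Title:</strong>
      <%= article.title %>
    </p>
    <p>
      <strong>Content:</strong>
      <%= article.content.html_safe %>
    </p>
    <%# raw(article.notes) is commented out, must not be reported %>
    <%== article.summary %>
  </div>
ERB

if __FILE__ == $PROGRAM_NAME
  find_unescaped_output(SAMPLE_TEMPLATE).each do |f|
    puts "_article.html.erb:#{f[:line]}: #{f[:reason]}: #{f[:expr]}"
  end
  # In a real checkout: exit(lint_templates("app/views/**/*.erb").zero? ? 0 : 1)
end
```

On the sample it reports line 8 (`article.content.html_safe`) and line 11 (`<%==`), and nothing for the escaped `article.title` or the comment. Because it only looks at output tags, a value marked `html_safe` inside a `<% %>` statement and printed later will not be caught; that gap is exactly where a data-flow scanner is still needed.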