A static analysis security vulnerability scanner for Ruby on Rails applications
OTHER License
Published by presidentbeef over 3 years ago
- --[no-]skip-vendor option
- uuid as a safe attribute
- Tempfile#path in shell commands
- __send__ calls
- load_defaults version
- --force if no Rails application is detected

Published by presidentbeef almost 4 years ago

- Sexp#sexp_body instead of Sexp#[..] (Ruby 3.0 compatibility)

Published by presidentbeef almost 4 years ago

- --force if no Rails application is detected
- --[no-]skip-vendor option

Published by presidentbeef about 4 years ago

Published by presidentbeef about 4 years ago

- active_record for non-Rails apps (Ulysse Buonomo)
- chomped strings for SQL injection (#1509)
- attr_accessible if protected_attributes gem is used (#1512)

Published by presidentbeef about 4 years ago

- --ensure-ignore-notes (Eli Block)
- ERB.new (Matt Hickman)
- environment.rb
- safe_yaml is used via YAML.load(..., safe: true)
- params.permit!.slice
- params.permit! in path helpers
- Dir.glob as safe source of values in guards

Published by presidentbeef over 4 years ago

- --text-fields option
- authenticate_or_request_with_http_basic check for passed blocks (Hugo Corbucci)

Published by presidentbeef over 4 years ago

- CheckExecute (Jacob Evelyn)
- nil (Carsten Wirth)

Published by presidentbeef almost 5 years ago

Published by presidentbeef almost 5 years ago

- :_blank symbol (Jacob Evelyn)
- s(:lambda) to s(:call) in Sexp#block_call (#1410)
- Symbol#to_s in Ruby 2.7

Published by presidentbeef about 5 years ago

- -c shell commands (Jacob Evelyn)
- CheckCookieSerialization (Phil Turnbull)
- Brakeman::Differ#second_pass (Benoit Côté-Jodoin)
- version_between? (Andrey Glushkov)
- %W[] (#1399)
- form_for for XSS check

Published by presidentbeef about 5 years ago

Published by presidentbeef about 5 years ago

- ActiveStorage::Filename#sanitized (Tejas Bubane)
- nil line numbers to Sexp
- sdup (#1374)
- Warning#relative_path

Published by presidentbeef over 5 years ago

- config.force_ssl (#1181)
- Oj.load/object_load
- destroy_by/delete_by
- find_or_create_by and friends
- link_to with block for href XSS (#1339)
- !! calls to boolean value (#1343)
- __FILE__
- Brakeman::FilePath

Published by presidentbeef over 5 years ago

- Shellwords escaping (#1323)
- ** inside Hash literals
- AliasProcessor
- Tracker#errors list
- FileParser in Scanner to parse files
- CheckContentTag

Published by presidentbeef almost 6 years ago

- --enable option to enable optional checks
- secrets.yml files (Naoki Kimura)
- String#shellescape and Shellwords.shelljoin are used (George Ogata)
- if not like unless (#1225)
- rel="noreferrer" in HTML reports
- nil errors when concatenating arrays

Published by presidentbeef over 6 years ago

- :BRAKEMAN_SAFE_LITERAL to represent known-safe literals
- Array#map and Array#each over literal arrays (#1208 / #1224)
- symbolize_keys to be called on params in SQL (Jacob Evelyn)
- Object#freeze, use the target instead (#1211)
- foreign_key calls in SQL (#1202)
- included calls outside of classes/modules (#1209)

Published by presidentbeef over 6 years ago

- --parser-timeout option
- BaseCheck#include_interp? should return first string interpolation (#1189)
- Process.pid in system calls
- link_to href with sanitize() (#1187)
- params#to_h and params#to_hash in SQL checks (#1180)
- Array#join to string interpolation (#1179)
- "".freeze to just "" (#1182)
- --color can be used to force color output (#1175)
- only_files (Todd Mazierski)