Application Path: /home/mike/github/arvados/services/api
Rails Version: 3.2.17
Brakeman Version: 3.0.2
Report Time: 2015-03-13 06:50:38 +0100 (5.561111123 seconds)
Checks Performed: BasicAuth, ContentTag, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NumberToCurrency, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, StripTags, SymbolDoSCVE, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, YAMLParsing
Confidence | Class | Method | Warning Type | Message

High | - | - | SQL Injection | Rails 3.2.17 contains a SQL injection vulnerability (CVE-2014-3482). Upgrade to 3.2.19
Location: Gemfile.lock, near line 158
  153: rack (>= 0.4)
  154: rack-ssl (1.3.4)
  155: rack
  156: rack-test (0.6.2)
  157: rack (>= 1.0)
  158: rails (3.2.17)
  159: actionmailer (= 3.2.17)
  160: actionpack (= 3.2.17)
  161: activerecord (= 3.2.17)
  162: activeresource (= 3.2.17)
  163: activesupport (= 3.2.17)

High | - | - | SQL Injection | Rails 3.2.17 contains a SQL injection vulnerability (CVE-2014-3483). Upgrade to 3.2.19
Location: Gemfile.lock, near line 158
  153: rack (>= 0.4)
  154: rack-ssl (1.3.4)
  155: rack
  156: rack-test (0.6.2)
  157: rack (>= 1.0)
  158: rails (3.2.17)
  159: actionmailer (= 3.2.17)
  160: actionpack (= 3.2.17)
  161: activerecord (= 3.2.17)
  162: activeresource (= 3.2.17)
  163: activesupport (= 3.2.17)

Medium | Commit | Commit.git_check_ref_format | Command Injection | Possible command injection near line 9: `git check-ref-format --allow-onelevel #{e.shellescape}`
Location: app/models/commit.rb, near line 9
   4: def self.git_check_ref_format(e)
   5:   if !e or e.empty? or e[0] == '-' or e[0] == '$'
   6:     # definitely not valid
   7:     false
   8:   else
   9:     `git check-ref-format --allow-onelevel #{e.shellescape}`
  10:     $?.success?
  11:   end
  12: end
  14: def self.find_commit_range(current_user, repository, minimum, maximum, exclude)

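Brakeman reports every backtick or system call that interpolates a value, so this is a pattern match rather than a demonstrated injection: line 9 already passes the ref through String#shellescape, and lines 5-8 reject refs beginning with '-' (which git would read as an option) or '$'. The example below is added here and is not the project's code. It shows what shellescape actually produces for a hostile ref, and the argv form that avoids the shell entirely, which is the idiom that makes the warning disappear. HOSTILE_REF is a constructed value; the ref_shape_ok? helper is a hypothetical name for the check on lines 5-8.

```ruby
require 'shellwords'
require 'open3'

# Constructed hostile input for this example: a ref name carrying a shell
# command separator.
HOSTILE_REF = 'master; touch /tmp/pwned'

# Same shape check as commit.rb lines 5-8 (hypothetical helper name): a
# leading '-' would be parsed by git as an option, and '$' would be expanded
# by the shell if one were involved.
def ref_shape_ok?(ref)
  return false if ref.nil? || ref.empty?
  !ref.start_with?('-', '$')
end

# The pattern Brakeman is hunting for: raw interpolation into a command
# string that /bin/sh will parse. ';' ends the git command and starts a new one.
def shell_command_unsafe(ref)
  "git check-ref-format --allow-onelevel #{ref}"
end

# What the report's line 9 does: shellescape backslash-escapes every
# character outside a small safe set (letters, digits, a few punctuation
# marks), so sh sees one word.
def shell_command_escaped(ref)
  "git check-ref-format --allow-onelevel #{ref.shellescape}"
end

# Preferred form: build argv and let Open3 exec git directly, with no shell.
# The ref is one argv element whatever characters it contains.
def git_argv(ref)
  ['git', 'check-ref-format', '--allow-onelevel', ref]
end

def git_check_ref_format(ref)
  return false unless ref_shape_ok?(ref)
  _output, status = Open3.capture2e(*git_argv(ref))
  status.success?
end

if __FILE__ == $PROGRAM_NAME
  puts shell_command_unsafe(HOSTILE_REF)
  puts shell_command_escaped(HOSTILE_REF)
  if system('git --version', out: File::NULL, err: File::NULL)
    puts git_check_ref_format('refs/heads/main')
  end
end
```

Running the file prints the two command strings; the escaped one reads as one argument when split by shell rules, the unescaped one as three extra words. The leading-character check is still needed in the argv form because git, not the shell, is what would misread a ref like "-n".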
Medium | - | - | Remote Code Execution | Rails 3.2.17 with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to 3.2.18

Medium | DatabaseController | reset | SQL Injection | Possible SQL injection near line 40: ActiveRecord::Base.connection.execute("LOCK TABLE #{(("\"" + ActiveRecord::Base.connection.tables.join("\",\"")) + "\"")} IN ACCESS EXCLUSIVE MODE")
Location: app/controllers/database_controller.rb, near line 40
  35: begin
  36:   ActiveRecord::Base.transaction do
  37:     # Avoid deadlock by locking all tables before doing anything
  38:     # drastic.
  39:     ActiveRecord::Base.connection.execute \
  40:       "LOCK TABLE #{table_names} IN ACCESS EXCLUSIVE MODE"
  42:     # Delete existing fixtures (and everything else) from fixture
  43:     # tables
  44:     fixturesets.each do |x|
  45:       x.classify.constantize.unscoped.delete_all

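The flagged statement builds `LOCK TABLE "a","b" ...` by wrapping the joined list in double quotes. The names come from `ActiveRecord::Base.connection.tables`, i.e. the database catalog rather than request parameters, so (my reading, not a claim the report makes) only someone who can already create tables could influence the string. Even so, quoting an identifier without doubling any quote character inside it is not a complete quoting routine. The example below is added here and is not the project's code; it puts the report's concatenation next to a correct PostgreSQL identifier quote, with a small statement counter to make the difference visible. In Rails itself the equivalent call is `connection.quote_table_name`. The table names are constructed.

```ruby
# PostgreSQL quotes identifiers with double quotes; a literal double quote
# inside the identifier is written as two double quotes.
def quote_ident(name)
  '"' + name.to_s.gsub('"', '""') + '"'
end

# Equivalent of the report's expression: "\"" + tables.join("\",\"") + "\"".
# It wraps the list in quotes but never escapes a quote inside a name.
def lock_tables_sql_naive(table_names)
  "LOCK TABLE \"#{table_names.join('","')}\" IN ACCESS EXCLUSIVE MODE"
end

# Quote each name separately so a name may contain any character.
def lock_tables_sql(table_names)
  raise ArgumentError, 'LOCK TABLE needs at least one table' if table_names.empty?
  quoted = table_names.map { |t| quote_ident(t) }.join(', ')
  "LOCK TABLE #{quoted} IN ACCESS EXCLUSIVE MODE"
end

# Count statements the way a simple SQL splitter would: one per ';' that is
# not inside a double-quoted identifier. Used only to show the difference.
def statement_count(sql)
  in_quote = false
  count = 1
  sql.each_char do |c|
    in_quote = !in_quote if c == '"'
    count += 1 if c == ';' && !in_quote
  end
  count
end

# Constructed inputs: ordinary table names plus a hostile one.
NORMAL_TABLES = %w[users links collections].freeze
HOSTILE_TABLE = 'users"; DROP TABLE users; --'
```

With the hostile name the naive form yields three statements and a trailing comment that swallows the lock mode; the quoted form yields one statement whose identifier simply happens to contain semicolons.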
Weak | Arvados::V1::ApiClientAuthorizationsController | create_system_auth | Mass Assignment | Unprotected mass assignment near line 18: ApiClientAuthorization.new(:user_id => (system_user.id), :api_client_id => ((params[:api_client_id] or current_api_client.andand.id)), :created_by_ip_address => (remote_ip), :scopes => (Oj.load((params[:scopes] or "[\"all\"]"))))
Location: app/controllers/arvados/v1/api_client_authorizations_controller.rb, near line 18
  13: def create_system_auth
  14:   @object = ApiClientAuthorization.
  15:     new(user_id: system_user.id,
  16:         api_client_id: params[:api_client_id] || current_api_client.andand.id,
  17:         created_by_ip_address: remote_ip,
  18:         scopes: Oj.load(params[:scopes] || '["all"]'))
  19:   @object.save!
  20:   show
  21: end
  23: def create

Weak | Arvados::V1::KeepDisksController | find_object_by_uuid | Mass Assignment | Unprotected mass assignment near line 39: KeepDisk.new(:filesystem_uuid => (params[:filesystem_uuid]))
Location: app/controllers/arvados/v1/keep_disks_controller.rb, near line 39
  35: def find_object_by_uuid
  36:   @object = KeepDisk.where(uuid: (params[:id] || params[:uuid])).first
  37:   if !@object && current_user.andand.is_admin
  38:     # Create a new KeepDisk and ping it.
  39:     @object = KeepDisk.new(filesystem_uuid: params[:filesystem_uuid])
  40:     @object.save!
  42:     # In the first ping from this new filesystem_uuid, we can't
  43:     # expect the keep node to know the ping_secret so we made sure
  44:     # we got an admin token. Here we add ping_secret to params so

Weak | Arvados::V1::UserAgreementsController | sign | Mass Assignment | Unprotected mass assignment near line 57: Link.create(:link_class => "signature", :name => "click", :tail_uuid => (current_user.uuid), :head_uuid => (params.delete(:id)))
Location: app/controllers/arvados/v1/user_agreements_controller.rb, near line 57
  52:   current_user_uuid = current_user.uuid
  53:   act_as_system_user do
  54:     @object = Link.create(link_class: 'signature',
  55:                           name: 'click',
  56:                           tail_uuid: current_user_uuid,
  57:                           head_uuid: params[:uuid])
  58:   end
  59:   show
  60: end
  62: def create

Weak | KeepDisk | ping | Mass Assignment | Unprotected mass assignment near line 39: self.update_attributes!(o.select do [:bytes_total, :bytes_free, :is_readable, :is_writable, :last_read_at, :last_write_at].collect(&:to_s).index(k) end.merge(:last_ping_at => (Time.now)))
Location: app/models/keep_disk.rb, near line 39
  34:   logger.info "Ping: secret mismatch: received \"#{o[:ping_secret]}\" != \"#{self.ping_secret}\""
  35:   return nil
  36: end
  38: @bypass_arvados_authorization = true
  39: self.update_attributes!(o.select { |k,v|
  40:   [:bytes_total,
  41:    :bytes_free,
  42:    :is_readable,
  43:    :is_writable,
  44:    :last_read_at,

Weak | User | create_user_repo_link | Mass Assignment | Unprotected mass assignment near line 347: Link.create(:tail_uuid => (self.uuid), :head_uuid => (Repository.create(:name => (repo_name))[:uuid]), :link_class => "permission", :name => "can_manage")
Location: app/models/user.rb, near line 347
  342:   # create repo, if does not already exist
  343:   repo ||= Repository.create(name: repo_name)
  344:   logger.info { "repo uuid: " + repo[:uuid] }
  346:   repo_perm = Link.create(tail_uuid: self.uuid,
  347:                           head_uuid: repo[:uuid],
  348:                           link_class: 'permission',
  349:                           name: 'can_manage')
  350:   logger.info { "repo permission: " + repo_perm[:uuid] }
  351:   return repo_perm
  352: end

Weak | User | create_vm_login_permission_link | Mass Assignment | Unprotected mass assignment near line 389: Link.create(:tail_uuid => (self.uuid), :head_uuid => (VirtualMachine.where(:uuid => (vm_uuid)).first[:uuid]), :link_class => "permission", :name => "can_login", :properties => ({ "username" => (repo_name) }))
Location: app/models/user.rb, near line 389
  385: if perm_exists
  386:   login_perm = perm_exists
  387: else
  388:   login_perm = Link.create(tail_uuid: self.uuid,
  389:                            head_uuid: vm[:uuid],
  390:                            link_class: 'permission',
  391:                            name: 'can_login',
  392:                            properties: {'username' => repo_name})
  393:   logger.info { "login permission: " + login_perm[:uuid] }
  394: end

Weak | UserSessionsController | send_api_token_to | Mass Assignment | Unprotected mass assignment near line 136: ApiClientAuthorization.new(:user => (user), :api_client => (ApiClient.find_or_create_by_url_prefix((callback_url.match(/^.*?:\/\/[^\/]+/)[0] + "/"))), :created_by_ip_address => (remote_ip), :scopes => (["all"]))
Location: app/controllers/user_sessions_controller.rb, near line 136
  132: api_client_auth = ApiClientAuthorization.
  133:   new(user: user,
  134:       api_client: @api_client,
  135:       created_by_ip_address: remote_ip,
  136:       scopes: ["all"])
  137: api_client_auth.save!
  139: if callback_url.index('?')
  140:   callback_url += '&'
  141: else

Weak | UserSessionsController | send_api_token_to | Redirect | Possible unprotected redirect near line 147: redirect_to((((callback_url + "&") or (callback_url + "?")) + ("api_token=" + ApiClientAuthorization.new(:user => (user), :api_client => (ApiClient.find_or_create_by_url_prefix((callback_url.match(/^.*?:\/\/[^\/]+/)[0] + "/"))), :created_by_ip_address => (remote_ip), :scopes => (["all"])).api_token)))
Location: app/controllers/user_sessions_controller.rb, near line 147
  142:     callback_url += '?'
  143:   end
  144:   callback_url += 'api_token=' + api_client_auth.api_token
  145:   redirect_to callback_url
  146: end
  148: def cross_origin_forbidden
  149:   send_error 'Forbidden', status: 403
  150: end
  151: end

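Brakeman flags `redirect_to callback_url` because the destination is not a route the application controls, and here a freshly minted api_token travels with it. The context shows the destination's `scheme://host` prefix being extracted with `callback_url.match(/^.*?:\/\/[^\/]+/)` and the token glued on with string concatenation after a manual `?`/`&` choice. The example below is added here and is not the project's code. It is the validation a practitioner would want before a token is issued to a callback: parse with URI, accept only http and https, reject userinfo (the `good.example.com@evil.example.net` trick), compare the normalised prefix against an allowlist, and let URI build the query string. ALLOWED_PREFIXES and all URLs are constructed; the helper names are hypothetical.

```ruby
require 'uri'

# Constructed allowlist standing in for the registered API client URL prefixes.
ALLOWED_PREFIXES = ['https://workbench.example.com/', 'https://app.example.org/'].freeze

# Normalised scheme://host[:port]/ prefix, or nil when the URL should not be
# trusted. Parsing with URI instead of a regex means odd schemes, userinfo
# and unparseable strings are each handled explicitly.
def url_prefix(callback_url)
  u = URI.parse(callback_url.to_s)
  return nil unless %w[http https].include?(u.scheme)
  return nil if u.host.nil? || u.host.empty?
  return nil unless u.userinfo.nil? # "https://good.example.com@evil.example.net/"
  port = u.port == u.default_port ? '' : ":#{u.port}"
  "#{u.scheme}://#{u.host.downcase}#{port}/"
rescue URI::InvalidURIError
  nil
end

def allowed_callback?(callback_url)
  prefix = url_prefix(callback_url)
  !prefix.nil? && ALLOWED_PREFIXES.include?(prefix)
end

# Append api_token as a proper query parameter (encoded, so a token with
# reserved characters survives). Raises instead of redirecting when the
# callback is not on the allowlist.
def callback_with_token(callback_url, api_token)
  raise ArgumentError, "callback not allowed: #{callback_url}" unless allowed_callback?(callback_url)
  u = URI.parse(callback_url)
  params = URI.decode_www_form(u.query || '')
  params << ['api_token', api_token]
  u.query = URI.encode_www_form(params)
  u.to_s
end
```

The allowlist comparison is on the whole normalised prefix, including a non-default port, so `https://workbench.example.com:8443/` is a different origin from `https://workbench.example.com/` and must be registered separately.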
Confidence | Model | Warning Type | Message
High | ApiClient | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | ApiClientAuthorization | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | AuthorizedKey | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | Collection | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | Commit | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | CommitAncestor | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | Group | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | Human | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | JobTask | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | KeepDisk | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | KeepService | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | Link | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | Log | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | Node | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | PipelineInstance | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | PipelineTemplate | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | Repository | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | Specimen | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | Trait | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | User | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | UserAgreement | Attribute Restriction | Mass assignment is not restricted using attr_accessible
High | VirtualMachine | Attribute Restriction | Mass assignment is not restricted using attr_accessible
Medium | ArvadosModel | Attribute Restriction | attr_accessible is recommended over attr_protected
Location: app/models/arvados_model.rb, near line 8
   3: class ArvadosModel < ActiveRecord::Base
   4:   self.abstract_class = true
   6:   include CurrentApiClient # current_user, current_api_client, etc.
   8:   attr_protected :created_at
   9:   attr_protected :modified_by_user_uuid
  10:   attr_protected :modified_by_client_uuid
  11:   attr_protected :modified_at
  12:   after_initialize :log_start_state
  13:   before_save :ensure_permission_to_save

Medium | Job | Attribute Restriction | attr_accessible is recommended over attr_protected
Location: app/models/job.rb, near line 5
   1: class Job < ArvadosModel
   2:   include HasUuid
   3:   include KindAndEtag
   4:   include CommonApiTemplate
   5:   attr_protected :arvados_sdk_version, :docker_image_locator
   6:   serialize :script_parameters, Hash
   7:   serialize :runtime_constraints, Hash
   8:   serialize :tasks_summary, Hash
   9:   before_create :ensure_unique_submit_id
  10:   after_commit :trigger_crunch_dispatch_if_cancelled, :on => :update

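The Weak Mass Assignment warnings earlier in the report come from `Model.new(hash)` and `Model.create(hash)` calls on models that, per the Attribute Restriction table above, declare no attr_accessible; the two Medium warnings come from ArvadosModel and Job using attr_protected, a denylist. Rails 3.2 supports both: attr_protected names the columns that may not be mass-assigned and lets everything else through, attr_accessible names the columns that may be and drops the rest. The example below is added here and is not the project's code. It reproduces the two filters in plain Ruby, without ActiveRecord, to show the failure mode Brakeman is pointing at: a column added later, is_admin here, is writable under the denylist unless someone remembers to extend the list. The request hash and PROFILE_ACCESSIBLE are constructed; ARVADOS_PROTECTED is copied from arvados_model.rb lines 8-11 as shown in the report. The `strict:` flag mirrors Rails 3.2's `config.active_record.mass_assignment_sanitizer = :strict`, which raises instead of silently dropping.

```ruby
# Rails params arrive with string keys while model code usually uses symbols.
# Normalise to strings once so a key cannot slip past a check by spelling.
def normalize_keys(attrs)
  attrs.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
end

# attr_protected semantics: remove the listed keys, pass everything else.
def denylist_filter(attrs, protected_keys, strict: false)
  denied = protected_keys.map(&:to_s)
  attrs = normalize_keys(attrs)
  dropped = attrs.keys & denied
  raise ArgumentError, "protected attributes: #{dropped.join(', ')}" if strict && !dropped.empty?
  attrs.reject { |k, _| denied.include?(k) }
end

# attr_accessible semantics: keep only the listed keys, drop everything else,
# including columns that did not exist when the list was written.
def allowlist_filter(attrs, accessible_keys, strict: false)
  allowed = accessible_keys.map(&:to_s)
  attrs = normalize_keys(attrs)
  dropped = attrs.keys - allowed
  raise ArgumentError, "unknown attributes: #{dropped.join(', ')}" if strict && !dropped.empty?
  attrs.select { |k, _| allowed.include?(k) }
end

# Denylist as declared in arvados_model.rb lines 8-11 of the report.
ARVADOS_PROTECTED = %i[created_at modified_by_user_uuid modified_by_client_uuid modified_at].freeze

# Constructed allowlist for a hypothetical user-editable profile.
PROFILE_ACCESSIBLE = %i[first_name last_name email].freeze

# Constructed request body: the fields a client should send, plus two it
# should not (one on the denylist, one the denylist never heard of).
REQUEST_PARAMS = {
  'first_name' => 'Mallory',
  'email' => 'mallory@example.com',
  'modified_at' => '1970-01-01T00:00:00Z',
  'is_admin' => true
}.freeze
```

Under the denylist modified_at is stripped but is_admin reaches the model; under the allowlist both are dropped, and in strict mode the request is rejected outright, which is the behaviour to prefer for an API that clients script against.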