| Application Path | Rails Version | Brakeman Version | Report Time | Checks Performed |
|---|---|---|---|---|
| /home/mike/github/arvados/apps/workbench | 4.1.9 | 3.0.2 | 2015-03-13 06:51:02 +0100 (13.342875966 seconds) | BasicAuth, ContentTag, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NumberToCurrency, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, StripTags, SymbolDoSCVE, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, YAMLParsing |

| Scanned/Reported | Total |
|---|---|
| Controllers | 26 |
| Models | 23 |
| Templates | 157 |
| Errors | 0 |
| Security Warnings | 11 (9) |
| Ignored Warnings | 0 |

| Warning Type | Total |
|---|---|
| Command Injection | 1 |
| Cross Site Scripting | 6 |
| Redirect | 2 |
| SQL Injection | 1 |
| SSL Verification Bypass | 1 |

| Confidence | Class | Method | Warning Type | Message |
|---|---|---|---|---|
| High | JobsController | cancel | Redirect | Possible unprotected redirect near line 54: redirect_to(params[:return_to]) |
| High | CollectionsController | index | SQL Injection | Possible SQL injection near line 60: Collection.select(Collection.columns.map(&:name)) |
| High | ArvadosApiClient | api | SSL Verification Bypass | SSL certificate verification was bypassed near line 89: HTTPClient.new.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE |
| Medium | FileStreamer | each | Command Injection | Possible command injection near line 333: IO.popen([Hash[ENV].dup, "arv-get", "#{@opts[:uuid]}/#{@opts[:file]}"], "rb") |
| Weak | ActionsController | show | Redirect | Possible unprotected redirect near line 23: redirect_to(model_class.andand.find(params[:uuid])) |

View Warnings

| Confidence | Template | Warning Type | Message |
|---|---|---|---|
| High | application/_choose (ApplicationController#choose) | Cross Site Scripting | Unescaped parameter value near line 26: params[:action_data] |
| High | collections/_choose | Cross Site Scripting | Unescaped parameter value near line 26: params[:action_data] |
| High | pipeline_templates/_choose | Cross Site Scripting | Unescaped parameter value near line 26: params[:action_data] |
| High | projects/_choose | Cross Site Scripting | Unescaped parameter value near line 26: params[:action_data] |
| High | users/inactive (UsersController#inactive) | Cross Site Scripting | Unsafe parameter value in link_to href near line 21: link_to("Retry", (params[:return_to] or "/"), :class => "btn btn-primary") |
| High | users/profile (UsersController#profile) | Cross Site Scripting | Unsafe parameter value in link_to href near line 19: link_to("Back to work!", (params[:offer_return_to] or params[:return_to]), :class => "btn btn-sm btn-primary") |